Fielddata error preventing Authentications tab populating

Hi all,

I'm using Filebeat 7.3.1 with Elastic Cloud 7.3.0 and the Authentications pane (in SIEM app) is empty (despite being able to view them in Discover / filebeat index.

When I inspect the response in the SIEM app I get :

type": "illegal_argument_exception",
          "reason": "Fielddata is disabled on text fields by default

The index template is loaded so not sure why this is happening? Same is happening on Auditbeat

Most likely is a text field when it should be keyword. Have you loaded the templates for Auditbeat and Filebeat using the setup command? Do they contain this section:

          "strings_as_keyword" : {
            "mapping" : {
              "ignore_above" : 1024,
              "type" : "keyword"
            "match_mapping_type" : "string"

That should ensure that (and all other string fields) is a keyword field.

Ideally, you could fix the templates and reindex the data so it's all keyword fields. You could also keep your current data and enable fielddata as described in

Thanks @cwurm! Yes I've run the setup command, deleted all filebeat indexes. Here's the template current filebeat template.

If I inspect the mapping for user :

      "user": {
        "properties": {
          "name": {
            "type": "text",
            "fields": {
              "keyword": {
                "type": "keyword",
                "ignore_above": 256

I'm stumped for now...any other suggestions? Re-indexing doesn't appeal as I can just delete my indexes as I can do without the data for a little while, but hopefully not much longer!

Here are the steps I took to fix the problem :

  • Stop all filebeat services from sending data (this was apparently what prevented index template from applying)
  • Delete all filebeat indexes
  • run sudo filebeat setup on a node