Can anyone please help resolve this?
Please don't post images of text as they are hardly readable and not searchable.
Instead paste the text and format it with </> icon. Check the preview window.
Also give more context about what you did, what settings you changed, when this happens...
Sorry my bad. I simply just created an index pattern and tried to view data on the SIEM app and it pops up this error “[illegal_argument_exception] Fielddata is disabled on text fields by default. Set fielddata=true on [host.name] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead.
What is the source of your data?
At first sight that looks like Beats data for which the Elasticsearch mapping was not loaded. If my guess is right, it would be good to give us the Beat type, version, and if you are sending data directly to Elasticsearch or via Logstash or something else.
Auditbeat 7.2 and winlogbeat 7.2. I’m sending to Elasticsearch via Logstash
Hi @Chinedum_Nwuzor - before sending data through Logstash you first have to load the index templates from the Beats with ./auditbeat setup and ./winlogbeat setup. That makes sure the host.name field is a keyword field (which supports aggregations), not a text field (which does not).
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.