[illegal_argument_exception] Fielddata is disabled on text fields by default. Set fielddata=true on [host.name]

Boomania · June 3, 2020, 3:49pm

Hi everyone,

I am stuck with an issue regarding fielddata aggregation. I spent many days looking for similar issues, but none of them worked.

In a nutshell, I use ELK stack (version 7.3.1) for personal purpose and want to exploit Dashboard & SIEM utilities.

My architecture is the following (all based on Linux OS):
[subnet 1 : various beats on every available machines a own -> kafka] -> Personnal Routeur -> [Subnet 2 : Logstash -> Elasticsearch <- Kibana]

I configured Xpack free functionalities for encryption/Keystores... and I managed to centralize the logs on the Elasticsearch. Then on Kibana interface I created index paterns based on indexes available on the index management page. I used logstash to parse the logs that are not already parsed by default. When I go to the Discover page, everything runs fine. I have all my indexes, and I can search using advanced filters.

The problem is : I have issues when I want to use the SIEM app, only the main overview counts Hosts Events & Network Events. When I click on one of them, nothing displays and I have the following error : [illegal_argument_exception] Fielddata is disabled on text fields by default. Set fielddata=true on [host.name]

As I understand, Logstash has something that alters data type. I firstly checked my Logstash file configuration. Here is the end of it :

       output {
    	elasticsearch {
    		hosts => "localhost:9200"
    		**manage_template => "false"**
    		index => "%{[@metadata][kafka][lc_topic]}-%{+YYYY.MM.dd}"
    		user => "${ES_USER}"
    		password => "${ES_PWD}"
    	}
    }

I though it was because I didn't correctly uploaded / install the beats templates. So I did it again, following those steps :

I deleted all indexes with the Kibana interface
On each machine : < beat_name> export template > <beat_name>.template.json
Checked they were populated, and uploaded them on the ELK server (scp)
Used the command ```curl -XPUT -H 'Content-Type: application/json'
http://localhost:9200/_template/<beat_name-version> -d@<beat_name>.template.json

5) As the issue was not resolved, I restarted ELK services. No improvement.

I hope I was clear, feel free to ask any further technical information.

Thank you in advance for your help.

Topic		Replies	Views
Visualize: Fielddata is disabled on text fields by default. Set fielddata=true on [system.syslog.hostname] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory Elasticsearch	3	1922	June 1, 2017
How can I run analytics on elasticsearch using aggregations without getting the fielddata error? Elasticsearch	1	863	June 27, 2017
Not able to search the data in index Elasticsearch	5	1413	November 4, 2022
Set fielddata=true on [event.dataset] Kibana	2	2501	August 1, 2020
My field is doc_value , but got error : Fielddata is disabled on text fields by default. Set fielddata=true Elasticsearch	2	1135	December 14, 2016

[illegal_argument_exception] Fielddata is disabled on text fields by default. Set fielddata=true on [host.name]

Related topics