Map runtime field

I have the following query, which should create a new field:

PUT filebeat*
{
  "mappings": {
    "runtime": {
      "sophos.utm.to.domain": {
        "type": "keyword",
        "script": {
          "source": "def m = /@((?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\]))/.matcher(doc['sophos.utm.to'].value); emit(m.find() ? m.group(1) : '');"
        }
      }
    }
  }
}

I get the following error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/create] is unauthorized for user [test]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/create] is unauthorized for user [test]",
    "caused_by" : {
      "type" : "illegal_state_exception",
      "reason" : "There are no external requests known to support wildcards that don't support replacing their indices"
    }
  },
  "status" : 403
}

The superuser role is assigned to the "test" user.

@paasi6666 Do you get the same error if you apply your mapping to a single index rather than a wildcard?

Also, if you need to apply this to future Filebeat indices, perhaps applying this to the index template for that pattern might be useful.
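As an added example (not code from the original thread or from Elastic), the following Python helper does two things a practitioner would want before touching the cluster: it runs the post's domain regex locally against constructed addresses so the Painless logic can be checked offline, and it builds the two request bodies the reply points to. A bare `PUT filebeat*` is a create-index request, which does not accept a wildcard name; adding a runtime field to existing indices goes through the update-mapping API (`PUT filebeat-*/_mapping`, which does accept wildcards), and future indices get it from an index template. The index pattern `filebeat-*`, the template name and the priority are placeholder assumptions. Two deliberate changes from the posted script, mirrored in the Python twin: the value is lowercased first, because the regex only matches lowercase domains and would otherwise silently produce nothing for mixed-case addresses, and nothing is emitted when there is no match instead of an empty string.

```python
"""Build and locally sanity-check a Sophos UTM domain runtime field.

Added example, not from the original thread or from Elastic. Assumed names:
the index pattern "filebeat-*", the template name and its priority are
placeholders; adjust them to the cluster's own Filebeat template.
"""
import json
import re

# The post's regex, unchanged, as a raw string (JSON double-escaping removed).
DOMAIN_RE = (
    r"@((?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
    r"|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}"
    r"(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])"
    r"|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]"
    r"|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]))"
)

_DOMAIN = re.compile(DOMAIN_RE)


def extract_domain(address):
    """Python twin of the Painless script: lowercase first, return the
    domain (or bracketed IP literal) after '@', or None when nothing matches."""
    m = _DOMAIN.search(address.lower())
    return m.group(1) if m else None


# Painless source: guard against a missing field, lowercase the value so the
# lowercase-only regex can match, and emit nothing when there is no match.
PAINLESS_SOURCE = (
    "if (doc['sophos.utm.to'].size() > 0) { "
    "def m = /" + DOMAIN_RE + "/.matcher(doc['sophos.utm.to'].value.toLowerCase()); "
    "if (m.find()) { emit(m.group(1)); } }"
)


def runtime_mapping():
    """The runtime field definition shared by both request bodies."""
    return {
        "sophos.utm.to.domain": {
            "type": "keyword",
            "script": {"source": PAINLESS_SOURCE},
        }
    }


def mapping_update_body():
    """Body for PUT filebeat-*/_mapping: adds the field to existing indices."""
    return {"runtime": runtime_mapping()}


def index_template_body(index_pattern="filebeat-*", priority=500):
    """Body for PUT _index_template/<placeholder-name>: applies to indices
    created later. Pattern and priority are assumed placeholder values."""
    return {
        "index_patterns": [index_pattern],
        "priority": priority,
        "template": {"mappings": {"runtime": runtime_mapping()}},
    }


if __name__ == "__main__":
    # Constructed sample values, not data from the thread.
    for addr in ("alice@example.com", "Bob@Mail.Example.CO.UK",
                 "root@[10.0.0.1]", "no-at-sign"):
        print(addr, "->", extract_domain(addr))
    # json.dumps re-applies the backslash escaping the console request needs.
    print("PUT filebeat-*/_mapping")
    print(json.dumps(mapping_update_body(), indent=2))
    print("PUT _index_template/<placeholder-name>")
    print(json.dumps(index_template_body(), indent=2))
```

Run it once to see what the field will emit for representative addresses, then paste the printed bodies into the console. Painless regex literals are governed by the `script.painless.regex.enabled` cluster setting, so if the script is rejected at compile time, check that setting before suspecting the regex itself.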
