Map runtime field

I have the following query, which should create a new field:

PUT filebeat*
{
  "mappings": {
    "runtime": {
      "sophos.utm.to.domain": {
        "type": "keyword",
        "script": {
          "source": "emit(def m = /@((?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\\x01-\\x08\\x0b\\x0c\\x0e-\\x1f\\x21-\\x5a\\x53-\\x7f]|\\\\[\\x01-\\x09\\x0b\\x0c\\x0e-\\x7f])+)\\]))/.matcher(doc['sophos.utm.to'].value); return m.find() ? m.group(1): '';)"
        }
      }
    }
  }
}

I get the following error:

{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "action [indices:admin/create] is unauthorized for user [test]"
      }
    ],
    "type" : "security_exception",
    "reason" : "action [indices:admin/create] is unauthorized for user [test]",
    "caused_by" : {
      "type" : "illegal_state_exception",
      "reason" : "There are no external requests known to support wildcards that don't support replacing their indices"
    }
  },
  "status" : 403
}

The role superuser is assigned to the "test" user.

@paasi6666 Do you get the same error if you apply your mapping to a single index versus a wildcard?

Also, if you need to apply this to future Filebeat indices, perhaps applying this to the index template for that pattern might be useful.
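
The single-index check suggested above, written as Kibana Dev Tools requests (an added example, not part of the original thread). `PUT <index>` with a `mappings` body is the create index API, which matches the `indices:admin/create` action named in the error; the request below instead uses the update mapping API, `PUT <index>/_mapping`, on an index that already exists. Assumptions: `filebeat-example-index` is a placeholder index name, and the regex is a simplified stand-in for the pattern in the question.

```console
# Added example. Field names are taken from the question;
# "filebeat-example-index" is a placeholder for one existing Filebeat index.
# The update mapping API takes the runtime section at the top level of the
# body, not nested under "mappings".
PUT filebeat-example-index/_mapping
{
  "runtime": {
    "sophos.utm.to.domain": {
      "type": "keyword",
      "script": {
        "source": "if (doc['sophos.utm.to'].size() == 0) return; Matcher m = /@([a-z0-9.-]+)/.matcher(doc['sophos.utm.to'].value); if (m.find()) emit(m.group(1));"
      }
    }
  }
}

# Confirm the runtime field is present in the mapping
GET filebeat-example-index/_mapping

# Read the computed value back from one document
GET filebeat-example-index/_search
{
  "size": 1,
  "_source": false,
  "fields": ["sophos.utm.to", "sophos.utm.to.domain"]
}
```

The script skips documents without `sophos.utm.to` and emits nothing when the pattern does not match, so those documents simply have no value for the runtime field. In an index template the same `runtime` block goes under `template.mappings`.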