Mapper [signal.ancestors.index] cannot be changed from type [text] to [keyword]

Hello, probably after an upgrade (current ver. 7.17.6), every time we access the alerts/rules of the Security section we get the following error:
"name": "Error",
"body": {
"message": "illegal_argument_exception: mapper [signal.ancestors.index] cannot be changed from type [text] to [keyword]",
"status_code": 400
"message": "Bad Request",

How can we fix this? We don't care about data (can be erased) we need only to fix this and restart using the alerts and rules.


Hey there,

You can simply delete the .siem-signals- index to resolve this, since you don’t care about the data.
Did you upgrade from any previous versions before you ran into this?


Thanks James, I've already tried to delete the index but the issue reappears.
Yes, this can be caused by an update of ELK.
Any hint?

You may want to try running a manual migration - Detection Alerts Migration API | Elastic Security Solution [8.6] | Elastic

This is the migration status:


but if I force the migration, the index results as the write index and I get:
{"indices":[{"index":".siem-signals-default-000001","error":{"message":"The specified index is a write index and cannot be migrated.","status_code":400},"migration_id":null,"migration_index":null}]}

Hi Enrico, which step of the migration process gave you that message?

this one: /api/detection_engine/signals/migration

Can you share the post payload you provided?

curl -k -X POST "" -u elastic:password -H 'kbn-xsrf: true' -H "Content-Type: application/json" -d '{
"index": [".siem-signals-default-000001"]
}'
