Mapper [signal.ancestors.index] cannot be changed from type [text] to [keyword]

Elastic Security
1

Hello, probably after an upgrade (current ver. 7.17.6) every time we accesso to alerts/rules of Security section we got the following error:
{
"name": "Error",
"body": {
"message": "illegal_argument_exception: mapper [signal.ancestors.index] cannot be changed from type [text] to [keyword]",
"status_code": 400
},
"message": "Bad Request",

How can we fix this? We don't care about data (can be erased) we need only to fix this and restart using the alerts and rules.

Thanks

2

Hey there,

You can simply delete the .siem-signals- index to resolve this, since you don’t care about the data.
Did you upgrade from any previous versions before you ran into this?

James

3

Thanks James, I've already tried to delete the index but the issue reappear.
Yes, this can be caused by an update of ELK.
Any hint?

4

You may want to try running a manual migration - Detection Alerts Migration API | Elastic Security Solution [8.6] | Elastic

5

This is the migration status:

{"indices":[{"index":".siem-signals-default-000001","version":0,"signal_versions":[{"version":57,"count":179671}],"migrations":,"is_outdated":true}]}

but if I force the migration the index result as write index and I got:
{"indices":[{"index":".siem-signals-default-000001","error":{"message":"The specified index is a write index and cannot be migrated.","status_code":400},"migration_id":null,"migration_index":null}]}

6

Hi Enrico, which step of the migration process gave you that message?

7

this one: /api/detection_engine/signals/migration

8

Can you share the post payload you provided?

9

curl -k -X POST "https://192.168.1.183/api/detection_engine/signals/migration" -u elastic:password -H 'kbn-xsrf: true' -H "Content-Type: application/json" -d '{
"index": [".siem-signals-default-000001"]
}'

10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.