If you have a runtime field that references a field, be sure to define the mapping for the referenced field. I was using an ECS field that was "always" present in my indices... until there was an ingest problem. When ILM rolled over the index, no data containing my referenced winlog.user_data.FilePath existed, so the field wasn't mapped. This causes very ugly runtime errors like the one below.
The fix is to add the field mapping to the existing index and add it to your template to prevent future problems 
{
"error" : {
"root_cause" : [
{
"type" : "script_exception",
"reason" : "runtime error",
"script_stack" : [
"org.elasticsearch.search.lookup.LeafDocLookup.getScriptFieldFactory(LeafDocLookup.java:58)",
"org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:89)",
"org.elasticsearch.search.lookup.LeafDocLookup.get(LeafDocLookup.java:27)",
"if (doc['winlog.user_data.FilePath'].size() == 0) ",
" ^---- HERE"
],
"script" : "if (doc['winlog.user_data.FilePath'].size() == 0) return; …",
"lang" : "painless",
"position" : {
"offset" : 8,
"start" : 0,
"end" : 50
}
}
],
"type" : "search_phase_execution_exception",
"reason" : "all shards failed",
"phase" : "query",
"grouped" : true,
"failed_shards" : [
{