@Aura, ahhh, I think I might see what's going on. I bet when you first set up Winlogbeat you accidentally forgot to push your templates, which control the mapping?
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-template.html
You can check your mapping in your Dev Tools, like so. To see the entire mapping of your winlogbeats:
GET winlogbeat-7.6.0/_mapping
If you want to just concentrate on the field in question, which sounds like host.name, it would be like so:
GET winlogbeat-7.6.0/_mapping/field/host.name
You can see in my screenshot that host.name for my winlogbeats is a keyword field. If for some reason it showed up as a text field, I would expect the error you have above to show up, which indicates that you probably just need to overwrite your winlogbeat per that link above to fix things and then maybe do a reindex of existing data to change it from text to keyword fields.
Which would make sense. Without an initial template/mapping loaded, Elasticsearch is going to auto-create your mapping and take guesses about things being text fields and keyword fields, and then when our application tries to do an aggregation or sort you will see those errors showing up.
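Added example, not part of the original post: a small Python check that reads a saved response from the field-mapping request above and lists the indices where `host.name` was auto-mapped as text instead of keyword. The sample response is constructed, and every index name except `winlogbeat-7.6.0` is made up for illustration.

```python
import json

# Constructed sample response to: GET winlogbeat-*/_mapping/field/host.name
# Only winlogbeat-7.6.0 is from the post; the other index names are made up.
SAMPLE_RESPONSE = json.loads("""
{
  "winlogbeat-7.6.0": {"mappings": {"host.name": {
    "full_name": "host.name",
    "mapping": {"name": {"type": "keyword", "ignore_above": 1024}}}}},
  "winlogbeat-example-auto": {"mappings": {"host.name": {
    "full_name": "host.name",
    "mapping": {"name": {"type": "text", "fields": {
      "keyword": {"type": "keyword", "ignore_above": 256}}}}}}},
  "winlogbeat-example-empty": {"mappings": {}}
}
""")


def classify_field(response, field):
    """Map each index in a field-mapping response to the field's status."""
    leaf = field.rsplit(".", 1)[-1]  # the API keys the inner mapping by leaf name
    statuses = {}
    for index, body in response.items():
        entry = body.get("mappings", {}).get(field)
        if entry is None:
            statuses[index] = "missing"  # field not present in this index's mapping
            continue
        mapping = entry.get("mapping", {}).get(leaf, {})
        ftype = mapping.get("type", "unknown")
        subfields = mapping.get("fields", {})
        if ftype == "text" and any(s.get("type") == "keyword" for s in subfields.values()):
            # Typical shape of a dynamically guessed string mapping.
            ftype = "text+keyword-subfield"
        statuses[index] = ftype
    return statuses


def indices_to_reindex(response, field):
    """Indices where the field exists but is not mapped as keyword."""
    return sorted(i for i, s in classify_field(response, field).items()
                  if s not in ("keyword", "missing"))


if __name__ == "__main__":
    for index, status in classify_field(SAMPLE_RESPONSE, "host.name").items():
        print(f"{index}: host.name -> {status}")
    print("reindex candidates:", indices_to_reindex(SAMPLE_RESPONSE, "host.name"))
```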