SIEM error new install


I have a filebeat from one ubuntu 20.04 and netflow going to my stack directly into elasticsearch. The stack is one server and it's running native (not in docker or anything) running 7.8. Whenever I try to open the SIEM app I get the following error.

[illegal_argument_exception] Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [event.dataset] in order to load field data by uninverting the inverted index. Note that this can use significant memory.

Any tips or tricks to get the SIEM app to work?

Hi @jclemons7, welcome back to the forum!

Your error indicates that event.dataset is being mapped to a text field instead of a keyword field. Since the filebeat index template maps event.dataset to keyword, it's possible that you did not load the index template as part of your filebeat setup.

If that's the issue, follow those instructions and you should be on your way! If not, sharing your mapping and the details of your setup will help further narrow the issue.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.