SIEM error new install

jclemons7 · July 1, 2020, 1:43am

Hello,

I have a filebeat from one ubuntu 20.04 and netflow going to my stack directly into elasticsearch. The stack is one server and it's running native (not in docker or anything) running 7.8. Whenever I try to open the SIEM app I get the following error.

[illegal_argument_exception] Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [event.dataset] in order to load field data by uninverting the inverted index. Note that this can use significant memory.

Any tips or tricks to get the SIEM app to work?

RylandHerrick · July 1, 2020, 3:33am

Hi @jclemons7, welcome back to the forum!

Your error indicates that event.dataset is being mapped to a text field instead of a keyword field. Since the filebeat index template maps event.dataset to keyword, it's possible that you did not load the index template as part of your filebeat setup.

If that's the issue, follow those instructions and you should be on your way! If not, sharing your mapping and the details of your setup will help further narrow the issue.

--
Ryland

system · July 29, 2020, 3:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic 7.9.1 - Security (SIEM) - Your visualization has error(s) - [illegal_argument_exception] SIEM	16	2246	November 9, 2020
Auditbeat - SIEM Beats auditbeat	6	1102	August 2, 2019
Fielddata error preventing Authentications tab populating SIEM	4	550	October 2, 2019
Filebeat syslog problem Beats filebeat	1	327	April 29, 2022
Illegal_argument_exception at index filebeat-7.4.0 Beats filebeat	2	559	November 16, 2020

SIEM error new install

Related topics