Threshold rules not triggering on self-made index

It's me again.

I have created a new index called ldap_delme2 with the following command:

POST ldap_delme2/_mapping
{
  "properties": {
    "@timestamp" : {
      "type" : "date"
    },
    "user.name" : {
      "type": "keyword"
    },
    "event.category": {
      "type": "text"
    },
    "event.outcome" : {
      "type": "text"
    }
  }
}

which leads to this mapping schema:

{
  "ldap_delme2" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "event" : {
          "properties" : {
            "category" : {
              "type" : "text"
            },
            "outcome" : {
              "type" : "text"
            }
          }
        },
        "user" : {
          "properties" : {
            "name" : {
              "type" : "keyword"
            }
          }
        }
      }
    }
  }
}

I have indexed this event 5 times (timestamps differ by 1 second for each entry):

POST ldap_delme2/_doc/
{
  "@timestamp" : "2020-10-08T17:00:15",
  "user.name" : "test.user",
  "event.category" : "authentication",
  "event.outcome" : "failed"
}

Which leads to an index that looks like this:

{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 6,
      "relation" : "eq"
    },
    "max_score" : 0.074107975,
    "hits" : [
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Yf7OCHUBJXM-BF0goJ6i",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:10",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Yv7OCHUBJXM-BF0gp55A",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:11",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Y_7OCHUBJXM-BF0grZ40",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:12",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "ZP7OCHUBJXM-BF0gs545",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:13",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Zf7OCHUBJXM-BF0guJ7n",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:14",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Zv7OCHUBJXM-BF0gvp59",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:15",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      }
    ]
  }
}

I created a new detection rule with these settings:

The rule is unable to produce any signal.
Now in the "Overview" tab I get a Data Fetch error that complains about the usage of non-keyword fields for aggregation, even though the user.name field is only mapped to the type keyword.

I have created a third index identical to the one I posted here except every field has the type keyword.

I am still unable to produce a single signal.
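
The Data Fetch error quoted above is about aggregating on non-keyword fields, and in the mapping shown in the post event.category and event.outcome are of type text, which Elasticsearch cannot aggregate on unless fielddata is enabled. The following is an added example, not part of the original post: it walks a `_mapping` response and lists every field a terms aggregation cannot use. The function names (`walk`, `aggregatable`, `audit`) are hypothetical, and it assumes default `doc_values` for non-text types.

```python
import json

# MAPPING is the GET ldap_delme2/_mapping response shown in the post.
MAPPING = {"ldap_delme2": {"mappings": {"properties": {
    "@timestamp": {"type": "date"},
    "event": {"properties": {
        "category": {"type": "text"},
        "outcome": {"type": "text"}}},
    "user": {"properties": {"name": {"type": "keyword"}}},
}}}}

def walk(properties, prefix=""):
    """Yield (dotted_path, field_definition) for every leaf field."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:                 # object field: recurse
            yield from walk(spec["properties"], path + ".")
        else:
            yield path, spec

def aggregatable(spec):
    """True if a terms aggregation can run directly on this field."""
    if spec.get("type") == "text":
        return bool(spec.get("fielddata", False))  # text needs fielddata=true
    return bool(spec.get("doc_values", True))      # other types rely on doc values

def audit(mapping_response):
    """Return {index: {field: advice}} for fields that cannot be aggregated."""
    report = {}
    for index, body in mapping_response.items():
        problems = {}
        for path, spec in walk(body["mappings"].get("properties", {})):
            if aggregatable(spec):
                continue
            # A multi-field such as <field>.keyword can be used instead.
            subs = [f"{path}.{n}" for n, s in spec.get("fields", {}).items()
                    if aggregatable(s)]
            problems[path] = (f"aggregate on {subs[0]}" if subs
                              else "no aggregatable sub-field")
        if problems:
            report[index] = problems
    return report

if __name__ == "__main__":
    print(json.dumps(audit(MAPPING), indent=2))
```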