Wazuh Dashboard Field Mapping Error #4

@erenruun-code

Problem:
The Wazuh dashboard displayed a search_phase_execution_exception error due to the manager.name field being mapped as a text type in OpenSearch. Text fields disable aggregations and sorting operations by default, causing dashboard visualizations to fail. The error appears like this when you refresh the dashboard:

"[WazuhError]: search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [manager.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."

Root Cause:
OpenSearch/Elasticsearch text fields are optimized for full-text search but not for operations requiring per-document field data (aggregations, sorting). The Wazuh dashboard needed to perform aggregations on the manager.name field for its visualizations.

Solution:
Enabled fielddata=true on the existing manager.name text field mapping using:

curl -k -u admin:admin -X PUT "https://localhost:9200/wazuh-alerts-*/_mapping" \
  -H 'Content-Type: application/json' \
  -d '{"properties":{"manager":{"properties":{"name":{"type":"text","fielddata":true}}}}}'

Result:
Dashboard aggregations now work properly. The fix allows the existing text field to support the required operations without needing to reindex data or change field types.

Note:
This solution uses more memory as it loads field data into memory, but resolves the immediate dashboard functionality issue.
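
A check that can be run after the mapping change above, added here as an example and not part of the original issue: it reads a `GET wazuh-alerts-*/_mapping` response and reports, per index, whether `manager.name` can be aggregated. The PUT only updates indices that exist when it runs, so indices created afterwards are worth re-checking. The sample response, index names and function names are constructed for illustration.

```python
def _index(name_mapping):
    # Helper to build one entry shaped like a GET _mapping response (constructed data).
    return {"mappings": {"properties": {"manager": {"properties": {"name": name_mapping}}}}}

# Constructed sample of a `GET wazuh-alerts-*/_mapping` response; index names are made up.
SAMPLE_RESPONSE = {
    "wazuh-alerts-4.x-2024.01.01": _index({"type": "text", "fielddata": True}),
    "wazuh-alerts-4.x-2024.01.02": _index({"type": "text"}),
    "wazuh-alerts-4.x-2024.01.03": _index({"type": "keyword"}),
    "wazuh-alerts-4.x-2024.01.04": _index(
        {"type": "text", "fields": {"keyword": {"type": "keyword"}}}),
    "wazuh-alerts-4.x-2024.01.05": {"mappings": {"properties": {}}},
}

def resolve_field(mappings, dotted):
    """Follow a dotted field name through nested 'properties'; None if unmapped."""
    node = mappings
    for part in dotted.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node

def aggregation_status(field_mapping):
    """Classify one field mapping by whether terms aggregations and sorting can use it."""
    if field_mapping is None:
        return "unmapped"
    ftype = field_mapping.get("type")
    if ftype != "text":
        return ftype  # e.g. "keyword", which supports aggregations directly
    if field_mapping.get("fielddata") is True:
        return "text+fielddata"  # works, at the memory cost the issue notes
    subfields = field_mapping.get("fields", {})
    if any(sub.get("type") == "keyword" for sub in subfields.values()):
        return "text+keyword-subfield"  # aggregate on the sub-field instead
    return "text-only"  # raises the illegal_argument_exception quoted above

def audit(mapping_response, field="manager.name"):
    """Map each index name to the aggregation status of the given field."""
    return {index: aggregation_status(resolve_field(body.get("mappings", {}), field))
            for index, body in mapping_response.items()}

def failing_indices(mapping_response, field="manager.name"):
    """Indices where aggregating on the field would still fail."""
    return sorted(i for i, s in audit(mapping_response, field).items() if s == "text-only")

if __name__ == "__main__":
    for index, status in sorted(audit(SAMPLE_RESPONSE).items()):
        print(f"{index}: {status}")
    print("still failing:", failing_indices(SAMPLE_RESPONSE))
```
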
