robcowart/synesis_lite_suricata

Visualize: Fielddata is disabled on text fields by default. Set fielddata=true on [alert.category] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory.

NetBarDJ opened this issue · 6 comments

I will need a lot more information. Elastic Stack version? OS? etc.

I have tried ELK 7 and 6.2; both have this issue. OS is Ubuntu 14.04.5 LTS.
Now I use the Dev Tools console of Kibana to set fielddata=true on alert.category, as follows:

```
POST suricata-1.0.1-2019.05.18/_mapping/
{
  "properties": {
    "alert.category": {
      "type": "text",
      "fielddata": true
    }
  }
}
```

and then the issue is fixed.
But now the new issue is how to update synlite_suricata.template.json so that "fielddata" is true.
Look forward to your reply.

I'm having the same issue and what NetBarDJ mentioned resolves the issue.
Tested with ELK 7, 6.8 and 6.2 on CentOS 7.

It isn't the correct fix. Only a workaround. The issue is that the index was created before the index template was properly loaded by the Logstash output (if using ES 7.x the index template would have definitely failed to load).

The update of this solution for 7.x is almost done.
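One way to confirm that an index was created before the template was loaded, as an added example that is not part of synesis_lite_suricata: diff the index's live mapping against the template and list the `text` fields behind the Kibana error. Both mapping blocks below are constructed samples (the assumption that the template maps `alert.category` as `keyword` is mine, not taken from the project).

```python
# Added example (not synesis_lite_suricata code): detect mapping drift between an index
# template and an index that Elasticsearch dynamic-mapped before Logstash loaded the
# template (strings become "text" + a ".keyword" multi-field). Both mappings are constructed.
TEMPLATE_PROPERTIES = {
    "alert": {"properties": {"category": {"type": "keyword"},
                             "severity": {"type": "integer"}}},
    "event": {"properties": {"host": {"properties": {"name": {"type": "keyword"}}},
                             "type": {"type": "keyword"}}},
}
KEYWORD_SUBFIELD = {"keyword": {"type": "keyword", "ignore_above": 256}}
INDEX_PROPERTIES = {  # what dynamic mapping produces for the same documents
    "alert": {"properties": {"category": {"type": "text", "fields": KEYWORD_SUBFIELD},
                             "severity": {"type": "long"}}},
    "event": {"properties": {"host": {"type": "text", "fields": KEYWORD_SUBFIELD},
                             "type": {"type": "text", "fields": KEYWORD_SUBFIELD}}},
}

def flatten_fields(props, prefix=""):
    """Return {dotted.field.name: field spec} for every leaf field in a properties block."""
    leaves = {}
    for name, spec in props.items():
        path = prefix + name
        if "properties" in spec:           # object field: recurse into its children
            leaves.update(flatten_fields(spec["properties"], path + "."))
        else:
            leaves[path] = spec
    return leaves

def mapping_drift(template_props, index_props):
    """Return {field: (template_type, index_type)} for fields whose types disagree.
    A field present on only one side reports None for the missing side."""
    t, i = flatten_fields(template_props), flatten_fields(index_props)
    drift = {}
    for field in sorted(set(t) | set(i)):
        t_type = t[field].get("type") if field in t else None
        i_type = i[field].get("type") if field in i else None
        if t_type != i_type:
            drift[field] = (t_type, i_type)
    return drift

def text_fields_without_fielddata(props):
    """Fields that trigger Kibana's 'Fielddata is disabled on text fields' error,
    mapped to their aggregatable keyword multi-field if dynamic mapping added one."""
    out = {}
    for path, spec in flatten_fields(props).items():
        if spec.get("type") == "text" and not spec.get("fielddata"):
            kws = [n for n, s in spec.get("fields", {}).items() if s.get("type") == "keyword"]
            out[path] = f"{path}.{kws[0]}" if kws else None
    return out
```

Any non-empty drift means the index must be reindexed (or deleted and recreated) after the template is loaded; enabling fielddata only hides the symptom.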

Perfect.

Updating synlite_suricata.template.json & synlite_suricata_stats.template.json from

```json
        "event": {
          "dynamic": true,
          "type": "object",
          "properties": {
            "host": {
              "type": "keyword"
            },
            "subtype": {
              "type": "keyword"
            },
            "type": {
              "type": "keyword"
            }
          }
        },
```

to

```json
        "event": {
          "dynamic": true,
          "type": "object",
          "properties": {
            "host": {
              "properties": {
                "name": {
                  "type": "keyword"
                }
              }
            },
            "subtype": {
              "type": "keyword"
            },
            "type": {
              "type": "keyword"
            }
          }
        },
```

resolved the issue.
ELK 6.8, CentOS 7