Describe the issue: We are seeing the famous NoOpTrigger Errors in Security Analytics. When examining the logs, one error dominates (MapperParsingException). We assume a relation.
[2025-10-23T09:08:07,819][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch-nodes-2] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [trigger_field]];
I do not understand either of those messages. Some pointers on how to further debug would be appreciated.
[2025-10-23T09:08:07,819][ERROR][o.o.a.u.DocLevelMonitorQueries] [opensearch-nodes-2] MapperParsingException[failed to parse]; nested: QueryShardException[No field mapping can be found for the field with name [trigger_field]];
is already the sample log. The OpenSearch logs are full of this.
And I just set up some detectors (the same that run fine in other installations). They generate the NoOp trigger errors every 10 minutes (they are scheduled to run every 5 minutes).
The “trigger_field” seems to indicate some internal problem since I do not have any logs containing a field named “trigger_field”. I do have triggers. They send a message to an external webhook.