I am currently pushing system logs using Filebeat (7.10.2) to OpenSearch (2.5.0). Filebeat contains approximately 1056 fields and their mapping is done properly. But when I create a detector using the Security Analytics plugin, I come across the following error:
log [07:05:28.384] [info][server][OpenSearchDashboards][http] http server running at http://192.168.0.185:5601
Security Analytics - DetectorsService - createDetector: StatusCodeError: [security_analytics_exception] Monitor [Yn_9m4YBW3IdnokIzN7W] can't process index [filebeat-7.10.2-2023.03.01] due to field mapping limit
    at respond (/home/opensearch/Downloads/opensearch-dashboards-2.5.0/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/home/opensearch/Downloads/opensearch-dashboards-2.5.0/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/home/opensearch/Downloads/opensearch-dashboards-2.5.0/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/home/opensearch/Downloads/opensearch-dashboards-2.5.0/node_modules/lodash/lodash.js:4991:19)
    at IncomingMessage.emit (events.js:412:35)
    at IncomingMessage.emit (domain.js:475:12)
    at endReadableNT (internal/streams/readable.js:1333:12)
    at processTicksAndRejections (internal/process/task_queues.js:82:21) {
  status: 500,
  displayName: 'InternalServerError',
  path: '/_plugins/_security_analytics/detectors',
  query: {},
  body: {
    error: {
      root_cause: [Array],
      type: 'security_analytics_exception',
      reason: "Monitor [Yn_9m4YBW3IdnokIzN7W] can't process index [filebeat-7.10.2-2023.03.01] due to field mapping limit",
      caused_by: [Object]
    },
    status: 500
Can anyone please suggest the fix?
My Filebeat index already has a mapping limit of 10,000. What else could be done?