Hi,
OpenSearch and OpenSearch Dashboards v2.13 (before 2.12, 2.11…)
System: Alma Linux.
We hardly ever use Security Analytics, but a few weeks ago it worked: I created a few rules and later deleted them. Now I tried to use it again, but unfortunately I can’t see anything: no rules, only errors.
I’ve seen https://github.com/opensearch-project/security-analytics/issues/700 and I deleted 3 .opensearch-sap indices related to Windows (I created a detector based on Windows logs), but I can still see errors.
Also, the stack trace:
org.opensearch.transport.RemoteTransportException: [itsec-data-1][x.x.x.x:9300][indices:admin/mapping/put]
Caused by: java.lang.IllegalArgumentException: Mapper for [name] conflicts with existing mapper:
    Cannot update parameter [analyzer] from [default] to [whitespace]
    at org.opensearch.index.mapper.ParametrizedFieldMapper$Conflicts.check(ParametrizedFieldMapper.java:581) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.ParametrizedFieldMapper.merge(ParametrizedFieldMapper.java:129) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.ParametrizedFieldMapper.merge(ParametrizedFieldMapper.java:77) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.ObjectMapper.doMerge(ObjectMapper.java:625) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.RootObjectMapper.doMerge(RootObjectMapper.java:353) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.ObjectMapper.merge(ObjectMapper.java:584) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.RootObjectMapper.merge(RootObjectMapper.java:348) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.Mapping.merge(Mapping.java:130) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.index.mapper.DocumentMapper.merge(DocumentMapper.java:310) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.metadata.MetadataMappingService$PutMappingExecutor.applyRequest(MetadataMappingService.java:283) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.metadata.MetadataMappingService$PutMappingExecutor.execute(MetadataMappingService.java:244) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.service.MasterService.executeTasks(MasterService.java:882) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.service.MasterService.calculateTaskOutputs(MasterService.java:434) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.service.MasterService.runTasks(MasterService.java:301) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.service.MasterService$Batcher.run(MasterService.java:212) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.service.TaskBatcher.runIfNotProcessed(TaskBatcher.java:204) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.cluster.service.TaskBatcher$BatchedTask.run(TaskBatcher.java:242) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.common.util.concurrent.ThreadContext$ContextPreservingRunnable.run(ThreadContext.java:854) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.runAndClean(PrioritizedOpenSearchThreadPoolExecutor.java:283) ~[opensearch-2.13.0.jar:2.13.0]
    at org.opensearch.common.util.concurrent.PrioritizedOpenSearchThreadPoolExecutor$TieBreakingPrioritizedRunnable.run(PrioritizedOpenSearchThreadPoolExecutor.java:246) ~[opensearch-2.13.0.jar:2.13.0]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
    at java.lang.Thread.run(Thread.java:1583) [?:?]
Also, I can’t see any .opensearch-sap* indices, but I don’t have plugins.security.system_indices.enabled: true in my settings, so it might be the reason.
Please help me make Security Analytics usable again.
Best