Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Saved object for the index pattern can not be found section to Wazuh dashboard troubleshooting #5497

Merged
merged 6 commits into from
Oct 11, 2022
Merged

Add Saved object for the index pattern can not be found section to Wazuh dashboard troubleshooting #5497

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
9553147
feature: Add the issue "Saved object for the index pattern can not be…
Desvelao Aug 2, 2022
aabe358
fix: apply the suggested changes
Desvelao Aug 4, 2022
95022f6
Editorial review
s-ocando Oct 10, 2022
332cef8
fix(troubleshooting): add emphasize-lines and rephrase comment relate…
Desvelao Oct 11, 2022
dd1f704
Update source/user-manual/wazuh-dashboard/troubleshooting.rst
Desvelao Oct 11, 2022
71f8e43
Remove extra blank line
s-ocando Oct 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
114 changes: 114 additions & 0 deletions source/user-manual/wazuh-dashboard/troubleshooting.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -107,6 +107,120 @@ Starting Wazuh 4.0 the Wazuh API username variable changed from ``user`` to ``us
password: wazuh-wui
run_as: false

Saved object for index pattern not found
----------------------------------------

Saved objects store data for later use, including dashboards, visualizations, maps, index patterns, and more.

This message indicates that there is a problem loading the information of an index pattern which should be stored in a saved object, but the dashboard is unable to find it.

This situation can happen if the indexer is reinstalled and the previously saved objects are lost, while the dashboard is running and is not restarted in the process.

Remediation
^^^^^^^^^^^

The dashboard initializes the saved objects with the index definitions when it starts, so the suggested solution is to restart the service to initialize the saved objects again.

#. Restart the Wazuh dashboard service.

.. include:: /_templates/common/restart_dashboard.rst

This will initialize the index with the required mappings.

.. note:: If the index contains data but has missing objects, the dashboard will migrate the data to a new index with the missing objects added.

If the restart does not solve the problem, we can execute this process manually:

#. Stop the Wazuh dashboard service.

.. tabs::

.. group-tab:: Systemd

.. code-block:: console

# systemctl stop wazuh-dashboard

.. group-tab:: SysV

.. code-block:: console

# service wazuh-dashboard stop

#. Identify the index or indices that have the wrong field mappings, this depends on the logged user that experiences the problem or the selected tenant. By default, the index name should start with ``.kibana``.

#. Get the field mapping for the ``type`` field for the indices that store the saved objects.

.. code-block:: console

# curl https://<WAZUH_INDEXER_IP>:9200/.kibana*/_mapping/field/type?pretty -u <wazuh_indexer_user>:<wazuh_indexer_password> -k

.. code-block:: none
:class: output
:emphasize-lines: 8,10,11,26,28,29

{
".kibana" : {
"mappings" : {
"type" : {
"full_name" : "type",
"mapping" : {
"type" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
}
}
},
".kibana_92668751_admin_1" : {
"mappings" : {
"type" : {
"full_name" : "type",
"mapping" : {
"type" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
}
}
}
}


In the output, we can see `type` field mapping for the ``.kibana`` and ``.kibana_92668751_admin_1`` indices. Note that the field mapping type for the `type` field is ``text`` and that it contains a subfield called `keyword`. This is not the expected result, the `type` field should be ``keyword``, not ``text``, and it should not include the `keyword` subfield.

These errors happened because there was no template that specified the appropriate field mappings at the time the saved object data was indexed. To solve the errors, we need to remove the index and rebuild it.

#. Delete the index or indices that store the saved objects with the wrong field mapping.

.. code-block:: console

# curl https://<WAZUH_INDEXER_IP>:9200/<INDEX/INDICES_SEPARATED_BY_COMMAS> -u <wazuh_indexer_user>:<wazuh_indexer_password> -k -XDELETE

.. code-block:: none
:class: output

{“acknowledged”:true}


#. Restart the Wazuh dashboard service.

.. include:: /_templates/common/restart_dashboard.rst

.. note:: These actions take into account that the index that stores the saved objects must have valid field mappings. The field mappings are defined through a template, so they should exist before the index is created. This template is added when Wazuh dashboard starts if it doesn’t exist.

None of the above solutions are fixing my problem
-------------------------------------------------

Expand Down