"Fields not usable in Wazuh Dashboard due to missing cached mappings"

[gokul20010530]

Describe the bug
Hi ,
I have an issue regarding field in wazuh dashboard, where I am not able to use the fields.
It is showing "No cached mapping for this field. Refresh field list from the Management > Index patterns page"
As mentioned when I have done the refresh the fields will appear in the "wazuh-alerts-*" at that moment but again go back to how it was before refreshing.

I had checked about this issue and could only find "Refresh the field list" as a solution.
But, that is not working in my case. It just works for sometime and it is reverted back to how it was before refreshing the field list.

Here are some screenshots of the issue:

This is number of fields in "wazuh-alerts-*" before refreshing.

This is number of fields after refreshing "wazuh-alerts-*"

This gets reverted back to how it was before refreshing after sometime.

Also, I would like to point out that there is no problem with default fields.

All the solution got was to refresh the field list. But it does not work out.

Wazuh version being used is version 4.7

Looking forward for a solution for this issue.

[Desvelao]

The index pattern field list of Wazuh alerts could be refreshed:

• refresh by the Wazuh dashboard (health heck and other views)
• manual refresh from Index patterns page

The index pattern related to Wazuh alerts ( wazuh-alerts-*) could be created in the health check despite there is no indices matching the index pattern, when this is done, the index pattern is created with a set of pre-defined fields (e.g. for Wazuh dashboard 4.7.0: https://github.com/wazuh/wazuh-dashboard-plugins/blob/v4.7.0-2.8.0/plugins/main/public/utils/known-fields.js that has 434 fields as you screenshot before refreshing the field list).

If the new Wazuh alerts data adds a document with a field that is not included in the current index pattern field list, you could get the message No cached mapping for this field. Refresh the field list from Management > Index patterns page in Wazuh dashboard. To solve this, you need to refresh all the fields of the index pattern (manual refresh from the indicated page or the Wazuh dashboard does it in some page). After refreshing the index pattern field list, you should not get the commented message.

The selected index pattern of Wazuh alerts could be refreshed by using Wazuh dashboard, but this should not cause you lose fields in the list meanwhile you have documents that define those fields. If for some reason, some documents of Wazuh alerts that include some "rare" fields are deleted (ISM, manual index deletion), this could cause refreshing the field list loses some fields because they are not present in the indices data (fields mapping) and if after that, new Wazuh alerts data is indexed with documents that have the deleted fields from the index pattern, you could get the same message in the same field again.

I assume you get this problem in the Wazuh alerts (wazuh-alerts-*) index pattern of the same tenant (if multitenancy is enabled).

1. How many fields does the index pattern have after the field list is reverted after sometime? If this has around the 434, maybe it is caused by a problem getting the field from the indices matching, causing the refreshes of index pattern field list by the Wazuh dashboard usage, this uses the set of pre-defined fields (434 for Wazuh 4.7.0). You could review the requests done by the browser side searching some error through the browser dev tools (Network tab) with special attention to the requests listed as _fields_for_wildcard (GET api/index_patterns/_fields_for_wildcard) reviewing the request and response in the Network tab.
2. Could you identify the time that passes after the index pattern field list is reverted? Was some Wazuh dashboard user using the Wazuh dashboard when the field list was refreshed?
3. Ensure you have some index that matches the index pattern with mapping for the "rare" fields. From Index/Indexer management > Dev tools, run the following request for the "rare" fields:

GET wazuh-alerts-*/_mapping/field/<field>

replacing the <field> placeholder.