B.19 Mapping Conflict Warning in the OpenSearch dashboard Search

Issue: OpenSearch dashboard is reporting the following mapping conflict warning:

Mapping conflict! A field is defined as several types (string,
integer, etc) across the indices that match this pattern. You may still 
be able to use these conflict fields in parts of OpenSearch dashboard, but they will 
be unavailable for functions that require OpenSearch dashboard to know their type.
Correcting this issue will require reindexing your data.

To view the issue in OpenSearch dashboard, perform the following:

  1. Launch the OpenSearch dashboard page.

  2. Click the Management tab.

  3. Under the OpenSearch dashboard section, select Index Patterns.

  4. Select security.events.normalized_*

  5. Ensure that 632 fields are indexed and that there is no mapping conflict warning.

Workaround: If fewer than 632 fields are indexed, or to fix the OpenSearch dashboard mapping conflict warning, perform the following:

  1. Delete the following index pattern from the OpenSearch dashboard Management tab:

    security.events.normalized_*

  2. Switch to the following bin directory:

    cd <sentinel-installation-path>/opt/novell/sentinel/bin

  3. Switch to the novell user:

    su novell

  4. Delete the indices from Sentinel’s OpenSearch by running the following command:

    ./OpenSearchRestClient.sh {sentinel_ip} {port used for OpenSearch} DELETE security.events.normalized_*

  5. Run the following command to apply the mapping template to the events index in Sentinel’s OpenSearch:

    ./OpenSearch_index_template.sh {sentinel-ip} {port used for OpenSearch} security.events.normalized_* 6 1

  6. Run the following command to create the index pattern in the OpenSearch dashboard:

    ./create_OpenSearch dashboard_index_pattern.sh http://{localhost}:5601 security.events.normalized_* {tenant-name}
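
To see which fields are mapped to several types before running the workaround, or to confirm that none remain afterwards, the per-index mappings can be compared. The following is an added example, not part of the Sentinel documentation or its scripts: it assumes the JSON returned by OpenSearch's `GET /security.events.normalized_*/_mapping` has been loaded, and the sample index and field names are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like the response of
# GET /security.events.normalized_*/_mapping (index and field names are made up).
SAMPLE_MAPPING = json.loads("""
{
  "security.events.normalized_20240101": {"mappings": {"properties": {
      "sev":   {"type": "integer"},
      "port":  {"type": "integer"},
      "msg":   {"type": "text", "fields": {"raw": {"type": "keyword"}}},
      "obsrv": {"properties": {"ip": {"type": "ip"}}}
  }}},
  "security.events.normalized_20240102": {"mappings": {"properties": {
      "sev":   {"type": "keyword"},
      "port":  {"type": "integer"},
      "msg":   {"type": "text", "fields": {"raw": {"type": "keyword"}}},
      "obsrv": {"properties": {"ip": {"type": "keyword"}}}
  }}}
}
""")

def flatten(properties, prefix=""):
    """Yield (dotted_field_name, type) for every leaf field and multi-field."""
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:            # object field: recurse into sub-fields
            yield from flatten(spec["properties"], path + ".")
        else:
            yield path, spec.get("type", "object")
        # Multi-fields such as msg.raw are indexed as separate fields.
        yield from flatten(spec.get("fields", {}), path + ".")

def find_conflicts(mapping_response):
    """Return {field: {type: [indices]}} for fields mapped to more than one type."""
    seen = defaultdict(lambda: defaultdict(list))
    for index, body in mapping_response.items():
        props = body.get("mappings", {}).get("properties", {})
        for field, ftype in flatten(props):
            seen[field][ftype].append(index)
    return {f: {t: sorted(ix) for t, ix in types.items()}
            for f, types in seen.items() if len(types) > 1}

if __name__ == "__main__":
    for field, types in sorted(find_conflicts(SAMPLE_MAPPING).items()):
        print(field, "->", types)
```

An empty result from `find_conflicts` means every field has a single type across the matched indices, which is the state the index pattern needs to show no mapping conflict warning.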