Dashboard errors on httpRequest.clientIp after install

[pkennedyvt]

The first index that is built has cleintIp as text. This throws the following error in the Dashboard:

Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"Fielddata is disabled on text fields by default. Set fielddata=true on [httpRequest.clientIp] in order to load fielddata in memory by uninverting the inverted index. Note that this can however use significant memory. Alternatively use a keyword field instead."}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"awswaf-2020-07-23","node":"YRRPzsdTRNKcReVxFSbKwA","reason":

Two things fix it.

• When a second index is built clientIp becomes a keyword. I think this is coming from aws-waf-dashboard/cloudformation-custom-resources/kibana-customizer-lambda/custom/template.json.
• Changing the three saved objects of Top10 IpAddresses, Filters and Unique IP count to have "field": "httpRequest.clientIp.keyword" in visiState instead of just "httpRequest.clientIp".

[Mudpuppy12]

This change worked for me

[Galal-Eltfawy]

@Mudpuppy12 how did you solve it , would you please share the modified file template.json

[dkennedy256]

How do you fix this?