Elastic SIEM "Data Fetch Failure Invalid time value"

soufiane_adn · September 21, 2020, 3:33pm

Hello guys,
i hope you are doing well,
so i'm facing a problem on the elastic siem app after parsing my logs and migrating them to ecs by logstash.
the problem is the following error on the host/ event view :
Data Fetch Failure
Invalid time value
but not on all my indexes just one of them i tried to rebuild timestamps but i still have this error.
if just someone could tell me the source of this one

thanks in the advance

ylasri · September 21, 2020, 3:43pm

We are not all guys here
Make sure all indexes used by SIEM app all have @timestamp field of type date

Under Stack Management >> Advanced Setting

soufiane_adn · September 21, 2020, 4:50pm

Hi Yassine,
thanks but the thing is all my indices have type date for the @timestamp field (same mapping)

borna_talebi · September 21, 2020, 5:30pm

Can you post an example? maybe it's a format problem?

soufiane_adn · September 23, 2020, 11:16am

Hi borna
Problem resolved.
it was an unstructured event.start format
Thanks

Frank_Hassanabad · September 25, 2020, 2:07pm

Thanks for posting that your problem was solved. I really the forums because of all the users always post their solution and what solved their problems for others to see.

system · October 23, 2020, 2:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.