Field [gcp.audit.response.status.conditions.lastHeartbeatTime] of type [flattened] doesn't support formats

AndreiRD · September 23, 2022, 3:25pm

So, I have enabled GCP Audit logs collection using the GCP integration from Elastic Agent 8.3.3.
I've had no problems so far running searches in this dataset, but as of today the next error keeps appearing, and now I can no longer searcg through the gcp.audit logs in Kibana Discover:

{
  "took": 827,
  "timed_out": false,
  "_shards": {
    "total": 256,
    "successful": 255,
    "skipped": 245,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": ".ds-logs-gcp.audit-2022.09.xx-0000xx",
        "node": "256AwbrySDuevtredacted",
        "reason": {
          "type": "illegal_argument_exception",
          "reason": "error fetching [gcp.audit.response.status.conditions.lastHeartbeatTime]: Field [gcp.audit.response.status.conditions.lastHeartbeatTime] of type [flattened] doesn't support formats.",
          "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "Field [gcp.audit.response.status.conditions.lastHeartbeatTime] of type [flattened] doesn't support formats."
          }
        }
      }
    ]
  },
  "hits": {
    "max_score": null,
    "hits": []
  }
}

It looks like some one else had a similar issue with aws logs: Illegal_argument_exception
Any idea on what can be done to fix these issues?

AndreiRD · September 23, 2022, 4:17pm

I did try to disable the Set Format option for this particular field, but the setting is not persistent. It gets reverted immediately after I press Save.

AndreiRD · September 26, 2022, 9:08am

If anyone comes across this, my temporary solution was to add gcp.audit.response.status.conditions.lastHeartbeatTime to Field filters tab in the Data View that I used.

system · October 24, 2022, 9:09am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.