So, I have enabled GCP Audit logs collection using the GCP integration from Elastic Agent 8.3.3.
I've had no problems so far running searches in this dataset, but as of today the next error keeps appearing, and now I can no longer search through the gcp.audit logs in Kibana Discover:
{
  "took": 827,
  "timed_out": false,
  "_shards": {
    "total": 256,
    "successful": 255,
    "skipped": 245,
    "failed": 1,
    "failures": [
      {
        "shard": 0,
        "index": ".ds-logs-gcp.audit-2022.09.xx-0000xx",
        "node": "256AwbrySDuevtredacted",
        "reason": {
          "type": "illegal_argument_exception",
          "reason": "error fetching [gcp.audit.response.status.conditions.lastHeartbeatTime]: Field [gcp.audit.response.status.conditions.lastHeartbeatTime] of type [flattened] doesn't support formats.",
          "caused_by": {
            "type": "illegal_argument_exception",
            "reason": "Field [gcp.audit.response.status.conditions.lastHeartbeatTime] of type [flattened] doesn't support formats."
          }
        }
      }
    ]
  },
  "hits": {
    "max_score": null,
    "hits": []
  }
}
It looks like someone else had a similar issue with AWS logs: Illegal_argument_exception
Any idea on what can be done to fix these issues?
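Added example, not part of the original post: a small triage script for a response like the one quoted above, which lists each failed shard with its backing index, field, and mapped type so the affected audit indices are easy to identify. The function names and the trimmed sample are constructed for illustration; the regular expression assumes the exact message wording shown in the post.

```python
import json
import re

# Constructed sample: the response quoted in the post, trimmed to the keys read below.
SAMPLE = json.dumps({
    "timed_out": False,
    "_shards": {
        "total": 256, "successful": 255, "skipped": 245, "failed": 1,
        "failures": [{
            "shard": 0,
            "index": ".ds-logs-gcp.audit-2022.09.xx-0000xx",
            "reason": {
                "type": "illegal_argument_exception",
                "reason": "error fetching [gcp.audit.response.status.conditions.lastHeartbeatTime]: "
                          "Field [gcp.audit.response.status.conditions.lastHeartbeatTime] "
                          "of type [flattened] doesn't support formats.",
            },
        }],
    },
    "hits": {"max_score": None, "hits": []},
})

# Matches the message text seen in the post; other failure kinds yield field=None.
FORMAT_ERR = re.compile(
    r"Field \[(?P<field>[^\]]+)\] of type \[(?P<type>[^\]]+)\] doesn't support formats")


def is_partial(raw):
    """True when at least one shard failed, i.e. the hits may be incomplete
    even though timed_out is false."""
    return json.loads(raw).get("_shards", {}).get("failed", 0) > 0


def summarize_shard_failures(raw):
    """Return one dict per failed shard: index, shard, error type, and the
    field and mapped type when the reason is the formats error."""
    rows = []
    for failure in json.loads(raw).get("_shards", {}).get("failures", []):
        reason = failure.get("reason", {})
        m = FORMAT_ERR.search(reason.get("reason", ""))
        rows.append({
            "index": failure.get("index"),
            "shard": failure.get("shard"),
            "error": reason.get("type"),
            "field": m.group("field") if m else None,
            "mapped_type": m.group("type") if m else None,
        })
    return rows


if __name__ == "__main__":
    print(is_partial(SAMPLE), summarize_shard_failures(SAMPLE))
```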