Hi,
We are encountering discrepancies between the data shown in the Data Ingestion Health Dashboard and the SecOps data.
Specifically, I am trying to view the unparsed event count in the dashboard, which outputs the unparsed count. However, when searching for the same data source in Chronicle and checking the unparsed logs under "Event Type" (searching 10,000 logs at a time), no results are returned.
Could this discrepancy be due to the tenant using autonomous parsing? If so, why does the dashboard show a different result?
Additionally, if autonomous parsing is enabled, I understand that Chronicle will parse those events and categorize them under "GENERIC_EVENT." Is there a way to identify these events, such as through a tag or another method?
Thanks,
Sumith.P
I would suggest you open a support case to check the discrepancy issues you're reporting.
For autonomous parsing, I believe it is still in preview and only some log types are supported; you can do a search via
Thank you @hzmndt for the update. Could you please tell me if there is any way we can filter the unparsed events in Chronicle rather than searching 10K logs at a time and checking the event type as Unparsed? Sometimes it is very difficult to get the unparsed events while searching 10K logs.
Thanks,
Sumith.P
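One way to sidestep the 10K-at-a-time UI limit is to export the search results and filter them locally. The script below is an added example, not code from the thread or from Google SecOps; it assumes the export is JSON lines of UDM records and uses the UDM fields `metadata.log_type` and `metadata.event_type`. It tallies events per log type, pulls out the ones landing in GENERIC_EVENT (the bucket the thread says autonomous parsing uses), and compares those counts against a dashboard unparsed count you type in, so the gap is visible per log type instead of being eyeballed.

```python
import json
from collections import Counter, defaultdict

# Constructed sample export: six UDM-style records as JSON lines.
# The field names follow UDM (metadata.log_type, metadata.event_type);
# the JSON-lines export format itself is an assumption of this example.
SAMPLE_EXPORT = """
{"metadata": {"log_type": "WINEVTLOG", "event_type": "USER_LOGIN", "product_event_type": "4624"}}
{"metadata": {"log_type": "WINEVTLOG", "event_type": "GENERIC_EVENT"}}
{"metadata": {"log_type": "WINEVTLOG", "event_type": "GENERIC_EVENT"}}
{"metadata": {"log_type": "CUSTOM_APP", "event_type": "GENERIC_EVENT"}}
{"metadata": {"log_type": "CUSTOM_APP", "event_type": "NETWORK_CONNECTION"}}
{"metadata": {"event_type": "GENERIC_EVENT"}}
"""


def load_udm_events(jsonl_text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    events = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def _meta(event, key, default):
    # Records with no metadata block (or no key) fall back to a sentinel
    # rather than raising, so one malformed export line cannot stop the run.
    return event.get("metadata", {}).get(key, default)


def summarize_by_log_type(events):
    """Return {log_type: Counter({event_type: n})} for the whole export."""
    summary = defaultdict(Counter)
    for ev in events:
        summary[_meta(ev, "log_type", "UNKNOWN")][_meta(ev, "event_type", "")] += 1
    return summary


def generic_events(events, log_type=None):
    """Events that ended up as GENERIC_EVENT, optionally for one log type."""
    return [
        ev for ev in events
        if _meta(ev, "event_type", "") == "GENERIC_EVENT"
        and (log_type is None or _meta(ev, "log_type", "UNKNOWN") == log_type)
    ]


def reconcile(summary, dashboard_unparsed):
    """Compare the dashboard's unparsed count (entered by hand, assumed) with
    the GENERIC_EVENT count found in the export, per log type.

    A positive delta means the dashboard reports more unparsed events than
    the export contains; that is the discrepancy worth raising in a case."""
    report = {}
    for log_type, dashboard_count in dashboard_unparsed.items():
        exported = summary.get(log_type, Counter())["GENERIC_EVENT"]
        report[log_type] = {
            "dashboard": dashboard_count,
            "exported_generic": exported,
            "delta": dashboard_count - exported,
        }
    return report


if __name__ == "__main__":
    evs = load_udm_events(SAMPLE_EXPORT)
    summary = summarize_by_log_type(evs)
    for lt, counts in sorted(summary.items()):
        print(lt, dict(counts))
    # Dashboard figures below are made up for the example.
    for lt, row in reconcile(summary, {"WINEVTLOG": 5, "CUSTOM_APP": 1}).items():
        print(lt, row)
```

Point the script at a real export by replacing SAMPLE_EXPORT with the file contents; the `UNKNOWN` bucket is where records without a `metadata.log_type` land, which is itself a useful thing to spot when chasing parser gaps.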