This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps
Log in to ask a question

How to view raw logs that have failed to parse?

Posted Tuesday
jonahbf
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

We developed a custom parser for our log source, and validated it with various samples in the parser IDE. However, once we put in production, the ingestion metrics dashboards indicate that 1-5% of logs fail to parse, and drop with one of the drop tags we specify in our parser.  Is there any easy way we can view logs that we know have dropped so we can identify any issues with the validation/parser? Or alternatively, is there an API or SDK we can use to test sample logs against the parser in bulk? I've tried to use Raw Logs queries to find unparsed logs, but they max out at 10k results and it always shows all of them parsed. The Search API doesn't appear to support searching raw logs

 

Note that our log source is sending only entities to the parser, no events 

 
 
0 1 43
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
dlove40
Bronze 5
Bronze 5
Reply posted on --/--/---- --:-- AM

The chronicle cli has a command to list errors. 

 
The old CBN CLI tool does as well.
https://github.com/chronicle/cbn-tool
0 Likes
Top Solution Authors
View all