Ingestion API

Community,

I recently integrated a log source using the Ingestion API. Specifically, I have a script that makes API calls, and the responses are sent to Chronicle via the Ingestion API.

The first time I ran the script, the logs were ingested successfully, and I could see them. However, after running the script 2-3 more times, even though there were no errors, the logs are not reflected in the instance, and it's been like 48 hrs.

I'm wondering what the issue could be. If the logs were ingested successfully the first time, why are they not appearing on subsequent attempts? For your info, I'm trying to ingest the same logs again. Could it be that the Ingestion API prevents sending the same logs multiple times, or something like that?

1 ACCEPTED SOLUTION

The Ingestion API uses batch IDs to track groups of logs. If you send a batch of logs with the same batch ID as a previous batch, the new logs will be discarded and not appear in your SecOps instance. Were the second/third logs you were trying to send from the same batch ID?

How can I check the batch ID, and how do I ensure that each time I run my script, the batch ID is unique?

Hi @vishnu_manu, the batch IDs are internal information only available inside Google. The batch ID will be unique as long as duplicate logs are not sent.
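
An added example, not part of the thread and not Google's code: a client-side ledger that tells the sending script which entries it has already sent, so a re-run that would be discarded as a duplicate is visible before upload. The ledger file and all function names are assumptions; the server-side batch ID logic is internal and is not reproduced here.

```python
import hashlib
import json
import os
import tempfile


def digest(entry):
    """Fingerprint one raw log entry (surrounding whitespace ignored)."""
    return hashlib.sha256(entry.strip().encode("utf-8")).hexdigest()


def load_ledger(path):
    """Digests recorded by earlier runs; a missing file means a first run."""
    if not os.path.exists(path):
        return set()
    with open(path, encoding="utf-8") as fh:
        return set(json.load(fh))


def select_new(entries, ledger_path):
    """Return (entries not sent before, count skipped as duplicates)."""
    seen = load_ledger(ledger_path)
    fresh, skipped = [], 0
    for entry in entries:
        d = digest(entry)
        if d in seen:
            skipped += 1          # sent in an earlier run or repeated in this one
            continue
        seen.add(d)
        fresh.append(entry)
    return fresh, skipped


def mark_sent(entries, ledger_path):
    """Record entries only after the ingestion call has returned success."""
    seen = load_ledger(ledger_path) | {digest(e) for e in entries}
    folder = os.path.dirname(os.path.abspath(ledger_path))
    fd, tmp = tempfile.mkstemp(dir=folder)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(sorted(seen), fh)
    os.replace(tmp, ledger_path)  # atomic swap: a crash cannot truncate the ledger


if __name__ == "__main__":
    # Constructed sample entries; the upload itself is left to the existing script.
    ledger = os.path.join(tempfile.mkdtemp(), "sent_ledger.json")
    for run in (["login user=a", "login user=b"], ["login user=a", "login user=c"]):
        fresh, skipped = select_new(run, ledger)
        print(f"send {len(fresh)}, skip {skipped} duplicate(s)")
        mark_sent(fresh, ledger)
```

Logging the skipped count on every run gives a local record of re-sent data even when the API call itself returns no error.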