This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Log Latency Dashboard

Posted on 03-05-2025 07:34 PM
AJMSecOps
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Has anyone built any SIEM Dashboards in SecOps to monitor for latency? I'm specifically interested in finding a solution to monitoring the difference between event_timestamps and ingestion_timestamps by log type. I'd want to visualize the average difference, per log type, based on whatever timeframe I search on.

Solved Solved
0 4 197
Topic Labels
Jump to Solution
0 Likes
3 ACCEPTED SOLUTIONS

Posted on --/--/---- --:-- AM
amithpatil
Staff
Reply posted on --/--/---- --:-- AM

If you're using native dashboards ,  You can write a query something similar to below to achieve this : 

 

match:
    metadata.log_type
outcome:
    $event_count = count_distinct(metadata.id)
    $event_latency = avg(metadata.ingested_timestamp.seconds - metadata.event_timestamp.seconds)

View solution in original post

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
cmorris
Staff
Reply posted on --/--/---- --:-- AM

Please try this:

metadata.log_type != ""
$logType = metadata.log_type

match:
  $logType

outcome:
  $eventTotal = count_distinct(metadata.id)
  $deltaSec = math.round((sum(metadata.ingested_timestamp.seconds) - sum(metadata.event_timestamp.seconds))/$eventTotal,0)
  $deltaMin =  math.round($deltaSec/60,2)

order:
  $deltaMin desc

View solution in original post

Jump to Solution

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

See https://medium.com/@thatsiemguy/fix-rfc3164-timestamps-with-bindplane-for-enterprise-fb96dd16d015 for some examples too

View solution in original post

Jump to Solution
0 Likes
4 REPLIES 4

Posted on --/--/---- --:-- AM
amithpatil
Staff
Reply posted on --/--/---- --:-- AM

If you're using native dashboards ,  You can write a query something similar to below to achieve this : 

 

match:
    metadata.log_type
outcome:
    $event_count = count_distinct(metadata.id)
    $event_latency = avg(metadata.ingested_timestamp.seconds - metadata.event_timestamp.seconds)
Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
cmorris
Staff
Reply posted on --/--/---- --:-- AM

Please try this:

metadata.log_type != ""
$logType = metadata.log_type

match:
  $logType

outcome:
  $eventTotal = count_distinct(metadata.id)
  $deltaSec = math.round((sum(metadata.ingested_timestamp.seconds) - sum(metadata.event_timestamp.seconds))/$eventTotal,0)
  $deltaMin =  math.round($deltaSec/60,2)

order:
  $deltaMin desc
Jump to Solution

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
Reply posted on --/--/---- --:-- AM

See https://medium.com/@thatsiemguy/fix-rfc3164-timestamps-with-bindplane-for-enterprise-fb96dd16d015 for some examples too

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
AJMSecOps
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Very helpful, so thanks to all who posted here.

Jump to Solution
Top Solution Authors
View all