I have created a custom parser for json raw data for proofpoint. I tested my parser and was able to get all required fields in UDM output.
Let say, I ingested some sample raw data around 32 via s3. There were 2 logs with incorrect json data and 30 with required format.
After waiting 5 min, I was able to see the unparsed 2 raw data events but not the other parsed 30 logs events.
I checked in ingestion dashboard to see the stats correct - Ingested 30, normalised 30, error 2
Where are the 30 ingested logs ?
Solved
Chronicle logs ingested but not appear in search for a custom parser
+1Best answer by deeshu
I hope that by this time you have seen the events in UDM search page. For the first time it takes little time to get the events displayed in UDM search page than get displayed under raw search page.
- Bronze 2
- Answer
I hope that by this time you have seen the events in UDM search page. For the first time it takes little time to get the events displayed in UDM search page than get displayed under raw search page.
+1yes surprisingly it appeared after 24hr of ingestion.
Observation:
1. If the timestamp of the indexed event is backdated to far date (in my case over 2 weeks) then it does not show the parsed log within 3-4hr of checking (unparsed appears immediately within 15 min)
2. However to see or test parsed UDM events in 10-15 min, do update the timestamps of sample logs to todays or a day before.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.