
Hey Folks,

I am fairly new to Chronicle's IDE for custom app development. I have developed an app for an unsupported log source to ingest logs from a vendor API. I have managed to create batches and successfully push logs to Chronicle. I do see HTTP response 200 for all batch POST requests. However, on the SIEM I can only find significantly fewer entries created. I validated this by rerunning the job I created several times. It's like less than 1% of total events are getting ingested. My events are properly JSON formatted and structured as per the ingestion API specs.

How can I isolate the problem? 

Hi - I would certainly need more info to be helpful but there is a limit per batch which I believe is 1MB.  

Hi @dnehoda, I had the logic implemented to not exceed a batch size of 1MB. The issue turns out to be a flaw in my logic. I am enriching entities with vulnerability info from Tenable. Now with this, as far as I have observed, if the same entities are enriched with the same info over time, they do not show up as new events in raw log search. My job kept pulling the same set of vulnerabilities due to a logic flaw which I managed to fix now. The job is working now and pulling new vulnerabilities.

The only problem that I am now trying to fix is that if multiple vulnerabilities are reported for a host as multiple entries, the vulnerability details are overwritten by the latest details, and that is messing up the final entity context.
