Skip to main content

Hi,

We are encountering discrepancies between the data shown in the Data Ingestion Health Dashboard and the SecOps data.

Specifically, I am trying to view the unparsed event count in the dashboard, which outputs the unparsed count. However, when searching for the same data source in Chronicle and checking the unparsed logs under "Event Type" (searching 10,000 logs at a time), no results are returned.

Could this discrepancy be due to the tenant using autonomous parsing? If so, why does the dashboard show a different result?

Additionally, if autonomous parsing is enabled, I understand that Chronicle will parse those events and categorize them under "GENERIC_EVENT." Is there a way to identify these events, such as through a tag or another method?

Thanks,

Sumith.P

 

I will suggest you to open a support case to check the discrepancies issues you're reporting.


For autonomous parsing, I believe still in preview, and only some log types support, you can do a search via 



extracted.fields.key = /.*/

I will suggest you to open a support case to check the discrepancies issues you're reporting.


For autonomous parsing, I believe still in preview, and only some log types support, you can do a search via 



extracted.fields.key = /.*/


Thank you @hzmndt  for the update. Could you please tell me if there is any way we can filter the unparsed events in the chronicle rather than searching 10 K logs at a time and checking the event type as Unparsed? sometime its very difficult to get the unparsed events while searching 10K logs. 

Thanks,

Sumith.P

Here’s an idea...

Why couldn’t the metadata.event_type = “UNPARSED_RAW_LOG”

Just like it is in the UI? Makes sense to me ¯\_(ツ)_/¯

Reply


Terms & ConditionsCookie settings
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.