Question

Finding Unparsed events

  • December 18, 2024
  • 6 replies
  • 211 views


Hi,

What is the best way to find unparsed events ingested in SecOps SIEM without it being a pain? So far I have been searching the raw log with regex and using Procedural Filtering for individual log sources until I collect a few hundred, and then try to work on a parser extension. This has been painful and a lot of manual work, and the chance of missing unparsed events is high for us (considering the volume of data we ingest and the search result cap limiting the returned events to x results (10,000 by default)).

 

I believe there should be a way for searching for just unparsed logs so that we have better visibility of what we are missing out on. 

6 replies

  • Bronze 2
  • December 19, 2024

You can now run raw searches through the UDM search page.

 


chrisproudley
Staff

Hello @srijankafle, the raw scan is your best approach. A few pointers that might help narrow things down a little:

  • .* is a nice broad wildcard to leverage
  • A dropdown of log sources (types) can be selected to narrow the search to a specific type of data, e.g.

  • A time boundary is always applied to raw search, could this be narrowed further from whatever you're using?

If the above doesn't get you further ahead, you might find some more answers here: https://cloud.google.com/chronicle/docs/investigation/search-raw-log or feel free to follow up here with further questions.


  • Author
  • Bronze 2
  • January 28, 2025


Hi @chrisproudley ,

We are currently using the same method. However, in an MSSP environment where thousands of events are ingested every few seconds, finding the unparsed log is like searching for a needle in a haystack.

We have reached a point where we have to reduce the timeframe to only include a few minutes of logs (as the maximum result is capped), identify unparsed logs, and repeat this until we assume there are no other logs missing.
We are searching for a way to search just for unparsed logs. As an engineer, this is a very crucial part of the task that we would need, and I do not see this being discussed anywhere else.


mogriffs
  • Bronze 1
  • November 5, 2025

I’m still stuck with the same issue. The solution to apply a procedural filter (or the post-search filter suggested above) doesn’t work because the results cap at 10k which are all parsed fine, leading to a very misleading “No results found”. This solution above only works in tiny environments.

 

This is a fundamental SOC/SIEM maintenance task so it should be supported directly in the UI with a method that works in high volume environments.


cmmartin_google
Staff

We recently released this functionality in UDM Search:

 

raw = /.+/ parsed = false
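The following added example (not from the thread or from Google) models why the earlier approach fails at volume: filtering for unparsed events client-side after a capped search undercounts them, while putting the parsed=false predicate into the query, as in the reply above, does not. The event records, log-type names and the search function are a constructed stand-in, not the SecOps data model or API.

```python
"""Constructed illustration: post-filtering a capped result set misses unparsed
events; filtering in the query (raw = /.+/ parsed = false) finds them all."""
import re
from collections import Counter

RESULT_CAP = 10_000  # default result cap mentioned in the thread

# Constructed log-source names (assumed, not from the original page).
LOG_TYPES = ["VENDOR_A_FW", "VENDOR_B_PROXY", "VENDOR_C_EDR"]


def constructed_events(parsed_total: int = 50_000, stride: int = 2_500) -> list:
    """Build a newest-first result set: a high-volume parsed source with one
    unparsed event from a rotating source every `stride` records."""
    events = []
    for i in range(parsed_total):
        events.append({"log_type": "WINDOWS_EVENT",
                       "raw": f"EventID=4624 seq={i}", "parsed": True})
        if i % stride == 0:
            k = i // stride
            events.append({"log_type": LOG_TYPES[k % len(LOG_TYPES)],
                           "raw": f"unrecognised record {k}", "parsed": False})
    return events


def search(events, raw_regex: str, parsed=None, cap: int = RESULT_CAP):
    """Stand-in search: apply the predicates, then truncate to `cap` like the UI."""
    pattern = re.compile(raw_regex)
    hits = [e for e in events
            if pattern.search(e["raw"]) and (parsed is None or e["parsed"] == parsed)]
    return hits[:cap]


def unparsed_by_post_filter(events):
    """The painful approach: broad raw search, then filter client-side (after the cap)."""
    return [e for e in search(events, r".+") if not e["parsed"]]


def unparsed_by_query(events):
    """The approach from the reply above: parsed=false is part of the query,
    so the cap applies only to genuinely unparsed events."""
    return search(events, r".+", parsed=False)


def unparsed_counts_by_type(events) -> Counter:
    """Group unparsed hits by source so parser-extension work can be prioritised."""
    return Counter(e["log_type"] for e in unparsed_by_query(events))


if __name__ == "__main__":
    ev = constructed_events()
    print(len(unparsed_by_post_filter(ev)), "found by post-filter vs",
          len(unparsed_by_query(ev)), "by query;", dict(unparsed_counts_by_type(ev)))
```

With the constructed data, the post-filter sees only the 4 unparsed events that fall inside the first 10,000 results, while the query returns all 20 and groups them by source.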

 


mogriffs
  • Bronze 1
  • November 12, 2025

That’s the ticket, thanks!