
I have multiple devices with the same Logtype, and I would like to calculate and display the amount of logs being ingested into SecOps for each device.

I was able to display the log capacity for each Logtype using the following:

$Log_Type = ingestion.log_type
match:
  $Log_Type
outcome:
  $Total_Size_GB = math.round(sum(ingestion.log_volume) / (1024 * 1024 * 1024), 1)
order:
  $Total_Size_GB desc
limit:
  50

Is there a way to display the log capacity for each principal.asset.hostname or principal.hostname?

Thank you in advance.

If you know all the hostnames you can use a ref list. If you have a ref list where you can use a regex identifier, I believe you could use that in your query and the results would point to your hostname.


You'd need to create a hostname variable $hostname = principal.hostname and then match on $hostname too.


The events data source (containing hostname mappings) is separate from the ingestion data source (that you are querying) and joins aren't supported at this time, so I don't believe you will be able to use this query to aggregate volume based on host. You could aggregate on ingestion source, but that won't be at the individual hostname level. 


Hello,

Thank you for your reply.
I understand that it is not currently possible to aggregate logs by host name.
Thank you very much.

