Solved

I want to create a dashboard that displays the log volume for each asset using Native Dashboard.

  • March 22, 2025
  • 4 replies
  • 182 views

keiS

I have multiple devices with the same Logtype, and I would like to calculate and display the amount of logs being ingested into SecOps for each device.

I was able to display the log capacity for each Logtype using the following:

$Log_Type = ingestion.log_type
match:
$Log_Type
outcome:
$Total_Size_GB = math.round(sum(ingestion.log_volume) / (1024 * 1024 * 1024), 1)
order:
$Total_Size_GB desc
limit:
50

Is there a way to display the log capacity for each principal.asset.hostname or principal.hostname?

Thank you in advance.

Best answer by cmorris


4 replies

dnehoda
Staff
  • Staff
  • March 24, 2025

If you know all the hostnames you can use a ref list. If you have a ref list where you can use a regex identifier, I believe you could use that in your query and the results would point to your hostname.

You'd need to create a hostname variable $hostname = principal.hostname and then match on $hostname too.


cmorris
Staff
  • Staff
  • Answer
  • March 24, 2025

The events data source (containing hostname mappings) is separate from the ingestion data source (that you are querying) and joins aren't supported at this time, so I don't believe you will be able to use this query to aggregate volume based on host. You could aggregate on ingestion source, but that won't be at the individual hostname level. 
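Since the ingestion metrics source has no hostname and cannot be joined to events, the closest per-host view comes from the events data source itself. The following is an added example, not code from any poster in this thread: it counts events per principal.hostname for one log type (a count of events, not ingested bytes). The log type value is a placeholder assumption.

```yara-l
// Added example: per-host EVENT COUNT from the UDM events data source.
// Bytes ingested only exist in the ingestion metrics source, so this
// query reports event counts as a proxy for which hosts are noisiest.
// "WINEVTLOG" is a placeholder; substitute the log type you want to inspect.
metadata.log_type = "WINEVTLOG"
principal.hostname != ""
$hostname = principal.hostname
$log_type = metadata.log_type
match:
  $hostname, $log_type
outcome:
  $event_count = count(metadata.id)
order:
  $event_count desc
limit:
  50
```

Compare the per-host counts with the per-log-type volume from the ingestion query to estimate each host's share; it is an approximation, since event sizes differ.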


keiS
  • Author
  • Bronze 4
  • March 25, 2025

Hello,

Thank you for your reply.
I understand that it is not currently possible to aggregate logs by host name.
Thank you very much.


chicoqueiroga

If you have enabled silent host monitoring, you can look up ingestion metrics in the API using a query like this:


ingestion.log_type != ""
ingestion.component = "Ingestion API"
$log_types = ingestion.log_type
$log_sources = ingestion.ingestion_source
match:
$log_types, $log_sources
outcome:
$size_GB = math.round(sum(ingestion.log_volume) / (1024 * 1024 * 1024), 1)
order:
$size_GB desc
limit:
50


However, we need to verify the ingestion_source attribute in Ingestion Metrics.


refs:

https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema#ingestion_api_schema

https://medium.com/@thatsiemguy/native-dashboards-preview-in-chronicle-siem-eacb3e0824f3

https://docs.bindplane.com/how-to-guides/google-secops/google-secops-silent-host-monitoring