If you know all the hostnames, you can use a ref list. If you have a ref list where you can use a regex identifier, I believe you could use that in your query and the results would point to your hostname.
You'd need to create a hostname variable $hostname = principal.hostname and then match on $hostname too.
The events data source (containing hostname mappings) is separate from the ingestion data source (that you are querying) and joins aren't supported at this time, so I don't believe you will be able to use this query to aggregate volume based on host. You could aggregate on ingestion source, but that won't be at the individual hostname level.
Hello,
Thank you for your reply.
I understand that it is not currently possible to aggregate logs by host name.
Thank you very much.
If you have enabled silent host monitoring, you can look up ingestion metrics in the API using a query like this:
ingestion.log_type != ""
ingestion.component = "Ingestion API"
$log_types = ingestion.log_type
$log_sources = ingestion.ingestion_source

match:
  $log_types, $log_sources

outcome:
  $size_GB = math.round(sum(ingestion.log_volume) / (1024 * 1024 * 1024), 1)

order:
  $size_GB desc

limit:
  50
However, we need to verify the ingestion_source attribute in Ingestion Metrics.
refs:
https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema#ingestion_api_schema
https://medium.com/@thatsiemguy/native-dashboards-preview-in-chronicle-siem-eacb3e0824f3
https://docs.bindplane.com/how-to-guides/google-secops/google-secops-silent-host-monitoring
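To make the semantics of the ingestion-metrics query above concrete, here is an added Python example (not code from the thread or from Google) that performs the same aggregation offline: keep only rows with a non-empty log_type and component "Ingestion API", group by (log_type, ingestion_source), sum log_volume, convert bytes to GB using the query's 1024^3 divisor, round to one decimal, and return the top N in descending order. The input rows are constructed sample data and the field names are assumed to match the ingestion-metrics schema the query references; the helper is useful for sanity-checking numbers returned by the API against raw metric rows.

```python
from collections import defaultdict

# Constructed sample ingestion-metric rows (not real Chronicle output).
# Each dict mirrors the fields the YARA-L query filters, groups and sums on.
GIB = 1024 ** 3
SAMPLE_ROWS = [
    {"log_type": "WINEVTLOG", "ingestion_source": "collector-a",
     "component": "Ingestion API", "log_volume": 3 * GIB},
    {"log_type": "WINEVTLOG", "ingestion_source": "collector-a",
     "component": "Ingestion API", "log_volume": 512 * 1024 ** 2},
    {"log_type": "CS_EDR", "ingestion_source": "collector-b",
     "component": "Ingestion API", "log_volume": GIB + 200 * 1024 ** 2},
    # Excluded by the query: empty log_type
    {"log_type": "", "ingestion_source": "collector-c",
     "component": "Ingestion API", "log_volume": 10 * GIB},
    # Excluded by the query: different component
    {"log_type": "CS_EDR", "ingestion_source": "collector-b",
     "component": "Forwarder", "log_volume": 10 * GIB},
]


def aggregate_ingestion(rows, component="Ingestion API", limit=50):
    """Replicate the query: filter, group by (log_type, ingestion_source),
    sum log_volume, convert to GB (1024^3), round to 1 decimal, sort desc, limit."""
    totals = defaultdict(int)
    for row in rows:
        # Same predicates as `ingestion.log_type != ""` and
        # `ingestion.component = "Ingestion API"`.
        if row["log_type"] == "" or row["component"] != component:
            continue
        totals[(row["log_type"], row["ingestion_source"])] += row["log_volume"]

    results = [
        {"log_type": log_type, "ingestion_source": source,
         "size_GB": round(total_bytes / GIB, 1)}
        for (log_type, source), total_bytes in totals.items()
    ]
    # `order: $size_GB desc` then `limit: 50`
    results.sort(key=lambda r: r["size_GB"], reverse=True)
    return results[:limit]


if __name__ == "__main__":
    for entry in aggregate_ingestion(SAMPLE_ROWS):
        print(f'{entry["log_type"]:<12} {entry["ingestion_source"]:<12} {entry["size_GB"]:>6} GB')
```

Note that, as the earlier reply points out, nothing in these rows carries a hostname: aggregation stops at the (log_type, ingestion_source) level, which is exactly the limitation the query inherits.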