Ingesting the same entity with different severity levels
Hi Community,
I have ingested two entities with the same IOC data at the same time, with different severity level fields. The raw log search shows both entries, but in UDM Search only the latest entry is visible.
Is this expected behavior?
What should happen when I ingest the same entity with different severity levels and different interval start times?
Will both entries be visible in the dashboard, or will only the latest entity be visible?
My concern is that when similar entities are ingested, only the latest entry should be visible in the dashboard. Do I need to use the `window.last` function if the latest entry is not being considered?
[Screenshot: Entity with LOW severity]
[Screenshot: Entity with HIGH severity]
[Screenshot: UDM Search shows latest entry]
Hi @jaymin. The scenario you are describing is one in which you are ingesting an entity multiple times, and where you can see each of these multiple instances in raw log search, but outside of raw log search you only see a single entity. Is that correct?
This is by design; when an entity is ingested multiple times, each of those ingested entries will show up as its own raw log. Once the raw logs are processed and normalized into UDM, only a single instance of this entity will exist as part of the entity graph.
The following documentation has additional detail around this behavior.
Hi @vaskenh, thank you for your response. As you confirmed, an entity will have only a single instance in the entity graph, even when ingested multiple times.

Issue I'm experiencing: I'm building a dashboard for entities and noticed inconsistent behavior when querying the same entity (192.168.0.1) that was ingested multiple times with different severity, risk scores, and timestamps:
[Screenshot: Raw log search for the entity]
- When searching within the entity's default time range: only the latest entry appears (expected).
- When extending the search to include past dates (e.g., 3 days prior): older entries of the same entity become visible.
[Screenshot: Multiple entities visible in UDM Search]
Expected behavior: based on our previous discussion and Chronicle's documentation, I expected that regardless of the time range selected, only the latest version of an entity would be displayed in the dashboard.
[Screenshot: Dashboard without `window.last`]
Current workaround: I've implemented `window.last()` to ensure only the latest entry appears, but this approach requires:
1. Applying it separately to each field (severity, risk score, ingestion time).
2. Working around the limitation that `window.last()` only accepts string parameters; I get this error when trying it with enum types:
compilation error compiling query: validating query: expect type [int bytes bool], got type backstory.SecurityResult.ProductSeverity for "$severity"
[Screenshot: Issue with `window.last`]
Question: Is there a more efficient approach to ensure dashboards always display only the latest entity data regardless of the selected time range? Or is using `window.last()` for each field the recommended solution?
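The behaviour discussed in this thread can be reproduced locally. The following is an added example and is not Chronicle / Google SecOps code or anything posted by the participants: it builds a few constructed entity versions for 192.168.0.1 (three ingests over three days, with LOW/HIGH/MEDIUM severity) and one for a second IP, shows how widening the time range makes older versions reappear as rows, reduces to one row per entity by newest interval start, and mimics a `window.last`-style aggregation that rejects enum-typed values (as in the compiler error above) unless they are first converted to an int rank. The `Severity` enum, `EntityVersion` record and `window_last` helper are assumptions made for the illustration, not UDM types or functions.

```python
"""Added example (not Chronicle/Google SecOps code): simulate what a dashboard
query sees when the same entity was ingested several times, and the
"keep only the latest version per entity" reduction the thread is after.
All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Severity(IntEnum):
    """Assumed stand-in for an enum-typed UDM severity field."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class EntityVersion:
    """Assumed shape of one ingested version of an entity."""
    ip: str
    severity: Severity
    risk_score: int
    interval_start: datetime


NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)

# Constructed: 192.168.0.1 ingested three times over three days, 10.0.0.5 once.
VERSIONS = [
    EntityVersion("192.168.0.1", Severity.LOW, 20, NOW - timedelta(days=3)),
    EntityVersion("192.168.0.1", Severity.HIGH, 90, NOW - timedelta(days=1)),
    EntityVersion("192.168.0.1", Severity.MEDIUM, 55, NOW - timedelta(hours=2)),
    EntityVersion("10.0.0.5", Severity.HIGH, 80, NOW - timedelta(hours=5)),
]


def in_range(versions, start, end):
    """Raw-search style view: every ingested version inside the window is a row,
    so widening the window brings older versions of the same entity back."""
    return [v for v in versions if start <= v.interval_start <= end]


def latest_per_entity(versions):
    """Whole-record reduction: one row per entity, the version with the newest
    interval_start wins. Because the whole record is kept, severity and risk
    score always come from the same ingest."""
    latest = {}
    for v in versions:
        cur = latest.get(v.ip)
        if cur is None or v.interval_start > cur.interval_start:
            latest[v.ip] = v
    return latest


def window_last(values, order_keys):
    """Mimics a window.last(value, ordering) aggregation over a typed column.
    Only plain int/bytes/bool values are accepted, mirroring the compiler error
    quoted in the thread; enum values must be converted before calling this."""
    for val in values:
        if type(val) not in (int, bytes, bool):
            raise TypeError(f"expect type [int bytes bool], got type {type(val).__name__}")
    idx = max(range(len(values)), key=lambda i: order_keys[i])
    return values[idx]


def enum_rejected(versions, ip):
    """True if passing the raw enum column to window_last fails, as it does."""
    rows = [v for v in versions if v.ip == ip]
    try:
        window_last([v.severity for v in rows], [v.interval_start for v in rows])
    except TypeError:
        return True
    return False


def latest_severity(versions, ip):
    """Per-field workaround: convert the enum to an int rank, take the last
    value ordered by interval_start, and map the rank back to the enum."""
    rows = [v for v in versions if v.ip == ip]
    rank = window_last([int(v.severity) for v in rows],
                       [v.interval_start for v in rows])
    return Severity(rank)


if __name__ == "__main__":
    print("last 24h rows:", len(in_range(VERSIONS, NOW - timedelta(days=1), NOW)))
    print("last 3 days rows:", len(in_range(VERSIONS, NOW - timedelta(days=3), NOW)))
    for ip, v in latest_per_entity(VERSIONS).items():
        print(ip, v.severity.name, v.risk_score)
    print("enum rejected:", enum_rejected(VERSIONS, "192.168.0.1"))
    print("latest severity:", latest_severity(VERSIONS, "192.168.0.1").name)
```

The point of `latest_per_entity` versus the per-field approach is that reducing on the whole record guarantees the severity and risk score shown together come from the same ingest; applying a last-value aggregation field by field only gives the same guarantee when every field is ordered by the same key.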