Skip to main content
Solved

Is there any way I can see which raw logs ingested into Google SecOps don’t have a parser yet?

  • April 7, 2026
  • 1 reply
  • 50 views
Dome
Forum|alt.badge.img+4

Simple Question:

Is there any way to identify which raw logs ingested into Google SecOps do not yet have a parser?

There are many teams ingesting logs into my Google SecOps, and I would like to identify which logs do not yet have an active parser. Is there a way to view or report on logs that are not yet parsed?

Best answer by hzmndt

try below:

Use the raw= format

When using the raw= format, use these parameters to filter raw logs:

  • parsed: Filters logs based on their parsing status.

    • parsed=true: Returns only parsed logs.
    • parsed=false: Returns only unparsed logs.

  • log_source=IN["log_source_name1", "log_source_name2"]: Filters by log type.


https://docs.cloud.google.com/chronicle/docs/investigation/filter-data-raw-log-scan-view

1 reply

hzmndt
Staff
Forum|alt.badge.img+11
  • hzmndt
  • Staff
  • Answer
  • April 7, 2026

try below:

Use the raw= format

When using the raw= format, use these parameters to filter raw logs:

  • parsed: Filters logs based on their parsing status.

    • parsed=true: Returns only parsed logs.
    • parsed=false: Returns only unparsed logs.

  • log_source=IN["log_source_name1", "log_source_name2"]: Filters by log type.


https://docs.cloud.google.com/chronicle/docs/investigation/filter-data-raw-log-scan-view

    Terms & ConditionsAccessibility statement
    Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

    © 2025 Google. All rights reserved.