+4Simple Question:
Is there any way to identify which raw logs ingested into Google SecOps do not yet have a parser?
There are many teams ingesting logs into my Google SecOps, and I would like to identify which logs do not yet have an active parser. Is there a way to view or report on logs that are not yet parsed?
+11try below:
raw= formatWhen using the raw= format, use these parameters to filter raw logs:
parsed: Filters logs based on their parsing status.
parsed=true: Returns only parsed logs.parsed=false: Returns only unparsed logs.log_source=IN["log_source_name1", "log_source_name2"]: Filters by log type.
https://docs.cloud.google.com/chronicle/docs/investigation/filter-data-raw-log-scan-view
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.