+2I am trying to create a view to have time difference between <now()> and <metadata.ingested_timestamp(max) Time> value. And to then set an alert, dashboard etc when value of <time difference> is greater then (X) hrs.
While i am doing so getting strange values in time diff. Anyone can suggest what i am doing wrong here.????
Time difference custom field code expression
You can try with
diff_hours(now(),${ingestion_metric_with_ingestion_stats.timestamp_time})
+2Hi,
Dashboards using Looker Embedded are leveraging data from BigQuery database that is not real-time (data is pushed in it several times a day). Therefore you can have a gap of several hours between last log and now and it might not be the best way to know if you have an issue on your collection.
If your use case is indeed to be notified in case there is no logs from a source or a forwarder since X hours, I'm suggesting using your GCP tenant and the metrics from the SIEM to create Alerting policies (Monitoring > Alerting in GCP).
You can find the official documentation here: https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.
