PARSING-NORMALIZATION errors

  • January 15, 2025
  • 10 replies
  • 99 views

Hello Community,

How can I identify parsing and normalization errors in Chronicle SIEM, please?
Thanks

10 replies

rajukg11
  • Staff
  • January 15, 2025

sudeep_singh
  • Bronze 1
  • January 16, 2025

Hi @Rached1996,

In Google SecOps, under SIEM Dashboards, the Data Ingestion and Health dashboard has a tile named "Ingestion - Events by Log Type", where you can see the normalized events, parsing errors, etc.


Rached1996
  • Author
  • Silver 2
  • January 16, 2025


Can I search these errors through UDM?
I want to know where exactly the error is, for example for the O365 log type.


manoj610
  • New Member
  • January 16, 2025

Hi Rached,

Use this link to get the parser errors:
Google Security Operations CLI User Guide  |  Google Cloud


sudeep_singh
  • Bronze 1
  • January 17, 2025

Hi @Rached1996,

I'm not sure about getting the error through UDM, but if you do a raw log search and then look at the event_type, there will be unparsed logs, and you can check which logs are getting errors and fine-tune the parser accordingly.


Rached1996
  • Author
  • Silver 2
  • January 20, 2025

Thanks for the reply.
How can I know where the problem is in the parser? I mean the problem causing the unparsed log.


sudeep_singh
  • Bronze 1
  • January 20, 2025

Hi @Rached1996,

While validating the parser, you will see which particular log is having an error.
With that particular log you will see what the error is and can make the necessary changes in the parser.


rajukg11
  • Staff
  • January 20, 2025

Also, you can look for the unparsed logs in the UI. You should go to Legacy Raw Log Search (top right on SIEM search) and then do an RLS on the log type you are interested in. Once the results show up, on the right side in the Procedural Filtering, choose the Event Type drop-down, look for Unparsed logs and choose "show only" on that.


HubCity_mtb
  • Bronze 1
  • April 3, 2025

I was wondering why the current search capability does not have the procedural filter either. I can see events tagged as Type of "unparsed_raw_log" in the raw logs table, but the Aggregations filter does not recognize these and there is no filter to only show "unparsed_raw_log" types in the current UI. Why is this? I'd assume the legacy search will one day go away; it seems inefficient to keep two search tools.
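Added example (not code from any poster in this thread, nor from Google SecOps): a small offline triage script that does what rajukg11's "Event Type = Unparsed logs" procedural filter and the aggregation HubCity_mtb is missing would do in the UI. It assumes raw log search results have been exported as JSON Lines with the field names `log_type`, `event_type` and `raw_log` (assumed names; adjust to whatever your export uses) and keys on the `unparsed_raw_log` event type mentioned above. Per log type it reports the unparsed ratio, lists distinct failing raw lines, and gives a coarse hint for each (malformed JSON, well-formed JSON the parser did not handle, or a non-JSON line in the feed), which is the first thing to know before opening the parser.

```python
"""Offline triage of unparsed raw logs (added example; not Chronicle/SecOps code).

Assumes raw-log search results were exported as JSON Lines, one record per
line, with the (assumed) field names log_type, event_type and raw_log. The
event type string "unparsed_raw_log" is the one mentioned in the thread.
"""
import json
import sys
from collections import Counter

UNPARSED = "unparsed_raw_log"

# Constructed sample records standing in for an export; not real SecOps data.
SAMPLE_RECORDS = [
    {"log_type": "OFFICE_365", "event_type": "USER_LOGIN",
     "raw_log": '{"Operation":"UserLoggedIn","UserId":"alice@example.com"}'},
    {"log_type": "OFFICE_365", "event_type": UNPARSED,
     "raw_log": '{"Operation":"NewFeatureOp","Unexpected":true'},  # truncated JSON
    {"log_type": "OFFICE_365", "event_type": UNPARSED,
     "raw_log": 'Jan 16 10:22:01 not json at all'},                 # non-JSON line
    {"log_type": "OFFICE_365", "event_type": UNPARSED,
     "raw_log": '{"Operation":"NewFeatureOp","Unexpected":true'},  # repeat of above
    {"log_type": "WINEVTLOG", "event_type": "PROCESS_LAUNCH",
     "raw_log": '<Event><EventID>4688</EventID></Event>'},
]


def load_jsonl(path):
    """Read one JSON object per line; blank lines are skipped."""
    with open(path, encoding="utf-8") as fh:
        return [json.loads(line) for line in fh if line.strip()]


def unparsed_summary(records):
    """Per log type: total events, unparsed events and the unparsed ratio."""
    totals, unparsed = Counter(), Counter()
    for rec in records:
        log_type = rec.get("log_type", "UNKNOWN")
        totals[log_type] += 1
        if rec.get("event_type") == UNPARSED:
            unparsed[log_type] += 1
    return {
        lt: {"total": totals[lt], "unparsed": unparsed[lt],
             "ratio": unparsed[lt] / totals[lt]}
        for lt in totals
    }


def unparsed_samples(records, log_type, limit=5):
    """Distinct raw_log strings that failed to parse for one log type."""
    seen = []
    for rec in records:
        if rec.get("log_type") != log_type or rec.get("event_type") != UNPARSED:
            continue
        raw = rec.get("raw_log", "")
        if raw not in seen:
            seen.append(raw)
        if len(seen) >= limit:
            break
    return seen


def classify_raw(raw):
    """Coarse hint for why a line failed: malformed JSON, well-formed JSON the
    parser did not handle (e.g. a new Operation), or a non-JSON line in the feed."""
    text = raw.strip()
    if text.startswith(("{", "[")):
        try:
            json.loads(text)
        except json.JSONDecodeError:
            return "malformed_json"
        return "json_unhandled_shape"
    return "non_json"


def main(argv):
    # With a path argument, triage a real export; without one, the constructed sample.
    records = load_jsonl(argv[1]) if len(argv) > 1 else SAMPLE_RECORDS
    for log_type, stats in sorted(unparsed_summary(records).items()):
        print(f"{log_type}: {stats['unparsed']}/{stats['total']} unparsed "
              f"({stats['ratio']:.0%})")
        for raw in unparsed_samples(records, log_type):
            print(f"  [{classify_raw(raw)}] {raw[:80]}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python triage_unparsed.py export.jsonl`; with no argument it runs over the constructed sample. The "json_unhandled_shape" bucket is the one that usually points at a parser gap (a field or operation the parser has no branch for), while "malformed_json" and "non_json" usually point at the feed or forwarder rather than the parser.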