Namaste everyone,
Since the raw search function has a limitation of 10,000 logs, it's difficult to identify which logs are failing to parse. Does anyone know how to find unparsed logs using the SIEM UI? We don't have CLI access, so solutions that leverage the SIEM UI would be greatly appreciated.
Hey @Indra,
Does this help at all - performing a raw log (it could be a regex with a .*), then applying a procedural filter on 'Event Type' to 'Unparsed Log'.
Kind Regards,
Ayman C
Hi @Indrajeet_D
If you have access to the backstory key for the tenant you could use the Colab notebook written by Eugene (@google). There is a section titled "List CBN Parser Errors";
When customer-specific and default parsers encounter errors, they are captured and saved. This endpoint retrieves the errors generated by a specific logType over a defined time range. It returns a maximum of 1000 errors with each request.Using the backstory key for a tenant you can pull the errors in JSON (up-to 1000 events) and download for review.
Contact your Google SecOps partner for access to the Colab notebook.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.