This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Log source stopped reporting from last (x) days

Posted on 06-20-2024 11:58 PM
yadavmanjeet65
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am trying to create a view to have time difference between <now()>  and <metadata.ingested_timestamp(max) Time> value. And to then set an alert, dashboard etc when value of  <time difference> is greater then (X) hrs. 

While i am doing so getting strange values in time diff. Anyone can suggest what i am doing wrong here.????

yadavmanjeet65_0-1718952952334.png

Time difference custom field code expression

yadavmanjeet65_1-1718953016421.png

 

 

 

0 2 86
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
Dev_Choudhary
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi @yadavmanjeet65 

You can try with 

diff_hours(now(),${ingestion_metric_with_ingestion_stats.timestamp_time})

 

Dev_Choudhary_0-1719031022710.png

 

Posted on --/--/---- --:-- AM
jpetitg
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Hi,

Dashboards using Looker Embedded are leveraging data from BigQuery database that is not real-time (data is pushed in it several times a day). Therefore you can have a gap of several hours between last log and now and it might not be the best way to know if you have an issue on your collection.

If your use case is indeed to be notified in case there is no logs from a source or a forwarder since X hours, I'm suggesting using your GCP tenant and the metrics from the SIEM to create Alerting policies (Monitoring > Alerting in GCP).

You can find the official documentation here: https://cloud.google.com/chronicle/docs/ingestion/ingestion-notifications-for-health-metrics

Top Solution Authors
View all