Overview of data ingestion metrics - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Learn more about the data ingestion health metrics in the metrics_source dataset and the metrics_view preset.

The data ingestion metrics are calculated in 5-minute aggregation periods and saved to the metrics_source dataset and the metrics_view preset. These metrics measure the amount, size, and rate at which logs are ingested by a data source:

Metric               Description
total_size_bytes     Total size (in bytes) of the logs collected during the aggregation period.
total_size_rate      Average size (in bytes per second) of the logs collected during the aggregation period.
total_event_count    Total number of logs collected during the aggregation period.
total_event_rate     Average number (in count per second) of logs collected during the aggregation period.

In the metrics_source dataset, the data ingestion metrics are saved alongside additional fields that describe the data source the metrics belong to. Only entries whose ingestion metric values are greater than zero are saved in this dataset; entries with zero values are not. metrics_view is a preset over the data in the metrics_source dataset. At runtime, the preset also simulates the missing entries with zero values for the data ingestion metrics, so that a period in which a source collected nothing appears as an explicit zero rather than as an absent row; this is what makes the metrics usable for detecting gaps. Therefore, when investigating disruptions in data collection, we recommend using the metrics_view preset in XQL queries and correlation rules.

Cortex XSIAM's built-in data ingestion monitoring and alerts mechanism uses the data ingestion metrics to identify disruptions in the data ingestion pipeline. Using analytical logic, Cortex XSIAM creates an ingestion baseline for each data source that reflects the routine pattern of log collection. If a data source isn't ingesting logs, or there is a significant deviation from the baseline, ingestion alerts are triggered. You can see all ingestion alerts on the Health Alerts page. To troubleshoot or investigate an alert, right-click the alert and click Investigate in XQL query. For more information, see Investigate and resolve health alerts.

In addition, you can create your own custom logic for data ingestion health monitoring by setting up correlation rules that monitor the data ingestion metrics. For more information, see Creating correlation rules to monitor data ingestion health.
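The following Python script is an added illustration of the mechanics described above; it is not Cortex XSIAM's implementation and does not query XQL. It aggregates a constructed set of log records into 5-minute periods, derives the four metrics (total_size_bytes, total_size_rate, total_event_count, total_event_rate), builds the sparse table the way metrics_source stores it (no rows for silent periods), completes it with zero rows the way the metrics_view preset does at runtime, and then runs a simple deviation check against a per-source baseline. The baseline (the median event count over the window), the data source names "fw-edge" and "vpn-gw", the log sizes and the 50 % tolerance are all assumptions made for the example.

```python
"""Added illustration, not Cortex XSIAM's implementation: aggregates constructed
log records into 5-minute periods, derives the four ingestion metrics, contrasts
the sparse metrics_source storage with the zero-filled metrics_view preset, and
flags periods that deviate from a simple per-source baseline."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

PERIOD = timedelta(minutes=5)  # aggregation period used by the ingestion metrics
METRICS = ("total_size_bytes", "total_size_rate", "total_event_count", "total_event_rate")

# Constructed sample input: (data source, UTC timestamp, log size in bytes).
# "fw-edge" sends nothing between 12:20 and 12:25; "vpn-gw" sends one log per minute.
START = datetime(2024, 3, 6, 12, 0, tzinfo=timezone.utc)
END = START + timedelta(minutes=30)
SAMPLE_LOGS = [
    ("fw-edge", START + timedelta(minutes=m, seconds=s), 300)
    for m in (0, 1, 2, 5, 6, 10, 11, 12, 13, 15, 16, 25, 26, 27)
    for s in (0, 20, 40)
] + [("vpn-gw", START + timedelta(minutes=m), 500) for m in range(30)]


def period_start(ts):
    """Floor a timestamp to the start of its 5-minute aggregation period."""
    secs = int(PERIOD.total_seconds())
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % secs, tz=timezone.utc)


def aggregate(logs):
    """Sparse table, like metrics_source: one row per (source, period) that received data."""
    rows = defaultdict(lambda: {"total_size_bytes": 0, "total_event_count": 0})
    for source, ts, size in logs:
        row = rows[(source, period_start(ts))]
        row["total_size_bytes"] += size
        row["total_event_count"] += 1
    secs = PERIOD.total_seconds()
    for row in rows.values():
        row["total_size_rate"] = row["total_size_bytes"] / secs    # bytes per second
        row["total_event_rate"] = row["total_event_count"] / secs  # events per second
    return dict(rows)


def zero_filled(rows, window_start, window_end):
    """Runtime completion, like metrics_view: every (source, period) in the window is
    present, with all-zero metrics where the sparse table has no row."""
    sources = {source for source, _ in rows}
    view = {}
    t = period_start(window_start)
    while t < window_end:
        for source in sources:
            view[(source, t)] = rows.get((source, t), {m: 0 for m in METRICS})
        t += PERIOD
    return view


def silent_periods(table, source):
    """Periods in which the source ingested nothing (only visible in a zero-filled table)."""
    return sorted(t for (s, t), row in table.items()
                  if s == source and row["total_event_count"] == 0)


def deviations(table, source, tolerance=0.5):
    """(period, count) pairs whose event count differs from the source's baseline by
    more than `tolerance` of the baseline. The baseline is the median count over the
    table, an assumption standing in for a learned ingestion baseline."""
    counts = {t: row["total_event_count"] for (s, t), row in table.items() if s == source}
    baseline = median(counts.values())
    return sorted((t, c) for t, c in counts.items() if abs(c - baseline) > tolerance * baseline)


if __name__ == "__main__":
    sparse = aggregate(SAMPLE_LOGS)
    view = zero_filled(sparse, START, END)
    print("rows stored:", len(sparse), "rows in view:", len(view))
    print("fw-edge silent periods:", silent_periods(view, "fw-edge"))
    print("deviations on sparse rows:", deviations(sparse, "fw-edge"))
    print("deviations on zero-filled view:", deviations(view, "fw-edge"))
```

Running the deviation check on the sparse table finds nothing for "fw-edge", because the silent 12:20 period simply has no row and the median is computed over the periods that did ingest; the same check on the zero-filled view flags both the 12:20 outage and the 12:10 surge. That is the reason the page recommends metrics_view rather than metrics_source for gap detection in XQL queries and correlation rules.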

The following table describes all the fields in the metrics_source dataset and metrics_view preset: