Useful Queries

Use these queries to find devices that have stopped sending logs, measure the gap between log and collection timestamps, read the actual MPS/EPS reported by the benchmarker, break down per-device event rates, and export raw logs as CSV.

Default Device Stopped Sending Logs for Half an Hour

Use this to find devices whose most recent collected event is more than 1800 seconds (30 minutes) old. It does not cover Log Source devices or Cloud devices configured on localhost, or the M365 collector.

| chart max(col_ts) as max_time_ts by device_ip | process current_time(a) as time | chart max(time-max_time_ts) as elapsed_time by max_time_ts, device_ip | search elapsed_time>1800

Time Difference Between col_ts and log_ts

Use this to find devices where the collection timestamp (col_ts) is more than 300 seconds ahead of the log timestamp (log_ts). A constant offset for one device usually means a timezone misconfiguration on that device; a varying offset points to a delay in log collection. Note that the filter diff > 300 only returns positive offsets, so a device whose log_ts runs ahead of col_ts will not appear.

| process eval("diff=col_ts-log_ts") | chart count() by diff, device_name order by diff desc limit 10 | search diff > 300

Check Actual EPS

Use this to read the actual and doable MPS (messages per second) that the benchmarker's store handler records for each service and action.

source_name="/opt/immune/var/log/benchmarker/store_handler.log" | fields log_ts, service, action, actual_mps, doable_mps

Show events for hours, minutes and seconds on individual devices

Displays per-device event counts together with per-minute and per-second rates. Because sum(1/60) and sum(1/3600) are simply count()/60 and count()/3600, the rates are only correct when the search time range is exactly one hour; for any other range, divide the count by that range's length in minutes or seconds instead.

| chart count() as Events_per_hour, sum(1/60) as Events_per_minute, sum(1/3600) as Events_per_second by device_name order by Events_per_minute DESC limit 25
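The following is an added example, not a LogPoint query and not part of the original page. It re-implements in plain Python what the three timing pipelines above compute (the half-hour silent-device check, the col_ts minus log_ts skew check, and the per-device rate calculation) so the thresholds and unit conversions can be verified offline. The field names follow the queries above; the records, device names and addresses are constructed for the example.

```python
"""Offline model of the timing checks described on this page.

Added example, not LogPoint's own code. Field names (device_ip, device_name,
col_ts, log_ts) follow the queries above; the records are constructed.
"""
from collections import defaultdict

# Constructed sample records with epoch-second timestamps (not real collector output).
NOW = 1_700_000_000
RECORDS = [
    # 10.0.0.1: healthy, last seen two minutes ago, clocks aligned
    {"device_ip": "10.0.0.1", "device_name": "fw-edge", "col_ts": NOW - 120, "log_ts": NOW - 121},
    {"device_ip": "10.0.0.1", "device_name": "fw-edge", "col_ts": NOW - 60, "log_ts": NOW - 60},
    # 10.0.0.2: last seen 45 minutes ago, so silent for more than 1800 s
    {"device_ip": "10.0.0.2", "device_name": "dc01", "col_ts": NOW - 2700, "log_ts": NOW - 2700},
    # 10.0.0.3: recent, but log_ts is a constant hour behind col_ts (timezone misconfiguration)
    {"device_ip": "10.0.0.3", "device_name": "web01", "col_ts": NOW - 30, "log_ts": NOW - 30 - 3600},
    {"device_ip": "10.0.0.3", "device_name": "web01", "col_ts": NOW - 10, "log_ts": NOW - 10 - 3600},
]


def silent_devices(records, now=NOW, threshold=1800):
    """Mirror of: chart max(col_ts) by device_ip ... | search elapsed_time>1800.

    Returns {device_ip: seconds since the newest collected event} for every
    device whose newest event is older than `threshold` seconds.
    """
    newest = defaultdict(int)
    for rec in records:
        newest[rec["device_ip"]] = max(newest[rec["device_ip"]], rec["col_ts"])
    return {ip: now - ts for ip, ts in newest.items() if now - ts > threshold}


def clock_skew(records, threshold=300):
    """Mirror of: process eval("diff=col_ts-log_ts") | chart count() by diff, device_name | search diff > 300.

    Returns {(diff, device_name): count} for every diff above `threshold`.
    Like the query, this only reports positive offsets (col_ts ahead of log_ts).
    """
    counts = defaultdict(int)
    for rec in records:
        diff = rec["col_ts"] - rec["log_ts"]
        if diff > threshold:
            counts[(diff, rec["device_name"])] += 1
    return dict(counts)


def event_rates(records, window_seconds=3600):
    """Mirror of: chart count(), sum(1/60), sum(1/3600) by device_name.

    The query's sum(1/60) and sum(1/3600) equal count/60 and count/3600, which
    are per-minute and per-second rates only for a one-hour window. This
    version divides by the actual window length instead.
    """
    counts = defaultdict(int)
    for rec in records:
        counts[rec["device_name"]] += 1
    return {
        name: {
            "events": n,
            "per_minute": n / (window_seconds / 60),
            "per_second": n / window_seconds,
        }
        for name, n in counts.items()
    }


if __name__ == "__main__":
    print("silent devices:", silent_devices(RECORDS))
    print("clock skew:", clock_skew(RECORDS))
    for name, r in event_rates(RECORDS).items():
        print(f"{name}: {r['events']} events, {r['per_minute']:.4f}/min, {r['per_second']:.6f}/s")
```

Running the script reports 10.0.0.2 as silent for 2700 seconds, web01 with two events at a 3600-second offset, and the rates for a one-hour window; passing a different window_seconds shows how much the per-minute and per-second figures change when the search range is not one hour.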

Exporting RAW logs into CSV from the GUI

Add the hidden field msg to the search result so that the raw log is displayed as a column; the result can then be exported from the GUI as CSV or Excel.
