LinkedIn
Twitter
Hello All,
Could anyone please let me know why there are more than one last heartbeat days, since the last heartbeat should be only one? Please find the below snip.
Also, could anyone please let me know why there is a difference in the data when we take the ingestion_metrics? The comparison is given in the below snips.
Thanks,
Aravind S
For the first issue, it would be better suited to use the 'Measures', in particular in this case I believe 'Max End Time' would be best suited.
Please see the below representation (filtering on just 1 Log type to not cause too much confusion) without ONLY using the max end time (it is visible in the third column to show there is no discrepancy between 'Timestamp Date' and 'Max End Time's representation, beside it containing the HH:MM:SS. If this is not needed then use custom expressions.
After using Max End Time:
The source of truth is always Chris Martin ๐
In an old blog post he wrote the following:
My ingestion_stats table's last modified date is Feb 6th (today is Feb 14th). I'm not sure *what* its still used for, but best to rely on the metrics one I think.
Also on the heartbeat question that was already answered, the docs are here:
https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema
I think this means that some logs will have it and some logs won't. Due to the duplicates in your original image, t doesn't look like you're filtering out the most recent heartbeat per log type. Did you make this visualisation yourself or did you get it from somewhere?
I have no idea how you can filter the logs better, i'd be open to suggestions. E.g. if we go on from AymanC's example, how would we select the max last_heartbeat if we wanted to use that instead? If I try to create a custom measure on the heartbeat fields, I only have the measure type "Count Distinct". I'm assuming this is based on the field's type, but I could have also missed something obvious.
