Why is the percentage of processed data so small in the log source Overview tab in Panther?

Last updated
Save as PDF

QUESTION

I noticed the "% of total processed data" field in my log source Overview tab shows a very small value (~0.04%). Is that expected?

ANSWER

The field % of total processed data shows the amount of data processed from the individual log source you are viewing vs. the sum of all the log sources. This means, that the amount from this log source is compared against the sum of all the other log sources that you have configured and the metric does not solely refer to the amount of that specific log source.

The other two fields, "Vol. of data processed" and "#of events processed" are dedicated to the ingestion progress of your log source and show the "total uncompressed data processed without including the unclassified and filtered events" and "count of events classified via an attached schema" respectively.

If there are no error messages in the Health tab and logs keep coming to your log source, then it looks like the ingestion flow is happening as expected.

To see metrics on overall log source ingestion, check the log sources overview page at Configure > Log Sources.