Understand your Ingestion metrics dashboard

This topic describes the elements of the Ingestion metrics page.

The Ingestion metrics dashboard provides the following information. Note that some data may be squashed. For more information about squashing, see About squashing in the Ingest monitoring dashboard.

Table 1. Data ingestion page
Element / Description

Data Entities: View by field

Select the types of data you wish to view in the Data Entities: View by field. You can search by any combination of the following:
  • Index
  • Source type
  • Host
  • Source
Metric field

Select the metrics you'd like to view. Possible options are:

  • Event count
  • Volume
  • Latest latency
  • Latest index time
Data entities with notable ingestion changes panel

Data entities with notable ingestion changes is the count of entities for which we have seen a +/- 50% change in volume, or a change in the events count metric, compared to the time range selected in the Compare to drop-down.
Data entities with no ingestion panel

Data entities have no ingestion when that entity’s latest index time is before the selected current time range. This can help you identify missing data sources.

Note that there is a time lag, which is always 10 minutes unless there are any failed saved searches. See First time data and missing data for more information.

First time data entities panel

Data entities are categorized as "First time data entities" when an entity’s first seen time is within the selected current time range. See First time data and missing data for more information.
Search field

Enter search criteria you want to use to locate data entities. For example, you can search for an index called "firewall" by adding that as a search term in the Search field. You can search using the names of indexes, source types, sources, or hosts.
Filter data entities field (Optional)

(Optional) In Filter data entities, select one of the following:

  • All (default)
  • With notable ingestion changes
  • With no ingestion
Results table

The data in this table is calculated by joining the data with the "last_index_event_lookup" lookup table and the volume, latency, and event count metrics. This helps identify the records with time stamps that fall outside of the selected time period. The results table shows the following information:

  • Index
  • Source type
  • Host
  • Source
  • Event count: Number of events.
  • Event count change: Displays the difference in event count as a percentage. For instance, if 100k events were ingested in the last four hours, while 200k events were ingested during the same period one week ago (as per the selected "Compare to" time), the dashboard will indicate a 50% decline. Note, this column is visible only when a "Compare to" time range is selected.
  • Latest latency: See Understand your Ingestion metrics dashboard for more information.
  • Latest index time: The index time of the last event ingested for a data entity.
  • Action: To further investigate an item, click "Investigate" in the Action column. See Investigate a data entity for more information.
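
The panel rules described above can be reproduced outside the dashboard to sanity-check what it reports. The following is an added example, not Splunk's own implementation: it classifies data entities into the "no ingestion", "first time" and "notable ingestion changes" categories and computes the event count change percentage. The dictionary keys, the helper names and the sample entities are hypothetical, and it assumes the 50% threshold applies to both volume and event count; the 10-minute time lag is not modeled.

```python
from datetime import datetime, timedelta

THRESHOLD_PCT = 50.0  # +/- 50% change, as stated for the notable-changes panel

def pct_change(current, previous):
    """Percentage change from previous to current; None when there is no baseline."""
    if not previous:
        return None
    return (current - previous) / previous * 100.0

def classify(entity, range_start, range_end):
    """Return the set of panel categories a data entity falls into."""
    panels = set()
    # No ingestion: latest index time is before the selected current time range.
    if entity["latest_index_time"] < range_start:
        panels.add("no_ingestion")
    # First time data: first seen time is within the selected current time range.
    if range_start <= entity["first_seen_time"] <= range_end:
        panels.add("first_time")
    # Notable change (assumption): |change| >= 50% in volume or in event count.
    changes = [pct_change(entity[k], entity["compare_" + k])
               for k in ("volume", "event_count")]
    if any(c is not None and abs(c) >= THRESHOLD_PCT for c in changes):
        panels.add("notable_change")
    return panels

# Constructed sample data: a four-hour current range and four hypothetical entities.
RANGE_END = datetime(2024, 5, 8, 12, 0)
RANGE_START = RANGE_END - timedelta(hours=4)
OLD = datetime(2024, 1, 1)

def _entity(index, events, cmp_events, latest, first_seen=OLD):
    # Sample volume is simply 512 bytes per event (constructed, not measured).
    return {"index": index, "event_count": events, "compare_event_count": cmp_events,
            "volume": events * 512, "compare_volume": cmp_events * 512,
            "latest_index_time": latest, "first_seen_time": first_seen}

ENTITIES = [
    _entity("firewall", 100_000, 200_000, RANGE_END - timedelta(minutes=5)),
    _entity("proxy", 0, 5_000, RANGE_START - timedelta(hours=20)),
    _entity("newapp", 300, 0, RANGE_END - timedelta(minutes=1),
            first_seen=RANGE_START + timedelta(hours=1)),
    _entity("dns", 1_000, 1_100, RANGE_END - timedelta(minutes=2)),
]

def report():
    """Map each sample entity's index name to its panel categories."""
    return {e["index"]: classify(e, RANGE_START, RANGE_END) for e in ENTITIES}

if __name__ == "__main__":
    for name, panels in report().items():
        print(name, sorted(panels))
```

The "firewall" entity mirrors the 100k versus 200k case in the Event count change description and yields a 50% decline.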