Validating data source ingestion in Data Explorer

Use IBM® Security Data Explorer to validate that events from your ingestion data sources are being ingested.

About this task

Create queries in Data Explorer to validate that events from your ingestion data sources are being ingested.

Procedure

  1. If you are on the Ingestion data sources page, click the date in the Last event seen column for the source that you want to validate.
  2. If you are not on the Ingestion data sources page, go to Data Explorer, and then click Advanced builder.
  3. Enter the following query:
    alerts
        // Only bring back what you need - there are 250+ columns in alerts view
        | project original_time
        // Limit to the time range you need specifically
        | where original_time > ago(60m)
        | count
  4. Click the timestamp for the start date and select a date from the quick ranges.
  5. Click Apply custom range.
  6. Click Run query.

Results

The results of your query appear.

What to do next

Explore Results