https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/data-ingest-per-source-for-palo-alto-firewalls-in-cortex-xdr/m-p/592116#M6924 <P>stumbled upon this query here.. thanks helps me alot!</P> <P>if i were to want to do the graph based on an hourly ingestion rate over a say 24 hour period.. how can i achieve this?</P> <P>still learning xql so not my strongpoint atm.</P> <P>running XSIAM as a POC atm</P> <P>&nbsp;</P> Tue, 16 Jul 2024 07:41:29 GMT PA_nts 2024-07-16T07:41:29Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/data-ingest-per-source-for-palo-alto-firewalls-in-cortex-xdr/m-p/591277#M6886 <P>I do not think this is in the correct Board, but I could not find a Cortex XDR channel.. First time posting so I am sure I missed it.&nbsp;</P> <P>&nbsp;</P> <P>I have Cortex XDR and we are trying to see what firewall is sending the largest amount of data by GB Ingest. We are using the collection integrations, NGFW, Panorama Managed. We have 8 firewall pairs that are sending logs to Cortex XDR. We need to see how much in GB each firewall is sending into Cortex. I am sure I am missing something. I can see how many logs, but I would like to see how much in ingest data each is using per day.&nbsp;</P> <P><LI-PRODUCT title="Cortex XDR" id="Cortex_XDR"></LI-PRODUCT>&nbsp;<LI-PRODUCT title="NGFW" id="NGFW"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <P>Thanks!!</P> Fri, 05 Jul 2024 16:42:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/data-ingest-per-source-for-palo-alto-firewalls-in-cortex-xdr/m-p/591277#M6886 BH6678 2024-07-05T16:42:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/data-ingest-per-source-for-palo-alto-firewalls-in-cortex-xdr/m-p/591664#M6897 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/52507">@BH6678</a>&nbsp;,</P> <P>&nbsp;</P> <P>Please refer the query to find the data ingestion from the metric sources. However, the catch here is XDR doesn't provide granular visibility over each firewall ingestion as the required data is not available in data source. As of now this can be achieved by XSIAM.&nbsp;</P> <P>dataset = metrics_source <BR />| fields _vendor , _product , total_size_bytes , total_size_rate<BR />| comp sum(total_size_bytes ) as ingestion by _product <BR />| alter Ingestion_by_GB = divide(round(multiply(divide(ingestion , pow(2,30)),10000)),10000) //rounding out to 4 decimal places and convert to MB<BR />| fields _product ,Ingestion_by_GB<BR />| limit 20<BR />| sort desc Ingestion_by_GB <BR />| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = Ingestion_by_GB seriescolor("Ingestion_by_GB","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black"</P> <P>&nbsp;</P> <P>You can either reach out to Accounts Team or have FR open to include the device id in&nbsp;metrics_source dataset.</P> <P>&nbsp;</P> <P><SPAN>If you feel this has answered your query, please let us know by clicking on Like and "mark this as a Solution".</SPAN></P> <P>&nbsp;</P> Thu, 11 Jul 2024 09:34:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/data-ingest-per-source-for-palo-alto-firewalls-in-cortex-xdr/m-p/591664#M6897 aspatil 2024-07-11T09:34:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/data-ingest-per-source-for-palo-alto-firewalls-in-cortex-xdr/m-p/592116#M6924 <P>stumbled upon this query here.. thanks helps me alot!</P> <P>if i were to want to do the graph based on an hourly ingestion rate over a say 24 hour period.. how can i achieve this?</P> <P>still learning xql so not my strongpoint atm.</P> <P>running XSIAM as a POC atm</P> <P>&nbsp;</P> Tue, 16 Jul 2024 07:41:29 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/data-ingest-per-source-for-palo-alto-firewalls-in-cortex-xdr/m-p/592116#M6924 PA_nts 2024-07-16T07:41:29Z