This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

XQL Query for calculating XDR log ingestion

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XQL Query for calculating XDR log ingestion

PA_nts
L4 Transporter

‎06-29-2025 11:35 PM

Hi, 
As this is covered by the XDR license and not visible in the data ingestion widgets..

Does anyone have a query to look at data ingestion for XDR agents only?

 

thanks in adv

0 Likes Likes
5 REPLIES 5

mavega
L3 Networker

‎07-09-2025 08:24 AM

Hi,

 

Thanks for reaching out LC.

 

You can use the below query example below and filter by the product you want to view:

 

dataset = metrics_source
| fields _vendor , _product , total_size_bytes , total_size_rate
| comp sum(total_size_bytes ) as ingestion by _product
| alter Ingestion_by_MB = divide(round(multiply(divide(ingestion , pow(2,20)),10000)),10000)
| fields _product ,Ingestion_by_MB
| sort desc Ingestion_by_MB

 

Regards.

 

If you feel this answered your inquiry please mark As Solution.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner
0 Likes Likes

PA_nts
L4 Transporter

‎07-09-2025 11:33 PM - edited ‎07-10-2025 12:43 AM

Thanks Mavega

..that does work.. but, it shows the metrics for xdrc - the xdr collector only. not xdr agents.

 

any ideas?

thanks

0 Likes Likes

A.Elzedy
L2 Linker

‎07-10-2025 09:53 AM

I'm not aware of any log size's metrics for endpoints, but being familiar with the log counts per xdr agent should bring you closer to your goal  

dataset = xdr_data 
| filter   _product = "XDR agent"
| comp count() as logs by agent_id , agent_hostname 
| sort desc logs

 

kadirerol
L1 Bithead
In response to mavega

‎04-08-2026 01:48 AM

dataset = metrics_source

|comp sum (total_size_bytes) as gunluk_total_bytes by _product //

|alter gunluk_ortalama_log_boyut_kb=divide (gunluk_total_bytes ,1024) //KB
|alter gunluk_ortalama_log_boyut_mb=divide (gunluk_ortalama_log_boyut_kb ,1024) //MB
|alter gunluk_ortalama_log_boyut_gb=divide (gunluk_ortalama_log_boyut_mb ,1024) // GB


you can use this query

0 Likes Likes

kadirerol
L1 Bithead

‎04-08-2026 01:49 AM

By the way How can we write an XQL query to calculate the total log volume for the last 24 hours in GB and check whether it is 20% higher than the previous day?

0 Likes Likes
  • 1761 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks