View your billed ingestion volume

Supported in:

Your Google Security Operations billing is based on the amount of raw log data you ingest. This page explains how to use the ingestion metrics that directly align with the billing system for accurate cost management.

Key Principle

  • Billing is based only on the raw log data bytes. Metadata and labels associated with the logs are not counted toward the billed volume.

  • Any other internal dashboard or external metric shouldn't be considered the source of information for billing purposes.

View the amount of data ingested

The ingestion volume for billing is accessible in three primary locations. All three sources draw from the same underlying ingestion metrics data, ensuring consistency with your bill.

Method 1: Main dashboard

  1. Log in to Google SecOps.

  2. Click Dashboards.

  3. Select the dashboard called Main. You can search for it using the Search tab.

  4. Navigate to the Throughput widget. This widget shows the data throughput. You can use the time range selector to view the total throughput for the required time period.

Method 2: Data health and ingestion dashboard

  1. Log in to Google SecOps.

  2. Click Dashboards.

  3. Select the dashboard called Data Ingestion and Health. You can search for it using the Search tab.

  4. Navigate to the Throughput widget. This widget shows the data throughput. You can use the time range selector to view the total throughput for the required time period.

Method 3: Cloud Monitoring

This method is available to customers who use a Bring Your Own Project (BYOP) setup.

  1. In the Google Google Cloud console, go to Settings and select Profile.

  2. Select your Cloud Monitoring profile.

  3. On the Profile page, type Integrations in the search bar.

  4. Select Metrics explorer.

  5. Click promQL to switch to promQL query mode.

  6. To view the results in a table format, locate Results and then select Table.

  7. To view the ingestion volume (ingestion_log_byte_count) copy and paste the following ingestion metric query into the query editor and run it.

    
    sum (increase(chronicle_googleapis_com:ingestion_log_bytes_count{monitored_resource="chronicle.googleapis.com/Collector"}[1h]))

  8. Optional: Filter a specific log type, and include it in the query. For example, to view ingestion for the log type GCP_CLOUDAUDIT, run the following query:

        sum(increase(chronicle_googleapis_com:ingestion_log_bytes_count{monitored_resourc e="chronicle.googleapis.com/Collector",log_type="GCP_CLOUDAUDIT"}[1h]))

Create alerts on the amount of data ingested

Creating alerts on ingestion volume is a critical component of cost management, and helps you take action quickly to unexpected spikes in data volume. Alerting is managed through Cloud Monitoring. For more information, see Set up ingestion notification for health metrics.

View ingestion metrics for your managed tenants

You can monitor the ingestion volume for the various tenants that you manage using Cloud Monitoring metric scopes.

A metric scope lets you monitor data from multiple managed Google Cloud tenants within a single console. To enable this, the managed tenants must grant you the necessary access to their Cloud Monitoring project, generally by configuring your account as a scoping project. Once configured, you can use the centralized view to monitor the total ingestion volume (log_byte_count).

For more information, see Metrics scopes overview and to configure metrics scope see Configure a metrics scope.

Need more help? Get answers from Community members and Google SecOps professionals.