You are reviewing logs and find that the content appears as one large block of text within the @rawstring field for incoming firewall logs. The other expected structured fields are empty.
The correct answer is A. The parser was incorrect.
CrowdStrike LogScale documentation explains that when data is ingested without an appropriate parser, the event still arrives in LogScale, but it is not automatically parsed into fields. In that case, the event remains as raw text in @rawstring, while the expected extracted fields stay empty. That matches the exact symptom described in the question.
Why the other options are incorrect:
B is incorrect because if the ingestion token were invalid, the data generally would not be ingested successfully in the first place.
C is incorrect because an overloaded sink may delay or buffer delivery, but it does not explain why only @rawstring is populated while structured fields are missing.
D is incorrect because a timestamp parsing problem may cause time-related errors, but it would not by itself explain why the entire firewall event remains unparsed as raw text.
CrowdStrike’s parser error docs show that parse failures are tracked separately and that @rawstring is what you inspect when events fail to parse correctly.