Problem
The cloud source for chronicle SQL queries fails ~78% of the time. Very few devices have ever successfully queried cloud.
Error breakdown:
- empty_result — most common: query runs but returns nothing
- HTTP 404 — session not found on server
Root Cause
Sessions either haven't been synced yet, have expired server-side, or the cloud API can't find them by the IDs being queried. The LLM may also be constructing queries for sessions that only exist locally.
Fix
- Pre-validate that a session exists in cloud before routing the query there
- Return a clear session_not_synced error (not generic 404) so the tool can fall back to local
- Investigate why empty_result is so common — are the queries valid but the data missing?
Telemetry
Event: chronicle.sqlQuery with source=cloud, errors empty_result and HTTP 404
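
One way the routing proposed under Fix could look, as an added example rather than the project's own code: two in-memory SQLite stores stand in for the local and cloud sources. The table layout, the function names (make_store, missing_in, sql_query), the result keys and the sample sessions are all assumptions.

```python
import sqlite3

def make_store(sessions):
    """Build an in-memory store; `sessions` maps session id -> list of turn texts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (id TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE turns (session_id TEXT, text TEXT)")
    for sid, turns in sessions.items():
        db.execute("INSERT INTO sessions VALUES (?)", (sid,))
        db.executemany("INSERT INTO turns VALUES (?, ?)", [(sid, t) for t in turns])
    return db

# Constructed sample data: "s2" exists only locally, "s3" is synced but has no turns.
LOCAL = make_store({"s1": ["build failed"], "s2": ["fix applied"], "s3": []})
CLOUD = make_store({"s1": ["build failed"], "s3": []})

def missing_in(db, session_ids):
    """Return the requested session ids that the store has no record of."""
    marks = ",".join("?" * len(session_ids))
    known = {row[0] for row in db.execute(
        f"SELECT id FROM sessions WHERE id IN ({marks})", session_ids)}
    return [sid for sid in session_ids if sid not in known]

def run(db, session_ids):
    """The query itself: all turns for the given sessions."""
    marks = ",".join("?" * len(session_ids))
    return db.execute(
        f"SELECT session_id, text FROM turns WHERE session_id IN ({marks}) "
        "ORDER BY session_id", session_ids).fetchall()

def sql_query(session_ids, source="cloud"):
    """Route a query; pre-validate cloud sessions and fall back to local if unsynced."""
    if source != "cloud":
        return {"source": "local", "cloud_error": None, "missing": [],
                "rows": run(LOCAL, session_ids)}
    missing = missing_in(CLOUD, session_ids)
    if missing:
        # Specific error instead of a generic 404, so the caller knows to fall back.
        return {"source": "local", "cloud_error": "session_not_synced",
                "missing": missing, "rows": run(LOCAL, session_ids)}
    rows = run(CLOUD, session_ids)
    # Sessions exist in cloud but hold no rows: the query was valid, the data is missing.
    return {"source": "cloud", "cloud_error": None if rows else "empty_result",
            "missing": [], "rows": rows}
```

Keeping session_not_synced and empty_result as separate outcomes also splits the two telemetry buckets: a query for unknown session IDs no longer shows up as an empty cloud result.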