View rule errors

There are two main types of errors that you can get from rules:

  • Compilation errors: identify problems in rule syntax or logic by performing static analysis.

  • Runtime errors: only occur when testing a rule, running a live rule, or running a retrohunt.

Compilation errors

Google Security Operations identifies compilation errors when you save or test the rule.

The icon in the top left-hand corner of the rules editor indicates whether the rule has an error.

Click to view error details in the Runtime Error dialog.

If there is no error in your rule, the icon is a green . If the error message includes a column or line position, that part of the rule is displayed with a red underline in the rules editor. More complex errors don't included a position because they are caused by a combination of issues in multiple places.

If you try to save a rule or test a rule that has a compilation error, a runtime error is displayed. You cannot save a rule or run a test until the compilation error is fixed.

Runtime errors

Runtime errors are not displayed during compile time. Some runtime errors prevent a rule from completing, like query took too long to execute, which occurs sporadically. To check if your rule has runtime errors, click Run test in the rules editor.

If a runtime error occurs, a link is displayed in the Test rule results bar that gives more information about the error that occurred.

It is possible to get unknown runtime errors that don't have a useful description. This indicates that the system is encountering this particular error for the first time and it doesn't have a user message associated with the error. If this happens, contact your Google Security Operations representative for assistance.

If a runtime error occurs during live rule or retrohunt execution, a link is displayed on the Detections page that gives more information about the error that occurred.

Similarly to test the rule, runtime errors that occur during live rule or retrohunt execution have an indicator with clickable, underlined text that gives more information about the error that occurred.