Chronicle Events schema changes and how to view
The udm_events table in BigQuery has been replaced with the new Events table. The Events table schema is largely the same except for the field that stores date partitions.
The Events table has a new field, called hour_time_bucket, that stores the partition label, which is based on the hour of the day in the metadata.event_timestamp field. This new field replaces the _PARTITIONTIME pseudo column in the original udm_events table.
The values stored in the hour_time_bucket field take the form <YYYY-MM-DD-HH>, where HH is the two-digit hour of the day. Here are examples:
In BigQuery, you'll notice the table called Events.
(Screenshot: Field list in BigQuery)
In Chronicle dashboards, you'll notice a new data structure called Events (Preview).
(Screenshot: Table list in Chronicle dashboards explorer)
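The following BigQuery script is an added example, not part of the Chronicle documentation or the product itself: it shows how a query that used to prune partitions with _PARTITIONTIME on udm_events is written against the Events table using hour_time_bucket, plus a consistency check that the stored bucket matches metadata.event_timestamp. It assumes the datalake.events path shown above with `my-project` as a placeholder project id, that metadata.event_timestamp is a TIMESTAMP column, and that the UDM field metadata.event_type is present.

```sql
-- Added example (not from the Chronicle docs). Assumes the table path
-- <project name> > datalake > events; replace `my-project` with your project id.
-- hour_time_bucket holds labels such as '2024-05-01-13' (YYYY-MM-DD-HH).

-- Old pattern on udm_events (no longer applies to the Events table):
--   WHERE _PARTITIONTIME >= TIMESTAMP('2024-05-01')
--     AND _PARTITIONTIME <  TIMESTAMP('2024-05-02')

-- New pattern: derive the bucket labels from the window you want, so the
-- filter matches the stored label format exactly and limits the scan to
-- only the hourly partitions inside that window.
DECLARE window_start TIMESTAMP DEFAULT TIMESTAMP('2024-05-01 00:00:00 UTC');
DECLARE window_end   TIMESTAMP DEFAULT TIMESTAMP('2024-05-01 23:59:59 UTC');

-- Hourly event volume per UDM event type for the window.
SELECT
  hour_time_bucket,
  metadata.event_type AS event_type,
  COUNT(*) AS event_count
FROM `my-project.datalake.events`
WHERE hour_time_bucket BETWEEN FORMAT_TIMESTAMP('%Y-%m-%d-%H', window_start)
                           AND FORMAT_TIMESTAMP('%Y-%m-%d-%H', window_end)
  -- The bucket is derived from metadata.event_timestamp; bounding the real
  -- timestamp as well keeps the result exact at the window edges.
  AND metadata.event_timestamp BETWEEN window_start AND window_end
GROUP BY hour_time_bucket, event_type
ORDER BY hour_time_bucket, event_count DESC;

-- Consistency check: every row's bucket label should equal the UTC hour of
-- its metadata.event_timestamp. A non-zero count means the two disagree and
-- bucket-based filters may be missing or mislabelling events.
SELECT COUNT(*) AS mismatched_rows
FROM `my-project.datalake.events`
WHERE hour_time_bucket BETWEEN FORMAT_TIMESTAMP('%Y-%m-%d-%H', window_start)
                           AND FORMAT_TIMESTAMP('%Y-%m-%d-%H', window_end)
  AND hour_time_bucket != FORMAT_TIMESTAMP('%Y-%m-%d-%H', metadata.event_timestamp);
```

Because the labels are zero-padded and ordered year-month-day-hour, a string BETWEEN on hour_time_bucket sorts correctly; keep the window in UTC so the derived labels line up with the stored ones.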
Viewing the Event schema
The Events schema in BigQuery is modeled after the Unified Data Model (UDM) schema. Choose one or more of the following options to learn more about Events schema fields and the structure:
- View a description of each UDM field in the UDM field list.
- View the Events schema document, Events schema in BigQuery.
- In the Cloud console BigQuery Explorer, select <project name> > datalake > events to browse the schema.
In Chronicle Dashboards:
- Create a new dashboard or edit an existing dashboard.
- Add a Tile. Select Visualization as the type if prompted.
- In the list of tables, choose the Events (Preview) table.
- Browse the list of fields.