Chronicle Events schema changes and how to view
The udm_events table in BigQuery has been replaced with the new Events table.
The Events table schema is largely the same as the previous version, except for the field that stores date partitions. A new field, hour_time_bucket, identifies the partition as the hour of the day in which the metadata.event_timestamp value falls. This field replaces the _PARTITIONTIME pseudo column of the original udm_events table.
Values in the hour_time_bucket field are hourly timestamps of the form <YYYY-MM-DD HH:MM:SS UTC>. Here are examples:
- 2022-05-20 00:00:00 UTC
- 2022-05-20 01:00:00 UTC
- 2022-05-20 02:00:00 UTC
- 2022-05-20 03:00:00 UTC
For example, the value 2022-05-20 00:00:00 UTC labels data with an event_timestamp between 2022-05-20 00:00:00 UTC and 2022-05-20 00:59:59 UTC.
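Because hour_time_bucket has hourly granularity, a query that wants an exact event window has two predicates: one on hour_time_bucket, which limits the partitions BigQuery scans, and one on metadata.event_timestamp for the precise bounds. The following added example (not code from the Chronicle documentation) computes the bucket values for a window and emits such a query. It assumes that metadata.event_timestamp is stored as a BigQuery TIMESTAMP, that the UDM field metadata.event_type is present, and that `my-project.datalake.events` is a placeholder for the real `<project name>.datalake.events` table; the sample window is constructed.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed placeholder; substitute <project name>.datalake.events.
EVENTS_TABLE = "my-project.datalake.events"


def parse_utc(text: str) -> datetime:
    """Parse a timestamp written the way the Events table displays it,
    e.g. '2022-05-20 00:00:00 UTC'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def bq_timestamp(ts: datetime) -> str:
    """Format a datetime the way the Events table displays hour_time_bucket."""
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def hour_time_bucket(event_timestamp: datetime) -> datetime:
    """Return the hour_time_bucket value that labels an event.

    The bucket is the event's metadata.event_timestamp truncated to the hour
    in UTC, so 2022-05-20 00:37:12 UTC and 2022-05-20 00:59:59 UTC both map
    to 2022-05-20 00:00:00 UTC (TIMESTAMP_TRUNC(..., HOUR) in BigQuery terms).
    """
    if event_timestamp.tzinfo is None:
        raise ValueError("event_timestamp must be timezone-aware")
    utc = event_timestamp.astimezone(timezone.utc)
    return utc.replace(minute=0, second=0, microsecond=0)


def bucket_range(start: datetime, end: datetime) -> tuple[datetime, datetime]:
    """Inclusive hour_time_bucket bounds covering every event in [start, end).

    `end` is exclusive, so the last bucket needed is the one holding the final
    instant before `end`: a window ending exactly on the hour does not need the
    next bucket, while a window ending one second later does.
    """
    if end <= start:
        raise ValueError("end must be after start")
    return hour_time_bucket(start), hour_time_bucket(end - timedelta(microseconds=1))


def build_query(start: datetime, end: datetime, table: str = EVENTS_TABLE) -> str:
    """Build a query that prunes partitions on hour_time_bucket and then
    applies the exact window on metadata.event_timestamp."""
    first, last = bucket_range(start, end)
    return (
        "SELECT metadata.event_timestamp, metadata.event_type\n"
        f"FROM `{table}`\n"
        f"WHERE hour_time_bucket BETWEEN TIMESTAMP('{bq_timestamp(first)}')\n"
        f"                          AND TIMESTAMP('{bq_timestamp(last)}')\n"
        f"  AND metadata.event_timestamp >= TIMESTAMP('{bq_timestamp(start)}')\n"
        f"  AND metadata.event_timestamp <  TIMESTAMP('{bq_timestamp(end)}')\n"
        "ORDER BY metadata.event_timestamp"
    )


if __name__ == "__main__":
    # Constructed sample window: 00:30 to 02:00 UTC on 2022-05-20.
    start = parse_utc("2022-05-20 00:30:00 UTC")
    end = parse_utc("2022-05-20 02:00:00 UTC")
    print(build_query(start, end))
```

For the sample window the query filters hour_time_bucket between 2022-05-20 00:00:00 UTC and 2022-05-20 01:00:00 UTC; the 02:00:00 bucket is not scanned because the window ends exactly on that hour. Queries written against the old udm_events table that filtered on _PARTITIONTIME need the equivalent hour_time_bucket predicate to keep their partition pruning.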
In BigQuery, you'll notice the table called Events.
Figure: Field list in BigQuery
In Chronicle dashboards, you'll notice a new data structure called Events (Preview).
Figure: Table list in Chronicle dashboards explorer
Viewing the Event schema
The Events schema in BigQuery is modeled after the Unified Data Model (UDM) schema. Choose one or more of the following options to learn more about Events schema fields and the structure:
- View a description of each UDM field in the UDM field list.
- View the Events schema document, Events schema in BigQuery.
- In the Cloud console BigQuery Explorer, select <project name> > datalake > events to browse the schema.
In Chronicle Dashboards:
- Create a new dashboard or edit an existing dashboard.
- Add a Tile. Select Visualization as the type if prompted.
- In the list of tables, choose the Events (Preview) table.
- Browse the list of fields.
Figure: Field list in Chronicle Events (preview)