Method: logTypes.runParser

Full name: projects.locations.instances.logTypes.runParser

logTypes.runParser runs the parser against a log and returns normalized events or any error that occurred during the normalization.

HTTP request


Path parameters

Parameters
logtype

string

Required. The logtype of parser or parserExtension. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{logtype}

Request body

The request body contains data with the following structure:

JSON representation
{
  "parser": {
    object (Parser)
  },
  "parserExtension": {
    object (ParserExtension)
  },
  "dynamicParsingConfig": {
    object (ParserExtension)
  },
  "log": [
    string
  ],
  "statedumpAllowed": boolean,
  "continueOnError": boolean
}
Fields
parser

object (Parser)

The parser configuration.

parserExtension

object (ParserExtension)

The parser extension configuration.

dynamicParsingConfig

object (ParserExtension)

Optional. The dynamic parsing config.

log[]

string (bytes format)

Sample logs used while running the parser.

A base64-encoded string.

statedumpAllowed

boolean

Optional. Whether the Statedump filter is enabled for a config. If enabled, the intermediate state of the parsing is returned as part of the output. Useful for debugging.

continueOnError

boolean

Optional.

Response body

Response message for logTypes.runParser.

If successful, the response body contains data with the following structure:

JSON representation
{
  "runParserResults": [
    {
      object (ParserLogResult)
    }
  ]
}
Fields
runParserResults[]

object (ParserLogResult)

Results produced after running a parser over the logs.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the logtype resource:

  • chronicle.parsers.runParser

For more information, see the IAM documentation.

ParserLogResult

Result generated when normalizing a log.

JSON representation
{
  "log": string,
  "statedumpResults": [
    {
      object (StatedumpResult)
    }
  ],
  "parsedFields": {
    object
  },
  "failedFieldsAndErrors": {
    object
  },

  // Union field result can be only one of the following:
  "parsedEvents": {
    object (ParsedEvents)
  },
  "error": {
    object (Status)
  }
  // End of list of possible types for union field result.
}
Fields
log

string (bytes format)

Log entry.

A base64-encoded string.

statedumpResults[]

object (StatedumpResult)

Statedump filter output.

parsedFields

object (Struct format)

failedFieldsAndErrors

object (Struct format)

Union field result. The parsed result. result can be only one of the following:
parsedEvents

object (ParsedEvents)

Parsed events when normalizing a log.

error

object (Status)

Error message when normalizing the log.

ParsedEvents

Normalized events generated from a log.

JSON representation
{
  "events": [
    {
      object (ParsedEvent)
    }
  ]
}
Fields
events[]

object (ParsedEvent)

Events generated when normalizing the log.

ParsedEvent

EventInfo is a wrapper containing a UDM or Entity.

JSON representation
{

  // Union field event_info can be only one of the following:
  "event": {
    object (UDM)
  },
  "entity": {
    object (Entity)
  }
  // End of list of possible types for union field event_info.
}
Fields

Union field event_info.

event_info can be only one of the following:

event

object (UDM)

A UDM event.

entity

object (Entity)

An Entity.

StatedumpResult

StatedumpResult represents statedump filter output generated from a log.

JSON representation
{
  "label": string,
  "statedumpResult": string
}
Fields
label

string

Label represents a tag for the statedump filter.

statedumpResult

string

StatedumpResult represents output for the corresponding label.
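
The following is an added example, not part of the original reference or of any Google client library. It builds a request body with base64-encoded log[] entries and triages runParserResults[] by the result union, so logs that fail to normalize are caught before a parser change is deployed. Assumptions: Status is the standard google.rpc.Status with a message field, the helper names are hypothetical, and the sample response is constructed.

```python
import base64

def b64(text):
    """Encode text as the base64 string the 'bytes format' fields expect."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def build_request(raw_logs, parser=None, parser_extension=None, statedump=False):
    """Build a runParser request body. parser / parser_extension are opaque
    dicts supplied by the caller; their fields are not defined on this page."""
    body = {"log": [b64(line) for line in raw_logs], "statedumpAllowed": statedump}
    if parser is not None:
        body["parser"] = parser
    if parser_extension is not None:
        body["parserExtension"] = parser_extension
    return body

def triage(response):
    """Split runParserResults[] into (normalized, failed) lists of summaries."""
    normalized, failed = [], []
    for res in response.get("runParserResults", []):
        raw = base64.b64decode(res.get("log", "")).decode("utf-8", errors="replace")
        dumps = {d.get("label"): d.get("statedumpResult")
                 for d in res.get("statedumpResults", [])}
        # Union field 'result': exactly one of parsedEvents / error is expected.
        if ("parsedEvents" in res) == ("error" in res):
            failed.append({"log": raw, "statedump": dumps,
                           "error": "union field 'result' not set exactly once"})
        elif "error" in res:
            # Assumption: Status is google.rpc.Status, which carries 'message'.
            failed.append({"log": raw, "statedump": dumps,
                           "error": res["error"].get("message", "")})
        else:
            events = res["parsedEvents"].get("events", [])
            # Union field 'event_info': each ParsedEvent is a UDM event or an Entity.
            kinds = ["event" if "event" in e else "entity" for e in events]
            normalized.append({"log": raw, "kinds": kinds, "statedump": dumps})
    return normalized, failed

# Constructed sample response (not real API output); UDM/Entity bodies left empty.
SAMPLE_RESPONSE = {"runParserResults": [
    {"log": b64("user=alice action=login"),
     "parsedEvents": {"events": [{"event": {}}, {"entity": {}}]}},
    {"log": b64("%%garbled%%"),
     "error": {"code": 3, "message": "constructed parse failure"},
     "statedumpResults": [{"label": "after_grok", "statedumpResult": "{}"}]},
]}

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_RESPONSE)
    print(len(ok), "normalized;", len(bad), "failed:", [f["error"] for f in bad])
```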