Method: logTypes.runParser

Full name: projects.locations.instances.logTypes.runParser

RunParser runs the parser against a log and returns normalized events or any error that occurred during the normalization.

HTTP request

POST https://chronicle.googleapis.com/v1alpha/{logtype}:runParser

Path parameters

Parameters
logtype

string

Required. The logtype of parser or parser_extension. Format: projects/{project}/locations/{location}/instances/{instance}/logTypes/{logtype}

Request body

The request body contains data with the following structure:

JSON representation
{
  "parser": {
    object (Parser)
  },
  "parser_extension": {
    object (ParserExtension)
  },
  "log": [
    string
  ],
  "statedump_allowed": boolean
}
Fields
parser

object (Parser)

The parser configuration.

parser_extension

object (ParserExtension)

The parser extension configuration.

log[]

string (bytes format)

Sample logs used while running the parser.

A base64-encoded string.

statedump_allowed

boolean

Optional. Flag whether the Statedump filter is enabled or not for a config. If enabled, the intermediate state of the parsing will be returned as part of the output. Useful for debugging purposes.

Response body

Response message for RunParser.

If successful, the response body contains data with the following structure:

JSON representation
{
  "run_parser_results": [
    {
      object (ParserLogResult)
    }
  ]
}
Fields
run_parser_results[]

object (ParserLogResult)

Results produced after running a parser over log.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the logtype resource:

  • chronicle.parsers.runParser

For more information, see the IAM documentation.

ParserLogResult

Result generated when normalizing a log.

JSON representation
{
  "log": string,
  "statedump_results": [
    {
      object (StatedumpResult)
    }
  ],

  // Union field result can be only one of the following:
  "parsed_events": {
    object (ParsedEvents)
  },
  "error": {
    object (Status)
  }
  // End of list of possible types for union field result.
}
Fields
log

string (bytes format)

Log entry.

A base64-encoded string.

statedump_results[]

object (StatedumpResult)

Statedump filter output.

Union field result. The parsed result; result can be only one of the following:
parsed_events

object (ParsedEvents)

Parsed events when normalizing a log.

error

object (Status)

Error message when normalizing the log.

ParsedEvents

Normalized events generated from a log.

JSON representation
{
  "events": [
    {
      object (ParsedEvent)
    }
  ]
}
Fields
events[]

object (ParsedEvent)

Events generated when normalizing the log.

ParsedEvent

EventInfo is a wrapper containing a UDM or Entity.

JSON representation
{

  // Union field event_info can be only one of the following:
  "event": {
    object (UDM)
  },
  "entity": {
    object (Entity)
  }
  // End of list of possible types for union field event_info.
}
Fields

Union field event_info.

event_info can be only one of the following:

event

object (UDM)

A UDM event.

entity

object (Entity)

An Entity.

StatedumpResult

StatedumpResult represents statedump filter output generated from a log.

JSON representation
{
  "label": string,
  "statedump_result": string
}
Fields
label

string

Label represents a tag for the statedump filter.

statedump_result

string

StatedumpResult represents output for the corresponding label.
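An added example (not part of this reference and not the project's own client code) that assembles the request body described above, base64-encoding each `log[]` entry, and walks a RunParser response, distinguishing the `parsed_events` / `error` union per log and collecting `statedump_results`. The sample response is constructed; the contents of the `parser` object are passed through opaquely, and sending the request still needs an OAuth token with the cloud-platform scope listed above.

```python
import base64
import json

API_BASE = "https://chronicle.googleapis.com/v1alpha"

def run_parser_url(logtype: str) -> str:
    # logtype is the full resource name:
    # projects/{project}/locations/{location}/instances/{instance}/logTypes/{logtype}
    return f"{API_BASE}/{logtype}:runParser"

def build_request(parser: dict, raw_logs: list[bytes], statedump_allowed: bool = False) -> dict:
    # log[] is a bytes field, so every raw log is sent as a base64 string.
    # The Parser object's fields are not shown on this page; it is passed through as given.
    return {
        "parser": parser,
        "log": [base64.b64encode(log).decode("ascii") for log in raw_logs],
        "statedump_allowed": statedump_allowed,
    }

def summarize_response(response: dict) -> list[dict]:
    """Walk run_parser_results[]; each entry carries exactly one of parsed_events or error."""
    summary = []
    for result in response.get("run_parser_results", []):
        entry = {
            "log": base64.b64decode(result["log"]).decode("utf-8", errors="replace"),
            "statedump": {s["label"]: s["statedump_result"]
                          for s in result.get("statedump_results", [])},
        }
        if "error" in result:                      # google.rpc.Status: code + message
            entry["status"] = "error"
            entry["message"] = result["error"].get("message", "")
        elif "parsed_events" in result:            # ParsedEvents -> events[] of ParsedEvent
            events = result["parsed_events"].get("events", [])
            entry["status"] = "ok"
            entry["udm_events"] = sum(1 for e in events if "event" in e)
            entry["entities"] = sum(1 for e in events if "entity" in e)
        else:
            entry["status"] = "no_result"
        summary.append(entry)
    return summary

# Constructed sample response (not real API output): one log normalized into a UDM event,
# one log the parser could not normalize.
SAMPLE_RESPONSE = {
    "run_parser_results": [
        {"log": base64.b64encode(b"<14>Jan 1 00:00:00 host sshd[1]: Accepted publickey for alice").decode(),
         "statedump_results": [{"label": "after_grok", "statedump_result": "{\"user\":\"alice\"}"}],
         "parsed_events": {"events": [{"event": {"metadata": {"event_type": "USER_LOGIN"}}}]}},
        {"log": base64.b64encode(b"garbage line").decode(),
         "error": {"code": 3, "message": "grok pattern did not match"}},
    ]
}

if __name__ == "__main__":
    print(json.dumps(summarize_response(SAMPLE_RESPONSE), indent=2))
```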