Full name: projects.locations.instances.extractSyslog
instances.extractSyslog extracts the structured part of a log from an unstructured log by running a grok regex over it. The target field indicates the structured part.

For example, given this raw log:

```
123.249.198.123 structured_part
```

and this preprocess config:

```
regex: "%{IP:Principal_ip} %{GREEDYDATA:data}"
target: "data"
```

the call generates:

```
map<string, string> {"data": "structured_part"}
```
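The behaviour described above, as an added illustration that is not the service's own code: a minimal grok expander, the request body built with the base64-encoded log, and the documented output for the page's raw log and config. The PreProcessConfig field names `regex` and `target` follow the page's example; the two-entry pattern library and the shape of the `error` object are assumptions.

```python
import base64
import re

# Constructed pattern library for the illustration only; the service's
# own grok pattern set is not documented on this page.
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
}

# Matches %{PATTERN} or %{PATTERN:field_name} references.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(expr: str) -> str:
    """Expand grok references into a Python regex with named groups."""
    def repl(m: re.Match) -> str:
        pattern = GROK_PATTERNS[m.group(1)]
        name = m.group(2)
        return f"(?P<{name}>{pattern})" if name else f"(?:{pattern})"
    return _GROK_REF.sub(repl, expr)


def build_request(raw_log: str, grok_regex: str, target: str) -> dict:
    """Request body as documented: the log travels base64-encoded, so raw
    bytes from untrusted sources never have to be valid JSON text."""
    return {
        "preprocessConfig": {"regex": grok_regex, "target": target},
        "log": base64.b64encode(raw_log.encode()).decode(),
    }


def extract_syslog(request: dict) -> dict:
    """Simulate the documented result: run the grok regex over the decoded
    log and return only the target field; report an error when the regex
    does not match (error shape is an assumption, see lead-in)."""
    cfg = request["preprocessConfig"]
    raw_log = base64.b64decode(request["log"]).decode()
    m = re.compile(grok_to_regex(cfg["regex"])).match(raw_log)
    if m is None or cfg["target"] not in m.groupdict():
        return {
            "fieldMappings": {},
            "error": {"message": "grokRegex did not yield the target field"},
        }
    return {"fieldMappings": {cfg["target"]: m.group(cfg["target"])}}
```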
HTTP request
Path parameters
| Parameter | Description |
|---|---|
| instance | Required. The name of the parent resource, which is the SecOps instance associated with the request. Format: `projects/{project}/locations/{location}/instances/{instance}` |
Request body
The request body contains data with the following structure:

JSON representation:

```json
{
  "preprocessConfig": {
    object (
```

| Field | Description |
|---|---|
| preprocessConfig | PreProcessConfig holds the GROK expression to extract the syslog header. |
| log | The raw log. A base64-encoded string. |
Response body
Response message for instances.extractSyslog.
If successful, the response body contains data with the following structure:
JSON representation:

```json
{
  "fieldMappings": {
    string: string,
    ...
  },
  "error": {
    object (
```

| Field | Description |
|---|---|
| fieldMappings | Map of extracted fields. An object containing a list of |
| error | Output only. Error message, if any, when running grokRegex over the log. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.parserExtensions.removeSyslog
For more information, see the IAM documentation.