Method: instances.extractSyslog

Full name: projects.locations.instances.extractSyslog

ExtractSyslog extracts the structured part of an unstructured log by running a grok regex over it. The target field names the grok capture whose value is returned as the structured part. For example, given the raw log "123.249.198.123 structured_part" and this preprocess config: regex: "%{IP:Principal_ip} %{GREEDYDATA:data}", target: "data", the method generates: map<string, string> {"data": "structured_part"}

HTTP request

POST https://chronicle.googleapis.com/v1alpha/{instance}:extractSyslog

Path parameters

Parameters
instance

string

Required. The Chronicle instance associated with the request. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{
  "preprocess_config": {
    object (PreProcessConfig)
  },
  "log": string
}
Fields
preprocess_config

object (PreProcessConfig)

PreProcessConfig holds the GROK expression to extract the syslog header.

log

string (bytes format)

The raw log.

A base64-encoded string.

Response body

Response message for ExtractSyslog.

If successful, the response body contains data with the following structure:

JSON representation
{
  "field_mappings": {
    string: string,
    ...
  },
  "error": {
    object (Status)
  }
}
Fields
field_mappings

map (key: string, value: string)

Map of extracted fields.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

error

object (Status)

Output only. The error, if any, that occurred when running grok_regex over the log.
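The following example is added here and is not code from the Chronicle API or its client libraries. It builds the request body exactly as this page specifies (the log base64-encoded, the grok expression and target in preprocess_config), then approximates the service's behaviour locally with a small grok-to-regex translator so the example from the method description can be checked offline, and finally shows how a caller should read the response, since the grok error is reported in the body rather than as an HTTP failure. The key names "regex" and "target" inside preprocess_config, the grok pattern library, the anchoring of the regex at the start of the log, and the shape of the Status object on error are assumptions.

```python
import base64
import re

# Minimal grok pattern library constructed for this example; the service's
# own pattern set is not documented on the page (assumption).
GROK_PATTERNS = {
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "GREEDYDATA": r".*",
    "WORD": r"\w+",
    "NUMBER": r"-?\d+(?:\.\d+)?",
}

# Matches %{PATTERN} or %{PATTERN:field} references inside a grok expression.
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Translate %{PATTERN:field} references into Python named groups."""
    def repl(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        if name not in GROK_PATTERNS:
            raise ValueError(f"unknown grok pattern: {name}")
        body = GROK_PATTERNS[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _GROK_REF.sub(repl, pattern)


def build_request(raw_log: bytes, regex: str, target: str) -> dict:
    """Build the instances.extractSyslog request body.

    The 'log' field has bytes format, so it is sent as a base64 string.
    The key names "regex" and "target" inside preprocess_config are taken
    from the method description and are an assumption about the exact
    PreProcessConfig field names.
    """
    return {
        "preprocess_config": {"regex": regex, "target": target},
        "log": base64.b64encode(raw_log).decode("ascii"),
    }


def decode_log(body: dict) -> bytes:
    """Recover the raw log bytes from a request body (inverse of build_request)."""
    return base64.b64decode(body["log"])


def simulate_extract(body: dict) -> dict:
    """Local approximation of the response described on the page.

    Only the target capture is placed in field_mappings, as in the page's
    example. Anchoring the regex at the start of the log and the shape of
    the error object are assumptions.
    """
    raw = decode_log(body).decode("utf-8", errors="replace")
    cfg = body["preprocess_config"]
    try:
        compiled = re.compile(grok_to_regex(cfg["regex"]))
    except (ValueError, re.error) as exc:
        return {"field_mappings": {}, "error": {"message": str(exc)}}
    m = compiled.match(raw)
    if m is None or cfg["target"] not in m.groupdict():
        return {"field_mappings": {},
                "error": {"message": "grok regex did not match or target missing"}}
    return {"field_mappings": {cfg["target"]: m.group(cfg["target"])}}


def extracted_fields(response: dict) -> dict:
    """Read a response; the grok error lives in the body, so check it explicitly."""
    err = response.get("error")
    if err:
        raise RuntimeError(f"extractSyslog failed: {err.get('message', err)}")
    return dict(response.get("field_mappings", {}))


if __name__ == "__main__":
    # Constructed sample input: the raw log and config from the method description.
    req = build_request(b"123.249.198.123 structured_part",
                        "%{IP:Principal_ip} %{GREEDYDATA:data}", "data")
    print(req)
    print(extracted_fields(simulate_extract(req)))
```

When calling the real endpoint, POST the dictionary returned by build_request as JSON to https://chronicle.googleapis.com/v1alpha/{instance}:extractSyslog with a bearer token carrying the cloud-platform scope, and pass the decoded response through extracted_fields so that a grok failure surfaces as an exception instead of an empty mapping.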

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.parserExtensions.removeSyslog

For more information, see the IAM documentation.