Full name: projects.locations.instances.searchRawLogs
API to get events, entities, or unparsed raw logs that match the given raw log query. The API also returns a timeline and field aggregations over the results.
HTTP request
POST https://chronicle.googleapis.com/v1alpha/{instance}:searchRawLogs
Path parameters
| Parameter | Description |
|---|---|
| instance | Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Request body
The request body contains data with the following structure:
JSON representation:

{ "baseline_query": string, "baseline_time_range": { object (
| Field | Description |
|---|---|
| baseline_query | Required. Query to search for raw logs. Matches are returned in normalized form, or as a raw log snippet if they cannot be normalized. |
| baseline_time_range | Required. The time range to search, [inclusive, exclusive). |
| snapshot_query | Optional. Query to filter results. It is applied on top of the baseline query and cannot fetch results outside the baseline results, which are themselves capped by the result limit. |
| snapshot_time_range | Optional. The time range to filter results, [inclusive, exclusive). This range must be completely within baseline_time_range. |
| case_sensitive | Optional. If true, the search is performed case-sensitively. This applies to both the baseline and the snapshot query. |
| log_types[] | Optional. If present, limits the results to the matching log types. |
| max_aggregations_per_field | Optional. The maximum number of values a UDM field can have before only the top and bottom values by prevalence are shown. If the number of values is greater than this limit, only the top and bottom values are returned. |
| page_size | Optional. The maximum number of results to return. |
Response body
Response to SearchRawLogsRequest. Contains all matches, converted to normalized form when available, a histogram of logs over time, and field aggregations for the top and bottom fields across all result types.
If successful, the response body contains data with the following structure:
JSON representation:

{ "matches": [ { object (
| Field | Description |
|---|---|
| matches[] | Results that match the raw log search. |
| progress | Progress of the query, as a percentage between 0 and 100. |
| timeline | Timeline of result counts broken into buckets. |
| aggregations | Result fields with aggregated values. |
| next_page_token | Currently, this field is used only to indicate whether more value matches are available. If it is empty, there are no more value matches. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
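As an added example (not Google's code), the following Python assembles a searchRawLogs request body from the fields documented above, enforces the constraints the field descriptions state (non-empty half-open time ranges, a snapshot window that lies inside the baseline window, positive limits, a well-formed instance path) and prepares the bearer-authenticated POST without sending it. It assumes the time-range object is serialised as a pair of RFC 3339 strings under "start_time" and "end_time", because the page truncates that object's type; the instance path and query strings used with it are placeholders.

```python
"""Build a searchRawLogs request and the authenticated HTTP call for it.

Added example, not Google's code. The time-range key names
("start_time"/"end_time") are an assumption: the page truncates the type of
baseline_time_range and snapshot_time_range.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

ENDPOINT = "https://chronicle.googleapis.com/v1alpha"
INSTANCE_RE = re.compile(r"^projects/[^/]+/locations/[^/]+/instances/[^/]+$")


def parse_rfc3339(text: str) -> datetime:
    """Parse an RFC 3339 timestamp; a zone-less value is rejected rather than guessed."""
    ts = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp {text!r} lacks a timezone")
    return ts.astimezone(timezone.utc)


def to_rfc3339(ts: datetime) -> str:
    """Emit the RFC 3339 UTC 'Zulu' form, e.g. 2024-01-01T00:00:00Z."""
    return ts.astimezone(timezone.utc).replace(tzinfo=None).isoformat() + "Z"


def _interval(start: str, end: str) -> Dict[str, str]:
    """Half-open [start, end) window; an empty or reversed window is a caller bug."""
    s, e = parse_rfc3339(start), parse_rfc3339(end)
    if e <= s:
        raise ValueError("time range end must be after start")
    return {"start_time": to_rfc3339(s), "end_time": to_rfc3339(e)}  # assumed key names


def build_search_raw_logs_request(
    instance: str,
    baseline_query: str,
    baseline_range: Tuple[str, str],
    snapshot_query: Optional[str] = None,
    snapshot_range: Optional[Tuple[str, str]] = None,
    case_sensitive: bool = False,
    log_types: Optional[List[str]] = None,
    max_aggregations_per_field: Optional[int] = None,
    page_size: Optional[int] = None,
) -> Tuple[str, Dict[str, Any]]:
    """Return (url, body) for POST {instance}:searchRawLogs after validating the inputs."""
    if not INSTANCE_RE.match(instance):
        raise ValueError("instance must look like projects/{p}/locations/{l}/instances/{i}")
    if not baseline_query.strip():
        raise ValueError("baseline_query is required")
    body: Dict[str, Any] = {
        "baseline_query": baseline_query,
        "baseline_time_range": _interval(*baseline_range),
    }
    if snapshot_query is not None:
        body["snapshot_query"] = snapshot_query
    if snapshot_range is not None:
        b_start, b_end = (parse_rfc3339(t) for t in baseline_range)
        s_start, s_end = (parse_rfc3339(t) for t in snapshot_range)
        # The snapshot only filters baseline results, so its window must sit inside the baseline window.
        if s_start < b_start or s_end > b_end:
            raise ValueError("snapshot_time_range must lie within baseline_time_range")
        body["snapshot_time_range"] = _interval(*snapshot_range)
    if case_sensitive:
        body["case_sensitive"] = True
    if log_types:
        body["log_types"] = list(log_types)
    for name, value in (("max_aggregations_per_field", max_aggregations_per_field), ("page_size", page_size)):
        if value is not None:
            if value <= 0:
                raise ValueError(f"{name} must be positive")
            body[name] = value
    return f"{ENDPOINT}/{instance}:searchRawLogs", body


def build_http_request(url: str, body: Dict[str, Any], access_token: str) -> urllib.request.Request:
    """Prepare (but do not send) the POST; the token must carry the cloud-platform scope."""
    return urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"},
    )
```

The access token is deliberately a parameter: obtain it from a credential that has been granted the https://www.googleapis.com/auth/cloud-platform scope (a service account or user credential via a Google auth library) and pass it in, so the request builder never holds long-lived secrets. The body uses the snake_case field names shown on this page; Google's protobuf JSON parsers accept both those names and their lowerCamelCase equivalents.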
RawLogResult
RawLogResult contains a single matching result, which is one of an unparsed raw log, a telemetry event, or an entity context event, together with the summary, id and log type of the log that produced it.
JSON representation:

{ "summary": string, "log_type": { object (
| Field | Description |
|---|---|
| summary | If the result is an unparsed log, a snippet of the raw log. If the result is a telemetry event or a context event, a description of the event. |
| log_type | Log type of the result. |

Union field. Exactly one of the following is set, according to the kind of result:

| Field | Description |
|---|---|
| event | Normalized UDM event from the raw log that matched the search query. |
| entity | Normalized entity context event from the raw log that matched the search query. |
| id | Raw log id, set when the result is an unparsed log. A base64-encoded string. |
EventTimeline
Timeline of results counts broken into buckets.
JSON representation:

{ "buckets": [ { object (
| Field | Description |
|---|---|
| buckets[] | Complete list of buckets covering the entire search window. Each bucket has a duration of bucket_size; the time window of each bucket is [inclusive, exclusive). |
| bucket_size | Duration of each timeline bucket. A duration in seconds with up to nine fractional digits, ending with 's'. |
EventTimelineBucket
Represents a single time bucket containing number of parsed, unparsed logs in baseline and filtered results.
JSON representation:

```json
{
  "baseline_parsed_log_count": integer,
  "parsed_log_count": integer,
  "baseline_unparsed_log_count": integer,
  "unparsed_log_count": integer,
  "too_many_events": boolean,
  "baseline_event_count": integer,
  "event_count": integer,
  "baseline_entity_count": integer,
  "entity_count": integer
}
```
| Field | Description |
|---|---|
| baseline_parsed_log_count | Number of parsed logs in the baseline results. |
| parsed_log_count | Number of parsed logs in the filtered results. |
| baseline_unparsed_log_count | Number of unparsed logs in the baseline results. |
| unparsed_log_count | Number of unparsed logs in the filtered results. |
| too_many_events | Indicates that the bucket has events that could not be displayed because of event limits. If the flag is true and the other counters are > 0, the limit was reached within this bucket and the results were truncated. If the counters are 0 and the flag is set, the bucket contains > 0 events that could not be fetched because the limit was reached by other buckets. |
| baseline_event_count | Number of events in the baseline results. |
| event_count | Number of events in the filtered results. |
| baseline_entity_count | Number of context events in the baseline results. |
| entity_count | Number of context events in the filtered results. |
Aggregations
Aggregations contains field aggregations for udm, entity, raw log, and grouped fields.
JSON representation:

{ "udm_field_aggregations": [ { object (
| Field | Description |
|---|---|
| udm_field_aggregations[] | List of UDM fields with aggregated values. |
| group_field_aggregations[] | List of grouped UDM fields with aggregated values. |
| entity_field_aggregations[] | List of entity fields with aggregated values. |
| raw_log_aggregations[] | List of raw log fields with aggregated values. |
FieldAggregation
All of the field values and their counts.
JSON representation:

{ "field": string, "baseline_count": integer, "count": integer, "too_many_values": boolean, "value_count": integer, "all_values": [ { object (
| Field | Description |
|---|---|
| field | Name of the field being aggregated. |
| baseline_count | Number of baseline results that have this field. |
| count | Number of filtered results that have this field. |
| too_many_values | True if there are too many values to return for this field. |
| value_count | Number of values with a non-zero result count for this field. |
| all_values[] | Populated with every value count if too_many_values is false. |
| top_values[] | Populated with the top N/2 value counts by prevalence if too_many_values is true, where N is max_aggregations_per_field. |
| bottom_values[] | Populated with the bottom N/2 value counts by prevalence if too_many_values is true, where N is max_aggregations_per_field. |
ValueCount
The number of times a particular field value appears in the results.
JSON representation:

{ "value": { object (
| Field | Description |
|---|---|
| value | Value of the field. |
| baseline_result_count | Number of events with this value in the baseline results. |
| result_count | Number of events with this value in the filtered results. |
FieldValue
The value of a field.
JSON representation:

{ // Union field
Union field value. The value of the field. value can be only one of the following:

| Field | Description |
|---|---|
| string_value | The value of a string field. |
| int32_value | The value of a 32-bit integer field. |
| uint32_value | The value of a 32-bit unsigned integer field. |
| int64_value | The value of a 64-bit integer field. |
| uint64_value | The value of a 64-bit unsigned integer field. |
| float_value | The value of a single-precision floating-point field. |
| double_value | The value of a double-precision floating-point field. |
| enum_value | The value of an enum field. |
| bool_value | The value of a boolean field. |
| bytes_value | The value of a bytes field. A base64-encoded string. |
| is_null | If true, the value is NULL. |
| timestamp_value | The value of a timestamp field. A timestamp in RFC 3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z". |
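As an added example (not Google's code), the following Python reads a searchRawLogs response using the structures documented above: it determines which RawLogResult member is set, applies the two-case semantics of too_many_events on EventTimelineBucket, picks all_values or top_values plus bottom_values from a FieldAggregation according to too_many_values, unwraps the FieldValue union, and uses progress and next_page_token to decide whether the search is finished. SAMPLE_RESPONSE is constructed to exercise those edge cases and is not captured API output; the UDM field names in it are illustrative.

```python
"""Interpret a searchRawLogs response: match kinds, timeline truncation and aggregations.

Added example, not Google's code. SAMPLE_RESPONSE is constructed to exercise the
documented edge cases; it is not captured API output.
"""
from typing import Any, Dict, List, Tuple

# EventTimelineBucket counters; too_many_events is interpreted together with their sum.
COUNTERS = (
    "baseline_parsed_log_count", "parsed_log_count", "baseline_unparsed_log_count",
    "unparsed_log_count", "baseline_event_count", "event_count",
    "baseline_entity_count", "entity_count",
)
# FieldValue union members. proto3 JSON carries 64-bit integers as decimal strings.
SCALAR_KEYS = (
    "string_value", "int32_value", "uint32_value", "int64_value", "uint64_value",
    "float_value", "double_value", "enum_value", "bool_value", "bytes_value", "timestamp_value",
)
INT64_KEYS = ("int64_value", "uint64_value")


def match_kind(match: Dict[str, Any]) -> str:
    """Which RawLogResult member is set: 'event', 'entity' or 'raw' (unparsed log, keyed by id)."""
    for key in ("event", "entity"):
        if key in match:
            return key
    if "id" in match:
        return "raw"
    raise ValueError("RawLogResult carries neither event, entity nor id")


def field_value_scalar(fv: Dict[str, Any]) -> Any:
    """Unwrap a FieldValue union into a Python scalar (None when is_null is set)."""
    if fv.get("is_null"):
        return None
    present = [k for k in SCALAR_KEYS if k in fv]
    if len(present) != 1:
        raise ValueError(f"FieldValue must set exactly one member, got {present}")
    key = present[0]
    return int(fv[key]) if key in INT64_KEYS else fv[key]


def classify_bucket(bucket: Dict[str, Any]) -> str:
    """'complete'; 'truncated' (flag set, counters > 0); 'unfetched' (flag set, counters 0)."""
    if not bucket.get("too_many_events", False):
        return "complete"
    total = sum(int(bucket.get(k, 0)) for k in COUNTERS)
    return "truncated" if total > 0 else "unfetched"


def timeline_report(timeline: Dict[str, Any]) -> Tuple[List[Tuple[int, int, str]], bool]:
    """Per-bucket (index, filtered event_count, classification), plus whether any bucket lost data."""
    rows = [(i, int(b.get("event_count", 0)), classify_bucket(b))
            for i, b in enumerate(timeline.get("buckets", []))]
    return rows, any(cls != "complete" for _, _, cls in rows)


def aggregation_values(agg: Dict[str, Any]) -> Tuple[bool, List[Tuple[Any, int, int]]]:
    """Return (partial, [(value, result_count, baseline_result_count)]); partial = top/bottom only."""
    partial = bool(agg.get("too_many_values", False))
    entries = (list(agg.get("top_values", [])) + list(agg.get("bottom_values", []))
               if partial else list(agg.get("all_values", [])))
    rows = [(field_value_scalar(vc["value"]),
             int(vc.get("result_count", 0)), int(vc.get("baseline_result_count", 0)))
            for vc in entries]
    return partial, rows


def search_complete(resp: Dict[str, Any]) -> bool:
    """True once progress is 100 and next_page_token is empty, i.e. no further matches remain."""
    return int(resp.get("progress", 0)) >= 100 and not resp.get("next_page_token")


SAMPLE_RESPONSE: Dict[str, Any] = {  # constructed sample, not real API output
    "progress": 100,
    "next_page_token": "",
    "matches": [
        {"summary": "Login by alice from 10.0.0.5", "event": {"metadata": {"event_type": "USER_LOGIN"}}},
        {"summary": "<unparsed line>", "id": "cmF3LWxvZy0x"},
    ],
    "timeline": {
        "bucket_size": "3600s",
        "buckets": [
            {"baseline_event_count": 12, "event_count": 3},
            {"baseline_event_count": 500, "event_count": 500, "too_many_events": True},
            {"too_many_events": True},  # limit reached by other buckets; nothing fetched here
        ],
    },
    "aggregations": {"udm_field_aggregations": [
        {"field": "principal.user.userid", "baseline_count": 12, "count": 3, "value_count": 2,
         "all_values": [
             {"value": {"string_value": "alice"}, "baseline_result_count": 10, "result_count": 3},
             {"value": {"string_value": "bob"}, "baseline_result_count": 2, "result_count": 0},
         ]},
        {"field": "network.sent_bytes", "too_many_values": True, "value_count": 5000,
         "top_values": [{"value": {"int64_value": "1048576"}, "baseline_result_count": 40, "result_count": 9}],
         "bottom_values": [{"value": {"int64_value": "0"}, "baseline_result_count": 1, "result_count": 1}]},
    ]},
}
```

The bucket classification matters when the timeline feeds a detection or a report: a bucket marked unfetched has a zero event_count but is known to be non-empty, so treating the zero as "no activity" silently hides the gap. Likewise an aggregation with too_many_values set is a sample of the extremes, not the distribution, and should not be summed or ranked as if it were complete.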