Retrieve raw Python logs
Google recommends using the API endpoint
/api/external/v1/logging/python with specific filters to get only
the information that you need.
For full information on /api/external/v1/logging/python and other
API endpoints, refer to your localized Swagger documentation.
There are two types of filters available: SOAR specific and generic.
SOAR specific filters
-
labels.integration_name -
labels.integration_instance -
labels.integration_version -
labels.connector_name -
labels.connector_instance -
labels.action_name -
labels.job_name -
labels.correlation.id
Generic filters
Built-in log filters can be found in Build queries by using the Logging query language.
Examples for common filters
The following examples show you some common query filters for retrieving the information you need.
Integration version
To retrieve logs for a specific integration version, use the following filters together:
labels.integration_name=For example:"INTEGRATION_NAME"AND labels.integration_version="INTEGRATION_NUMBER"
labels.integration_name="Exchange" AND labels.integration_version="19"
Integration instance
To retrieve logs for a specific integration instance, use the following filter:
labels.integration_instance="INTEGRATION_NAME"
For example:labels.integration_instance="GoogleAlertCenter_1"
All connectors
To retrieve logs for all connectors, use the following filter with the regular expression:
labels.connector_name=~"^."
Specific connector
To retrieve logs for a specific connector, use the following filter:
labels.connector_name="CONNECTOR_NAME"
For example: labels.connector_name="Exchange Mail Connector v2 with Oauth Authentication"
All jobs
To retrieve logs for all jobs, use the following filter with the regular expression:
labels.job_name=~"^."
Specific job
To retrieve logs for a specific job, use the following filter:
labels.job_name="JOB_NAME"
For example: labels.job_name="Cases Collector"
All actions
To retrieve logs for all actions, use the following filter with the regular expression:
labels.action_name=~"^."
Specific action
To retrieve logs for a specific action, use the following filter:
labels.action_name="ACTION_NAME"
For example: labels.action_name="Enrich Entities"
Failed actions
To retrieve logs for a failed action, use the following filters together:
labels.action_name="ACTION_NAME" AND SEARCH("Result Value: False")
For example: labels.action_name="Enrich Entities" AND SEARCH("Result Value: False")
Case sensitive search
To retrieve logs for a case sensitive search result, use the following filter:
SEARCH("FREE_TEXT")
For example: SEARCH("Find my CASE SensiTive stRing")
Specific message text
To retrieve logs for a specific message, use the following filter:
textPayload=~"FREE_TEXT"
For example: textPayload=~"Invalid JSON payload"
Siemplify Cases Collector job
To retrieve logs for cases collector errors, use the following filters together:
textPayload=~(\".*----Cases Collector DB started---*\") AND severity>="Error"
Server errors
To retrieve logs for server errors, use the following filter:
textPayload=~"Internal Server Error"
Correlation ID
To retrieve logs for a correlation ID, use the following filter:
labels.correlation_id="CORRELATION_ID"
For example: labels.correlation_id="e4a0b1f4afeb43e5ab89dafb5c815fa7"
Timestamp filter
You can retrieve logs using timestamps, using either RFC 3339 or ISO 8601 format. In query expressions, timestamps in RFC 3339 format can specify a timezone with Z or ±hh:mm. Timestamps are represented to nanosecond accuracy.
For more information, refer to Values and conversions.
To retrieve logs newer than a specific timestamp (UTC), use the following filter:
timestamp>="ISO_8601_format"
For example: timestamp>="2023-12-02T21:28:23.045Z"
To retrieve logs for a specific day, use the following filters together:
timestamp>=For example:"YYYY-MM-DD"AND timestamp<"YYYY-MM-DD"
timestamp>="2023-12-01" AND timestamp<"2023-12-03"