Retrieve raw Python logs
Google recommends using the API endpoint /api/external/v1/logging/python with specific filters to get only the information that you need.
For full information on /api/external/v1/logging/python and other API endpoints, refer to your localized Swagger documentation.
There are two types of filters available: SOAR specific and generic.
SOAR specific filters
- labels.integration_name
- labels.integration_instance
- labels.integration_version
- labels.connector_name
- labels.connector_instance
- labels.action_name
- labels.job_name
- labels.correlation.id
Generic filters
Built-in log filters are described in Build queries by using the Logging query language.
Examples for common filters
The following examples show you some common query filters for retrieving the information you need.
Integration version
To retrieve logs for a specific integration version, use the following filters together:
labels.integration_name="INTEGRATION_NAME" AND labels.integration_version="INTEGRATION_VERSION"
For example:
labels.integration_name="Exchange" AND labels.integration_version="19"
Integration instance
To retrieve logs for a specific integration instance, use the following filter:
labels.integration_instance="INTEGRATION_INSTANCE"
For example:
labels.integration_instance="GoogleAlertCenter_1"
All connectors
To retrieve logs for all connectors, use the following regular expression filter (the =~ operator matches the field against a regular expression, and ^. matches any non-empty value):
labels.connector_name=~"^."
Specific connector
To retrieve logs for a specific connector, use the following filter:
labels.connector_name="CONNECTOR_NAME"
For example:
labels.connector_name="Exchange Mail Connector v2 with Oauth Authentication"
All jobs
To retrieve logs for all jobs, use the following regular expression filter:
labels.job_name=~"^."
Specific job
To retrieve logs for a specific job, use the following filter:
labels.job_name="JOB_NAME"
For example:
labels.job_name="Cases Collector"
All actions
To retrieve logs for all actions, use the following regular expression filter:
labels.action_name=~"^."
Specific action
To retrieve logs for a specific action, use the following filter:
labels.action_name="ACTION_NAME"
For example:
labels.action_name="Enrich Entities"
Failed actions
To retrieve logs for a failed action, use the following filters together:
labels.action_name="ACTION_NAME" AND SEARCH("Result Value: False")
For example:
labels.action_name="Enrich Entities" AND SEARCH("Result Value: False")
Case-sensitive search
SEARCH() is case-insensitive by default. To make the search case-sensitive, enclose the search text in backticks inside the quotes:
SEARCH("`FREE_TEXT`")
For example:
SEARCH("`Find my CASE SensiTive stRing`")
Specific message text
To retrieve logs for a specific message, use the following filter:
textPayload=~"FREE_TEXT"
For example:
textPayload=~"Invalid JSON payload"
Siemplify Cases Collector job
To retrieve logs for Cases Collector errors, use the following filters together (the regular expression matches the message anywhere in the payload, and the severity comparison keeps only entries at ERROR or above):
textPayload=~".*----Cases Collector DB started---.*" AND severity>=ERROR
Server errors
To retrieve logs for server errors, use the following filter:
textPayload=~"Internal Server Error"
Correlation ID
To retrieve logs for a correlation ID, use the following filter:
labels.correlation_id="CORRELATION_ID"
For example:
labels.correlation_id="e4a0b1f4afeb43e5ab89dafb5c815fa7"
Timestamp filter
You can retrieve logs using timestamps in either RFC 3339 or ISO 8601 format. In query expressions, timestamps in RFC 3339 format can specify a timezone with Z or ±hh:mm; a date without a time or timezone is treated as midnight UTC. Timestamps are represented to nanosecond accuracy.
For more information, refer to Values and conversions.
To retrieve logs newer than a specific timestamp (UTC), use the following filter:
timestamp>="ISO_8601_format"
For example:
timestamp>="2023-12-02T21:28:23.045Z"
To retrieve logs for a specific day, use the following filters together (the lower bound is inclusive and the upper bound is exclusive, so the range covers exactly one day):
timestamp>="YYYY-MM-DD" AND timestamp<"YYYY-MM-DD"
For example:
timestamp>="2023-12-01" AND timestamp<"2023-12-03"
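The filters above are plain strings, which is convenient until an action name, connector name or free-text value comes from user input: an unescaped double quote inside a value terminates the string and lets the caller append clauses of their own (for example widening a search to severity>=ERROR across every integration). The following Python is an added example, not code from the page or from Google; it builds each kind of filter shown on this page (equality, =~ regular expression, SEARCH with and without backticks, severity and timestamp bounds) with the value properly quoted, and pairs every filter string with a local predicate so the same query can be checked against a handful of constructed log entries before it is sent to /api/external/v1/logging/python. The log entries, the SEARCH approximation (a substring test over the whole entry) and the severity ordering are assumptions made for the example; the request format of the endpoint itself is not shown here because the page refers to the Swagger documentation for it.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, List

# Constructed log entries shaped like the fields the page's filters address (not real data).
SAMPLE_LOGS = [
    {"labels": {"integration_name": "Exchange", "integration_version": "19",
                "action_name": "Enrich Entities"},
     "textPayload": "Result Value: False", "severity": "ERROR",
     "timestamp": "2023-12-02T21:28:23.045Z"},
    {"labels": {"integration_name": "Exchange", "integration_version": "18",
                "action_name": "Enrich Entities"},
     "textPayload": "Result Value: True", "severity": "INFO",
     "timestamp": "2023-12-01T08:00:00Z"},
    {"labels": {"connector_name": "Exchange Mail Connector v2 with Oauth Authentication"},
     "textPayload": "Invalid JSON payload", "severity": "WARNING",
     "timestamp": "2023-12-03T00:00:00Z"},
    {"labels": {"job_name": "Cases Collector"},
     "textPayload": "----Cases Collector DB started---", "severity": "ERROR",
     "timestamp": "2023-11-30T23:59:59Z"},
]

# Assumed severity ranking for the >= comparison (lowest to highest).
SEVERITY_ORDER = ["DEFAULT", "DEBUG", "INFO", "NOTICE", "WARNING",
                  "ERROR", "CRITICAL", "ALERT", "EMERGENCY"]


def _quote(value: str) -> str:
    """Quote a filter literal, escaping backslashes and double quotes so a value
    taken from user input cannot close the string and inject extra clauses."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _get(entry: dict, field: str) -> Any:
    """Resolve a dotted field such as labels.action_name; missing fields yield None."""
    cur: Any = entry
    for part in field.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _ts(value: str) -> datetime:
    """Parse RFC 3339 / ISO 8601 ('Z' or an offset); a bare date means midnight UTC."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


class Filter:
    """A filter string plus a predicate applying the same test to one local entry."""
    def __init__(self, text: str, test: Callable[[dict], bool]):
        self.text, self.test = text, test

    def __and__(self, other: "Filter") -> "Filter":
        return Filter(f"{self.text} AND {other.text}",
                      lambda e: self.test(e) and other.test(e))

    def run(self, entries: List[dict]) -> List[dict]:
        return [e for e in entries if self.test(e)]


def eq(field: str, value: str) -> Filter:
    """Exact match, e.g. labels.action_name="Enrich Entities"."""
    return Filter(f"{field}={_quote(value)}", lambda e: _get(e, field) == value)


def regex(field: str, pattern: str) -> Filter:
    """=~ takes a regular expression; pass re.escape(text) to match literal text."""
    rx = re.compile(pattern)
    def test(e: dict) -> bool:
        v = _get(e, field)
        return isinstance(v, str) and rx.search(v) is not None
    return Filter(f"{field}=~{_quote(pattern)}", test)


def search(text: str, case_sensitive: bool = False) -> Filter:
    """SEARCH() over the whole entry; backticks make it case-sensitive.
    Local approximation: a substring test over the entry's string form."""
    inner = f"`{text}`" if case_sensitive else text
    def test(e: dict) -> bool:
        blob = str(e)
        return text in blob if case_sensitive else text.lower() in blob.lower()
    return Filter(f"SEARCH({_quote(inner)})", test)


def severity_at_least(level: str) -> Filter:
    rank = SEVERITY_ORDER.index(level)
    return Filter(f"severity>={level}",
                  lambda e: SEVERITY_ORDER.index(e.get("severity", "DEFAULT")) >= rank)


def timestamp_from(value: str) -> Filter:
    lo = _ts(value)
    return Filter(f'timestamp>="{value}"', lambda e: _ts(e["timestamp"]) >= lo)


def timestamp_before(value: str) -> Filter:
    hi = _ts(value)
    return Filter(f'timestamp<"{value}"', lambda e: _ts(e["timestamp"]) < hi)


def on_day(day: str) -> Filter:
    """Inclusive lower bound at midnight UTC, exclusive upper bound at the next midnight."""
    nxt = (datetime.fromisoformat(day) + timedelta(days=1)).date().isoformat()
    return timestamp_from(day) & timestamp_before(nxt)


if __name__ == "__main__":
    failed = eq("labels.action_name", "Enrich Entities") & search("Result Value: False")
    print(failed.text, "->", len(failed.run(SAMPLE_LOGS)), "entries")
    print(eq("labels.action_name", 'x" OR severity>=ERROR').text)  # injection attempt stays quoted
```

Use the .text of a Filter as the value you send with the API request, and .run() only as a local sanity check on what the expression is meant to select; the service is authoritative for SEARCH tokenisation and field semantics.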