You can use Google Security Operations to search the raw logs in your
Google SecOps account and get relevant context with related events and
entities.
Raw log searches show you the correlation between raw events and the
UDM events generated using those raw logs. A raw log search helps you to
understand how log fields are parsed and normalized and helps you to investigate
any gaps in the normalization process.
After you complete a raw log search, each matching raw log line is replaced with
the events and entities contained in the log line. The number of events and
entities extracted from each log line is limited to a maximum of 10.
To perform a raw log search, follow these steps:
Go to Investigation > SIEM Search.
In the search field, add the prefix raw = to your search and
enclose your search term in quotation marks (for example, raw =
"example.com").
Select the raw log search from the menu option. Google SecOps finds the
associated raw logs, UDM events, and associated entities. You can also run
the same search (raw = "example.com") from the UDM Search page.
You can use the same quick filters used to refine UDM search results. Select the
filter you want to apply to the raw log results to refine them further.
Optimize raw log queries
Raw log searches are typically slower than UDM searches. To improve your search
performance, limit the amount of data you conduct your query over by changing
the search settings:
Time range selector: Limits the time range of the data over which you run
your query.
Log Source selector: Limits your raw log search to only the logs from
specific sources, as opposed to all of your log sources. From the Log
sources menu, select one or more log sources (the default is
all).
Regular expressions: Use a regular expression. For example, raw =
/goo\w{3}.com/
would match against google.com, goodle.com,
goog1e.com to further
limit the scope of your raw log search.
Trend over time
Use the trend graph to understand the distribution of raw logs over the time of
your search. You can apply filters on the graph to look for parsed logs and
raw logs.
Raw log results
When you run a raw log search, the results are a combination of UDM events and
entities generated by the raw logs that match your searches, along with the
raw logs. You can explore the search results further by clicking any of the
results:
UDM event or entity: If you click a UDM event or entity, Google SecOps
shows any related events and entities, along with the raw log associated
with that item.
Raw log: If you click a raw log, Google SecOps shows
you the entire raw log line, along with the source for that log.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eRaw log searches in Google Security Operations allow users to examine raw logs and their correlation with UDM events and entities, aiding in understanding log normalization and identifying gaps.\u003c/p\u003e\n"],["\u003cp\u003eUsers can perform raw log searches by adding the prefix \u003ccode\u003eraw =\u003c/code\u003e to their search terms in the SIEM Search, or the UDM Search page, enclosed within quotation marks.\u003c/p\u003e\n"],["\u003cp\u003eTo optimize performance, users can limit the scope of raw log searches by adjusting the time range, selecting specific log sources, or using regular expressions.\u003c/p\u003e\n"],["\u003cp\u003eThe results of a raw log search display UDM events, entities, and the raw logs, which can be explored further to view related data or the complete log line and its source.\u003c/p\u003e\n"],["\u003cp\u003eThe number of events and entities extracted from each log line is limited to a maximum of 10.\u003c/p\u003e\n"]]],[],null,["Conduct a raw log search \nSupported in: \nGoogle secops [SIEM](/chronicle/docs/secops/google-secops-siem-toc)\n| **Note:** This feature is covered by [Pre-GA Offerings Terms](https://chronicle.security/legal/service-terms/) of the Google Security Operations Service Specific Terms. Pre-GA features might have limited support, and changes to pre-GA features might not be compatible with other pre-GA versions. For more information, see the [Google SecOps Technical Support Service guidelines](https://chronicle.security/legal/technical-support-services-guidelines/) and the [Google SecOps Service Specific Terms](https://chronicle.security/legal/service-terms/).\n\n\u003cbr /\u003e\n\n| **Note:** This feature is not available to all customers in all regions.\n\n\u003cbr /\u003e\n\nYou can use Google Security Operations to search the raw logs in your\nGoogle SecOps account and get relevant context with related events and\nentities.\n\nRaw log searches show you the correlation between raw events and the\nUDM events generated using those raw logs. A raw log search helps you to\nunderstand how log fields are parsed and normalized and helps you to investigate\nany gaps in the normalization process.\n\nAfter you complete a raw log search, each matching raw log line is replaced with\nthe events and entities contained in the log line. The number of events and\nentities extracted from each log line is limited to a maximum of 10.\n\nTo perform a raw log search, follow these steps:\n\n1. Go to **Investigation \\\u003e SIEM Search**.\n\n2. In the search field, add the prefix `raw = ` to your search and\n enclose your search term in quotation marks (for example, `raw =\n \"example.com\"`).\n\n3. Select the raw log search from the menu option. Google SecOps finds the\n associated raw logs, UDM events, and associated entities. You can also run\n the same search (raw = \"example.com\") from the UDM Search page.\n\nYou can use the same quick filters used to refine UDM search results. Select the\nfilter you want to apply to the raw log results to refine them further.\n\nOptimize raw log queries\n\nRaw log searches are typically slower than UDM searches. To improve your search\nperformance, limit the amount of data you conduct your query over by changing\nthe search settings:\n\n- Time range selector: Limits the time range of the data over which you run your query.\n- Log Source selector: Limits your raw log search to only the logs from specific sources, as opposed to all of your log sources. From the **Log\n sources** menu, select one or more log sources (the default is **all**).\n- Regular expressions: Use a regular expression. For example, `raw =\n /goo\\w{3}.com/` would match against `google.com`, `goodle.com`, `goog1e.com` to further limit the scope of your raw log search.\n\nTrend over time\n\nUse the trend graph to understand the distribution of raw logs over the time of\nyour search. You can apply filters on the graph to look for parsed logs and\nraw logs.\n\nRaw log results\n\nWhen you run a raw log search, the results are a combination of UDM events and\nentities generated by the raw logs that match your searches, along with the\nraw logs. You can explore the search results further by clicking any of the\nresults:\n\n- UDM event or entity: If you click a UDM event or entity, Google SecOps\n shows any related events and entities, along with the raw log associated\n with that item.\n\n- Raw log: If you click a raw log, Google SecOps shows\n you the entire raw log line, along with the source for that log.\n\n**Need more help?** [Get answers from Community members and Google SecOps professionals.](https://security.googlecloudcommunity.com/google-security-operations-2)"]]
