- HTTP request
- Path parameters
- Request body
- Response body
- Authorization scopes
- IAM Permissions
- FetchUdmSearchCsvFields
- CsvEntries
- FailureCsvFieldValidation
Full name: projects.locations.instances.legacy.legacyFetchUdmSearchCsv
Legacy endpoint for fetching csv rows for matching UDM search.
HTTP request
POST https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyFetchUdmSearchCsv
Path parameters
| Parameters | |
|---|---|
instance |
Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Request body
The request body contains data with the following structure:
| JSON representation |
|---|
{ "baseline_query": string, "snapshot_query": string, "baseline_time_range": { object ( |
| Fields | |
|---|---|
baseline_query |
Required. The baseline query to search for. |
snapshot_query |
The snapshot query to search for. |
baseline_time_range |
Required. The time range to search for [inclusive start time, exclusive end time). |
snapshot_time_range |
The time range to filter for [inclusive start time, exclusive end time). This time range must be completely within |
fields |
Required. The fields in UDM Event whose values need to be used to create the CSV File. |
case_insensitive |
If true, the search should be performed in a case-insensitive manner. This applies to both baseline and snapshot queries. |
skip_safe_download |
Optional. By default false. In this case the CSV having invalid fields will be downloaded.If true, the CSV will not be downloaded. |
Response body
Response with the CSV entries to append to file in UI along with progress.
If successful, the response body contains data with the following structure:
| JSON representation |
|---|
{ "progress": number, "too_many_events": boolean, "complete": boolean, "valid_baseline_query": boolean, "valid_snapshot_query": boolean, "query_validation_errors": [ { object ( |
| Fields | |
|---|---|
progress |
Progress of the query represented as a double between 0 and 1. |
too_many_events |
If true, there are too many events to return and some have been omitted. |
complete |
Streaming for this response is done. There will be no additional updates. |
valid_baseline_query |
Indicates whether the request baseline_query is a valid structured query or not. If not, |
valid_snapshot_query |
Indicates whether the request baseline and snapshot queries are valid. If not, |
query_validation_errors[] |
Parse error for the baseline_query and/or the snapshot_query. |
runtime_errors[] |
Runtime errors. |
csv |
List of CSV rows |
failure_csv_field_validations[] |
List of invalid CSV fields. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacyFetchUdmSearchCsv
For more information, see the IAM documentation.
FetchUdmSearchCsvFields
| JSON representation |
|---|
{ "fields": [ string ] } |
| Fields | |
|---|---|
fields[] |
|
CsvEntries
| JSON representation |
|---|
{ "row": [ string ], "timestamps": [ string ] } |
| Fields | |
|---|---|
row[] |
|
timestamps[] |
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
FailureCsvFieldValidation
| JSON representation |
|---|
{ "field": string } |
| Fields | |
|---|---|
field |
|