Method: legacy.legacyFetchUdmSearchCsv

Full name: projects.locations.instances.legacy.legacyFetchUdmSearchCsv

Legacy endpoint for fetching CSV rows for a matching UDM search.

HTTP request


Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation
{
  "baselineQuery": string,
  "snapshotQuery": string,
  "baselineTimeRange": {
    object (Interval)
  },
  "snapshotTimeRange": {
    object (Interval)
  },
  "fields": {
    object (FetchUdmSearchCsvFields)
  },
  "caseInsensitive": boolean,
  "skipSafeDownload": boolean,
  "queryType": enum (QueryType)
}
Fields
baselineQuery

string

Required. The baseline query to search for.

snapshotQuery

string

The snapshot query to search for.

baselineTimeRange

object (Interval)

Required. The time range to search for [inclusive start time, exclusive end time).

snapshotTimeRange

object (Interval)

The time range to filter for [inclusive start time, exclusive end time). This time range must be completely within baselineTimeRange. If not set, it is assumed to match baselineTimeRange.

fields

object (FetchUdmSearchCsvFields)

Required. The fields in UDM Event whose values need to be used to create the CSV File.

caseInsensitive

boolean

If true, the search should be performed in a case-insensitive manner. This applies to both baseline and snapshot queries.

skipSafeDownload

boolean

Optional. Defaults to false, in which case a CSV that contains invalid fields is still downloaded. If true, a CSV that contains invalid fields is not downloaded.

queryType

enum (QueryType)

Optional. The type of the query in the request.

Response body

Response carrying the CSV entries to append to the file in the UI, along with the query progress.

If successful, the response body contains data with the following structure:

JSON representation
{
  "progress": number,
  "tooManyEvents": boolean,
  "complete": boolean,
  "validBaselineQuery": boolean,
  "validSnapshotQuery": boolean,
  "queryValidationErrors": [
    {
      object (ErrorMessage)
    }
  ],
  "runtimeErrors": [
    {
      object (RuntimeError)
    }
  ],
  "csv": {
    object (CsvEntries)
  },
  "failureCsvFieldValidations": [
    {
      object (FailureCsvFieldValidation)
    }
  ]
}
Fields
progress

number

Progress of the query represented as a double between 0 and 1.

tooManyEvents

boolean

If true, there are too many events to return and some have been omitted.

complete

boolean

Streaming for this response is done. There will be no additional updates.

validBaselineQuery

boolean

Indicates whether the request baselineQuery is a valid structured query or not. If not, queryValidationErrors will include the parse error.

validSnapshotQuery

boolean

Indicates whether the request baseline and snapshot queries are valid. If not, queryValidationErrors will include the parse error.

queryValidationErrors[]

object (ErrorMessage)

Parse error for the baselineQuery and/or the snapshotQuery.

runtimeErrors[]

object (RuntimeError)

Runtime errors.

csv

object (CsvEntries)

List of CSV rows.

failureCsvFieldValidations[]

object (FailureCsvFieldValidation)

List of invalid CSV fields.
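The request body above and the streamed response below fit together as one client-side procedure: build a body whose snapshotTimeRange lies within baselineTimeRange, then fold the sequence of response messages into CSV rows while honouring validBaselineQuery, validSnapshotQuery, tooManyEvents, complete and failureCsvFieldValidations. The following Python is an added example and is not code from the Chronicle API reference or from any Google client library. It assumes that an Interval is serialized as {"startTime", "endTime"} in RFC 3339 (the page only names the type), that each string in csv.row is one CSV line, and that ErrorMessage and RuntimeError objects can be kept as opaque dicts; the HTTP call itself is left out, since the page does not give the request URL.

```python
"""Added example (not from the Chronicle API reference): build a
legacyFetchUdmSearchCsv request body and fold streamed responses into rows."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Iterable, List, Optional

VALID_QUERY_TYPES = ("UNKNOWN", "UDM_QUERY", "RAW_LOG_QUERY")


def _parse_rfc3339(ts: str) -> datetime:
    # datetime.fromisoformat() accepts a trailing "Z" only from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def snapshot_within_baseline(baseline: dict, snapshot: dict) -> bool:
    """True when [snapshot.start, snapshot.end) lies inside [baseline.start, baseline.end).
    Interval layout (startTime/endTime) is an assumption; the page only names the type."""
    b_start, b_end = (_parse_rfc3339(baseline[k]) for k in ("startTime", "endTime"))
    s_start, s_end = (_parse_rfc3339(snapshot[k]) for k in ("startTime", "endTime"))
    return b_start <= s_start < s_end <= b_end


def build_request(baseline_query: str, baseline_range: dict, csv_fields: List[str],
                  snapshot_query: str = "", snapshot_range: Optional[dict] = None,
                  case_insensitive: bool = False, skip_safe_download: bool = True,
                  query_type: str = "UDM_QUERY") -> dict:
    """Return the JSON body, enforcing the documented required fields and the
    constraint that snapshotTimeRange be completely within baselineTimeRange."""
    if not baseline_query or not csv_fields:
        raise ValueError("baselineQuery and fields are required")
    if query_type not in VALID_QUERY_TYPES:
        raise ValueError(f"unknown queryType {query_type!r}")
    if snapshot_range is not None and not snapshot_within_baseline(baseline_range, snapshot_range):
        raise ValueError("snapshotTimeRange must be completely within baselineTimeRange")
    body = {
        "baselineQuery": baseline_query,
        "baselineTimeRange": baseline_range,
        "fields": {"fields": list(csv_fields)},      # FetchUdmSearchCsvFields
        "caseInsensitive": case_insensitive,
        "skipSafeDownload": skip_safe_download,       # default-safe: refuse CSVs with invalid fields
        "queryType": query_type,
    }
    if snapshot_query:
        body["snapshotQuery"] = snapshot_query
    if snapshot_range is not None:
        body["snapshotTimeRange"] = snapshot_range
    return body


@dataclass
class CsvResult:
    rows: List[str] = field(default_factory=list)
    timestamps: List[str] = field(default_factory=list)
    progress: float = 0.0
    complete: bool = False
    too_many_events: bool = False
    validation_errors: list = field(default_factory=list)   # ErrorMessage objects, kept opaque
    runtime_errors: list = field(default_factory=list)      # RuntimeError objects, kept opaque
    invalid_fields: List[str] = field(default_factory=list)

    @property
    def safe_to_save(self) -> bool:
        """Only a complete stream with parsed queries and no invalid CSV field is written out."""
        return self.complete and not self.validation_errors and not self.invalid_fields


def fold_responses(messages: Iterable[dict]) -> CsvResult:
    """Fold streamed response messages into one CsvResult; rows are appended in
    arrival order and processing stops at the first message with complete == true."""
    result = CsvResult()
    for msg in messages:
        result.progress = msg.get("progress", result.progress)
        result.too_many_events |= bool(msg.get("tooManyEvents", False))
        # A missing flag is treated as valid; an explicit false carries parse errors.
        if not msg.get("validBaselineQuery", True) or not msg.get("validSnapshotQuery", True):
            result.validation_errors.extend(msg.get("queryValidationErrors", []))
        result.runtime_errors.extend(msg.get("runtimeErrors", []))
        csv = msg.get("csv") or {}                    # CsvEntries
        result.rows.extend(csv.get("row", []))
        result.timestamps.extend(csv.get("timestamps", []))
        result.invalid_fields.extend(v["field"] for v in msg.get("failureCsvFieldValidations", []))
        if msg.get("complete"):
            result.complete = True
            break
    return result


# Constructed sample stream (not captured from a real instance): two chunks, the
# second one marking completion, reporting omitted events and one invalid field.
SAMPLE_RESPONSES = [
    {"progress": 0.4, "complete": False, "validBaselineQuery": True, "validSnapshotQuery": True,
     "csv": {"row": ["198.51.100.7,host-a.example,ALLOW"], "timestamps": ["2024-05-01T10:00:00Z"]}},
    {"progress": 1.0, "complete": True, "tooManyEvents": True,
     "csv": {"row": ["198.51.100.9,host-b.example,BLOCK"], "timestamps": ["2024-05-01T10:00:05Z"]},
     "failureCsvFieldValidations": [{"field": "principal.hostnam"}]},
]

if __name__ == "__main__":
    body = build_request('metadata.event_type = "NETWORK_CONNECTION"',
                         {"startTime": "2024-05-01T00:00:00Z", "endTime": "2024-05-02T00:00:00Z"},
                         ["principal.ip", "principal.hostname", "security_result.action"])
    print(body)
    res = fold_responses(SAMPLE_RESPONSES)
    print(len(res.rows), "rows; safe_to_save =", res.safe_to_save, "; invalid:", res.invalid_fields)
```

The fold keeps going after a chunk with tooManyEvents because the page says rows were omitted, not that the stream ended; only complete terminates it. safe_to_save mirrors the default skipSafeDownload behaviour on the client side, so a CSV whose field list failed validation is never written to disk by mistake.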

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFetchUdmSearchCsv

For more information, see the IAM documentation.

FetchUdmSearchCsvFields

JSON representation
{
  "fields": [
    string
  ]
}
Fields
fields[]

string

QueryType

The type of the query in the request.

Enums
UNKNOWN The default query type. Denotes that the query type has not been set.
UDM_QUERY UDM query.
RAW_LOG_QUERY Raw log query.

CsvEntries

JSON representation
{
  "row": [
    string
  ],
  "timestamps": [
    string
  ]
}
Fields
row[]

string

timestamps[]

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

FailureCsvFieldValidation

JSON representation
{
  "field": string
}
Fields
field

string