- HTTP request
- Path parameters
- Request body
- Response body
- Authorization scopes
- IAM Permissions
- FetchUdmSearchCsvFields
- QueryType
- CsvEntries
- FailureCsvFieldValidation
- Try it!
Full name: projects.locations.instances.legacy.legacyFetchUdmSearchCsv
Legacy endpoint for fetching csv rows for matching UDM search.
HTTP request
Path parameters
| Parameters | |
|---|---|
instance |
Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance} |
Request body
The request body contains data with the following structure:
| JSON representation |
|---|
{ "baselineQuery": string, "snapshotQuery": string, "baselineTimeRange": { object ( |
| Fields | |
|---|---|
baselineQuery |
Required. The baseline query to search for. |
snapshotQuery |
The snapshot query to search for. |
baselineTimeRange |
Required. The time range to search for [inclusive start time, exclusive end time). |
snapshotTimeRange |
The time range to filter for [inclusive start time, exclusive end time). This time range must be completely within |
fields |
Required. The fields in UDM Event whose values need to be used to create the CSV File. |
caseInsensitive |
If true, the search should be performed in a case-insensitive manner. This applies to both baseline and snapshot queries. |
skipSafeDownload |
Optional. By default false. In this case the CSV having invalid fields will be downloaded.If true, the CSV will not be downloaded. |
queryType |
Optional. The type of the query in the request. |
Response body
Response with the CSV entries to append to file in UI along with progress.
If successful, the response body contains data with the following structure:
| JSON representation |
|---|
{ "progress": number, "tooManyEvents": boolean, "complete": boolean, "validBaselineQuery": boolean, "validSnapshotQuery": boolean, "queryValidationErrors": [ { object ( |
| Fields | |
|---|---|
progress |
Progress of the query represented as a double between 0 and 1. |
tooManyEvents |
If true, there are too many events to return and some have been omitted. |
complete |
Streaming for this response is done. There will be no additional updates. |
validBaselineQuery |
Indicates whether the request baselineQuery is a valid structured query or not. If not, |
validSnapshotQuery |
Indicates whether the request baseline and snapshot queries are valid. If not, |
queryValidationErrors[] |
Parse error for the baselineQuery and/or the snapshotQuery. |
runtimeErrors[] |
Runtime errors. |
csv |
List of CSV rows |
failureCsvFieldValidations[] |
List of invalid CSV fields. |
Authorization scopes
Requires the following OAuth scope:
https://www.googleapis.com/auth/cloud-platform
For more information, see the Authentication Overview.
IAM Permissions
Requires the following IAM permission on the instance resource:
chronicle.legacies.legacyFetchUdmSearchCsv
For more information, see the IAM documentation.
FetchUdmSearchCsvFields
| JSON representation |
|---|
{ "fields": [ string ] } |
| Fields | |
|---|---|
fields[] |
|
QueryType
The type of the query in the request.
| Enums | |
|---|---|
UNKNOWN |
The default query type. Denotes that the query is not being set. |
UDM_QUERY |
UDM query. |
RAW_LOG_QUERY |
Raw log query. |
CsvEntries
| JSON representation |
|---|
{ "row": [ string ], "timestamps": [ string ] } |
| Fields | |
|---|---|
row[] |
|
timestamps[] |
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
FailureCsvFieldValidation
| JSON representation |
|---|
{ "field": string } |
| Fields | |
|---|---|
field |
|