Method: legacy.legacyFetchUdmSearchView

Full name: projects.locations.instances.legacy.legacyFetchUdmSearchView

Legacy endpoint for fetching events, filters, and histograms matching UDM search.

HTTP request


Path parameters

Parameters
instance

string

Required. The name of the parent resource, which is the SecOps instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Request body

The request body contains data with the following structure:

JSON representation 
{
  "baselineQuery": string,
  "snapshotQuery": string,
  "baselineTimeRange": {
    object (Interval)
  },
  "snapshotTimeRange": {
    object (Interval)
  },
  "eventList": {
    object (UdmEventListOptions)
  },
  "timeline": {
    object (EventCountTimelineOptions)
  },
  "fieldAggregations": {
    object (UdmFieldAggregationsOptions)
  },
  "caseInsensitive": boolean,
  "generateAiOverview": boolean,
  "returnOperationIdOnly": boolean,
  "detectionOptions": {
    object (DetectionOptions)
  },
  "statsFunctionParameter": {
    object (FunctionParameter)
  },
  "draftDataAccessScope": {
    object (DataAccessScope)
  },
  "prevalence": {
    object (UdmPrevalenceOptions)
  },
  "enablePocFastPath": boolean,
  "federationMetadata": {
    object (FederationMetadata)
  }
}
Fields
baselineQuery

string

Required. Boolean query to search for events. You can refer to https://cloud.google.com/chronicle/docs/investigation/udm-search for the query syntax. Example: 'ip=/172.*/ AND metadata.event_type!="NETWORK_CONNECTION" AND ( target.ip = "3.225.179.73" OR target.ip = "23.47.48.70")'
snapshotQuery

string

Query applied to the baseline query's events. In other words, this query is applied to the Snapshot produced from the baseline query. The snapshotQuery has the same syntax as baselineQuery and is implicitly ANDed with baselineQuery to produce events.
baselineTimeRange

object (Interval)

Required. Required, the time range to search for [inclusive start time, exclusive end time).
snapshotTimeRange

object (Interval)

The time range to filter for [inclusive start time, exclusive end time). This time range must be completely within baselineTimeRange. If not set, it is assumed to match baselineTimeRange.
eventList

object (UdmEventListOptions)

Parameters for the Events that will be streamed back.
timeline

object (EventCountTimelineOptions)

Parameters for the EventCountTimeline that will be streamed back.
fieldAggregations

object (UdmFieldAggregationsOptions)

Parameters for the Aggregated UDM fields that will be streamed back.
caseInsensitive

boolean

If true, the search should be performed in a case-insensitive manner.
generateAiOverview

boolean

Optional. If true, generate AI overview for the search results.
returnOperationIdOnly

boolean

Optional. If this field is set to true, the response will only contain the operation resource name. The actual search results (events) will be streamed back when the client invokes the streamSearchOperation method using this operation resource name.
detectionOptions

object (DetectionOptions)

Fetch alerts/detections relevant to the search result.
statsFunctionParameter

object (FunctionParameter)

The request to apply statistical function on filtered data.
draftDataAccessScope

object (DataAccessScope)

Data access scope used to filter events. This is intended to be used by admins to preview in-development scopes. Should only be called by users with global access. If the caller does not have global access, the request will fail.
prevalence

object (UdmPrevalenceOptions)

Parameters to get prevalence counts on Events returned by UDM Search
enablePocFastPath

boolean

If true, search will limit maxBaselineResults to 30K events and remove time-order guarantee (i.e., results may not be the most-recent events in baseline query time range). In this mode, replayed search queries are not guaranteed to yield the same results each time. This option is for poc use-cases only.
federationMetadata

object (FederationMetadata)

Optional. Federation metadata for the request. If this field is populated, it implied this is a federated search.

Response body

Depending on the parameters in ListUdmEventsV3Request, stream back some combination of UDM Events, EventCountTimeline, and UdmFieldAggregations.

If successful, the response body contains data with the following structure:

JSON representation 
{
  "operation": string,
  "progress": number,
  "tooManyEvents": boolean,
  "tooLargeResponse": boolean,
  "complete": boolean,
  "validBaselineQuery": boolean,
  "baselineEventsCount": integer,
  "validSnapshotQuery": boolean,
  "queryValidationErrors": [
    {
      object (ErrorMessage)
    }
  ],
  "runtimeErrors": [
    {
      object (RuntimeError)
    }
  ],
  "filteredEventsCount": integer,
  "statsFunctionParameterValidationErrorMessage": string,
  "prevalence": {
    object (UdmPrevalenceResponse)
  },
  "stats": {
    object (Stats)
  },
  "dataSources": [
    enum (SearchDataSource)
  ],
  "aiOverview": {
    object (AIOverview)
  },
  "selectedFields": [
    string
  ],
  "unselectedFields": [
    string
  ],
  "events": {
    object (UdmEventList)
  },
  "timeline": {
    object (EventCountTimeline)
  },
  "fieldAggregations": {
    object (UdmFieldAggregations)
  },
  "udmEntityFieldAggregations": {
    object (UdmFieldAggregations)
  },
  "entityContextTypeFieldAggregations": {
    object (UdmFieldAggregations)
  },
  "groupedFieldAggregations": {
    object (UdmFieldAggregations)
  },
  "datatableAggregations": {
    object (UdmFieldAggregations)
  },
  "detections": {
    object (Detections)
  },
  "statsFunctionResponse": {
    object (FunctionResponse)
  },
  "activityTimeline": {
    object (EventCountTimeline)
  }
}
Fields
operation

string

The name of the operation resource representing the UDM Search operation. This can be passed to StreamSearchOperation to fetch stored results or stream the results of an in-progress operation.

The metadata type of the operation is UdmSearchMetadata. The response type is LegacyFetchUdmSearchViewResponse.

Format: projects/{project}/locations/{location}/instances/{instance}/operations/{operation}
progress

number

Progress of the query represented as a double between 0 and 1.
tooManyEvents

boolean

If true, there are too many events to return and some have been omitted.
tooLargeResponse

boolean

If true, the response to be returned to the UI is too large and some events have been omitted.
complete

boolean

Streaming for this response is done. There will be no additional updates.
validBaselineQuery

boolean

Indicates whether the request baselineQuery is a valid structured query or not. If not, queryValidationErrors will include the parse error.
baselineEventsCount

integer

The number of events in the baseline query.
validSnapshotQuery

boolean

Indicates whether the request baseline and snapshot queries are valid. If not, queryValidationErrors will include the parse error.
queryValidationErrors[]

object (ErrorMessage)

Parse error for the baselineQuery and/or the snapshotQuery.
runtimeErrors[]

object (RuntimeError)

Runtime errors.
filteredEventsCount

integer

The number of events in the snapshot that match the snapshotQuery. This is <= baselineEventsCount. If the snapshot query is empty this will be equivalent to baselineEventsCount.
statsFunctionParameterValidationErrorMessage

string

If the request's statsFunctionParameter` is invalid, this field will contain the detailed error message.
prevalence

object (UdmPrevalenceResponse)

Prevalence results on Events returned by UDM Search
stats

object (Stats)

Stats results when the query is for statistics
dataSources[]

enum (SearchDataSource)

Datasource of the query and results in case of a statistics query
aiOverview

object (AIOverview)

AI generated overview for the search results. Only populated if the AI features are enabled for the customer and generateAiOverview is set to true in the request.
selectedFields[]

string

Fields and variables that have been selected in the query.
unselectedFields[]

string

Fields and variables that have been unselected / excluded in the query.
events

object (UdmEventList)

List of UDM events. NOTE: After complete is set to true, the UdmEventList message will be omitted from the response. The latest message should be used as reference. If the UdmEventList message is returned again, then it should replace the previous value.
timeline

object (EventCountTimeline)

Timeline of event counts broken into buckets.
fieldAggregations

object (UdmFieldAggregations)

List of UDM fields with aggregated values.
udmEntityFieldAggregations

object (UdmFieldAggregations)

List of Entity fields with aggregated values.
entityContextTypeFieldAggregations

object (UdmFieldAggregations)

List of Entity fields aggregated by context type.
groupedFieldAggregations

object (UdmFieldAggregations)

List of grouped fields with aggregated values.
datatableAggregations

object (UdmFieldAggregations)

List of datatable fields with aggregated column values.
detections

object (Detections)

List of relevant detections, if detectionList.max_returned_detections was set.
statsFunctionResponse

object (FunctionResponse)

Result for statistical function.
activityTimeline

object (EventCountTimeline)

Timeline of event counts broken into hourly/daily buckets to identify activity.

Authorization scopes

Requires the following OAuth scope:

  • https://www.googleapis.com/auth/cloud-platform

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.legacies.legacyFetchUdmSearchView

For more information, see the IAM documentation.

UdmEventListOptions

JSON representation 
{
  "maxReturnedEvents": integer
}
Fields
maxReturnedEvents

integer

EventCountTimelineOptions

This type has no fields.

UdmFieldAggregationsOptions

JSON representation 
{
  "maxValuesPerField": integer
}
Fields
maxValuesPerField

integer

DetectionOptions

JSON representation 
{
  "snapshotQuery": string,
  "detectionList": {
    object (DetectionListOptions)
  },
  "fieldAggregations": {
    object (UdmFieldAggregationsOptions)
  },
  "fetchNonAlertingDetections": boolean
}
Fields
snapshotQuery

string
detectionList

object (DetectionListOptions)
fieldAggregations

object (UdmFieldAggregationsOptions)
fetchNonAlertingDetections

boolean

DetectionListOptions

JSON representation 
{
  "maxReturnedDetections": integer
}
Fields
maxReturnedDetections

integer

FunctionParameter

JSON representation 
{
  "groupedFields": [
    {
      object (GroupByField)
    }
  ],
  "selectedFields": [
    {
      object (SelectedField)
    }
  ],
  "orders": [
    {
      object (OrderBy)
    }
  ],
  "maxReturnedRows": integer
}
Fields
groupedFields[]

object (GroupByField)
selectedFields[]

object (SelectedField)
orders[]

object (OrderBy)
maxReturnedRows

integer (uint32 format)

GroupByField

JSON representation 
{
  "udmFieldPath": string,
  "toLowerCase": boolean,

  // Union field transformation can be only one of the following:
  "resolutionInNanoSeconds": string,
  "cidrPrefixLengthInBits": integer,
  "topNLevelDomain": integer,
  "getRegisteredDomain": boolean
  // End of list of possible types for union field transformation.
}
Fields
udmFieldPath

string
toLowerCase

boolean

Union field transformation.

transformation can be only one of the following:
resolutionInNanoSeconds

string
cidrPrefixLengthInBits

integer (uint32 format)
topNLevelDomain

integer (uint32 format)
getRegisteredDomain

boolean

SelectedField

JSON representation 
{
  "udmFieldPath": string,
  "functionType": enum (FunctionType),
  "percentile": number
}
Fields
udmFieldPath

string
functionType

enum (FunctionType)
percentile

number

FunctionType

Enums
FUNCTION_TYPE_UNSPECIFIED
FUNCTION_TYPE_SUM
FUNCTION_TYPE_COUNT
FUNCTION_TYPE_COUNT_DISTINCT
FUNCTION_TYPE_AVERAGE
FUNCTION_TYPE_STDDEV
FUNCTION_TYPE_MIN
FUNCTION_TYPE_MAX

OrderBy

JSON representation 
{
  "fieldIndex": integer,
  "isDescendingOrder": boolean
}
Fields
fieldIndex

integer (uint32 format)
isDescendingOrder

boolean

UdmPrevalenceOptions

JSON representation 
{
  "getPrevalence": boolean,
  "bucketSize": {
    object (UdmSearchAggregationBucketFunction)
  }
}
Fields
getPrevalence

boolean
bucketSize

object (UdmSearchAggregationBucketFunction)

UdmSearchAggregationBucketFunction

JSON representation 
{
  "resolutionInSeconds": integer
}
Fields
resolutionInSeconds

integer

FederationMetadata

Federation metadata definition. UI will use this to provide information about the instance and instance groups on which federated search is to be performed.

JSON representation 
{
  "instances": [
    {
      object (InstanceSelection)
    }
  ],
  "federationGroups": [
    {
      object (FederationGroupSelection)
    }
  ]
}
Fields
instances[]

object (InstanceSelection)

Optional. List of instances on which federated search request is being made.
federationGroups[]

object (FederationGroupSelection)

Optional. List of instance groups on which federated search request is being made.

InstanceSelection

Chronicle instance on which federated search request is being made.

JSON representation 
{
  "instance": string
}
Fields
instance

string

Required. Chronicle instance name on which federated search request is being made. Format: projects/{project}/locations/{location}/instances/{instance}

FederationGroupSelection

Chronicle federation group on which federated search request is being made.

JSON representation 
{
  "federationGroup": string
}
Fields
federationGroup

string

Optional. Resource name of the Federation Group. Format: projects/{project}/locations/{location}/instances/{instance}/federationGroups/{federationGroup}

UdmEventList

JSON representation 
{
  "events": [
    {
      object (UdmEventInfo)
    }
  ],
  "columnNames": {
    object (ColumnNames)
  },
  "progress": number,
  "tooManyEvents": boolean,
  "complete": boolean,
  "datatableInfo": [
    {
      object (SearchDataTableInfo)
    }
  ],
  "rows": [
    {
      object (ResultRow)
    }
  ]
}
Fields
events[]

object (UdmEventInfo)
columnNames

object (ColumnNames)
progress

number
tooManyEvents

boolean
complete

boolean
datatableInfo[]

object (SearchDataTableInfo)
rows[]

object (ResultRow)

ColumnNames

JSON representation 
{
  "names": [
    string
  ]
}
Fields
names[]

string

SearchDataTableInfo

JSON representation 
{
  "dataTable": string,
  "columnInfo": [
    {
      object (SearchDataTableColumnInfo)
    }
  ]
}
Fields
dataTable

string
columnInfo[]

object (SearchDataTableColumnInfo)

SearchDataTableColumnInfo

JSON representation 
{
  "originalColumn": string,
  "isDefault": boolean
}
Fields
originalColumn

string
isDefault

boolean

ResultRow

JSON representation 
{
  "outcomes": [
    {
      object (UdmColumnType)
    }
  ],

  // Union field result can be only one of the following:
  "event": {
    object (EventRecord)
  },
  "entity": {
    object (EntityContextRecord)
  },
  "join": {
    object (JoinRecord)
  }
  // End of list of possible types for union field result.
}
Fields
outcomes[]

object (UdmColumnType)

Union field result.

result can be only one of the following:
event

object (EventRecord)
entity

object (EntityContextRecord)
join

object (JoinRecord)

EventRecord

JSON representation 
{
  "event": {
    object (UDM)
  },
  "eventLogToken": string,
  "alertNumber": integer,
  "alertViewId": string,
  "annotations": [
    enum (Annotation)
  ],
  "detections": [
    {
      object (Collection)
    }
  ],
  "table": string,
  "tenantId": string
}
Fields
event

object (UDM)
eventLogToken

string
alertNumber

integer
alertViewId

string (bytes format)

A base64-encoded string.
annotations[]

enum (Annotation)
detections[]

object (Collection)
table

string
tenantId

string

Optional.

Annotation

Enums
ANNOTATION_UNSPECIFIED
ANNOTATION_ALERT

EntityContextRecord

JSON representation 
{
  "entity": {
    object (Entity)
  },
  "eventLogToken": string,
  "timed": boolean,
  "connectedComponentLabel": string,
  "detections": [
    {
      object (Collection)
    }
  ],
  "table": string,
  "tenantId": string
}
Fields
entity

object (Entity)
eventLogToken

string
timed

boolean
connectedComponentLabel

string (bytes format)

Optional.

A base64-encoded string.
detections[]

object (Collection)
table

string
tenantId

string

Optional.

JoinRecord

JSON representation 
{
  "events": [
    {
      object (EventRecord)
    }
  ],
  "entities": [
    {
      object (EntityContextRecord)
    }
  ]
}
Fields
events[]

object (EventRecord)
entities[]

object (EntityContextRecord)

EventCountTimeline

JSON representation 
{
  "buckets": [
    {
      object (EventCountTimelineBucket)
    }
  ],
  "sizeOfBucketMs": string
}
Fields
buckets[]

object (EventCountTimelineBucket)
sizeOfBucketMs

string (int64 format)

EventCountTimelineBucket

JSON representation 
{
  "baselineEventCount": integer,
  "eventCount": integer,
  "baselineAlertCount": integer,
  "alertCount": integer,
  "baselineTimedEntityCount": integer,
  "filteredTimedEntityCount": integer,
  "entityChangedCount": {
    object (EntityChangedCountTimelineBucket)
  },
  "joinsResultCount": [
    {
      object (JoinsResultCountTimelineBucket)
    }
  ]
}
Fields
baselineEventCount

integer
eventCount

integer
baselineAlertCount

integer
alertCount

integer
baselineTimedEntityCount

integer
filteredTimedEntityCount

integer
entityChangedCount

object (EntityChangedCountTimelineBucket)
joinsResultCount[]

object (JoinsResultCountTimelineBucket)

EntityChangedCountTimelineBucket

JSON representation 
{
  "totalChangedEntitiesCount": integer,
  "entityChangedInfo": [
    {
      object (EntityChangedInfo)
    }
  ]
}
Fields
totalChangedEntitiesCount

integer
entityChangedInfo[]

object (EntityChangedInfo)

EntityChangedInfo

JSON representation 
{
  "artifacts": {
    object (FieldAndValue)
  },
  "entityCount": integer
}
Fields
artifacts

object (FieldAndValue)
entityCount

integer

FieldAndValue

JSON representation 
{
  "value": string,
  "entityNamespace": string,

  // Union field type can be only one of the following:
  "fieldPath": string,
  "kvalueType": enum (KValueType)
  // End of list of possible types for union field type.
}
Fields
value

string
entityNamespace

string

Union field type.

type can be only one of the following:
fieldPath

string
kvalueType

enum (KValueType)

KValueType

Enums
UNKNOWN
COLLECTOR_ID
EVENT_SHARD
ASSET_IP_ADDRESS
MAC
HOSTNAME
PRODUCT_SPECIFIC_ID
NAMESPACE
DOMAIN_NAME
RESOLVED_IP_ADDRESS
STEMMED_DOMAIN_NAME
PROCESS_ID
FULL_COMMAND_LINE
FILE_NAME
FILE_PATH
HASH_MD5
HASH_SHA256
HASH_SHA1
RAW_PID
PARENT_PROCESS_ID
EMAIL
USERNAME
WINDOWS_SID
EMPLOYEE_ID
PRODUCT_OBJECT_ID
USER_DISPLAY_NAME
CLOUD_RESOURCE_NAME
REGISTRY_KEY
REGISTRY_VALUE_DATA
REGISTRY_VALUE_NAME
CIDR_BLOCK

JoinsResultCountTimelineBucket

JSON representation 
{
  "tableType": enum (TableType),
  "table": string,
  "baselineCount": integer,
  "filteredCount": integer
}
Fields
tableType

enum (TableType)
table

string
baselineCount

integer
filteredCount

integer

TableType

Enums
TABLE_TYPE_UNSPECIFIED
TABLE_TYPE_EVENT
TABLE_TYPE_ENTITY

UdmFieldAggregations

JSON representation 
{
  "fields": [
    {
      object (UdmFieldAggregation)
    }
  ],
  "groupByFields": [
    {
      object (GroupAggregationByField)
    }
  ],
  "complete": boolean
}
Fields
fields[]

object (UdmFieldAggregation)
groupByFields[]

object (GroupAggregationByField)
complete

boolean

UdmFieldAggregation

JSON representation 
{
  "fieldName": string,
  "baselineEventCount": integer,
  "eventCount": integer,
  "tooManyValues": boolean,
  "valueCount": integer,
  "allValues": [
    {
      object (UdmValueCount)
    }
  ],
  "topValues": [
    {
      object (UdmValueCount)
    }
  ],
  "bottomValues": [
    {
      object (UdmValueCount)
    }
  ],
  "aggregationType": enum (UdmFieldAggregationType)
}
Fields
fieldName

string
baselineEventCount

integer
eventCount

integer
tooManyValues

boolean
valueCount

integer
allValues[]

object (UdmValueCount)
topValues[]

object (UdmValueCount)
bottomValues[]

object (UdmValueCount)
aggregationType

enum (UdmFieldAggregationType)

UdmValueCount

JSON representation 
{
  "value": {
    object (UdmFieldValue)
  },
  "baselineEventCount": integer,
  "eventCount": integer
}
Fields
value

object (UdmFieldValue)
baselineEventCount

integer
eventCount

integer

UdmFieldValue

JSON representation 
{

  // Union field value can be only one of the following:
  "stringValue": string,
  "int32Value": integer,
  "uint32Value": integer,
  "int64Value": string,
  "uint64Value": string,
  "floatValue": number,
  "doubleValue": number,
  "enumValue": string,
  "boolValue": boolean,
  "bytesValue": string,
  "isNull": boolean,
  "timestampValue": string
  // End of list of possible types for union field value.
}
Fields

Union field value.

value can be only one of the following:
stringValue

string
int32Value

integer
uint32Value

integer (uint32 format)
int64Value

string (int64 format)
uint64Value

string
floatValue

number
doubleValue

number
enumValue

string
boolValue

boolean
bytesValue

string (bytes format)

A base64-encoded string.
isNull

boolean
timestampValue

string (Timestamp format)

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

UdmFieldAggregationType

Enums
UNSPECIFIED_FIELD_AGGREGATION_TYPE
UDM_FIELD_AGGREGATION_TYPE
ENTITY_FIELD_AGGREGATION_TYPE
DATA_TABLE_FIELD_AGGREGATION_TYPE

GroupAggregationByField

JSON representation 
{
  "fieldName": string,
  "fieldValue": {
    object (UdmFieldValue)
  },
  "fields": [
    {
      object (UdmFieldAggregation)
    }
  ],
  "baselineEventCount": integer,
  "eventCount": integer,
  "valueCount": integer
}
Fields
fieldName

string
fieldValue

object (UdmFieldValue)
fields[]

object (UdmFieldAggregation)
baselineEventCount

integer
eventCount

integer
valueCount

integer

Detections

JSON representation 
{
  "detections": [
    {
      object (Collection)
    }
  ],
  "complete": boolean,
  "tooManyDetections": boolean,
  "validSnapshotQuery": boolean,
  "baselineAlertsCount": integer,
  "filteredAlertsCount": integer,
  "detectionFieldAggregations": {
    object (AlertFieldAggregations)
  }
}
Fields
detections[]

object (Collection)
complete

boolean
tooManyDetections

boolean
validSnapshotQuery

boolean
baselineAlertsCount

integer
filteredAlertsCount

integer
detectionFieldAggregations

object (AlertFieldAggregations)

FunctionResponse

JSON representation 
{
  "rows": [
    {
      object (FunctionResponseRow)
    }
  ],
  "tooManyRows": boolean
}
Fields
rows[]

object (FunctionResponseRow)
tooManyRows

boolean

FunctionResponseRow

JSON representation 
{
  "values": [
    {
      object (UdmFieldValue)
    }
  ]
}
Fields
values[]

object (UdmFieldValue)

UdmPrevalenceResponse

JSON representation 
{
  "buckets": [
    {
      object (UdmPrevalenceBucket)
    }
  ],
  "partialPrevalence": boolean
}
Fields
buckets[]

object (UdmPrevalenceBucket)
partialPrevalence

boolean

UdmPrevalenceBucket

JSON representation 
{
  "prevalence": [
    {
      object (UdmPrevalence)
    }
  ]
}
Fields
prevalence[]

object (UdmPrevalence)

UdmPrevalence

JSON representation 
{
  "artifacts": [
    {
      object (FieldAndValue)
    }
  ],
  "prevalence": integer
}
Fields
artifacts[]

object (FieldAndValue)
prevalence

integer

Stats

Stats results when the query is for statistics

JSON representation 
{
  "results": [
    {
      object (ColumnData)
    }
  ],
  "dataQueryExpression": string,
  "tooManyResults": boolean,
  "totalResults": integer,
  "sortOrder": [
    {
      object (ColumnSort)
    }
  ],
  "hasJoin": boolean
}
Fields
results[]

object (ColumnData)

Result rows that are queried.
dataQueryExpression

string

Expression that represent the subset of the requested query used to filter data. The expression will be used to enable features such as drill-down from stats results to UDM events. In that case, the new query will be composed by this expression and the expression related to a stats result.
tooManyResults

boolean

If true, there are too many results to return and some have been omitted.
totalResults

integer

The total number of results returned.
sortOrder[]

object (ColumnSort)

Indicates the columns used for sorting and the order in which they are sorted. If no ORDER section is specified in the query, this will be empty.
hasJoin

boolean

Indicates to the frontend that the result is a join-stats result.

ColumnData

Represents a single column in the set of columns returned as the stats query result.

JSON representation 
{
  "column": string,
  "values": [
    {
      object (ColumnType)
    }
  ],
  "filterable": boolean,
  "filterExpression": string,
  "columnMetadata": {
    object (ColumnMetadata)
  }
}
Fields
column

string

Used to store column names.
values[]

object (ColumnType)

To store store column data.
filterable

boolean

To identify if the column can be used for filtering/drill-downs.
filterExpression

string

Expression used to compose a query for filtering/drill-downs related to the data in this column.
columnMetadata

object (ColumnMetadata)

Metadata for the column.

ColumnType

Singular vs list of values in a column.

JSON representation 
{

  // Union field type can be only one of the following:
  "value": {
    object (ColumnValue)
  },
  "list": {
    object (List)
  }
  // End of list of possible types for union field type.
}
Fields

Union field type.

type can be only one of the following:
value

object (ColumnValue)

Single value in a column.
list

object (List)

List of values in a column e.g. IPs

ColumnValue

Value of the column based on data type

JSON representation 
{

  // Union field value can be only one of the following:
  "nullVal": boolean,
  "boolVal": boolean,
  "bytesVal": string,
  "doubleVal": number,
  "int64Val": string,
  "uint64Val": string,
  "stringVal": string,
  "timestampVal": string,
  "dateVal": {
    object (Date)
  },
  "protoVal": {
    "@type": string,
    field1: ...,
    ...
  }
  // End of list of possible types for union field value.
}
Fields

Union field value.

value can be only one of the following:
nullVal

boolean

True if the value is NULL.
boolVal

boolean

Boolean value.
bytesVal

string (bytes format)

Bytes value.

A base64-encoded string.
doubleVal

number

Double value.
int64Val

string (int64 format)

Integer value (signed).
uint64Val

string

Un-signed integer value.
stringVal

string

String value. Enum values are returned as strings.
timestampVal

string (Timestamp format)

Timestamp values.

Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
dateVal

object (Date)

Date values.
protoVal

object

For any proto values that are not any of the above.

An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" }.

List

Store list of values in a column.

JSON representation 
{
  "values": [
    {
      object (ColumnValue)
    }
  ]
}
Fields
values[]

object (ColumnValue)

List of values in one cell of the column.

ColumnMetadata

Metadata for a column.

JSON representation 
{
  "column": string,
  "fieldPath": string,
  "functionNameUsed": string,
  "functionModule": string,
  "longitude": boolean,
  "latitude": boolean
}
Fields
column

string

Name of the column.
fieldPath

string

Field path of the column. eg: "udm.principal.hostname"
functionNameUsed

string

Function name of the column. eg: "ARRAY_IGNORE_NULLS_LIMIT", this corresponds to array function.
functionModule

string

Module name of the column.
longitude

boolean

Whether the column is a longitude field.
latitude

boolean

Whether the column is a latitude field.

ColumnSort

Contains the column name and which direction the column is sorted (ascending or descenging).

JSON representation 
{
  "name": string,
  "descending": boolean
}
Fields
name

string

Name of the column.
descending

boolean

Whether the column is sorted in descending order (ascending by default);

SearchDataSource

Data source for stats results in LegacyFetchUdmSearchViewResponse Equivalent to dashboard API

Enums
SEARCH_DATA_SOURCE_UNSPECIFIED Unspecified data source.
SEARCH_UDM Events
SEARCH_ENTITY Entities
SEARCH_RULE_DETECTIONS To be used for detections data source.
SEARCH_RULESETS To be used for ruleset with detections datasource.

AIOverview

AI generated overview for the search results.

JSON representation 
{
  "aiSummary": string,
  "suggestions": [
    {
      object (Action)
    }
  ],
  "complete": boolean
}
Fields
aiSummary

string

AI summary for the search results. Markdown formatted.
suggestions[]

object (Action)

Suggested actions to continue the investigation in chat.
complete

boolean

Whether AI overview generation is complete.