startTime
Optional. The start time of the time range of events to test the rule text over. If unspecified, will default to 12 hours before endTime.
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
endTime
Optional. The end time of the time range of events to test the rule text over. If unspecified, will either default to 12 hours after startTime, or the current day bucket if startTime is also unspecified.
Uses RFC 3339, where generated output will always be Z-normalized and uses 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
maxDetections
integer
Optional. The maximum number of detections to return. The service may return fewer than this value. If unspecified, at most 1,000 detections will be returned. The maximum value is 10,000; values above 10,000 will be coerced to 10,000.
scope
string
Optional. The data access scope to use to run the rule. This field is only required if data access control is enabled. If reference lists are used in the rule, validations will be performed against this scope to ensure that the reference lists are compatible with both the user's and the rule's scopes. The scope should be in the format: "projects/{project}/locations/{location}/instances/{instance}/dataAccessScopes/{scope}".
Response body
legacy.legacyTestRuleStreaming response message.
If successful, the response body contains data with the following structure:
JSON representation
{
  "ruleCompilationError": {
    object (RuleCompilationError)
  },
  "tooManyDetections": boolean,
  "progressPercent": number,

  // Union field result can be only one of the following:
  "detection": {
    object (Collection)
  },
  "executionError": {
    object (ExecutionError)
  }
  // End of list of possible types for union field result.
}
A detection generated from the test. The following fields will not be set because the detection is not persisted:
- createdTime
- detection[].rule_id
- detection[].rule_version
id will be set, but cannot be passed to other methods to retrieve the detection since it is not persisted.
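A rule test is only meaningful if the stream is read to the end and checked for truncation and errors. The following is an added example, not part of the original reference or of any Google client library, that folds already-decoded response messages into a single verdict. The field names come from the JSON representation above; the sample messages, the detection ids, the error payloads and the reading of progressPercent as a 0 to 100 value are assumptions.

```python
# Added example. Keys match the documented JSON representation; every
# sample value below is constructed for illustration.

def summarize_test_stream(messages):
    """Fold decoded legacyTestRuleStreaming messages into one verdict."""
    summary = {
        "detection_ids": [],        # ids are set but not retrievable later
        "execution_errors": [],
        "compilation_error": None,
        "truncated": False,         # tooManyDetections seen: results partial
        "progress_percent": 0.0,
        "malformed": 0,             # messages setting both union members
    }
    for msg in messages:
        # "result" is a union: detection and executionError are exclusive.
        if "detection" in msg and "executionError" in msg:
            summary["malformed"] += 1
            continue
        if msg.get("ruleCompilationError"):
            summary["compilation_error"] = msg["ruleCompilationError"]
        if msg.get("tooManyDetections"):
            summary["truncated"] = True
        if "progressPercent" in msg:
            summary["progress_percent"] = max(
                summary["progress_percent"], float(msg["progressPercent"]))
        if "detection" in msg:
            summary["detection_ids"].append(msg["detection"].get("id"))
        elif "executionError" in msg:
            summary["execution_errors"].append(msg["executionError"])
    # Assumption: progressPercent reaches 100 when the test has finished.
    summary["conclusive"] = (
        summary["compilation_error"] is None
        and not summary["execution_errors"]
        and not summary["truncated"]
        and summary["malformed"] == 0
        and summary["progress_percent"] >= 100
    )
    return summary

# Constructed stream: two detections, then the detection limit is reported.
SAMPLE_STREAM = [
    {"progressPercent": 25},
    {"detection": {"id": "de_constructed_1"}, "progressPercent": 50},
    {"detection": {"id": "de_constructed_2"}},
    {"tooManyDetections": True, "progressPercent": 100},
]

if __name__ == "__main__":
    print(summarize_test_stream(SAMPLE_STREAM))
```

A run with "truncated" set should be repeated over a narrower time range or with a tighter rule before its detection count is used to judge the rule.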
- This API endpoint legacyTestRuleStreaming tests a given rule text over a specified time range, streaming back detections and errors without persisting them.
- The HTTP request is a POST to https://chronicle.googleapis.com/v1alpha/{instance}/legacy:legacyTestRuleStreaming, with the required path parameter instance specifying the Chronicle instance.
- The request body requires a rule_text field, and accepts optional start_time, end_time, max_detections, and scope parameters to define the test's parameters.
- The response body may contain a rule_compilation_error, a boolean too_many_detections if it exceeds the limits, a progress_percent, or a union result which can be either a detection or an execution_error.
- This API requires the https://www.googleapis.com/auth/cloud-platform OAuth scope and the chronicle.legacies.legacyTestRuleStreaming IAM permission on the instance resource.
ExecutionError
An execution error generated from the test.
Last updated 2025-08-25 UTC.