Console
    Start free

    Method: instances.udmSearch

    Full name: projects.locations.instances.udmSearch

    Performs a UDM search that returns matching events for the query.

    HTTP request


    GET https://chronicle.africa-south1.rep.googleapis.com/v1beta/{instance}:udmSearch

    Path parameters

    Parameters
    instance

    string

    Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

    Query parameters

    Parameters
    query

    string

    Required. The boolean query to search for. Example: 'ip=/172.*/ AND metadata.event_type!="NETWORK_CONNECTION" AND ( target.ip = "3.225.179.73" OR target.ip = "23.47.48.70")'
    timeRange

    object ( Interval )

    Required. Time range to search for [Inclusive start time, exclusive end time).
    limit

    integer

    Maximum number of results to be returned for the query. Anything over 10000 will be coerced to 10000.
    queryDialect

    enum ( QueryDialect )

    Optional. Specifieshe language that the query string is written in.

    Request body

    The request body must be empty.

    Response body

    Returns results matching the query and time range in UdmSearchRequest.

    If successful, the response body contains data with the following structure:

    JSON representation 
     { 
 "events" 
 : 
 [ 
 { 
 object (  Event 
 
) 
 } 
 ] 
 , 
 "moreDataAvailable" 
 : 
 boolean 
 , 
 "stats" 
 : 
 { 
 object (  StatsData 
 
) 
 } 
 }
    Fields
    events[]

    object ( Event )

    List of matched events.
    moreDataAvailable

    boolean

    Too many events matched the search criterion, some results have been omitted.
    stats

    object ( StatsData )

    LINT.ThenChange( //depot/google3/googlex/security/malachite/proto/udmSearch.proto:stats_data ) Stats response for the query.

    Authorization scopes

    Requires one of the following OAuth scopes:

    • https://www.googleapis.com/auth/cloud-platform
    • https://www.googleapis.com/auth/chronicle
    • https://www.googleapis.com/auth/chronicle.readonly

    For more information, see the Authentication Overview .

    IAM Permissions

    Requires the following IAM permission on the instance resource:

    • chronicle.events.udmSearch

    For more information, see the IAM documentation .

    QueryDialect

    Specifies the dialect a UDM Search Query is written in.

    Enums
    QUERY_DIALECT_UNSPECIFIED Defaults to YL2.
    YL2 YL2 query dialect.
    SQL SQL query dialect.

    StatsData

    LINT.IfChange(stats_data) Stats results when the query is for statistics

    JSON representation 
     { 
 "results" 
 : 
 [ 
 { 
 object (  StatsColumnData 
 
) 
 } 
 ] 
 , 
 "tooManyResults" 
 : 
 boolean 
 , 
 "hasJoin" 
 : 
 boolean 
 , 
 "hasDataTable" 
 : 
 boolean 
 }
    Fields
    results[]

    object ( StatsColumnData )

    Result rows that are queried.
    tooManyResults

    boolean

    If true, there are too many results to return and some have been omitted.
    hasJoin

    boolean

    Indicates to the frontend that the result is a join-stats result.
    hasDataTable

    boolean

    Indicates to the frontend that the result contains a data-table.

    StatsColumnData

    Represents a single column in the set of columns returned as the stats query result.

    JSON representation 
     { 
 "column" 
 : 
 string 
 , 
 "values" 
 : 
 [ 
 { 
 object (  StatsColumnType 
 
) 
 } 
 ] 
 }
    Fields
    column

    string

    Used to store column names.
    values[]

    object ( StatsColumnType )

    Store list of values in a column.

    StatsColumnType

    Singular vs list of values in a column.

    JSON representation 
     { 
 // Union field type 
can be only one of the following: 
 "value" 
 : 
 { 
 object (  StatsColumnValue 
 
) 
 } 
 , 
 "list" 
 : 
 { 
 object (  StatsList 
 
) 
 } 
 // End of list of possible types for union field type 
. 
 }
    Fields
    Union field type . Store single value or list of values in a column. type can be only one of the following:
    value

    object ( StatsColumnValue )

    Single value in a column.

    list

    object ( StatsList )

    List of values in a column e.g. IPs

    StatsColumnValue

    Represents a single value in the set of values returned as the stats query result.

    JSON representation 
     { 
 // Union field value 
can be only one of the following: 
 "nullVal" 
 : 
 boolean 
 , 
 "boolVal" 
 : 
 boolean 
 , 
 "bytesVal" 
 : 
 string 
 , 
 "doubleVal" 
 : 
 number 
 , 
 "int64Val" 
 : 
 string 
 , 
 "uint64Val" 
 : 
 string 
 , 
 "stringVal" 
 : 
 string 
 , 
 "timestampVal" 
 : 
 string 
 , 
 "dateVal" 
 : 
 { 
 object (  Date 
 
) 
 } 
 , 
 "protoVal" 
 : 
 { 
 "@type" 
 : 
 string 
 , 
 field1 
 : 
 ... 
 , 
 ... 
 } 
 // End of list of possible types for union field value 
. 
 }
    Fields
    Union field value . Value of the column based on data type value can be only one of the following:
    nullVal

    boolean

    True if the value is NULL.

    boolVal

    boolean

    Boolean value.

    bytesVal

    string ( bytes format)

    Bytes value.

    A base64-encoded string.

    doubleVal

    number

    Double value.

    int64Val

    string ( int64 format)

    Integer value (signed).

    uint64Val

    string

    Un-signed integer value.

    stringVal

    string

    String value. Enum values are returned as strings.

    timestampVal

    string ( Timestamp format)

    Timestamp values.

    Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z" , "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30" .

    dateVal

    object ( Date )

    Date values.

    protoVal

    object

    For any proto values that are not any of the above.

    An object containing fields of an arbitrary type. An additional field "@type" contains a URI identifying the type. Example: { "id": 1234, "@type": "types.example.com/standard/id" } .

    StatsList

    Store list of values in a column.

    JSON representation 
     { 
 "values" 
 : 
 [ 
 { 
 object (  StatsColumnValue 
 
) 
 } 
 ] 
 }
    Fields
    values[]

    object ( StatsColumnValue )

    List of values in one cell of the column.
    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: