This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 14th: Gemini's generative AI within Google SecOps
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Search query combining UDM and Raw

Posted on 11-20-2023 10:14 PM
srijankafle
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi All,

Is there any way to combine a raw log search with some UDM filter applied. Let's say I want to search a text "service" within logs with UDM query:

namespace="collectorSiteA" and principal.hostname="testMachine" 

The query just a sample and it doesn't represent an actual usecase.

0 6 938
Topic Labels
0 Likes
6 REPLIES 6

Posted on --/--/---- --:-- AM
deeshu
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Assuming that you have an event which is not completely parsed and mapped to UDM. e.g. - A value 'service' is not parsed and mapped to any UDM field.

Well, you can't run a raw search for a field which is not parsed from UDM search page. You can apply a procedural filtering from raw search page but I know that is not what you are looking for.

 

0 Likes

Posted on --/--/---- --:-- AM
srijankafle
Bronze 4
Bronze 4
In response to deeshu
Reply posted on --/--/---- --:-- AM

Since Procedural filter only has limited filtering capability, it does not serve the purpose for me. Hope this gets added sometimes in the future. 

Is there anyplace to do a community based feature request?

0 Likes

Posted on --/--/---- --:-- AM
cmmartin_google
Staff
In response to srijankafle
Reply posted on --/--/---- --:-- AM

Raw Log searching will be included in UDM Search in the near future, i.e, Raw Log Search and UDM Search in the same part of the UI.  As I understand it the intent is that you'll be able to see UDM Metadata for Raw Log searches, e.g, if you start with a Raw Log Search (and the data was normalized) you'll be able to filter or build a UDM Search from the results.

Note, you won't be able to do a combined search though:

metadata.event_type = "NETWORK_DNS" and raw_log = /foo/

This is on the near term roadmap.

For raising a Feature Request, as present the best approach would be via Google Cloud Support or your Chronicle account team.

Posted on --/--/---- --:-- AM
srijankafle
Bronze 4
Bronze 4
In response to cmmartin_google
Reply posted on --/--/---- --:-- AM

Hi @cmmartin_google 

My requirement is to filter in/out some logs while searching the UDM events. Since all the field in logs are not available in UDM fields, I intended on using something similar to what you mentioned

 

metadata.event_type = "NETWORK_DNS" and raw_log = /foo/
metadata.event_type = "NETWORK_DNS" and raw_log != /foo/

 

0 Likes

Posted on --/--/---- --:-- AM
reapzor
Bronze 2
Bronze 2
In response to cmmartin_google
Reply posted on --/--/---- --:-- AM

Hi Chris, is this still on the roadmap?

Posted on --/--/---- --:-- AM
SIM_92
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi everyone, I am also interested about this option. Is still on the roadmap?

Thanks a lot

0 Likes
Top Solution Authors
View all