This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
The Google Cloud Security Community will be in read-only mode July 16 - July 22 as we migrate platforms. 

Read more and check out our FAQ
Log in to ask a question

Getting Error - UDM Search

Posted on 02-18-2025 07:11 AM
abhishekag
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I am running the following UDM search:

$e.metadata.vendor_name != ""
$log_type = $e.metadata.vendor_name
match:
$log_type
outcome:
$count = count($e.metadata.id)
 
Getting following error: ERROR: Search has encountered an error and could not load data. Please try again, and contact support if this error continues.
 
Please help
0 7 402
Topic Labels
0 Likes
Reply
7 REPLIES 7

Posted on --/--/---- --:-- AM
mikewilusz
Staff
Reply posted on --/--/---- --:-- AM

There's no need to use variables, like $e, in UDM stats searches. Those are only used in YARA-L rules today. Removing that will make it a valid query.

metadata.vendor_name != ""
$log_type = metadata.vendor_name
match:
    $log_type
outcome:
    $count = count(metadata.id)

-mike

Reply

Posted on --/--/---- --:-- AM
abhishekag
Bronze 1
Bronze 1
In response to mikewilusz
Reply posted on --/--/---- --:-- AM

Thanks, Mike

But still getting same error:

ERROR: Search has encountered an error and could not load data. Please try again, and contact support if this error continues.

0 Likes
Reply

Posted on --/--/---- --:-- AM
ashnaiku
Staff
In response to abhishekag
Reply posted on --/--/---- --:-- AM

Can you try some other simpler UDM stats search like below to verify that the feature is working : 

  target.ip != ""
  match:
    principal.ip
  outcome:
    $min_seconds = min(metadata.event_timestamp.seconds)

 

0 Likes
Reply

Posted on --/--/---- --:-- AM
abhishekag
Bronze 1
Bronze 1
In response to ashnaiku
Reply posted on --/--/---- --:-- AM

Still getting the same error.

I think, udm state serach is not enabled that's why getting this issue. How can I confirm that this is enable or not.

0 Likes
Reply

Posted on --/--/---- --:-- AM
ashnaiku
Staff
In response to abhishekag
Reply posted on --/--/---- --:-- AM

You can share you Hex ID with support team privately (donot share in public forums) and help them confirm 

0 Likes
Reply

Posted on --/--/---- --:-- AM
ashnaiku
Staff
Reply posted on --/--/---- --:-- AM

UDM stats search is slightly different from UDM search (w/o stats). Here are some examples that might help

https://cloud.google.com/chronicle/docs/investigation/statistics-aggregations-in-udm-search

0 Likes
Reply

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

The search you initially wrote will work even with the event variable $e in it, the key to that is that once you have a UDM field with an event variable, all UDM fields need it, so consistency is key. @mikewilusz search also works but removes the extraneous event variable that can sometimes confuse folks. I agree with your suspicion that the stats search functionality is not enabled in the tenant and request out to the support team should hopefully get that fixed. 

Once you get access, here are a few additional resources to help you get going:

Blogs: 

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Introducing-Statistical-...

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Getting-More-From-Statis...

Videos: 

https://www.youtube.com/watch?v=o50ix8vQVIM

https://www.youtube.com/watch?v=7RofNmlarXA

 

 

Reply
Top Solution Authors
View all