when using the search chronicle api, is there a wa...

spawar_apex · 09-07-2023 04:21 AM

Hi Team, when using the search chronicle api, is there a way to get more than 10,000 events? or some type of paging functionality?

https://cloud.google.com/chronicle/docs/reference/search-api

As per doc, it says

What is the Page Size Property?

- For each API call, you can specify the page_size property to limit the maximum number of returned results. As there's no next page token, to limit the volume of data returned, specify a narrower time range. Any help would be appreciated? Thanks!

cmmartin_google

At the moment no, it is no possible via a single API call to get more than 10K results. We do have pagination, e.g., you can get 10x 1k page results, but for more than 10k results you would need to build a bookmark yourself for the end of a query, e.g., you ran from X to Y date, and then launch another query starting from Y, and coalesce the results in your client application

cmmartin_google

Raising a Feature Request via Support for more than 10K results would also be a recommendation, as its not a common request, and FRs will help to raise the visibility for such a request

spawar_apex

Thanks Christopher.

spawar_apex

@cmmartin_google - Would you pls share the Request Id?

spawar_apex

@cmmartin_google My follow up question is:

When returning results especially over 10k is there some order that the results get returned?

Will the query that returns over 10k results will it always return the same data?

New SecOps Webinar May 14th! Learn about Gemini's generative AI within Google SecOps

when using the search chronicle api, is there a way to get more than 10,000 events?