Tool: activate_parser
Activate a parser for a specific log type in Chronicle.
Activates a parser, making it the active parser for the specified log type. Once activated, the parser will be used to process all incoming logs of that type. Only one parser can be active for each log type at a time.
Workflow Integration: - Use after creating and testing a parser to make it operational. - Essential step for putting new or updated parsers into production. - Enables the parser to process incoming logs and generate searchable UDM events. - Required before logs of the specified type can be properly parsed and analyzed.
Use Cases: - Activate a newly created parser after successful testing. - Switch to an updated parser version with improved parsing logic. - Restore a previously working parser after troubleshooting parsing issues. - Deploy parser changes as part of log ingestion pipeline updates.
Args: log_type (str): Chronicle log type identifier for the parser. parser_id (str): Unique identifier of the parser to activate (without revision ID). project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required).
Returns: str: Success message confirming parser activation. Returns error message if activation fails.
Example Usage: activate_parser( log_type="CUSTOM_APP", parser_id="pa_12345678-1234-1234-1234-123456789012", project_id="my-project", customer_id="my-customer", region="us" )
Next Steps (using MCP-enabled tools): - Verify the parser is active using get_parser. - Ingest test logs using import_logs to verify the parser is working correctly. - Monitor parsing success rates and troubleshoot any issues. - Search for parsed events using udm_search to confirm proper UDM conversion. - Create detection rules that leverage the newly parsed UDM fields. - Set up monitoring for the log type to ensure continued parsing success.
The following sample demonstrate how to use curl to invoke the activate_parser MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "activate_parser", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }' |
Input Schema
Request message for ActivateParser.
ActivateParserRequest
| JSON representation |
|---|
{ "projectId": string, "customerId": string, "region": string, "logType": string, "parserId": string } |
| Fields | |
|---|---|
projectId |
Project ID of the customer. |
customerId |
Customer ID of the customer. |
region |
Region of the customer. |
logType |
Log type of the parser to activate. |
parserId |
ID of the parser to activate. |
Output Schema
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:
service Foo {
rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌