Tool: deactivate_parser
Deactivate a parser for a specific log type in Chronicle.
Deactivates a parser, stopping it from processing incoming logs of the specified type. After deactivation, logs of this type will not be parsed until another parser is activated or the same parser is reactivated.
Workflow Integration: - Use when you need to temporarily stop parsing for a specific log type. - Essential for troubleshooting parsing issues by stopping problematic parsers. - Useful before deploying updated parser versions to prevent conflicts. - Helps manage parser lifecycle during development and testing phases.
Use Cases: - Temporarily stop parsing while troubleshooting issues with the current parser. - Deactivate a parser before activating an updated version. - Stop parsing for log types that are no longer needed or relevant. - Prevent parsing during maintenance windows or system changes. - Disable problematic parsers that are causing ingestion errors.
Warning: After deactivation, incoming logs of this type will not be parsed into UDM format and may not be searchable or usable for detection until a parser is reactivated.
Args: log_type (str): Chronicle log type identifier for the parser. parser_id (str): Unique identifier of the parser to deactivate (without revision ID). project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required).
Returns: str: Success message confirming parser deactivation. Returns error message if deactivation fails.
Example Usage: deactivate_parser( log_type="CUSTOM_APP", parser_id="pa_12345678-1234-1234-1234-123456789012", project_id="my-project", customer_id="my-customer", region="us" )
Next Steps (using MCP-enabled tools): - Verify the parser's status using get_parser. - Activate an updated parser version if this was part of a parser update process. - Monitor log ingestion to ensure no critical parsing is stopped unintentionally. - Test and validate any replacement parser before activating it. - Document the reason for deactivation for operational tracking.
The following sample demonstrate how to use curl to invoke the deactivate_parser MCP tool.
| Curl Request |
|---|
curl --location 'https://chronicle.googleapis.com/mcp' \ --header 'content-type: application/json' \ --header 'accept: application/json, text/event-stream' \ --data '{ "method": "tools/call", "params": { "name": "deactivate_parser", "arguments": { // provide these details according to the tool's MCP specification } }, "jsonrpc": "2.0", "id": 1 }' |
Input Schema
Request message for DeactivateParser.
DeactivateParserRequest
| JSON representation |
|---|
{ "projectId": string, "customerId": string, "region": string, "logType": string, "parserId": string } |
| Fields | |
|---|---|
projectId |
Project ID of the customer. |
customerId |
Customer ID of the customer. |
region |
Region of the customer. |
logType |
Log type of the parser to deactivate. |
parserId |
ID of the parser to deactivate. |
Output Schema
A generic empty message that you can re-use to avoid defining duplicated empty messages in your APIs. A typical example is to use it as the request or the response type of an API method. For instance:
service Foo {
rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
}
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ❌ | Open World Hint: ❌