Tool: get_parser
Get details of a specific parser in Chronicle.
Retrieves the configuration and metadata for a specific parser, including its current state, parser code, and other properties. Useful for reviewing existing parsers or copying configurations for new parsers.
Agent Responsibilities:
- Provide the necessary IDs to construct the parser resource name.
- Parse the raw JSON response to extract parser details.
- The agent should not present the raw JSON. Instead, it should format the output as a human-readable summary of the parser's metadata (e.g., state, log type, creation time).
- The parser script (in the `code` field) can be very long and is not useful in most cases. The agent should only display the script if the user specifically asks for it.

Workflow Integration:
- Use to review existing parser configurations before modifications.
- Essential for troubleshooting parsing issues by examining the current parser logic.
- Helps understand how specific log types are being processed in Chronicle.
- Useful for copying parser configurations as templates for new parsers.

Use Cases:
- Review parser code to understand how logs are being transformed.
- Troubleshoot parsing issues by examining the current configuration.
- Copy existing parser configurations as starting points for new parsers.
- Audit parser configurations for compliance or security reviews.
- Understand the parsing logic for specific log types during investigations.

Args:
- log_type (str): Chronicle log type identifier for the parser.
- parser_id (str): Unique identifier of the parser to retrieve. Can include a revision ID, e.g., "pa_123@v_456".
- project_id (str): Google Cloud project ID (required).
- customer_id (str): Chronicle customer ID (required).
- region (str): Chronicle region (e.g., "us", "europe") (required).
Returns: str: Raw JSON response from the API, representing the Parser object. The agent should parse this and present a formatted summary to the user. Returns an error message if parser retrieval fails.
Example Usage:

```python
get_parser(
    log_type="OKTA",
    parser_id="pa_12345678-1234-1234-1234-123456789012",
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)

# Get a specific revision
get_parser(
    log_type="OKTA",
    parser_id="pa_12345678-1234-1234-1234-123456789012@a1b2c3d4",
    project_id="my-project",
    customer_id="my-customer",
    region="us"
)
```
Next Steps (using MCP-enabled tools):
- Modify the parser configuration if needed and create an updated version using create_parser.
- Test the parser code from the response using run_parser.
- Use the configuration as a template for creating parsers for similar log types.
- Activate or deactivate the parser based on your requirements.
The following sample demonstrates how to use curl to invoke the get_parser MCP tool.
Curl Request

```bash
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "get_parser",
    "arguments": {
      // provide these details according to the MCP specification of the tool
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'
```
Input Schema
Request message for GetParser.
GetParserRequest
JSON representation

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "parserId": string
}
```
| Fields | |
|---|---|
| `projectId` | Project ID of the customer. |
| `customerId` | Customer ID of the customer. |
| `region` | Region of the customer. |
| `logType` | Log type of the parser to get. |
| `parserId` | ID of the parser to get. |
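The curl sample leaves `arguments` as a placeholder. The block below is an added example, not code from the original page or from Chronicle, that builds the full `tools/call` body and rejects missing or malformed IDs before they are used to construct the parser resource name. It assumes the argument keys follow the GetParserRequest JSON representation above; the function name and the allowed character set are hypothetical.

```python
import json
import re

# Assumption: "arguments" uses the camelCase names from GetParserRequest.
REQUIRED = ("projectId", "customerId", "region", "logType", "parserId")
# Assumption: a conservative character set for IDs; adjust to your environment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]+")


def build_get_parser_call(request_id, **arguments):
    """Return the JSON-RPC body for a get_parser tools/call request."""
    missing = [name for name in REQUIRED if not arguments.get(name)]
    unknown = sorted(set(arguments) - set(REQUIRED))
    if missing or unknown:
        raise ValueError(f"missing={missing} unknown={unknown}")
    for name, value in arguments.items():
        if not isinstance(value, str):
            raise ValueError(f"{name}: expected a string")
        # Only parserId may carry one "@<revision>" suffix, e.g. "pa_123@v_456".
        parts = value.split("@") if name == "parserId" else [value]
        if len(parts) > 2 or not all(SAFE_VALUE.fullmatch(p) for p in parts):
            raise ValueError(f"{name}: unexpected value {value!r}")
    return {
        "jsonrpc": "2.0",
        "id": request_id,
        "method": "tools/call",
        "params": {"name": "get_parser", "arguments": dict(arguments)},
    }


if __name__ == "__main__":
    # Values taken from the Example Usage section of this page.
    body = build_get_parser_call(
        1,
        projectId="my-project",
        customerId="my-customer",
        region="us",
        logType="OKTA",
        parserId="pa_12345678-1234-1234-1234-123456789012@a1b2c3d4",
    )
    print(json.dumps(body, indent=2))  # pass this string to curl --data
```
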
Output Schema
Parser is a representation of a parser.
Parser
JSON representation

```
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "parserId": string,
  "state": enum (
```
| Fields | |
|---|---|
| `projectId` | Project ID of the customer. |
| `customerId` | Customer ID of the customer. |
| `region` | Region of the customer. |
| `logType` | Log type of the parser to activate. |
| `parserId` | ID of the parser to activate. |
| `state` | State of the parser. |
| `createTime` | Time at which the parser was created. Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: |
| `code` | Code of the parser. |
Timestamp
JSON representation

```
{
  "seconds": string,
  "nanos": integer
}
```
| Fields | |
|---|---|
| `seconds` | Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). |
| `nanos` | Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive. |
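The summary step described under Agent Responsibilities, as an added example that is not part of the original page or of Chronicle's own code: it turns the raw response into a short summary, withholds `code` unless asked, accepts `createTime` as either an RFC 3339 string or a Timestamp object, and passes a non-JSON error string through. The function names, the sample response and its `ACTIVE` state value are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def format_create_time(value):
    """Accept createTime as an RFC 3339 string or a {seconds, nanos} Timestamp."""
    if isinstance(value, dict):
        seconds = int(value.get("seconds", 0))  # "seconds" arrives as a string
        nanos = int(value.get("nanos", 0))
        if not 0 <= nanos <= 999_999_999:
            raise ValueError("nanos must be between 0 and 999,999,999")
        moment = EPOCH + timedelta(seconds=seconds)
        return moment.strftime("%Y-%m-%dT%H:%M:%S") + f".{nanos:09d}Z"
    return str(value) if value else "unknown"


def summarize_parser(raw, show_code=False):
    """Summarize a get_parser result; the script is included only on request."""
    try:
        parser = json.loads(raw)
    except json.JSONDecodeError:
        # The tool returns a plain error message when retrieval fails.
        return f"Parser retrieval failed: {raw.strip()}"
    if not isinstance(parser, dict):
        return f"Unexpected response: {raw.strip()}"
    base_id, _, revision = str(parser.get("parserId", "")).partition("@")
    code = parser.get("code") or ""
    lines = [
        f"Parser:   {base_id or 'unknown'}",
        f"Revision: {revision or 'not specified'}",
        f"Log type: {parser.get('logType', 'unknown')}",
        f"State:    {parser.get('state', 'unknown')}",
        f"Created:  {format_create_time(parser.get('createTime'))}",
        f"Code:     {len(code)} characters (shown only on request)",
    ]
    if show_code:
        lines += ["", code]
    return "\n".join(lines)


# Constructed sample response; every value is a placeholder.
SAMPLE = json.dumps({
    "projectId": "my-project", "customerId": "my-customer", "region": "us",
    "logType": "OKTA", "state": "ACTIVE", "createTime": "2024-01-15T10:30:00Z",
    "parserId": "pa_12345678-1234-1234-1234-123456789012@a1b2c3d4",
    "code": "filter {\n  # constructed placeholder, not a real parser\n}",
})

if __name__ == "__main__":
    print(summarize_parser(SAMPLE))
```
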
Tool Annotations
Destructive Hint: ❌ | Idempotent Hint: ✅ | Read Only Hint: ✅ | Open World Hint: ❌