MCP Tools Reference: chronicle.googleapis.com

Tool: list_parsers

List all parsers for a given log type, returning only metadata.

Retrieves a list of parser metadata for a specific log type, or for all log types if "-" is specified. This tool is useful for getting an overview of existing parsers and their states without fetching the full parser code.

Agent Responsibilities: - The response is a JSON object. The agent should access the parsers key to get a list of parser objects. - Each object in the list contains parser metadata such as name, log_type, state, create_time, etc. - The name field contains the full resource name, from which the parser ID can be extracted. - If the response contains a next_page_token, it indicates that more results are available. The agent should use this token in a subsequent call to retrieve the next page. - The agent should not present the raw JSON. Instead, it should format the output as a human-readable list, for example, using a table or a bulleted list.

Workflow Integration: - Use to discover existing parsers for a specific log type. - Helpful for finding a parser ID to use with other tools like get_parser or activate_parser. - Use to audit which parsers exist for a customer and their current states (ACTIVE, INACTIVE, etc.).

Args: project_id (str): Google Cloud project ID (required). customer_id (str): Chronicle customer ID (required). region (str): Chronicle region (e.g., "us", "europe") (required). log_type (str): Chronicle log type identifier for the parser. Use "-" to list parsers for all log types. Defaults to "-". page_size (int): The maximum number of parsers to return. The service may return fewer than this value. page_token (str): A page token, received from a previous list_parsers call. Provide this to retrieve the subsequent page. filter (str): A filter to be applied to the list of parsers.

Returns: str: Raw JSON response from the API, representing a list of Parser metadata objects. The agent should parse this and present a formatted list to the user. Returns an error message if listing fails.

Example Usage: # List all parsers for a specific log type list_parsers( project_id="my-project", customer_id="my-customer", region="us", log_type="OKTA" )

# List all parsers for all log types
        list_parsers(
            project_id="my-project",
            customer_id="my-customer",
            region="us"
        )

The following sample demonstrate how to use curl to invoke the list_parsers MCP tool.

Curl Request 
                  
curl --location 'https://chronicle.googleapis.com/mcp' \
--header 'content-type: application/json' \
--header 'accept: application/json, text/event-stream' \
--data '{
  "method": "tools/call",
  "params": {
    "name": "list_parsers",
    "arguments": {
      // provide these details according to the tool's MCP specification
    }
  },
  "jsonrpc": "2.0",
  "id": 1
}'

Input Schema

Request message for ListParsers.

ListParsersRequest

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "pageSize": integer,
  "pageToken": string,
  "filter": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
logType

string

Log type of the parsers to list. Use '-' to list parsers for all log types.
pageSize

integer

The maximum number of parsers to return.
pageToken

string

A page token, received from a previous ListParsers call.
filter

string

A filter to be applied to the list of parsers.

Output Schema

Response message for listing parsers.

ListParsersResponse

JSON representation 
{
  "parsers": [
    {
      object (Parser)
    }
  ],
  "nextPageToken": string
}
Fields
parsers[]

object (Parser)

The parsers from the specified chronicle instance.
nextPageToken

string

A token, which can be sent as page_token to retrieve the next page. If this field is omitted, there are no subsequent pages.

Parser

JSON representation 
{
  "projectId": string,
  "customerId": string,
  "region": string,
  "logType": string,
  "parserId": string,
  "state": enum (State),
  "createTime": string,
  "code": string
}
Fields
projectId

string

Project ID of the customer.
customerId

string

Customer ID of the customer.
region

string

Region of the customer.
logType

string

Log type of the parser to activate.
parserId

string

ID of the parser to activate.
state

enum (State)

State of the parser.
createTime

string (Timestamp format)

Time at which the parser was created.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".
code

string

Code of the parser.

Timestamp

JSON representation 
{
  "seconds": string,
  "nanos": integer
}
Fields
seconds

string (int64 format)

Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be between -62135596800 and 253402300799 inclusive (which corresponds to 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
nanos

integer

Non-negative fractions of a second at nanosecond resolution. This field is the nanosecond portion of the duration, not an alternative to seconds. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be between 0 and 999,999,999 inclusive.

Tool Annotations

Destructive Hint: ❌ | Idempotent Hint: ❌ | Read Only Hint: ✅ | Open World Hint: ❌