Method: instances.findUdmFieldValues

Full name: projects.locations.instances.findUdmFieldValues

Finds ingested UDM field values that match a query.

HTTP request


GET https://chronicle.africa-south1.rep.googleapis.com/v1alpha/{instance}:findUdmFieldValues

Path parameters

Parameters
instance

string

Required. Chronicle instance this request is sent to. Format: projects/{project}/locations/{location}/instances/{instance}

Query parameters

Parameters
query

string

Required. The partial UDM field value to match.

pageSize (deprecated)

integer

Optional. Deprecated: Pagination is not supported for this API. Use the limit field instead. The maximum number of value matches to return. If unspecified, a default value will be used.

limit

integer

Optional. The maximum number of value matches to return. The service may return fewer matches than this value. If unspecified, defaults to 250. The maximum value is 1000; values above 1000 will be coerced to 1000. This field replaces the deprecated pageSize field.

Request body

The request body must be empty.

Response body

Ingested UDM field values that match a query.

If successful, the response body contains data with the following structure:

JSON representation
{
  "valueMatches": [
    {
      object (ValueMatch)
    }
  ],
  "fieldMatches": [
    {
      object (FieldMatch)
    }
  ],
  "fieldMatchRegex": string,
  "nextPageToken": string,
  "hasMoreMatches": boolean
}
Fields
valueMatches[]

object (ValueMatch)

Values that match the query.

fieldMatches[]

object (FieldMatch)

Fields that might contain a matching value.

fieldMatchRegex

string

A regular expression based on the query that can be used to find matching values within the field-level matches.

nextPageToken (deprecated)

string

Deprecated: Pagination is not supported for this API. Use the hasMoreMatches field instead. Currently, this field is used only to indicate whether more value matches are available. If it is empty, there are no more value matches.

hasMoreMatches

boolean

Indicates whether more value matches are available but were not returned because of the limit. This field replaces the deprecated nextPageToken field.

Authorization scopes

Requires one of the following OAuth scopes:

  • https://www.googleapis.com/auth/cloud-platform
  • https://www.googleapis.com/auth/chronicle
  • https://www.googleapis.com/auth/chronicle.readonly

For more information, see the Authentication Overview.

IAM Permissions

Requires the following IAM permission on the instance resource:

  • chronicle.events.findUdmFieldValues

For more information, see the IAM documentation.

ValueMatch

A UDM field value that matches the query.

JSON representation
{
  "fieldPath": string,
  "value": string,
  "ingestionTime": string,
  "matchStart": integer,
  "matchEnd": integer
}
Fields
fieldPath

string

The UDM field containing the matching value.

value

string

The matching value.

ingestionTime

string (Timestamp format)

The approximate time of the last ingestion of the value.

Uses RFC 3339, where generated output will always be Z-normalized and use 0, 3, 6 or 9 fractional digits. Offsets other than "Z" are also accepted. Examples: "2014-10-02T15:01:23Z", "2014-10-02T15:01:23.045123456Z" or "2014-10-02T15:01:23+05:30".

matchStart

integer

The index within value where the matching text starts.

matchEnd

integer

The index within value where the matching text ends (exclusive).

FieldMatch

A UDM field that might contain a value that matches the query.

JSON representation
{
  "fieldPath": string
}
Fields
fieldPath

string

The UDM field that might contain a matching value.
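
Added example (not part of the original reference or of Google's client code): a Python sketch that builds the request URL with the documented limit ceiling applied client-side, then reads a response, slicing each value with matchStart and the exclusive matchEnd and detecting truncated results. The instance path in the usage lines and the sample response are constructed placeholders, treating the match indices as Python string offsets is an assumption, and sending the request with an OAuth token is left out.

```python
import json
from urllib.parse import quote, urlencode

# Host and path template are copied from the HTTP request section above.
BASE = "https://chronicle.africa-south1.rep.googleapis.com/v1alpha"
MAX_LIMIT = 1000  # documented ceiling; the service coerces larger values

def build_url(instance, query, limit=250):
    """Return the GET URL, clamping limit so client logs show the effective value."""
    if not query:
        raise ValueError("query is required")
    limit = max(1, min(int(limit), MAX_LIMIT))
    params = urlencode({"query": query, "limit": limit})
    return f"{BASE}/{quote(instance, safe='/')}:findUdmFieldValues?{params}"

def summarize(body):
    """Return (hits, truncated); each hit is (fieldPath, value, matched text)."""
    resp = json.loads(body)
    hits = []
    for m in resp.get("valueMatches", []):
        value = m.get("value", "")
        start, end = m.get("matchStart", 0), m.get("matchEnd", 0)
        # matchEnd is exclusive. Treating indices as str offsets is an assumption.
        if not 0 <= start <= end <= len(value):
            raise ValueError(f"match span out of range for {m.get('fieldPath')}")
        hits.append((m.get("fieldPath"), value, value[start:end]))
    # Prefer hasMoreMatches; fall back to the deprecated nextPageToken signal.
    truncated = bool(resp.get("hasMoreMatches")) or bool(resp.get("nextPageToken"))
    return hits, truncated

# Constructed sample response (not real service output).
SAMPLE = json.dumps({
    "valueMatches": [
        {"fieldPath": "principal.hostname", "value": "build-srv-01.example.test",
         "ingestionTime": "2014-10-02T15:01:23Z", "matchStart": 6, "matchEnd": 9},
    ],
    "fieldMatches": [{"fieldPath": "target.hostname"}],
    "hasMoreMatches": True,
})

if __name__ == "__main__":
    # Placeholder instance path (assumption), following the documented format.
    inst = "projects/my-project/locations/africa-south1/instances/my-instance"
    print(build_url(inst, "srv", limit=5000))
    print(summarize(SAMPLE))
```

When truncated is true, the result set is incomplete: narrow the query or raise limit (up to 1000) before treating an absent value as not ingested.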