Getting Error - UDM Search

Forum|Forum|1 year ago
February 18, 2025
7 replies
85 views

abhishekag
New Member

I am running the following UDM search:

$e.metadata.vendor_name != ""

$log_type = $e.metadata.vendor_name

match:

$log_type

outcome:

$count = count($e.metadata.id)

Getting following error: ERROR: Search has encountered an error and could not load data. Please try again, and contact support if this error continues.

Please help

+10

mikewilusz
Staff
Forum|Forum|1 year ago
February 18, 2025

There's no need to use variables, like $e, in UDM stats searches. Those are only used in YARA-L rules today. Removing that will make it a valid query.

metadata.vendor_name != ""
$log_type = metadata.vendor_name
match:
    $log_type
outcome:
    $count = count(metadata.id)

-mike

ashnaiku
Staff
Forum|Forum|1 year ago
February 18, 2025

UDM stats search is slightly different from UDM search (w/o stats). Here are some examples that might help

https://cloud.google.com/chronicle/docs/investigation/statistics-aggregations-in-udm-search

abhishekag
Author
New Member
Forum|Forum|1 year ago
February 19, 2025

There's no need to use variables, like $e, in UDM stats searches. Those are only used in YARA-L rules today. Removing that will make it a valid query.

metadata.vendor_name != ""
$log_type = metadata.vendor_name
match:
    $log_type
outcome:
    $count = count(metadata.id)

-mike

Thanks, Mike

But still getting same error:

ERROR: Search has encountered an error and could not load data. Please try again, and contact support if this error continues.

ashnaiku
Staff
Forum|Forum|1 year ago
February 19, 2025

Thanks, Mike

But still getting same error:

ERROR: Search has encountered an error and could not load data. Please try again, and contact support if this error continues.

Can you try some other simpler UDM stats search like below to verify that the feature is working :

  target.ip != ""
  match:
    principal.ip
  outcome:
    $min_seconds = min(metadata.event_timestamp.seconds)

abhishekag
Author
New Member
Forum|Forum|1 year ago
February 19, 2025

Can you try some other simpler UDM stats search like below to verify that the feature is working :

  target.ip != ""
  match:
    principal.ip
  outcome:
    $min_seconds = min(metadata.event_timestamp.seconds)

Still getting the same error.

I think, udm state serach is not enabled that's why getting this issue. How can I confirm that this is enable or not.

ashnaiku
Staff
Forum|Forum|1 year ago
February 19, 2025

Still getting the same error.

I think, udm state serach is not enabled that's why getting this issue. How can I confirm that this is enable or not.

You can share you Hex ID with support team privately (donot share in public forums) and help them confirm

+23

jstoner
Staff
Forum|Forum|1 year ago
February 19, 2025

The search you initially wrote will work even with the event variable $e in it, the key to that is that once you have a UDM field with an event variable, all UDM fields need it, so consistency is key. @mikewilusz search also works but removes the extraneous event variable that can sometimes confuse folks. I agree with your suspicion that the stats search functionality is not enabled in the tenant and request out to the support team should hopefully get that fixed.

Once you get access, here are a few additional resources to help you get going:

Blogs:

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Introducing-Statistical-Search/ba-p/750365

https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Getting-More-From-Statistical-Searches/ba-p/750385

Videos:

https://www.youtube.com/watch?v=o50ix8vQVIM

https://www.youtube.com/watch?v=7RofNmlarXA