
OK, I can’t figure it out and could not find any good examples on the internet: how do I use the searchRawLogs endpoint?

Use case: for research, we want to export a “small” subset of data that matches a raw log. Time is usually paramount, so I cannot use the data-export-api, as that gets queued for DAYS sometimes.

So I’m attempting to see if searchRawLogs will fulfill our needs for targeted export of raw logs via API calls. (I understand that we can use raw log search and export CSV from the UI, but I need to do it via the API for integrations.)

 

I’m trying this:

POST https://us-chronicle.googleapis.com/v1alpha/projects/<project>/locations/us/instances/<uuid>/:searchRawLogs
BODY:
{
  "baseline_query": "/ASA/",
  "baseline_time_range": {
    "start_time": "2025-08-11T01:00:01Z",
    "end_time": "2025-08-12T02:00:01Z"
  }
}

No matter what I try, I just get 400, “Request contains an invalid argument.” I’m doing something stupid, but I can’t figure out what it is.

It’s also unclear from the docs how to limit by log type. Sure, use the LogType object, but which fields in the LogType object are required? It just shows me the LogType from the logType endpoint’s perspective…

 

https://cloud.google.com/chronicle/docs/reference/rest/v1alpha/projects.locations.instances/searchRawLogs#request-body

Thanks,

- Mike

 

Hello @mwisener,

Maybe this is just a copy/paste typo, but you have an extra “/” in your endpoint URL, right before the “:” after the UUID of your instance. It should be: https://us-chronicle.googleapis.com/v1alpha/projects/<project>/locations/us/instances/<uuid>:searchRawLogs

You can see the expected POST body and the possible values by using the raw log search in the SecOps UI. Access the UDM search UI and type the query raw = “ASA”, for example, then inspect the POST request to searchRawLogs using your browser’s dev tools! Note that the field names are camelCase in the browser, but they also work in snake_case, just like in the API docs.

Regarding your particular issue, the problem is in the value of “baseline_query”: it looks like it should always include raw = ; updating the value to raw = /ASA/ should fix it :)


Additionally, after a bit of testing, the UI does not seem to use the “log_type” parameter in the POST request to limit by LogType. It just appends a filter to the baseline_query, using the name of the LogType as it appears in the drop-down list (e.g. “Microsoft PowerShell” for log_type “POWERSHELL”).
Example:
raw = "http" log_source IN ["Microsoft PowerShell"]
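As an added example (not code from the original posters, from Google, or from the Chronicle docs), the helper below builds a searchRawLogs request the way the reply above describes it and lints it for the two mistakes the thread turned up: the extra “/” before “:searchRawLogs” and a baseline_query that does not start with raw = . Only the regional host, the :searchRawLogs custom method, the baseline_query / baseline_time_range fields, the raw = /regex/ form and the log_source IN [...] filter (with the UI display name "Microsoft PowerShell") are taken from the thread; the function names, the lint rules, the RFC 3339 check and the bearer-token POST are this example's own assumptions. The lint treats the extra “/” as non-canonical because that is the form the reply gives; the OP later reports the endpoint accepts both.

```python
"""Build, lint and (optionally) send a Chronicle/SecOps searchRawLogs request.

Added example for this thread, not Google's or the posters' code. Assumed
(not from the thread): function names, lint rules, bearer-token auth.
"""
import json
import re
import urllib.request
from datetime import datetime, timezone

RFC3339_UTC = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z")


def _rfc3339(ts):
    """Return a UTC RFC 3339 string; accepts an aware datetime or an already-formatted string."""
    if isinstance(ts, str):
        if not RFC3339_UTC.fullmatch(ts):
            raise ValueError(f"not an RFC 3339 UTC timestamp: {ts!r}")
        return ts
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware to avoid silent local-time skew")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_search_raw_logs_request(project, location, instance_id, pattern,
                                  start, end, log_sources=None):
    """Return (url, body) for POST .../instances/{id}:searchRawLogs.

    pattern is the regex placed inside raw = /.../. log_sources are the UI
    display names (e.g. "Microsoft PowerShell"); as the reply observed, the UI
    appends them to the query as log_source IN [...] instead of a log_type field.
    """
    url = (f"https://{location}-chronicle.googleapis.com/v1alpha/projects/{project}"
           f"/locations/{location}/instances/{instance_id}:searchRawLogs")  # no '/' before ':'
    query = f"raw = /{pattern}/"
    if log_sources:
        query += " log_source IN [" + ", ".join(json.dumps(s) for s in log_sources) + "]"
    body = {
        "baseline_query": query,
        "baseline_time_range": {"start_time": _rfc3339(start), "end_time": _rfc3339(end)},
    }
    return url, body


def lint_request(url, body):
    """Return a list of the mistakes seen in this thread (plus a few obvious ones); [] means clean."""
    problems = []
    if "/:searchRawLogs" in url:
        problems.append("extra '/' before ':searchRawLogs' (canonical URL has none)")
    elif not url.endswith(":searchRawLogs"):
        problems.append("URL does not end with ':searchRawLogs'")
    if not re.match(r"\s*raw\s*=", body.get("baseline_query", "")):
        problems.append("baseline_query must start with 'raw =' (e.g. raw = /ASA/)")
    rng = body.get("baseline_time_range", {})
    parsed = {}
    for key in ("start_time", "end_time"):
        val = rng.get(key, "")
        if RFC3339_UTC.fullmatch(val):
            parsed[key] = datetime.fromisoformat(val.replace("Z", "+00:00"))
        else:
            problems.append(f"{key} is not an RFC 3339 UTC timestamp")
    if len(parsed) == 2 and parsed["start_time"] >= parsed["end_time"]:
        problems.append("start_time is not before end_time")
    if any(ch in json.dumps(body, ensure_ascii=False) for ch in "“”‘’"):
        problems.append("smart quotes in body (copy/paste artifact)")
    return problems


def send_search_raw_logs(url, body, access_token, timeout=120):
    """POST the request. Assumption: an OAuth2 bearer token obtained separately
    (e.g. via gcloud or google-auth). Refuses to send a request the lint rejects."""
    for problem in lint_request(url, body):
        raise ValueError(f"refusing to send: {problem}")
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # The request as posted in the thread (constructed here from the post).
    posted_url = ("https://us-chronicle.googleapis.com/v1alpha/projects/<project>"
                  "/locations/us/instances/<uuid>/:searchRawLogs")
    posted_body = {"baseline_query": "/ASA/",
                   "baseline_time_range": {"start_time": "2025-08-11T01:00:01Z",
                                           "end_time": "2025-08-12T02:00:01Z"}}
    print("posted request:", lint_request(posted_url, posted_body))
    url, body = build_search_raw_logs_request(
        "<project>", "us", "<uuid>", "ASA",
        datetime(2025, 8, 11, 1, 0, 1, tzinfo=timezone.utc),
        datetime(2025, 8, 12, 2, 0, 1, tzinfo=timezone.utc))
    print("fixed request:", lint_request(url, body))
    print(url)
    print(json.dumps(body, indent=2))
```

Run it without arguments to see the posted request flagged and the corrected one pass; wire send_search_raw_logs() to a real token only after the lint returns an empty list, since the API's 400 carries no hint about which field it disliked.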


Thanks @chrisd2 - I originally had raw = /ASA/ when I had the log-type stuff in there, which I’m guessing was also wrong. Then, through several permutations of fiddling with params to try to get it to work, it morphed into /ASA/ but with the log-type stuff removed!

So raw = /ASA/ appeared to be my issue for sure. Also, the / doesn’t matter; either one works, with or without the / before the :.

Thanks!

