
User is asking me when did we start logging their project “my-project” in cloud logs.

If I UDM search on project = “my-project” for the past year, I get the “too many results” warning and the time graph won’t show up for the whole 1 year I’m searching.

“WARNING: Can't show all results because the query is too broad. Events are sampled. Try a more specific query.”

In Splunk I’d just use index = foo | fields index and I’d be done in a second.

Instead, in SIEM I have to spend time researching, looking for a field/value pair that doesn’t occur very often.


There’s got to be an easier way to do this.


[removed by moderator],

There are a couple of features of SecOps that can help here. The first is that you noted looking for a KV pair, likely trying to find where the project name/ID is. I use UDM lookup all the time, which (to date myself) is a lot like a card catalog in a library. You tell it what you’re looking for and it will tell you where it may be. Details on this here:

For me, using GCP, the audit logs put the project name/ID in target.cloud.project.name. Now that I know that, I can use a stats/aggregation search to find the first/last seen for that project name. This is how that search looks.

target.cloud.project.name != ""
target.cloud.project.name = $cloud_project
match:
  $cloud_project
outcome:
  $last_seen = timestamp.get_timestamp(max(metadata.event_timestamp.seconds))
  $first_seen = timestamp.get_timestamp(min(metadata.event_timestamp.seconds))

And my results show me the first/last seen time for each project in my GCP environment.
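A variation of the stats search above, added here as an example and not part of the original reply: it keeps the same first/last-seen aggregation but also groups by metadata.log_type and counts events, so the result tells you not only when a project first appeared but which log feed reported it first. It assumes, as the reply does, that the GCP audit logs populate target.cloud.project.name; the placeholder names ($cloud_project, $log_type, $event_count) are my own.

```yaral
// Added example: first/last seen per GCP project, broken out by log type.
// Assumes target.cloud.project.name carries the project name/ID (as observed
// in the reply above); adjust the field if your logs put it elsewhere.
target.cloud.project.name != ""
target.cloud.project.name = $cloud_project
metadata.log_type = $log_type
match:
  $cloud_project, $log_type
outcome:
  // How many events each feed contributed for the project in the search window.
  $event_count = count(metadata.id)
  // Earliest and latest event time, rendered as a timestamp string.
  $first_seen = timestamp.get_timestamp(min(metadata.event_timestamp.seconds))
  $last_seen = timestamp.get_timestamp(max(metadata.event_timestamp.seconds))
order:
  $first_seen asc
```

Run it over the same one-year window as the original search; because it is a stats search it aggregates server-side and is not subject to the sampling warning on the raw event timeline. Sorting by $first_seen puts the earliest-reporting log type for each project at the top of the table.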

