Feature Request – Support for Dynamic Labels in GCP Chronicle Unstructured Sink

[WeslleyLobo07]

Background

We have been working with the GCP Chronicle Unstructured sink in Vector to send logs to Google SecOps.
Our main goal is to determine when a host has stopped sending logs, which we can monitor through detection rules or Google Cloud Monitoring.

Problem

One of the challenges with Google SecOps is that it parses hostnames inconsistently. Depending on the SIEM parser, the hostname might appear in different fields.

To work around this, we currently apply the hostname directly to metadata labels in SecOps, which standardizes host identification regardless of how the parser handles the logs.

However, the GCP Chronicle Unstructured sink in Vector only supports literal strings for labels. This limitation prevents us from dynamically setting label values using Vector’s template syntax.

For example, we cannot do something like:

labels:
  ingestion_source: "{{ .file_host }}"

…where .file_host is extracted per-event.

Dynamic label support would allow us to use actual hostname values from each log without having to hardcode or preprocess them before sending.

Current Configuration Attempt

sinks:
  siem:
    type: gcp_chronicle_unstructured
    inputs:
      - routing_parse_by_status.completed
    customer_id: "REPLACE_CUSTOMER_ID"
    credentials_path: ""
    endpoint: 'https://malachiteingestion-pa.googleapis.com:443'
    log_type: "{{ .log_type }}"
    encoding:
      codec: raw_message
    labels:
      ingestion_source: "{{ .file_host }}"

Why This Matters

• Ensures consistent host identification in Google SecOps regardless of parser differences.
• Eliminates the need for pre-processing steps just to set static labels.
• Enables per-event metadata enrichment directly at the ingestion stage.

Reference

Google SecOps Labels Documentation:
https://cloud.google.com/chronicle/docs/reference/ingestion-metrics-schema#ingestion_api_schema

Request
Are there plans to add dynamic label support to the GCP Chronicle Unstructured sink in Vector so we can take advantage of per-event values using template syntax?