diff --git a/exporter/chronicleexporter/marshal_test.go b/exporter/chronicleexporter/marshal_test.go
index c3a5d7c41..0416e6def 100644
--- a/exporter/chronicleexporter/marshal_test.go
+++ b/exporter/chronicleexporter/marshal_test.go
@@ -535,3 +535,180 @@ func mockLogs(record plog.LogRecord) plog.Logs {
 	record.CopyTo(sl.LogRecords().AppendEmpty())
 	return logs
 }
+
+type getRawFieldCase struct {
+	name         string
+	field        string
+	logRecord    plog.LogRecord
+	scope        plog.ScopeLogs
+	resource     plog.ResourceLogs
+	expect       string
+	expectErrStr string
+}
+
+// Used by tests and benchmarks
+var getRawFieldCases = []getRawFieldCase{
+	{
+		name:  "String body",
+		field: "body",
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Body().SetStr("<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2024-11-08T18:51:13.504187700Z'/><EventRecordID>3562</EventRecordID><Correlation/><Execution ProcessID='604' ThreadID='4792'/><Channel>System</Channel><Computer>WIN-L6PC55MPB98</Computer><Security/></System><EventData><Data Name='param1'>Print Spooler</Data><Data Name='param2'>stopped</Data><Binary>530070006F006F006C00650072002F0031000000</Binary></EventData></Event>")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2024-11-08T18:51:13.504187700Z'/><EventRecordID>3562</EventRecordID><Correlation/><Execution ProcessID='604' ThreadID='4792'/><Channel>System</Channel><Computer>WIN-L6PC55MPB98</Computer><Security/></System><EventData><Data Name='param1'>Print Spooler</Data><Data Name='param2'>stopped</Data><Binary>530070006F006F006C00650072002F0031000000</Binary></EventData></Event>",
+	},
+	{
+		name:  "Empty body",
+		field: "body",
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Body().SetStr("")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "",
+	},
+	{
+		name:  "Map body",
+		field: "body",
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Body().SetEmptyMap()
+			lr.Body().Map().PutStr("param1", "Print Spooler")
+			lr.Body().Map().PutStr("param2", "stopped")
+			lr.Body().Map().PutStr("binary", "530070006F006F006C00650072002F0031000000")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   `{"binary":"530070006F006F006C00650072002F0031000000","param1":"Print Spooler","param2":"stopped"}`,
+	},
+	{
+		name:  "Map body field",
+		field: "body[\"param1\"]",
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Body().SetEmptyMap()
+			lr.Body().Map().PutStr("param1", "Print Spooler")
+			lr.Body().Map().PutStr("param2", "stopped")
+			lr.Body().Map().PutStr("binary", "530070006F006F006C00650072002F0031000000")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "Print Spooler",
+	},
+	{
+		name:  "Map body field missing",
+		field: "body[\"missing\"]",
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Body().SetEmptyMap()
+			lr.Body().Map().PutStr("param1", "Print Spooler")
+			lr.Body().Map().PutStr("param2", "stopped")
+			lr.Body().Map().PutStr("binary", "530070006F006F006C00650072002F0031000000")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "",
+	},
+	{
+		name:  "Attribute log_type",
+		field: `attributes["log_type"]`,
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Attributes().PutStr("status", "200")
+			lr.Attributes().PutStr("log.file.name", "/var/log/containers/agent_agent_ns.log")
+			lr.Attributes().PutStr("log_type", "WINEVTLOG")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "WINEVTLOG",
+	},
+	{
+		name:  "Attribute log_type missing",
+		field: `attributes["log_type"]`,
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Attributes().PutStr("status", "200")
+			lr.Attributes().PutStr("log.file.name", "/var/log/containers/agent_agent_ns.log")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "",
+	},
+	{
+		name:  "Attribute chronicle_log_type",
+		field: `attributes["chronicle_log_type"]`,
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Attributes().PutStr("status", "200")
+			lr.Attributes().PutStr("log.file.name", "/var/log/containers/agent_agent_ns.log")
+			lr.Attributes().PutStr("chronicle_log_type", "MICROSOFT_SQL")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "MICROSOFT_SQL",
+	},
+	{
+		name:  "Attribute chronicle_namespace",
+		field: `attributes["chronicle_namespace"]`,
+		logRecord: func() plog.LogRecord {
+			lr := plog.NewLogRecord()
+			lr.Attributes().PutStr("status", "200")
+			lr.Attributes().PutStr("log_type", "k8s-container")
+			lr.Attributes().PutStr("log.file.name", "/var/log/containers/agent_agent_ns.log")
+			lr.Attributes().PutStr("chronicle_log_type", "MICROSOFT_SQL")
+			lr.Attributes().PutStr("chronicle_namespace", "test")
+			return lr
+		}(),
+		scope:    plog.NewScopeLogs(),
+		resource: plog.NewResourceLogs(),
+		expect:   "test",
+	},
+}
+
+func Test_getRawField(t *testing.T) {
+	for _, tc := range getRawFieldCases {
+		t.Run(tc.name, func(t *testing.T) {
+			m := &protoMarshaler{}
+			m.teleSettings.Logger = zap.NewNop()
+
+			ctx := context.Background()
+
+			rawField, err := m.getRawField(ctx, tc.field, tc.logRecord, tc.scope, tc.resource)
+			if tc.expectErrStr != "" {
+				require.Contains(t, err.Error(), tc.expectErrStr)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, tc.expect, rawField)
+		})
+	}
+}
+
+func Benchmark_getRawField(b *testing.B) {
+	m := &protoMarshaler{}
+	m.teleSettings.Logger = zap.NewNop()
+
+	ctx := context.Background()
+
+	for _, tc := range getRawFieldCases {
+		b.ResetTimer()
+		b.Run(tc.name, func(b *testing.B) {
+			for i := 0; i < b.N; i++ {
+				_, _ = m.getRawField(ctx, tc.field, tc.logRecord, tc.scope, tc.resource)
+			}
+		})
+	}
+
+}