Path parameters

• id string Required

  Identifier for the search.

Query parameters

• keep_alive string

  Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.

• wait_for_completion_timeout string

  Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.

Responses

• 200 application/json
  Hide response attributes Show response attributes object

  • id string
  • is_partial boolean

    If true, the response does not contain complete search results.

  • is_running boolean

    If true, the search request is still executing.

  • took number

    Time unit for milliseconds

  • timed_out boolean

    If true, the request timed out before completion.

  • hits object Required
    Hide hits attributes Show hits attributes object

    • total object
      Hide total attributes Show total attributes object

      • relation string Required

        Values are eq or gte.

      • value number Required
    • events array[object]

      Contains events matching the query. Each object represents a matching event.

      Hide events attributes Show events attributes object

      • _index string Required
      • _id string Required
      • _source object Required

        Original JSON body passed for the event at index time.

      • missing boolean

        Set to true for events in a timespan-constrained sequence that do not meet a given condition.

      • fields object
        Hide fields attributes Show fields attributes object

        • Additional properties
        • key array
    • sequences array[object]

      Contains event sequences matching the query. Each object represents a matching sequence. This parameter is only returned for EQL queries containing a sequence.

      Hide sequences attributes Show sequences attributes object

      • events array[object] Required

        Contains events matching the query. Each object represents a matching event.

        Hide events attributes Show events attributes object

        • _index string Required
        • _id string Required
        • _source object Required

          Original JSON body passed for the event at index time.

        • missing boolean

          Set to true for events in a timespan-constrained sequence that do not meet a given condition.

        • fields object
      • join_keys array[object]

        Shared field values used to constrain matches in the sequence. These are defined using the by keyword in the EQL query syntax.