Returns the current status and available results for an async EQL search or a stored synchronous EQL search Added in 7.9.0

GET /_eql/search/{id}

Path parameters

  • id string Required

    Identifier for the search.

Query parameters

  • keep_alive string

    Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.

  • wait_for_completion_timeout string

    Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • id string
    • is_partial boolean

      If true, the response does not contain complete search results.

    • is_running boolean

      If true, the search request is still executing.

    • took number

      Time unit for milliseconds

    • timed_out boolean

      If true, the request timed out before completion.

    • hits object Required

      Additional properties are allowed.

      Hide hits attributes Show hits attributes object
      • total object

        Additional properties are allowed.

        Hide total attributes Show total attributes object
      • events array[object]

        Contains events matching the query. Each object represents a matching event.

        Hide events attributes Show events attributes object
        • _index string Required
        • _id string Required
        • _source object Required

          Original JSON body passed for the event at index time.

          Additional properties are allowed.

        • missing boolean

          Set to true for events in a timespan-constrained sequence that do not meet a given condition.

        • fields object
          Hide fields attribute Show fields attribute object
          • * array[object] Additional properties

            Additional properties are allowed.

      • sequences array[object]

        Contains event sequences matching the query. Each object represents a matching sequence. This parameter is only returned for EQL queries containing a sequence.

        Hide sequences attributes Show sequences attributes object
        • events array[object] Required

          Contains events matching the query. Each object represents a matching event.

          Hide events attributes Show events attributes object
          • _index string Required
          • _id string Required
          • _source object Required

            Original JSON body passed for the event at index time.

            Additional properties are allowed.

          • missing boolean

            Set to true for events in a timespan-constrained sequence that do not meet a given condition.

          • fields object
        • join_keys array[object]

          Shared field values used to constrain matches in the sequence. These are defined using the by keyword in the EQL query syntax.

          Additional properties are allowed.
GET /_eql/search/{id} 
curl \
 -X GET http://api.example.com/_eql/search/{id}
Response examples (200) 
{
  "id": "string",
  "is_partial": true,
  "is_running": true,
  "": 42.0,
  "timed_out": true,
  "hits": {
    "total": {
      "relation": "eq",
      "value": 42.0
    },
    "events": [
      {
        "_index": "string",
        "_id": "string",
        "_source": {},
        "missing": true,
        "fields": {
          "additionalProperty1": [
            {}
          ],
          "additionalProperty2": [
            {}
          ]
        }
      }
    ],
    "sequences": [
      {
        "events": [
          {
            "_index": "string",
            "_id": "string",
            "_source": {},
            "missing": true,
            "fields": {}
          }
        ],
        "join_keys": [
          {}
        ]
      }
    ]
  }
}