Kibana APIs
1.0.2
https://localhost:5601
The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with kbn:
and run the request in Dev Tools → Console.
For example:
GET kbn:/api/data_views
For more information about the console, refer to Run API requests.
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
Documentation source and versions
This documentation is derived from the main
branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This documentation contains work-in-progress information for future Elastic Stack releases.
This is version 1.0.2
of this API documentation.
Last update on Feb 11, 2025.
Update a rule
Path parameters
-
The identifier for the rule.
Body
-
actions array[object]
Default value is
[]
(empty). -
alert_delay object
Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
-
flapping object | null
When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
-
The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when string | null
Indicates how often alerts generate actions. Valid values include:
onActionGroupChange
: Actions run when the alert status changes;onActiveAlert
: Actions run when the alert becomes active and at each check interval while the rule conditions are met;onThrottleInterval
: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specifynotify_when
at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.Values are
onActionGroupChange
,onActiveAlert
, oronThrottleInterval
. -
params object
The parameters for the rule.
Default value is
{}
(empty). Additional properties are allowed. -
Additional properties are NOT allowed.
-
throttle string | null
Use the
throttle
property in the actionfrequency
object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
curl \
--request PUT https://localhost:5601/api/alerting/rule/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"new name","tags":[],"params":{"index":[".updated-index"],"aggType":"avg","groupBy":"top","aggField":"sheet.version","termSize":6,"termField":"name.keyword","threshold":[1000],"timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m","thresholdComparator":"\u003e"},"actions":[{"id":"96b668d0-a1b6-11ed-afdf-d39a49596974","group":"threshold met","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"frequency":{"summary":false,"notify_when":"onActionGroupChange"}}],"schedule":{"interval":"1m"}}'
{
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"schedule": {
"interval": "1m"
}
}
{
"id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
"name": "new name",
"tags": [],
"params": {
"index": [
".updated-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2024-03-26T23:23:51.316Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2024-03-26T23:13:20.985Z",
"created_by": "elastic",
"updated_at": "2024-03-26T23:22:59.949Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 52,
"last_execution_date": "2024-03-26T23:22:51.390Z"
},
"scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
"api_key_created_by_user": false
}
Disable a rule
Path parameters
-
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_disable \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"untrack":true}'
# Headers
kbn-xsrf: true
# Payload
{
"untrack": true
}
Enable a rule
Path parameters
-
The identifier for the rule.
curl \
--request POST https://localhost:5601/api/alerting/rule/{id}/_enable \
--header "kbn-xsrf: true"
APM agent configuration
Adjust APM agent configuration without need to redeploy your application.
Delete cases
You must have read
or all
privileges and the delete
sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
Query parameters
-
The cases that you want to removed. All non-ASCII characters must be URL encoded.
curl \
--request DELETE https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43 \
--header "kbn-xsrf: string"
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Get cases for an alert Technical preview
You must have read
privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Path parameters
-
An identifier for the alert.
Query parameters
-
owner string | array[string]
A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
curl \
--request GET https://localhost:5601/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540
[
{
"id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
"title": "security_case"
}
]
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Update a connector
Path parameters
-
An identifier for the connector.
Body
-
The display name for the connector.
config object
The connector configuration details.
One of: bedrock_config object crowdstrike_config object d3security_config object email_config object gemini_config object resilient_config object index_config object jira_config object genai_azure_config object genai_openai_config object opsgenie_config object pagerduty_config object sentinelone_config object servicenow_config object servicenow_itom_config object slack_api_config object swimlane_config object thehive_config object tines_config object torq_config object webhook_config object cases_webhook_config object xmatters_config objectDefines properties for connectors when type is
.bedrock
.secrets object
One of: bedrock_secrets object crowdstrike_secrets object d3security_secrets object email_secrets object gemini_secrets object resilient_secrets object jira_secrets object teams_secrets object genai_secrets object opsgenie_secrets object pagerduty_secrets object sentinelone_secrets object servicenow_secrets object slack_api_secrets object swimlane_secrets object thehive_secrets object tines_secrets object torq_secrets object webhook_secrets object cases_webhook_secrets object xmatters_secrets objectDefines secrets for connectors when type is
.bedrock
.
curl \
--request PUT https://localhost:5601/api/actions/connector/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"updated-connector","config":{"index":"updated-index"}}'
{
"name": "updated-connector",
"config": {
"index": "updated-index"
}
}
{
"config": {},
"connector_type_id": "string",
"id": "string",
"is_deprecated": true,
"is_missing_secrets": true,
"is_preconfigured": true,
"is_system_action": true,
"name": "string"
}
Get data streams
[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].
curl \
--request GET https://localhost:5601/api/fleet/data_streams
{
"data_streams": [
{
"dashboards": [
{
"id": "string",
"title": "string"
}
],
"dataset": "string",
"index": "string",
"last_activity_ms": 42.0,
"namespace": "string",
"package": "string",
"package_version": "string",
"serviceDetails": {
"environment": "string",
"serviceName": "string"
},
"size_in_bytes": 42.0,
"size_in_bytes_formatted": 42.0,
"type": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Create a data view
curl \
--request POST https://localhost:5601/api/data_views/data_view \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['shape_name'].value)"}}}}}'
{
"data_view": {
"name": "My Logstash data view",
"title": "logstash-*",
"runtimeFieldMap": {
"runtime_shape_name": {
"type": "keyword",
"script": {
"source": "emit(doc['shape_name'].value)"
}
}
}
}
}
{
"data_view": {
"allowNoIndex": true,
"fieldAttrs": {
"additionalProperty1": {
"count": 42,
"customDescription": "string",
"customLabel": "string"
},
"additionalProperty2": {
"count": 42,
"customDescription": "string",
"customLabel": "string"
}
},
"fieldFormats": {},
"fields": {},
"id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
"name": "string",
"namespaces": [
"default"
],
"runtimeFieldMap": {
"additionalProperty1": {
"script": {
"source": "string"
},
"type": "string"
},
"additionalProperty2": {
"script": {
"source": "string"
},
"type": "string"
}
},
"sourceFilters": [
{
"value": "string"
}
],
"timeFieldName": "string",
"title": "string",
"typeMeta": {
"aggs": {},
"params": {}
},
"version": "WzQ2LDJd"
}
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Get a data view
Path parameters
-
An identifier for the data view.
curl \
--request GET https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f
{
"data_view": {
"id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
"name": "Kibana Sample Data eCommerce",
"title": "kibana_sample_data_ecommerce",
"fields": {
"_id": {
"name": "_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_id"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"sku": {
"name": "sku",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"type": {
"name": "type",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"user": {
"name": "user",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"email": {
"name": "email",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_index": {
"name": "_index",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_index"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_score": {
"name": "_score",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_source": {
"name": "_source",
"type": "_source",
"count": 0,
"format": {
"id": "_source"
},
"esTypes": [
"_source"
],
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"category": {
"name": "category",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"currency": {
"name": "currency",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"order_id": {
"name": "order_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"order_date": {
"name": "order_date",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_id": {
"name": "customer_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"day_of_week": {
"name": "day_of_week",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"manufacturer": {
"name": "manufacturer",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products._id": {
"name": "products._id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.sku": {
"name": "products.sku",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"day_of_week_i": {
"name": "day_of_week_i",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"event.dataset": {
"name": "event.dataset",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_phone": {
"name": "customer_phone",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.location": {
"name": "geoip.location",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.price": {
"name": "products.price",
"type": "number",
"count": 1,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"total_quantity": {
"name": "total_quantity",
"type": "number",
"count": 1,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_gender": {
"name": "customer_gender",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.city_name": {
"name": "geoip.city_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"category.keyword": {
"name": "category.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "category"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.region_name": {
"name": "geoip.region_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.category": {
"name": "products.category",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.quantity": {
"name": "products.quantity",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_full_name": {
"name": "customer_full_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"customer_last_name": {
"name": "customer_last_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.min_price": {
"name": "products.min_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"taxful_total_price": {
"name": "taxful_total_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_birth_date": {
"name": "customer_birth_date",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_first_name": {
"name": "customer_first_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.base_price": {
"name": "products.base_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.created_on": {
"name": "products.created_on",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.product_id": {
"name": "products.product_id",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"long"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.tax_amount": {
"name": "products.tax_amount",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"taxless_total_price": {
"name": "taxless_total_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.continent_name": {
"name": "geoip.continent_name",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"manufacturer.keyword": {
"name": "manufacturer.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "manufacturer"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products._id.keyword": {
"name": "products._id.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products._id"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.manufacturer": {
"name": "products.manufacturer",
"type": "string",
"count": 1,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.product_name": {
"name": "products.product_name",
"type": "string",
"count": 1,
"format": {
"id": "string"
},
"esTypes": [
"text"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"products.taxful_price": {
"name": "products.taxful_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"total_unique_products": {
"name": "total_unique_products",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"geoip.country_iso_code": {
"name": "geoip.country_iso_code",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.taxless_price": {
"name": "products.taxless_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.base_unit_price": {
"name": "products.base_unit_price",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.discount_amount": {
"name": "products.discount_amount",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.category.keyword": {
"name": "products.category.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products.category"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_full_name.keyword": {
"name": "customer_full_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "customer_full_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_last_name.keyword": {
"name": "customer_last_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "customer_last_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"customer_first_name.keyword": {
"name": "customer_first_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "customer_first_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.discount_percentage": {
"name": "products.discount_percentage",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.manufacturer.keyword": {
"name": "products.manufacturer.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products.manufacturer"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.product_name.keyword": {
"name": "products.product_name.keyword",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"subType": {
"multi": {
"parent": "products.product_name"
}
},
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"products.unit_discount_amount": {
"name": "products.unit_discount_amount",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"half_float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
}
},
"version": "WzUsMV0=",
"typeMeta": {},
"fieldAttrs": {
"products.price": {
"count": 1
},
"total_quantity": {
"count": 1
},
"products.manufacturer": {
"count": 1
},
"products.product_name": {
"count": 1
}
},
"namespaces": [
"default"
],
"allowNoIndex": false,
"fieldFormats": {
"products.price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.min_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"taxful_total_price": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"products.base_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"taxless_total_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.taxful_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.taxless_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
},
"products.base_unit_price": {
"id": "number",
"params": {
"pattern": "$0,0.00"
}
}
},
"sourceFilters": [],
"timeFieldName": "order_date",
"runtimeFieldMap": {}
}
}
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}
Update data view fields metadata
Update fields presentation metadata such as count, customLabel, customDescription, and format.
Path parameters
-
An identifier for the data view.
curl \
--request POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/fields \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"fields":{"field1":{"count":123,"customLabel":"Field 1 label"},"field2":{"customLabel":"Field 2 label","customDescription":"Field 2 description"}}}'
{
"fields": {
"field1": {
"count": 123,
"customLabel": "Field 1 label"
},
"field2": {
"customLabel": "Field 2 label",
"customDescription": "Field 2 description"
}
}
}
{
"acknowledged": true
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Create or update a runtime field
Path parameters
-
The ID of the data view fields you want to update.
Body Required
-
The name for a runtime field.
-
The runtime field definition object.
Additional properties are allowed.
curl \
--request PUT https://localhost:5601/api/data_views/data_view/{viewId}/runtime_field \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
{
"name": "runtimeFoo",
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc[\"foo\"].value)"
}
}
}
{
"data_view": {},
"fields": [
{}
]
}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Get a runtime field
Path parameters
-
The name of the runtime field.
-
An identifier for the data view.
curl \
--request GET https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
{
"fields": [
{
"name": "hour_of_day",
"type": "number",
"count": 0,
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
}
],
"data_view": {
"id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
"name": "Kibana Sample Data Flights",
"title": "kibana_sample_data_flights",
"fields": {
"_id": {
"name": "_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_id"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Dest": {
"name": "Dest",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"Origin": {
"name": "Origin",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_index": {
"name": "_index",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_index"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_score": {
"name": "_score",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Carrier": {
"name": "Carrier",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_source": {
"name": "_source",
"type": "_source",
"count": 0,
"format": {
"id": "_source"
},
"esTypes": [
"_source"
],
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Cancelled": {
"name": "Cancelled",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightNum": {
"name": "FlightNum",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"dayOfWeek": {
"name": "dayOfWeek",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"timestamp": {
"name": "timestamp",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestRegion": {
"name": "DestRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestCountry": {
"name": "DestCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestWeather": {
"name": "DestWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelay": {
"name": "FlightDelay",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"hour_of_day": {
"name": "hour_of_day",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "00"
}
},
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
},
"DestCityName": {
"name": "DestCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestLocation": {
"name": "DestLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginRegion": {
"name": "OriginRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestAirportID": {
"name": "DestAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceMiles": {
"name": "DistanceMiles",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeMin": {
"name": "FlightTimeMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCountry": {
"name": "OriginCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginWeather": {
"name": "OriginWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"AvgTicketPrice": {
"name": "AvgTicketPrice",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayMin": {
"name": "FlightDelayMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeHour": {
"name": "FlightTimeHour",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCityName": {
"name": "OriginCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginLocation": {
"name": "OriginLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayType": {
"name": "FlightDelayType",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginAirportID": {
"name": "OriginAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceKilometers": {
"name": "DistanceKilometers",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
}
},
"version": "WzM2LDJd",
"fieldAttrs": {},
"allowNoIndex": false,
"fieldFormats": {
"hour_of_day": {
"id": "number",
"params": {
"pattern": "00"
}
},
"AvgTicketPrice": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
}
},
"sourceFilters": [],
"timeFieldName": "timestamp",
"runtimeFieldMap": {
"hour_of_day": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
}
}
}
}
{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}
Swap saved object references
Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.
Body Required
-
delete boolean
Deletes referenced saved object if all references are removed.
forId string | array[string]
Limit the affected saved objects to one or more by identifier.
-
forType string
Limit the affected saved objects by type.
-
The saved object reference to change.
-
fromType string
Specify the type of the saved object reference to alter. The default value is
index-pattern
for data views. -
New saved object reference value to replace the old value.
curl \
--request POST https://localhost:5601/api/data_views/swap_references \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"toId":"xyz-123","delete":true,"fromId":"abcd-efg"}'
{
"toId": "xyz-123",
"delete": true,
"fromId": "abcd-efg"
}
{
"deleteStatus": {
"deletePerformed": true,
"remainingRefs": 42
},
"result": [
{
"id": "string",
"type": "string"
}
]
}
Preview a saved object reference swap
Preview the impact of swapping saved object references from one data view identifier to another.
Body Required
-
delete boolean
Deletes referenced saved object if all references are removed.
forId string | array[string]
Limit the affected saved objects to one or more by identifier.
-
forType string
Limit the affected saved objects by type.
-
The saved object reference to change.
-
fromType string
Specify the type of the saved object reference to alter. The default value is
index-pattern
for data views. -
New saved object reference value to replace the old value.
curl \
--request POST https://localhost:5601/api/data_views/swap_references/_preview \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"toId":"xyz-123","fromId":"abcd-efg"}'
{
"toId": "xyz-123",
"fromId": "abcd-efg"
}
{
"result": [
{
"id": "string",
"type": "string"
}
]
}
Create an agent policy
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].
Query parameters
-
sys_monitoring boolean
Body
-
advanced_settings object
Additional properties are NOT allowed.
-
agent_features array[object]
-
agentless object
Additional properties are NOT allowed.
-
data_output_id string | null
-
description string
-
download_source_id string | null
-
fleet_server_host_id string | null
-
force boolean
-
has_fleet_server boolean
-
id string
-
inactivity_timeout number
Minimum value is
0
. Default value is1209600
. -
is_default boolean
-
is_default_fleet_server boolean
-
is_managed boolean
-
is_protected boolean
-
keep_monitoring_alive boolean | null
When set to true, monitoring will be enabled but logs/metrics collection will be disabled
Default value is
false
. -
monitoring_diagnostics object
Additional properties are NOT allowed.
-
monitoring_enabled array[string]
Values are
logs
,metrics
, ortraces
. -
monitoring_http object
Additional properties are NOT allowed.
-
monitoring_output_id string | null
-
monitoring_pprof_enabled boolean
-
Minimum length is
1
. -
Minimum length is
1
. -
overrides object | null
Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
Additional properties are allowed.
-
required_versions array[object] | null
-
space_ids array[string]
-
supports_agentless boolean | null
Indicates whether the agent policy supports agentless integrations.
Default value is
false
. -
unenroll_timeout number
Minimum value is
0
.
curl \
--request POST https://localhost:5601/api/fleet/agent_policies \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"advanced_settings":{},"agent_features":[{"enabled":true,"name":"string"}],"agentless":{"resources":{"requests":{"cpu":"string","memory":"string"}}},"data_output_id":"string","description":"string","download_source_id":"string","fleet_server_host_id":"string","force":true,"global_data_tags":[{"name":"string","value":"string"}],"has_fleet_server":true,"id":"string","inactivity_timeout":1209600,"is_default":true,"is_default_fleet_server":true,"is_managed":true,"is_protected":true,"keep_monitoring_alive":false,"monitoring_diagnostics":{"limit":{"burst":42.0,"interval":"string"},"uploader":{"init_dur":"string","max_dur":"string","max_retries":42.0}},"monitoring_enabled":["logs"],"monitoring_http":{"buffer":{"enabled":false},"enabled":true,"host":"string","port":42.0},"monitoring_output_id":"string","monitoring_pprof_enabled":true,"name":"string","namespace":"string","overrides":{},"required_versions":[{"percentage":42.0,"version":"string"}],"space_ids":["string"],"supports_agentless":false,"unenroll_timeout":42.0}'
# Headers
kbn-xsrf: true
# Payload
{
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"force": true,
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"space_ids": [
"string"
],
"supports_agentless": false,
"unenroll_timeout": 42.0
}
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get an agent policy
Get an agent policy by ID.
[Required authorization] Route required privileges: ANY of [fleet-agent-policies-read OR fleet-agents-read OR fleet-setup].
Query parameters
-
format string
Values are
simplified
orlegacy
.
curl \
--request GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Update an agent policy
Update an agent policy by ID.
[Required authorization] Route required privileges: ALL of [fleet-agent-policies-all].
Query parameters
-
format string
Values are
simplified
orlegacy
.
Body
-
advanced_settings object
Additional properties are NOT allowed.
-
agent_features array[object]
-
agentless object
Additional properties are NOT allowed.
-
data_output_id string | null
-
description string
-
download_source_id string | null
-
fleet_server_host_id string | null
-
force boolean
-
has_fleet_server boolean
-
id string
-
inactivity_timeout number
Minimum value is
0
. Default value is1209600
. -
is_default boolean
-
is_default_fleet_server boolean
-
is_managed boolean
-
is_protected boolean
-
keep_monitoring_alive boolean | null
When set to true, monitoring will be enabled but logs/metrics collection will be disabled
Default value is
false
. -
monitoring_diagnostics object
Additional properties are NOT allowed.
-
monitoring_enabled array[string]
Values are
logs
,metrics
, ortraces
. -
monitoring_http object
Additional properties are NOT allowed.
-
monitoring_output_id string | null
-
monitoring_pprof_enabled boolean
-
Minimum length is
1
. -
Minimum length is
1
. -
overrides object | null
Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
Additional properties are allowed.
-
required_versions array[object] | null
-
space_ids array[string]
-
supports_agentless boolean | null
Indicates whether the agent policy supports agentless integrations.
Default value is
false
. -
unenroll_timeout number
Minimum value is
0
.
curl \
--request PUT https://localhost:5601/api/fleet/agent_policies/{agentPolicyId} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"advanced_settings":{},"agent_features":[{"enabled":true,"name":"string"}],"agentless":{"resources":{"requests":{"cpu":"string","memory":"string"}}},"data_output_id":"string","description":"string","download_source_id":"string","fleet_server_host_id":"string","force":true,"global_data_tags":[{"name":"string","value":"string"}],"has_fleet_server":true,"id":"string","inactivity_timeout":1209600,"is_default":true,"is_default_fleet_server":true,"is_managed":true,"is_protected":true,"keep_monitoring_alive":false,"monitoring_diagnostics":{"limit":{"burst":42.0,"interval":"string"},"uploader":{"init_dur":"string","max_dur":"string","max_retries":42.0}},"monitoring_enabled":["logs"],"monitoring_http":{"buffer":{"enabled":false},"enabled":true,"host":"string","port":42.0},"monitoring_output_id":"string","monitoring_pprof_enabled":true,"name":"string","namespace":"string","overrides":{},"required_versions":[{"percentage":42.0,"version":"string"}],"space_ids":["string"],"supports_agentless":false,"unenroll_timeout":42.0}'
# Headers
kbn-xsrf: true
# Payload
{
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"force": true,
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"space_ids": [
"string"
],
"supports_agentless": false,
"unenroll_timeout": 42.0
}
{
"item": {
"advanced_settings": {},
"agent_features": [
{
"enabled": true,
"name": "string"
}
],
"agentless": {
"resources": {
"requests": {
"cpu": "string",
"memory": "string"
}
}
},
"agents": 42.0,
"data_output_id": "string",
"description": "string",
"download_source_id": "string",
"fleet_server_host_id": "string",
"global_data_tags": [
{
"name": "string",
"value": "string"
}
],
"has_fleet_server": true,
"id": "string",
"inactivity_timeout": 1209600,
"is_default": true,
"is_default_fleet_server": true,
"is_managed": true,
"is_preconfigured": true,
"is_protected": true,
"keep_monitoring_alive": false,
"monitoring_diagnostics": {
"limit": {
"burst": 42.0,
"interval": "string"
},
"uploader": {
"init_dur": "string",
"max_dur": "string",
"max_retries": 42.0
}
},
"monitoring_enabled": [
"logs"
],
"monitoring_http": {
"buffer": {
"enabled": false
},
"enabled": true,
"host": "string",
"port": 42.0
},
"monitoring_output_id": "string",
"monitoring_pprof_enabled": true,
"name": "string",
"namespace": "string",
"overrides": {},
"package_policies": [
"string"
],
"required_versions": [
{
"percentage": 42.0,
"version": "string"
}
],
"revision": 42.0,
"schema_version": "string",
"space_ids": [
"string"
],
"status": "active",
"supports_agentless": false,
"unenroll_timeout": 42.0,
"unprivileged_agents": 42.0,
"updated_at": "string",
"updated_by": "string",
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get an agent
Get an agent by ID.
[Required authorization] Route required privileges: ALL of [fleet-agents-read].
Query parameters
-
withMetrics boolean
Default value is
false
.
curl \
--request GET https://localhost:5601/api/fleet/agents/{agentId}
{
"item": {
"access_api_key": "string",
"access_api_key_id": "string",
"active": true,
"agent": {
"id": "string",
"version": "string"
},
"audit_unenrolled_reason": "string",
"components": [
{
"id": "string",
"message": "string",
"status": "STARTING",
"type": "string",
"units": [
{
"id": "string",
"message": "string",
"payload": {},
"status": "STARTING",
"type": "input"
}
]
}
],
"default_api_key": "string",
"default_api_key_history": [
{
"id": "string",
"retired_at": "string"
}
],
"default_api_key_id": "string",
"enrolled_at": "string",
"id": "string",
"last_checkin": "string",
"last_checkin_message": "string",
"last_checkin_status": "error",
"local_metadata": {},
"metrics": {
"cpu_avg": 42.0,
"memory_size_byte_avg": 42.0
},
"namespaces": [
"string"
],
"outputs": {
"additionalProperty1": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
},
"additionalProperty2": {
"api_key_id": "string",
"to_retire_api_key_ids": [
{
"id": "string",
"retired_at": "string"
}
],
"type": "string"
}
},
"packages": [
"string"
],
"policy_id": "string",
"policy_revision": 42.0,
"sort": [
42.0
],
"status": "offline",
"tags": [
"string"
],
"type": "PERMANENT",
"unenrolled_at": "string",
"unenrollment_started_at": "string",
"unhealthy_reason": [
"input"
],
"upgrade_details": {
"action_id": "string",
"metadata": {
"download_percent": 42.0,
"download_rate": 42.0,
"error_msg": "string",
"failed_state": "UPG_REQUESTED",
"retry_error_msg": "string",
"retry_until": "string",
"scheduled_at": "string"
},
"state": "UPG_REQUESTED",
"target_version": "string"
},
"upgrade_started_at": "string",
"upgraded_at": "string",
"user_provided_metadata": {}
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get agent setup info
[Required authorization] Route required privileges: ANY of [fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup].
curl \
--request GET https://localhost:5601/api/fleet/agents/setup
{
"is_secrets_storage_enabled": true,
"is_space_awareness_enabled": true,
"isReady": true,
"missing_optional_features": [
"encrypted_saved_object_encryption_key_required"
],
"missing_requirements": [
"security_required"
],
"package_verification_key_id": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Check permissions
Query parameters
-
fleetServerSetup boolean
curl \
--request GET https://localhost:5601/api/fleet/check-permissions
{
"error": "MISSING_SECURITY",
"success": true
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Get settings
[Required authorization] Route required privileges: ALL of [fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/settings
{
"item": {
"delete_unenrolled_agents": {
"enabled": true,
"is_preconfigured": true
},
"has_seen_add_data_notice": true,
"id": "string",
"output_secret_storage_requirements_met": true,
"preconfigured_fields": [
"fleet_server_hosts"
],
"prerelease_integrations_enabled": true,
"secret_storage_requirements_met": true,
"use_space_awareness_migration_started_at": "string",
"use_space_awareness_migration_status": "pending",
"version": "string"
}
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
{
"message": "string"
}
Get Fleet Server hosts
[Required authorization] Route required privileges: ANY of [fleet-agents-all OR fleet-settings-read].
curl \
--request GET https://localhost:5601/api/fleet/fleet_server_hosts
{
"items": [
{
"host_urls": [
"string"
],
"id": "string",
"is_default": false,
"is_internal": true,
"is_preconfigured": false,
"name": "string",
"proxy_id": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Create a service token
[Required authorization] Route required privileges: ALL of [fleet-agents-all].
curl \
--request POST https://localhost:5601/api/fleet/service_tokens \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"remote":false}'
# Headers
kbn-xsrf: true
# Payload
{
"remote": false
}
{
"name": "string",
"value": "string"
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Machine learning
Machine learning
Get all roles
Query parameters
-
replaceDeprecatedPrivileges boolean
If
true
and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
curl \
--request GET https://localhost:5601/api/security/role
[
{
"name": "my_kibana_role",
"kibana": [
{
"base": [
"all"
],
"spaces": [
"*"
],
"feature": {}
}
],
"metadata": {
"version": 1
},
"description": "My kibana role description",
"elasticsearch": {
"run_as": [],
"cluster": [],
"indices": []
},
"transient_metadata": {
"enabled": true
}
},
{
"name": "my_admin_role",
"kibana": [],
"metadata": {
"version": 1
},
"description": "My admin role description",
"elasticsearch": {
"cluster": [
"all"
],
"indices": [
{
"names": [
"index1",
"index2"
],
"query": "{\\\"match\\\": {\\\"title\\\": \\\"foo\\\"}}",
"privileges": [
"all"
],
"field_security": {
"grant": [
"title",
"body"
]
}
}
]
},
"transient_metadata": {
"enabled": true
}
}
]
Resolve saved objects Deprecated
Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID.
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_resolve \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
# Headers
kbn-xsrf: string
# Payload
[
{}
]
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Update saved objects Deprecated
Update the attributes for multiple Kibana saved objects.
curl \
--request POST https://localhost:5601/api/saved_objects/_bulk_update \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '[{}]'
# Headers
kbn-xsrf: string
# Payload
[
{}
]
{}
{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}
Update a saved object Deprecated
Update the attributes for Kibana saved objects.
Path parameters
-
An identifier for the saved object.
-
Valid options include
visualization
,dashboard
,search
,index-pattern
,config
.
curl \
--request PUT https://localhost:5601/api/saved_objects/{type}/{id} \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string"
# Headers
kbn-xsrf: string
# Payload
{}
{}
{}
{}
Apply a bulk action to anonymization fields
Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
curl \
--request POST https://localhost:5601/api/security_ai_assistant/anonymization_fields/_bulk_action \
--header "Content-Type: application/json" \
--data '{"create":[{"allowed":true,"anonymized":true,"field":"string"}],"delete":{"ids":["string"],"query":"string"},"update":[{"allowed":true,"anonymized":true,"id":"string"}]}'
{
"create": [
{
"allowed": true,
"anonymized": true,
"field": "string"
}
],
"delete": {
"ids": [
"string"
],
"query": "string"
},
"update": [
{
"allowed": true,
"anonymized": true,
"id": "string"
}
]
}
{
"anonymization_fields_count": 42,
"attributes": {
"errors": [
{
"anonymization_fields": [
{
"id": "string",
"name": "string"
}
],
"err_code": "string",
"message": "string",
"status_code": 42
}
],
"results": {
"created": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
],
"deleted": [
"string"
],
"skipped": [
{
"id": "string",
"name": "string",
"skip_reason": "ANONYMIZATION_FIELD_NOT_MODIFIED"
}
],
"updated": [
{
"allowed": true,
"anonymized": true,
"createdAt": "string",
"createdBy": "string",
"field": "string",
"id": "string",
"namespace": "string",
"timestamp": "string",
"updatedAt": "string",
"updatedBy": "string"
}
]
},
"summary": {
"failed": 42,
"skipped": 42,
"succeeded": 42,
"total": 42
}
},
"message": "string",
"status_code": 42,
"success": true
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Create a conversation
Create a new Security AI Assistant conversation.
Body Required
-
apiConfig object
LLM API configuration.
Additional properties are allowed.
-
category string
The conversation category.
Values are
assistant
orinsights
. -
excludeFromLastConversationStorage.
-
id string
The conversation id.
-
isDefault boolean
Is default conversation.
-
messages array[object]
The conversation messages.
-
replacements object
Replacements object used to anonymize/deanomymize messsages
-
The conversation title.
curl \
--request POST https://localhost:5601/api/security_ai_assistant/current_user/conversations \
--header "Content-Type: application/json" \
--data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","isDefault":true,"messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"title":"string"}'
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"excludeFromLastConversationStorage": true,
"id": "string",
"isDefault": true,
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"title": "string"
}
{
"apiConfig": {
"actionTypeId": "string",
"connectorId": "string",
"defaultSystemPromptId": "string",
"model": "string",
"provider": "OpenAI"
},
"category": "assistant",
"createdAt": "string",
"excludeFromLastConversationStorage": true,
"id": "string",
"isDefault": true,
"messages": [
{
"content": "string",
"isError": true,
"metadata": {
"contentReferences": {}
},
"reader": {},
"role": "system",
"timestamp": "string",
"traceData": {
"traceId": "string",
"transactionId": "string"
}
}
],
"namespace": "string",
"replacements": {
"additionalProperty1": "string",
"additionalProperty2": "string"
},
"summary": {
"confidence": "low",
"content": "string",
"public": true,
"timestamp": "string"
},
"timestamp": "string",
"title": "string",
"updatedAt": "string",
"users": [
{
"id": "string",
"name": "string"
}
]
}
{
"error": "string",
"message": "string",
"statusCode": 42.0
}
Security detections
Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the Alerts page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.
If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.
If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.