Kibana APIs
1.0.2

Base URL
https://localhost:5601

The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.

To interact with Kibana APIs, use the following operations:

  • GET: Fetches the information.
  • PATCH: Applies partial modifications to the existing information.
  • POST: Adds new information.
  • PUT: Updates the existing information.
  • DELETE: Removes the information.

You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console. For example:

GET kbn:/api/data_views

For more information about the console, refer to Run API requests.

NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.

Documentation source and versions

This documentation is derived from the main branch of the kibana repository. It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.

This documentation contains work-in-progress information for future Elastic Stack releases.

This is version 1.0.2 of this API documentation. Last update on Dec 5, 2024.

Authentication

The API accepts 2 different authentication methods:

Api key auth (http_api_key)

These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey

Basic auth (http)

Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password (separated by a : colon).

Example: send a Authorization: Basic aGVsbG86aGVsbG8= HTTP header with your requests to authenticate with the API.

Kibana spaces

Spaces enable you to organize your dashboards and other saved objects into meaningful categories. You can use the default space or create your own spaces.

To run APIs in non-default spaces, you must add s/{space_id}/ to the path. For example:

curl -X GET "http://localhost:5601/s/marketing/api/data_views"

If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier.

To learn more, check out Spaces.

Alerting

Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.

Get the alerting framework health

GET /api/alerting/_health

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.

      Additional properties are allowed.

      Hide alerting_framework_health attributes Show alerting_framework_health attributes object
      • The timestamp and status of the rule decryption.

        Additional properties are allowed.

        Hide decryption_health attributes Show decryption_health attributes object
      • The timestamp and status of the rule run.

        Additional properties are allowed.

        Hide execution_health attributes Show execution_health attributes object
      • The timestamp and status of the rule reading events.

        Additional properties are allowed.

        Hide read_health attributes Show read_health attributes object
    • If false, the encrypted saved object plugin does not have a permanent encryption key.

    • If false, security is enabled but TLS is not.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/_health
curl \
 -X GET https://localhost:5601/api/alerting/_health
Response examples (200)
{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get the rule types

GET /api/alerting/rule_types

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action_groups array[object]

      An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.

      Hide action_groups attributes Show action_groups attributes object
    • A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.

      Additional properties are allowed.

      Hide action_variables attributes Show action_variables attributes object
    • alerts object

      Details for writing alerts as data documents for this rule type.

      Additional properties are allowed.

      Hide alerts attributes Show alerts attributes object
      • context string

        The namespace for this rule type.

        Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.

      • dynamic string

        Indicates whether new fields are added dynamically.

        Values are false, runtime, strict, or true.

      • Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.

      • mappings object

        Additional properties are allowed.

        Hide mappings attribute Show mappings attribute object
        • fieldMap object

          Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.

          Hide fieldMap attribute Show fieldMap attribute object
          • * object Additional properties

            Additional properties are allowed.

            Hide * attributes Show * attributes object
            • array boolean

              Indicates whether the field is an array.

            • dynamic boolean

              Indicates whether it is a dynamic field mapping.

            • format string

              Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.

            • Specifies the maximum length of a string field. Longer strings are not indexed or stored.

            • index boolean

              Indicates whether field values are indexed.

            • path string

              TBD

            • Details about the object properties. This property is applicable when type is object.

              Hide properties attribute Show properties attribute object
              • * object Additional properties

                Additional properties are allowed.

                Hide * attribute Show * attribute object
                • type string

                  The data type for each object property.

            • required boolean

              Indicates whether the field is required.

            • The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.

            • type string

              Specifies the data type for the field.

      • A secondary alias. It is typically used to support the signals alias for detection rules.

      • Indicates whether the rule should write out alerts as data.

      • useEcs boolean

        Indicates whether to include the ECS component template for the alerts.

      • Indicates whether to include the legacy component template for the alerts.

        Default value is false.

    • The list of the plugins IDs that have access to the rule type.

      Additional properties are allowed.

      Hide authorized_consumers attributes Show authorized_consumers attributes object
      • alerts object

        Additional properties are allowed.

        Hide alerts attributes Show alerts attributes object
      • apm object

        Additional properties are allowed.

        Hide apm attributes Show apm attributes object
      • discover object

        Additional properties are allowed.

        Hide discover attributes Show discover attributes object
      • Additional properties are allowed.

        Hide infrastructure attributes Show infrastructure attributes object
      • logs object

        Additional properties are allowed.

        Hide logs attributes Show logs attributes object
      • ml object

        Additional properties are allowed.

        Hide ml attributes Show ml attributes object
      • Additional properties are allowed.

        Hide monitoring attributes Show monitoring attributes object
      • siem object

        Additional properties are allowed.

        Hide siem attributes Show siem attributes object
      • slo object

        Additional properties are allowed.

        Hide slo attributes Show slo attributes object
      • Additional properties are allowed.

        Hide stackAlerts attributes Show stackAlerts attributes object
      • uptime object

        Additional properties are allowed.

        Hide uptime attributes Show uptime attributes object
    • category string

      The rule category, which is used by features such as category-specific maintenance windows.

      Values are management, observability, or securitySolution.

    • The default identifier for the rule type group.

    • Indicates whether the rule passes context variables to its recovery action.

    • Indicates whether the rule type is enabled or disabled based on the subscription.

    • Indicates whether the rule type has custom mappings for the alert data.

    • id string

      The unique identifier for the rule type.

    • Indicates whether the rule type is exportable in Stack Management > Saved Objects.

    • The subscriptions required to use the rule type.

    • name string

      The descriptive name of the rule type.

    • producer string

      An identifier for the application that produces this rule type.

    • An action group to use when an alert goes from an active state to an inactive one.

      Additional properties are allowed.

      Hide recovery_action_group attributes Show recovery_action_group attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/rule_types
curl \
 -X GET https://localhost:5601/api/alerting/rule_types
Response examples (200)
[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get rule details

GET /api/alerting/rule/{id}

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • Additional properties are allowed.

    • Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • Relative URL to view rule in the app.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id}
curl \
 -X GET https://localhost:5601/api/alerting/rule/{id}
Response examples (200)
{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}

Update a rule

PUT /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

application/json; Elastic-Api-Version=2023-10-31

Body

  • actions array[object]

    Default value is [] (empty).

    Hide actions attributes Show actions attributes object
    • Additional properties are NOT allowed.

      Hide alerts_filter attributes Show alerts_filter attributes object
      • query object

        Additional properties are NOT allowed.

        Hide query attributes Show query attributes object
        • dsl string

          A filter written in Elasticsearch Query Domain Specific Language (DSL).

        • filters array[object] Required

          A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

          Hide filters attributes Show filters attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              A filter can be either specific to an application context or applied globally.

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

          • query object

            Additional properties are allowed.

        • kql string Required

          A filter written in Kibana Query Language (KQL).

      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide timeframe attributes Show timeframe attributes object
        • days array[integer] Required

          Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

          Values are 1, 2, 3, 4, 5, 6, or 7.

        • hours object Required

          Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.

          Additional properties are NOT allowed.

          Hide hours attributes Show hours attributes object
          • end string Required

            The end of the time frame in 24-hour notation (hh:mm).

          • start string Required

            The start of the time frame in 24-hour notation (hh:mm).

        • timezone string Required

          The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

    • Additional properties are NOT allowed.

      Hide frequency attributes Show frequency attributes object
      • notify_when string Required

        Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

        Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

      • summary boolean Required

        Indicates whether the action is a summary.

      • throttle string | null Required

        The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • group string

      The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

    • id string Required

      The identifier for the connector saved object.

    • params object

      The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      Default value is {} (empty). Additional properties are allowed.

    • Indicates whether to use alert data as a template.

    • uuid string

      A universally unique identifier (UUID) for the action.

  • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

    Additional properties are NOT allowed.

    Hide alert_delay attribute Show alert_delay attribute object
    • active number Required

      The number of consecutive runs that must meet the rule conditions.

  • flapping object | null

    When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

    Additional properties are NOT allowed.

    Hide flapping attributes Show flapping attributes object | null
    • look_back_window number Required

      The minimum number of runs in which the threshold must be met.

      Minimum value is 2, maximum value is 20.

    • The minimum number of times an alert must switch states in the look back window.

      Minimum value is 2, maximum value is 20.

  • name string Required

    The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.

  • notify_when string | null

    Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • params object

    The parameters for the rule.

    Default value is {} (empty). Additional properties are allowed.

  • schedule object Required

    Additional properties are NOT allowed.

    Hide schedule attribute Show schedule attribute object
    • interval string Required

      The interval is specified in seconds, minutes, hours, or days.

  • tags array[string]

    The tags for the rule.

    Default value is [] (empty).

  • throttle string | null

    Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • Additional properties are allowed.

    • Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • Relative URL to view rule in the app.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

  • Indicates that the rule has already been updated by another user.

PUT /api/alerting/rule/{id}
curl \
 -X PUT https://localhost:5601/api/alerting/rule/{id} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request example
Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
  "name": "new name",
  "tags": [],
  "params": {
    "index": [
      ".updated-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "schedule": {
    "interval": "1m"
  }
}
Response examples (200)
The response for successfully updating an index threshold rule.
{
  "id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
  "name": "new name",
  "tags": [],
  "params": {
    "index": [
      ".updated-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    }
  },
  "mute_all": false,
  "next_run": "2024-03-26T23:23:51.316Z",
  "revision": 1,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2024-03-26T23:13:20.985Z",
  "created_by": "elastic",
  "updated_at": "2024-03-26T23:22:59.949Z",
  "updated_by": "elastic",
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 52,
    "last_execution_date": "2024-03-26T23:22:51.390Z"
  },
  "scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
  "api_key_created_by_user": false
}

Create a rule

POST /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json; Elastic-Api-Version=2023-10-31

Body

  • actions array[object]

    Default value is [] (empty).

    Hide actions attributes Show actions attributes object
    • Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.

      Additional properties are NOT allowed.

      Hide alerts_filter attributes Show alerts_filter attributes object
      • query object

        Additional properties are NOT allowed.

        Hide query attributes Show query attributes object
        • dsl string

          A filter written in Elasticsearch Query Domain Specific Language (DSL).

        • filters array[object] Required

          A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

          Hide filters attributes Show filters attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              A filter can be either specific to an application context or applied globally.

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

          • query object

            Additional properties are allowed.

        • kql string Required

          A filter written in Kibana Query Language (KQL).

      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide timeframe attributes Show timeframe attributes object
        • days array[integer] Required

          Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

          Values are 1, 2, 3, 4, 5, 6, or 7.

        • hours object Required

          Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.

          Additional properties are NOT allowed.

          Hide hours attributes Show hours attributes object
          • end string Required

            The end of the time frame in 24-hour notation (hh:mm).

          • start string Required

            The start of the time frame in 24-hour notation (hh:mm).

        • timezone string Required

          The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

    • Additional properties are NOT allowed.

      Hide frequency attributes Show frequency attributes object
      • notify_when string Required

        Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

        Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

      • summary boolean Required

        Indicates whether the action is a summary.

      • throttle string | null Required

        The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • group string

      The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

    • id string Required

      The identifier for the connector saved object.

    • params object

      The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      Default value is {} (empty). Additional properties are allowed.

    • Indicates whether to use alert data as a template.

    • uuid string

      A universally unique identifier (UUID) for the action.

  • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

    Additional properties are NOT allowed.

    Hide alert_delay attribute Show alert_delay attribute object
    • active number Required

      The number of consecutive runs that must meet the rule conditions.

  • consumer string Required

    The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

  • enabled boolean

    Indicates whether you want to run the rule on an interval basis after it is created.

    Default value is true.

  • flapping object | null

    When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

    Additional properties are NOT allowed.

    Hide flapping attributes Show flapping attributes object | null
    • look_back_window number Required

      The minimum number of runs in which the threshold must be met.

      Minimum value is 2, maximum value is 20.

    • The minimum number of times an alert must switch states in the look back window.

      Minimum value is 2, maximum value is 20.

  • name string Required

    The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.

  • notify_when string | null

    Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • rule_type_id string Required

    The rule type identifier.

  • schedule object Required

    The check interval, which specifies how frequently the rule conditions are checked.

    Additional properties are NOT allowed.

    Hide schedule attribute Show schedule attribute object
    • interval string Required

      The interval is specified in seconds, minutes, hours, or days.

  • tags array[string]

    The tags for the rule.

    Default value is [] (empty).

  • throttle string | null

    Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

  • params object

    The parameters for the rule.

    Any of:
    Hide attributes Show attributes

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • Additional properties are allowed.

    • Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • Relative URL to view rule in the app.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}
curl \
 -X POST https://localhost:5601/api/alerting/rule/{id} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}
Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}
Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}
The response for successfully creating an index threshold rule.
{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}
The response for successfully creating a tracking containment rule.
{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Delete a rule

DELETE /api/alerting/rule/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}
curl \
 -X DELETE https://localhost:5601/api/alerting/rule/{id} \
 -H "kbn-xsrf: true"

Disable a rule

POST /api/alerting/rule/{id}/_disable

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

application/json; Elastic-Api-Version=2023-10-31

Body

  • untrack boolean

    Defines whether this rule's alerts should be untracked.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable
curl \
 -X POST https://localhost:5601/api/alerting/rule/{id}/_disable \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "untrack": true
}

Enable a rule

POST /api/alerting/rule/{id}/_enable

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_enable
curl \
 -X POST https://localhost:5601/api/alerting/rule/{id}/_enable \
 -H "kbn-xsrf: true"

Mute all alerts

POST /api/alerting/rule/{id}/_mute_all

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_mute_all
curl \
 -X POST https://localhost:5601/api/alerting/rule/{id}/_mute_all \
 -H "kbn-xsrf: true"

Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all
curl \
 -X POST https://localhost:5601/api/alerting/rule/{id}/_unmute_all \
 -H "kbn-xsrf: true"

Update the API key for a rule

POST /api/alerting/rule/{id}/_update_api_key

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

  • Indicates that the rule has already been updated by another user.

POST /api/alerting/rule/{id}/_update_api_key
curl \
 -X POST https://localhost:5601/api/alerting/rule/{id}/_update_api_key \
 -H "kbn-xsrf: true"

Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
curl \
 -X POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute \
 -H "kbn-xsrf: true"

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
curl \
 -X POST https://localhost:5601/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute \
 -H "kbn-xsrf: true"

Get information about rules

GET /api/alerting/rules/_find

Query parameters

  • per_page number

    The number of rules to return per page.

    Minimum value is 0. Default value is 10.

  • page number

    The page number to return.

    Minimum value is 1. Default value is 1.

  • The default operator to use for the simple_query_string.

    Values are OR or AND. Default value is OR.

  • search_fields array[string] | string

    The fields to perform the simple_query_string parsed query against.

  • Determines which field is used to sort the results. The field must exist in the attributes key of the response.

  • Determines the sort order.

    Values are asc or desc.

  • has_reference object | null

    Filters the rules that have a relation with the reference objects with a specific type and identifier.

    Additional properties are NOT allowed.

    Hide has_reference attributes Show has_reference attributes object | null
  • fields array[string]

    The fields to return in the attributes key of the response.

  • filter string

    A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.

  • filter_consumers array[string]

    List of consumers to filter.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • Additional properties are allowed.

    • Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • Relative URL to view rule in the app.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

GET /api/alerting/rules/_find
curl \
 -X GET https://localhost:5601/api/alerting/rules/_find
Response examples (200)
A response that contains information about an index threshold rule.
{
  "data": [
    {
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "name": "my alert",
      "tags": [
        "cpu"
      ],
      "params": {
        "index": [
          "test-index"
        ],
        "aggType": "avg",
        "groupBy": "top",
        "aggField": "sheet.version",
        "termSize": 6,
        "termField": "name.keyword",
        "threshold": [
          1000
        ],
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m",
        "thresholdComparator": ">"
      },
      "actions": [
        {
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "threshold met",
          "params": {
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
            "connector_type_id": ".server-log"
          },
          "frequency": {
            "summary": false,
            "throttle": null,
            "notify_when": "onActionGroupChange"
          }
        }
      ],
      "enabled": true,
      "consumer": "alerts",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": null,
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        }
      },
      "mute_all": false,
      "next_run": "2022-12-06T01:45:23.912Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic",
      "rule_type_id": ".index-threshold",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}
A response that contains information about a security rule that has conditional actions.
{
  "data": [
    {
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "name": "security_rule",
      "tags": [],
      "params": {
        "to": "now",
        "from": "now-3660s",
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "type": "threshold",
        "index": [
          "kibana_sample_data_logs"
        ],
        "query": "*",
        "author": [],
        "ruleId": "an_internal_rule_id",
        "threat": [],
        "filters": [],
        "license": "",
        "version": 1,
        "language": "kuery",
        "severity": "low",
        "immutable": false,
        "riskScore": 21,
        "threshold": {
          "field": [
            "bytes"
          ],
          "value": 1,
          "cardinality": []
        },
        "maxSignals": 100,
        "references": [],
        "description": "A security threshold rule.",
        "outputIndex": "",
        "exceptionsList": [],
        "falsePositives": [],
        "severityMapping": [],
        "riskScoreMapping": []
      },
      "actions": [
        {
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "default",
          "params": {
            "documents": [
              {
                "rule_id": {
                  "[object Object]": null
                },
                "alert_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                }
              }
            ]
          },
          "frequency": {
            "summary": true,
            "throttle": null,
            "notify_when": "onActiveAlert"
          },
          "alerts_filter": {
            "query": {
              "kql": "",
              "filters": [
                {
                  "meta": {
                    "key": "client.geo.region_iso_code",
                    "alias": null,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "negate": false,
                    "params": {
                      "type": "phrase",
                      "query": "CA-QC"
                    },
                    "disabled": false
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  },
                  "$state": {
                    "store": "appState"
                  }
                }
              ]
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index"
        }
      ],
      "enabled": true,
      "running": false,
      "consumer": "siem",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        },
        "outcome_order": 0
      },
      "mute_all": false,
      "next_run": "2023-05-16T20:27:49.507Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic",
      "notify_when": null,
      "rule_type_id": "siem.thresholdRule",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

Get an alert by identifier Deprecated

GET /api/alerts/alert/{alertId}

Deprecated in 7.13.0. Use the get rule API instead.

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

GET /api/alerts/alert/{alertId}
curl \
 -X GET https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35
Response examples (200)
{
  "actions": [
    {}
  ],
  "alertTypeId": ".index-threshold",
  "apiKeyOwner": "elastic",
  "createdAt": "2022-12-05T23:36:58.284Z",
  "createdBy": "elastic",
  "enabled": true,
  "executionStatus": {
    "lastExecutionDate": "2022-12-06T00:13:43.890Z",
    "status": "ok"
  },
  "id": "b530fed0-74f5-11ed-9801-35303b735aef",
  "muteAll": false,
  "mutedInstanceIds": [
    "string"
  ],
  "name": "my alert",
  "notifyWhen": "onActionGroupChange",
  "params": {},
  "schedule": {
    "interval": "string"
  },
  "scheduledTaskId": "b530fed0-74f5-11ed-9801-35303b735aef",
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updatedAt": "2022-12-05T23:36:58.284Z",
  "updatedBy": "elastic"
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update an alert Deprecated

PUT /api/alerts/alert/{alertId}

Deprecated in 7.13.0. Use the update rule API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • actions array[object]
    Hide actions attributes Show actions attributes object
    • actionTypeId string Required

      The identifier for the action type.

    • group string Required

      Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to default.

    • id string Required

      The ID of the action saved object.

    • params object Required

      The map to the params that the action type will receive. params are handled as Mustache templates and passed a default set of context.

      Additional properties are allowed.

  • name string Required

    A name to reference and search.

  • notifyWhen string Required

    The condition for throttling the notification.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • params object Required

    The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.

    Additional properties are allowed.

  • schedule object Required

    The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.

    Additional properties are allowed.

    Hide schedule attribute Show schedule attribute object
    • interval string

      The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run.

  • tags array[string]

    A list of keywords to reference and search.

  • throttle string

    How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.

Responses

PUT /api/alerts/alert/{alertId}
curl \
 -X PUT https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35 \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request examples
# Headers
kbn-xsrf: string

# Payload
{
  "actions": [
    {
      "actionTypeId": "string",
      "group": "string",
      "id": "string",
      "params": {}
    }
  ],
  "name": "string",
  "notifyWhen": "onActionGroupChange",
  "params": {},
  "schedule": {
    "interval": "1d"
  },
  "tags": [
    "string"
  ],
  "throttle": "string"
}
Response examples (200)
{
  "actions": [
    {}
  ],
  "alertTypeId": ".index-threshold",
  "apiKeyOwner": "elastic",
  "createdAt": "2022-12-05T23:36:58.284Z",
  "createdBy": "elastic",
  "enabled": true,
  "executionStatus": {
    "lastExecutionDate": "2022-12-06T00:13:43.890Z",
    "status": "ok"
  },
  "id": "b530fed0-74f5-11ed-9801-35303b735aef",
  "muteAll": false,
  "mutedInstanceIds": [
    "string"
  ],
  "name": "my alert",
  "notifyWhen": "onActionGroupChange",
  "params": {},
  "schedule": {
    "interval": "string"
  },
  "scheduledTaskId": "b530fed0-74f5-11ed-9801-35303b735aef",
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updatedAt": "2022-12-05T23:36:58.284Z",
  "updatedBy": "elastic"
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Create an alert Deprecated

POST /api/alerts/alert/{alertId}

Deprecated in 7.13.0. Use the create rule API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    An UUID v1 or v4 identifier for the alert. If this parameter is omitted, the identifier is randomly generated.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • actions array[object]
    Hide actions attributes Show actions attributes object
    • actionTypeId string Required

      The identifier for the action type.

    • group string Required

      Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to default.

    • id string Required

      The ID of the action saved object.

    • params object Required

      The map to the params that the action type will receive. params are handled as Mustache templates and passed a default set of context.

      Additional properties are allowed.

  • alertTypeId string Required

    The ID of the alert type that you want to call when the alert is scheduled to run.

  • consumer string Required

    The name of the application that owns the alert. This name has to match the Kibana feature name, as that dictates the required role-based access control privileges.

  • enabled boolean

    Indicates if you want to run the alert on an interval basis after it is created.

  • name string Required

    A name to reference and search.

  • notifyWhen string Required

    The condition for throttling the notification.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • params object Required

    The parameters to pass to the alert type executor params value. This will also validate against the alert type params validator, if defined.

    Additional properties are allowed.

  • schedule object Required

    The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.

    Additional properties are allowed.

    Hide schedule attribute Show schedule attribute object
    • interval string

      The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run.

  • tags array[string]

    A list of keywords to reference and search.

  • throttle string

    How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of 10m or 1h will prevent it from sending 90 notifications during this period.

Responses

POST /api/alerts/alert/{alertId}
curl \
 -X POST https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35 \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request examples
# Headers
kbn-xsrf: string

# Payload
{
  "actions": [
    {
      "actionTypeId": "string",
      "group": "string",
      "id": "string",
      "params": {}
    }
  ],
  "alertTypeId": "string",
  "consumer": "string",
  "enabled": true,
  "name": "string",
  "notifyWhen": "onActionGroupChange",
  "params": {},
  "schedule": {
    "interval": "10s"
  },
  "tags": [
    "string"
  ],
  "throttle": "string"
}
Response examples (200)
{
  "actions": [
    {}
  ],
  "alertTypeId": ".index-threshold",
  "apiKeyOwner": "elastic",
  "createdAt": "2022-12-05T23:36:58.284Z",
  "createdBy": "elastic",
  "enabled": true,
  "executionStatus": {
    "lastExecutionDate": "2022-12-06T00:13:43.890Z",
    "status": "ok"
  },
  "id": "b530fed0-74f5-11ed-9801-35303b735aef",
  "muteAll": false,
  "mutedInstanceIds": [
    "string"
  ],
  "name": "my alert",
  "notifyWhen": "onActionGroupChange",
  "params": {},
  "schedule": {
    "interval": "string"
  },
  "scheduledTaskId": "b530fed0-74f5-11ed-9801-35303b735aef",
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updatedAt": "2022-12-05T23:36:58.284Z",
  "updatedBy": "elastic"
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete an alert Deprecated

DELETE /api/alerts/alert/{alertId}

Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After you delete an alert, you cannot recover it.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/alerts/alert/{alertId}
curl \
 -X DELETE https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35 \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Disable an alert Deprecated

POST /api/alerts/alert/{alertId}/_disable

Deprecated in 7.13.0. Use the disable rule API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/_disable
curl \
 -X POST https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Enable an alert Deprecated

POST /api/alerts/alert/{alertId}/_enable

Deprecated in 7.13.0. Use the enable rule API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/_enable
curl \
 -X POST https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_enable \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Mute all alert instances Deprecated

POST /api/alerts/alert/{alertId}/_mute_all

Deprecated in 7.13.0. Use the mute all alerts API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/_mute_all
curl \
 -X POST https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Unmute all alert instances Deprecated

POST /api/alerts/alert/{alertId}/_unmute_all

Deprecated in 7.13.0. Use the unmute all alerts API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • alertId string Required

    The identifier for the alert.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/_unmute_all
curl \
 -X POST https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_unmute_all \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Mute an alert instance Deprecated

POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute

Deprecated in 7.13.0. Use the mute alert API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute
curl \
 -X POST https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Unmute an alert instance Deprecated

POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute

Deprecated in 7.13.0. Use the unmute alert API instead.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute
curl \
 -X POST https://localhost:5601/api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get a paginated set of alerts Deprecated

GET /api/alerts/alerts/_find

Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert params are stored as a flattened field type and analyzed as keywords. As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.

Query parameters

  • The default operator to use for the simple_query_string.

    Default value is OR.

  • fields array[string]

    The fields to return in the attributes key of the response.

  • filter string

    A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.

  • Filters the rules that have a relation with the reference objects with a specific type and identifier.

    Additional properties are allowed.

    Hide has_reference attributes Show has_reference attributes object
  • page integer

    The page number to return.

    Default value is 1.

  • per_page integer

    The number of alerts to return per page.

    Default value is 20.

  • search_fields string | array[string]

    The fields to perform the simple_query_string parsed query against.

  • Determines which field is used to sort the results. The field must exist in the attributes key of the response.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

Responses

GET /api/alerts/alerts/_find
curl \
 -X GET https://localhost:5601/api/alerts/alerts/_find
Response examples (200)
{
  "data": [
    {
      "actions": [
        {}
      ],
      "alertTypeId": ".index-threshold",
      "apiKeyOwner": "elastic",
      "createdAt": "2022-12-05T23:36:58.284Z",
      "createdBy": "elastic",
      "enabled": true,
      "executionStatus": {
        "lastExecutionDate": "2022-12-06T00:13:43.890Z",
        "status": "ok"
      },
      "id": "b530fed0-74f5-11ed-9801-35303b735aef",
      "muteAll": false,
      "mutedInstanceIds": [
        "string"
      ],
      "name": "my alert",
      "notifyWhen": "onActionGroupChange",
      "params": {},
      "schedule": {
        "interval": "string"
      },
      "scheduledTaskId": "b530fed0-74f5-11ed-9801-35303b735aef",
      "tags": [
        "string"
      ],
      "throttle": "string",
      "updatedAt": "2022-12-05T23:36:58.284Z",
      "updatedBy": "elastic"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get the alerting framework health Deprecated

GET /api/alerts/alerts/_health

Deprecated in 7.13.0. Use the get alerting framework health API instead.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Three substates identify the health of the alerting framework: decryptionHealth, executionHealth, and readHealth.

      Additional properties are allowed.

      Hide alertingFrameworkHealth attributes Show alertingFrameworkHealth attributes object
      • The timestamp and status of the alert decryption.

        Additional properties are allowed.

        Hide decryptionHealth attributes Show decryptionHealth attributes object
      • The timestamp and status of the alert execution.

        Additional properties are allowed.

        Hide executionHealth attributes Show executionHealth attributes object
      • The timestamp and status of the alert reading events.

        Additional properties are allowed.

        Hide readHealth attributes Show readHealth attributes object
    • If false, the encrypted saved object plugin does not have a permanent encryption key.

    • If false, security is enabled but TLS is not.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerts/alerts/_health
curl \
 -X GET https://localhost:5601/api/alerts/alerts/_health
Response examples (200)
{
  "alertingFrameworkHealth": {
    "decryptionHealth": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "executionHealth": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "readHealth": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "hasPermanentEncryptionKey": true,
  "isSufficientlySecure": true
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get the alert types Deprecated

GET /api/alerts/alerts/list_alert_types

Deprecated in 7.13.0. Use the get rule types API instead.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actionGroups array[object]

      An explicit list of groups for which the alert type can schedule actions, each with the action group's unique ID and human readable name. Alert actions validation uses this configuration to ensure that groups are valid.

      Hide actionGroups attributes Show actionGroups attributes object
    • A list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors.

      Additional properties are allowed.

      Hide actionVariables attributes Show actionVariables attributes object
    • The list of the plugins IDs that have access to the alert type.

      Additional properties are allowed.

    • The default identifier for the alert type group.

    • Indicates whether the rule type is enabled based on the subscription.

    • id string

      The unique identifier for the alert type.

    • Indicates whether the alert type is exportable in Saved Objects Management UI.

    • The subscriptions required to use the alert type.

    • name string

      The descriptive name of the alert type.

    • producer string

      An identifier for the application that produces this alert type.

    • An action group to use when an alert instance goes from an active state to an inactive one. If it is not specified, the default recovered action group is used.

      Additional properties are allowed.

      Hide recoveryActionGroup attributes Show recoveryActionGroup attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerts/alerts/list_alert_types
curl \
 -X GET https://localhost:5601/api/alerts/alerts/list_alert_types
Response examples (200)
[
  {
    "actionGroups": [
      {
        "id": "string",
        "name": "string"
      }
    ],
    "actionVariables": {
      "context": [
        {
          "description": "string",
          "name": "string"
        }
      ],
      "params": [
        {
          "description": "string",
          "name": "string"
        }
      ],
      "state": [
        {
          "description": "string",
          "name": "string"
        }
      ]
    },
    "authorizedConsumers": {},
    "defaultActionGroupId": "string",
    "enabledInLicense": true,
    "id": "string",
    "isExportable": true,
    "minimumLicenseRequired": "string",
    "name": "string",
    "producer": "string",
    "recoveryActionGroup": {
      "id": "string",
      "name": "string"
    }
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

APM agent configuration

Adjust APM agent configuration without need to redeploy your application.

Get a list of agent configurations

GET /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Hide configurations attributes Show configurations attributes object
      • @timestamp number Required

        Timestamp

      • Agent name

      • Applied by agent

      • etag string Required

        Etag

      • service object Required

        Service

        Additional properties are allowed.

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration
curl \
 -X GET https://localhost:5601/api/apm/settings/agent-configuration \
 -H "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "configurations": [
    {
      "@timestamp": 1730194190636,
      "agent_name": "string",
      "applied_by_agent": true,
      "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
      "service": {
        "environment": "prod",
        "name": "node"
      },
      "settings": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      }
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Create or update agent configuration

PUT /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • overwrite boolean

    If the config exists ?overwrite=true is required

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • Agent name

  • service object Required

    Service

    Additional properties are allowed.

    Hide service attributes Show service attributes object
  • settings object Required

    Agent configuration settings

    Hide settings attribute Show settings attribute object
    • * string Additional properties

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
PUT /api/apm/settings/agent-configuration
curl \
 -X PUT https://localhost:5601/api/apm/settings/agent-configuration \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "agent_name": "string",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Delete agent configuration

DELETE /api/apm/settings/agent-configuration

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body Required

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
DELETE /api/apm/settings/agent-configuration
curl \
 -X DELETE https://localhost:5601/api/apm/settings/agent-configuration \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "environment": "prod",
  "name": "node"
}
Response examples (200)
{
  "result": "string"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get agent name for service

GET /api/apm/settings/agent-configuration/agent_name

Retrieve agentName for a service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/agent_name
curl \
 -X GET https://localhost:5601/api/apm/settings/agent-configuration/agent_name?serviceName=node \
 -H "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "agentName": "nodejs"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get environments for service

GET /api/apm/settings/agent-configuration/environments

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attribute Show response attribute object
    • environments array[object]

      Service environment list

      Hide environments attributes Show environments attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/environments
curl \
 -X GET https://localhost:5601/api/apm/settings/agent-configuration/environments \
 -H "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "environments": [
    {
      "alreadyConfigured": true,
      "name": "ALL_OPTION_VALUE"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Lookup single agent configuration

POST /api/apm/settings/agent-configuration/search

This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • etag string

    If etags match then applied_by_agent field will be set to true

  • markAsAppliedByAgent=true means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags

  • service object Required

    Service

    Additional properties are allowed.

    Hide service attributes Show service attributes object

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attributes Show response attributes object
    • _id string

      Identifier

    • _index string

      Index

    • _score number

      Score

    • _source object

      Agent configuration

      Additional properties are allowed.

      Hide _source attributes Show _source attributes object
      • @timestamp number Required

        Timestamp

      • Agent name

      • Applied by agent

      • etag string Required

        Etag

      • service object Required

        Service

        Additional properties are allowed.

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/settings/agent-configuration/search
curl \
 -X POST https://localhost:5601/api/apm/settings/agent-configuration/search \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "mark_as_applied_by_agent": true,
  "service": {
    "environment": "prod",
    "name": "node"
  }
}
Response examples (200)
{
  "_id": "string",
  "_index": "string",
  "_score": 42.0,
  "_source": {
    "@timestamp": 1730194190636,
    "agent_name": "string",
    "applied_by_agent": true,
    "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
    "service": {
      "environment": "prod",
      "name": "node"
    },
    "settings": {
      "additionalProperty1": "string",
      "additionalProperty2": "string"
    }
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/view
curl \
 -X GET https://localhost:5601/api/apm/settings/agent-configuration/view \
 -H "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "id": "string",
  "@timestamp": 1730194190636,
  "agent_name": "string",
  "applied_by_agent": true,
  "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
  "service": {
    "environment": "prod",
    "name": "node"
  },
  "settings": {
    "additionalProperty1": "string",
    "additionalProperty2": "string"
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

APM agent keys

Configure APM agent keys to authorize requests from APM agents to the APM Server.

Create an APM agent key

POST /api/apm/agent_keys

Create a new agent key for APM.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • name string Required

    Agent name

  • privileges array[string] Required

    Privileges configuration

    Values are event:write or config_agent:read.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Agent key created successfully

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json; Elastic-Api-Version=2023-10-31

    Internal Server Error response

    Hide response attributes Show response attributes object
POST /api/apm/agent_keys
curl \
 -X POST https://localhost:5601/api/apm/agent_keys \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "name": "string",
  "privileges": [
    "event:write"
  ]
}
Response examples (200)
{
  "agentKey": {
    "api_key": "string",
    "encoded": "string",
    "expiration": 42,
    "id": "string",
    "name": "string"
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

APM annotations

Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.

Create a service annotation

POST /api/apm/services/{serviceName}/annotation

Create a new annotation for a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json; Elastic-Api-Version=2023-10-31

Body Required

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Annotation created successfully

    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/services/{serviceName}/annotation
curl \
 -X POST https://localhost:5601/api/apm/services/{serviceName}/annotation \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "@timestamp": "string",
  "message": "string",
  "service": {
    "environment": "string",
    "version": "string"
  },
  "tags": [
    "string"
  ]
}
Response examples (200)
{
  "_id": "string",
  "_index": "string",
  "_source": {
    "@timestamp": "string",
    "annotation": {
      "title": "string",
      "type": "string"
    },
    "event": {
      "created": "string"
    },
    "message": "string",
    "service": {
      "environment": "string",
      "name": "string",
      "version": "string"
    },
    "tags": [
      "string"
    ]
  }
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Search for annotations

GET /api/apm/services/{serviceName}/annotation/search

Search for annotations related to a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Path parameters

Query parameters

  • The environment to filter annotations by

  • start string

    The start date for the search

  • end string

    The end date for the search

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 500 application/json; Elastic-Api-Version=2023-10-31

    Internal Server Error response

    Hide response attributes Show response attributes object
GET /api/apm/services/{serviceName}/annotation/search
curl \
 -X GET https://localhost:5601/api/apm/services/{serviceName}/annotation/search \
 -H "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "annotations": [
    {
      "@timestamp": 42.0,
      "id": "string",
      "text": "string",
      "type": "version"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}

APM server schema

Create APM fleet server schema.

Save APM server schema

POST /api/apm/fleet/apm_server_schema

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • schema object

    Schema object

    Additional properties are allowed.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/fleet/apm_server_schema
curl \
 -X POST https://localhost:5601/api/apm/fleet/apm_server_schema \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true

# Payload
{
  "schema": {
    "foo": "bar"
  }
}
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

APM sourcemaps

Configure APM source maps.

Get source maps

GET /api/apm/sourcemaps

Returns an array of Fleet artifacts, including source map uploads.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

GET /api/apm/sourcemaps
curl \
 -X GET https://localhost:5601/api/apm/sourcemaps \
 -H "elastic-api-version: 2023-10-31"
Response examples (200)
{
  "artifacts": [
    {
      "body": {
        "bundleFilepath": "string",
        "serviceName": "string",
        "serviceVersion": "string",
        "sourceMap": {
          "file": "string",
          "mappings": "string",
          "sourceRoot": "string",
          "sources": [
            "string"
          ],
          "sourcesContent": [
            "string"
          ],
          "version": 42.0
        }
      },
      "compressionAlgorithm": "string",
      "created": "string",
      "decodedSha256": "string",
      "decodedSize": 42.0,
      "encodedSha256": "string",
      "encodedSize": 42.0,
      "encryptionAlgorithm": "string",
      "id": "string",
      "identifier": "string",
      "packageName": "string",
      "relative_url": "string",
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Upload source map

POST /api/apm/sourcemaps

Upload a source map for a specific service and version.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

multipart/form-data; Elastic-Api-Version=2023-10-31

Body Required

Responses

POST /api/apm/sourcemaps
curl \
 -X POST https://localhost:5601/api/apm/sourcemaps \
 -H "Content-Type: multipart/form-data; Elastic-Api-Version=2023-10-31" \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "body": "string",
  "compressionAlgorithm": "string",
  "created": "string",
  "decodedSha256": "string",
  "decodedSize": 42.0,
  "encodedSha256": "string",
  "encodedSize": 42.0,
  "encryptionAlgorithm": "string",
  "id": "string",
  "identifier": "string",
  "packageName": "string",
  "relative_url": "string",
  "type": "string"
}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Delete source map

DELETE /api/apm/sourcemaps/{id}

Delete a previously uploaded source map.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    Source map identifier

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Successful response

    Additional properties are NOT allowed.

  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31

    Forbidden response

    Hide response attributes Show response attributes object
  • 500 application/json; Elastic-Api-Version=2023-10-31

    Internal Server Error response

    Hide response attributes Show response attributes object
  • 501 application/json; Elastic-Api-Version=2023-10-31

    Not Implemented response

    Hide response attributes Show response attributes object
DELETE /api/apm/sourcemaps/{id}
curl \
 -X DELETE https://localhost:5601/api/apm/sourcemaps/{id} \
 -H "elastic-api-version: 2023-10-31" \
 -H "kbn-xsrf: true"
Response examples (200)
{}
Response examples (400)
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403)
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500)
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501)
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Cases

Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.

Create a case

POST /api/cases

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • assignees array[object] | null

    An array containing users that are assigned to the case.

    Not more than 10 elements.

    Hide assignees attribute Show assignees attribute object
    • uid string Required

      A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

  • category string

    A word or phrase that categorizes the case.

    Maximum length is 50.

  • connector object Required

    One of:

    Defines properties for connectors when type is .none.

    Hide attributes Show attributes
    • fields string | null Required

      An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

    • id string Required

      The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • name string Required

      The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

    • type string Required

      The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

      Value is .none.

  • customFields array[object]

    Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object
    • key string Required

      The unique identifier for the custom field. The key value must exist in the case configuration settings.

    • type string Required

      The custom field type. It must match the type specified in the case configuration settings.

      Values are text or toggle.

    • value string | null | boolean Required

      The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

      One of:

      Minimum length is 1, maximum length is 160.

  • description string Required

    The description for the case.

    Maximum length is 30000.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • settings object Required

    An object that contains the case settings.

    Additional properties are allowed.

    Hide settings attribute Show settings attribute object
    • syncAlerts boolean Required

      Turns alert syncing on or off.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium. Default value is low.

  • tags array[string] Required

    The words and phrases that help categorize cases. It can be an empty array.

    Not more than 200 elements. Maximum length of each is 256.

  • title string Required

    A title for the case.

    Maximum length is 160.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases
curl \
 -X POST https://localhost:5601/api/cases \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "tags": [
    "tag-1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "settings": {
    "syncAlerts": true
  },
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "description": "A case description.",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    }
  ]
}
Response examples (200)
{
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzUzMiwxXQ==",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "131d4448-abe0-4789-939d-8ef60680b498",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "High",
      "issueType": "10006"
    }
  },
  "created_at": "2022-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 0,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete cases

DELETE /api/cases

You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • ids array[string] Required

    The cases that you want to removed. All non-ASCII characters must be URL encoded.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases
curl \
 -X DELETE https://localhost:5601/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43 \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update cases

PATCH /api/cases

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body

  • cases array[object] Required

    An array containing one or more case objects.

    At least 1 but not more than 100 elements.

    Hide cases attributes Show cases attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string

      A word or phrase that categorizes the case.

      Maximum length is 50.

    • connector object

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • customFields array[object]

      Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.

      At least 0 but not more than 10 elements.

      Hide customFields attributes Show customFields attributes object
      • key string Required

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string Required

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean Required

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • The description for the case.

      Maximum length is 30000.

    • id string Required

      The identifier for the case.

      Maximum length is 30000.

    • settings object

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string]

      The words and phrases that help categorize cases. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

    • title string

      A title for the case.

      Maximum length is 160.

    • version string Required

      The current version of the case. To determine this value, use the get case or find cases APIs.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
PATCH /api/cases
curl \
 -X PATCH https://localhost:5601/api/cases \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "cases": [
    {
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "version": "WzIzLDFd",
      "settings": {
        "syncAlerts": true
      },
      "connector": {
        "id": "131d4448-abe0-4789-939d-8ef60680b498",
        "name": "My connector",
        "type": ".jira",
        "fields": {
          "parent": null,
          "priority": null,
          "issueType": "10006"
        }
      },
      "description": "A case description.",
      "customFields": [
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": false
        },
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My new field value"
        }
      ]
    }
  ]
}
Response examples (200)
[
  {
    "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
    "tags": [
      "tag-1"
    ],
    "owner": "cases",
    "title": "Case title 1",
    "status": "open",
    "version": "WzU0OCwxXQ==",
    "category": null,
    "comments": [],
    "duration": null,
    "settings": {
      "syncAlerts": true
    },
    "severity": "low",
    "assignees": [],
    "closed_at": null,
    "closed_by": null,
    "connector": {
      "id": "131d4448-abe0-4789-939d-8ef60680b498",
      "name": "My connector",
      "type": ".jira",
      "fields": {
        "parent": null,
        "priority": null,
        "issueType": "10006"
      }
    },
    "created_at": "2023-10-13T09:16:17.416Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "updated_at": "2023-10-13T09:48:33.043Z",
    "updated_by": {
      "email": null,
      "username": "elastic",
      "full_name": null,
      "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    },
    "description": "A case description.",
    "totalAlerts": 0,
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "value": "My new field value"
      },
      {
        "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
        "type": "toggle",
        "value": false
      }
    ],
    "totalComment": 0,
    "external_service": {
      "pushed_at": "2023-10-13T09:20:40.672Z",
      "pushed_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      },
      "external_id": "10003",
      "connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
      "external_url": "https://hms.atlassian.net/browse/IS-4",
      "connector_name": "Jira",
      "external_title": "IS-4"
    }
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Search cases

GET /api/cases/_find

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

  • assignees string | array[string]

    Filters the returned cases by assignees. Valid values are none or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.

  • category string | array[string]

    Filters the returned cases by category.

  • he default operator to use for the simple_query_string.

    Default value is OR.

  • from string

    Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • reporters string | array[string]

    Filters the returned cases by the user name of the reporter.

  • searchFields string | array[string]

    The fields to perform the simple_query_string parsed query against.

  • severity string

    The severity of the case.

    Values are critical, high, low, or medium.

  • Determines which field is used to sort the results.

    Values are createdAt, updatedAt, closedAt, title, category, status, or severity. Default value is createdAt.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

  • status string

    Filters the returned cases by state.

    Values are closed, in-progress, or open.

  • tags string | array[string]

    Filters the returned cases by tags.

  • to string

    Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • cases array[object]

      Not more than 10000 elements.

      Hide cases attributes Show cases attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string | null

        The case category.

      • closed_at string(date-time) | null Required
      • closed_by object | null Required

        Additional properties are allowed.

        Hide closed_by attributes Show closed_by attributes object | null
      • comments array[object] Required

        An array of comment objects for the case.

        Not more than 10000 elements.

        One of:
        Hide attributes Show attributes
      • connector object Required

        One of:

        Defines properties for connectors when type is .none.

        Hide attributes Show attributes
        • fields string | null Required

          An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

        • id string Required

          The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • name string Required

          The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

        • type string Required Discriminator

          The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

          Value is .none.

      • created_at string(date-time) Required
      • created_by object Required

        Additional properties are allowed.

        Hide created_by attributes Show created_by attributes object
      • customFields array[object]

        Custom field values for the case.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique identifier for the custom field. The key value must exist in the case configuration settings.

        • type string

          The custom field type. It must match the type specified in the case configuration settings.

          Values are text or toggle.

        • value string | null | boolean

          The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

          One of:

          Minimum length is 1, maximum length is 160.

      • description string Required
      • duration integer | null Required

        The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

      • external_service object | null Required

        Additional properties are allowed.

        Hide external_service attributes Show external_service attributes object | null
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • settings object Required

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string Required

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • status string Required

        The status of the case.

        Values are closed, in-progress, or open.

      • tags array[string] Required
      • title string Required
      • totalAlerts integer Required
      • totalComment integer Required
      • updated_at string(date-time) | null Required
      • updated_by object | null Required

        Additional properties are allowed.

        Hide updated_by attributes Show updated_by attributes object | null
      • version string Required
    • page integer
    • per_page integer
    • total integer
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/_find
curl \
 -X GET https://localhost:5601/api/cases/_find
Response examples (200)
{
  "page": 1,
  "cases": [
    {
      "id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
      "tags": [
        "tag-1"
      ],
      "owner": "cases",
      "title": "Case title",
      "status": "open",
      "version": "WzExMCwxXQ==",
      "category": null,
      "comments": [],
      "duration": null,
      "settings": {
        "syncAlerts": true
      },
      "severity": "low",
      "assignees": [],
      "closed_at": null,
      "closed_by": null,
      "connector": {
        "id": "none",
        "name": "none",
        "type": ".none",
        "fields": null
      },
      "created_at": "2023-10-12T00:16:36.371Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-12T00:27:58.162Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "description": "Case description",
      "totalAlerts": 0,
      "customFields": [
        {
          "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
          "type": "text",
          "value": "My field value"
        },
        {
          "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
          "type": "toggle",
          "value": null
        }
      ],
      "totalComment": 1,
      "external_service": null
    }
  ],
  "total": 1,
  "per_page": 5,
  "count_open_cases": 1,
  "count_closed_cases": 0,
  "count_in_progress_cases": 0
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case information

GET /api/cases/{caseId}

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • includeComments boolean Deprecated

    Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned.

    Default value is true.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}
curl \
 -X GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414
{
  "id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzM2LDFd",
  "category": null,
  "comments": [
    {
      "id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment",
      "version": "WzM3LDFd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-10-13T15:40:32.335Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "assignees": [
    {
      "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
    }
  ],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-10-13T15:33:50.604Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2023-10-13T15:40:32.335Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": null
    }
  ],
  "totalComment": 1,
  "external_service": null
}
{
  "id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
  "tags": [
    "observability",
    "tag 1"
  ],
  "owner": "observability",
  "title": "Observability case title 1",
  "status": "in-progress",
  "version": "WzI0NywyXQ==",
  "category": null,
  "comments": [
    {
      "id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
      "rule": {
        "id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
        "name": "Observability rule"
      },
      "type": "alert",
      "index": [
        ".internal.alerts-observability.logs.alerts-default-000001"
      ],
      "owner": "observability",
      "alertId": [
        "a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
      ],
      "version": "WzY3LDJd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-11-06T19:29:38.424Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    },
    {
      "id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
      "type": "user",
      "owner": "observability",
      "comment": "The first comment.",
      "version": "WzcyLDJd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-11-06T19:29:57.812Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": null,
      "updated_by": null
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [
    {
      "uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }
  ],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-11-06T19:29:04.086Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2023-11-06T19:47:55.662Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "An Observability case description.",
  "totalAlerts": 1,
  "customFields": [],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get all alerts for a case Technical preview

GET /api/cases/{caseId}/alerts

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/alerts
curl \
 -X GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/alerts
Response examples (200)
[
  {
    "id": "f6a7d0c3-d52d-432c-b2e6-447cd7fce04d",
    "index": ".alerts-observability.logs.alerts-default",
    "attached_at": "2022-07-25T20:09:40.963Z"
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get all case comments Deprecated

GET /api/cases/{caseId}/comments

Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/comments
curl \
 -X GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments
Response examples (200)
{
  "assignees": [
    {
      "uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }
  ],
  "category": "string",
  "closed_at": "2024-05-04T09:42:00+00:00",
  "closed_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "comments": [
    {
      "alertId": [
        "a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
      ],
      "created_at": "2023-11-06T19:29:38.424Z",
      "created_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "id": "73362370-ab1a-11ec-985f-97e55adae8b9",
      "index": [
        ".internal.alerts-security.alerts-default-000001"
      ],
      "owner": "cases",
      "pushed_at": "2024-05-04T09:42:00+00:00",
      "pushed_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "rule": {
        "id": "94d80550-aaf4-11ec-985f-97e55adae8b9",
        "name": "security_rule"
      },
      "type": "alert",
      "updated_at": "2024-05-04T09:42:00+00:00",
      "updated_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "version": "WzMwNDgsMV0="
    }
  ],
  "connector": {
    "fields": "string",
    "id": "none",
    "name": "none",
    "type": ".none"
  },
  "created_at": "2022-05-13T09:16:17.416Z",
  "created_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "customFields": [
    {
      "key": "string",
      "type": "text",
      "value": "string"
    }
  ],
  "description": "A case description.",
  "duration": 120,
  "external_service": {
    "connector_id": "string",
    "connector_name": "string",
    "external_id": "string",
    "external_title": "string",
    "external_url": "string",
    "pushed_at": "2024-05-04T09:42:00+00:00",
    "pushed_by": {
      "email": "string",
      "full_name": "string",
      "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "username": "elastic"
    }
  },
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "owner": "cases",
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "status": "closed",
  "tags": [
    "tag-1"
  ],
  "title": "Case title 1",
  "totalAlerts": 0,
  "totalComment": 0,
  "updated_at": "2024-05-04T09:42:00+00:00",
  "updated_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "version": "WzUzMiwxXQ=="
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Add a case comment or alert

POST /api/cases/{caseId}/comments

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json; Elastic-Api-Version=2023-10-31

Body object Required

The add comment to case API request body varies depending on whether you are adding an alert or a comment.

One of:

Defines properties for case comment requests when type is alert.

  • alertId string | array[string] Required

    The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • index string | array[string] Required

    The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • rule object Required Technical preview

    The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    Additional properties are allowed.

    Hide rule attributes Show rule attributes object
    • id string

      The rule identifier.

    • name string

      The rule name.

  • type string Required Discriminator

    The type of comment.

    Value is alert.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/comments
curl \
 -X POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "type": "user",
  "owner": "cases",
  "comment": "A new comment."
}
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete all case comments and alerts

DELETE /api/cases/{caseId}/comments

Deletes all comments and alerts from a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases/{caseId}/comments
curl \
 -X DELETE https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update a case comment or alert

PATCH /api/cases/{caseId}/comments

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json; Elastic-Api-Version=2023-10-31

Body object Required

The update case comment API request body varies depending on whether you are updating an alert or a comment.

One of:

Defines properties for case comment requests when type is alert.

  • alertId string | array[string] Required

    The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • id string Required

    The identifier for the comment. To retrieve comment IDs, use the get comments API.

  • index string | array[string] Required

    The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • rule object Required Technical preview

    The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    Additional properties are allowed.

    Hide rule attributes Show rule attributes object
    • id string

      The rule identifier.

    • name string

      The rule name.

  • type string Required Discriminator

    The type of comment.

    Value is alert.

  • version string Required

    The current comment version. To retrieve version values, use the get comments API.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
PATCH /api/cases/{caseId}/comments
curl \
 -X PATCH https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
  "type": "user",
  "owner": "cases",
  "comment": "An updated comment.",
  "version": "Wzk1LDFd"
}
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIwNjM2LDFd",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "An updated comment.",
      "version": "WzIwNjM3LDFd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-10-24T00:37:10.832Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-24T01:27:06.210Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-10-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2023-10-24T01:27:06.210Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My new field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": false
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Find case comments and alerts

GET /api/cases/{caseId}/comments/_find

Retrieves a paginated list of comments for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/comments/_find
curl \
 -X GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/_find
Response examples (200)
{
  "assignees": [
    {
      "uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }
  ],
  "category": "string",
  "closed_at": "2024-05-04T09:42:00+00:00",
  "closed_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "comments": [
    {
      "alertId": [
        "a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
      ],
      "created_at": "2023-11-06T19:29:38.424Z",
      "created_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "id": "73362370-ab1a-11ec-985f-97e55adae8b9",
      "index": [
        ".internal.alerts-security.alerts-default-000001"
      ],
      "owner": "cases",
      "pushed_at": "2024-05-04T09:42:00+00:00",
      "pushed_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "rule": {
        "id": "94d80550-aaf4-11ec-985f-97e55adae8b9",
        "name": "security_rule"
      },
      "type": "alert",
      "updated_at": "2024-05-04T09:42:00+00:00",
      "updated_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "version": "WzMwNDgsMV0="
    }
  ],
  "connector": {
    "fields": "string",
    "id": "none",
    "name": "none",
    "type": ".none"
  },
  "created_at": "2022-05-13T09:16:17.416Z",
  "created_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "customFields": [
    {
      "key": "string",
      "type": "text",
      "value": "string"
    }
  ],
  "description": "A case description.",
  "duration": 120,
  "external_service": {
    "connector_id": "string",
    "connector_name": "string",
    "external_id": "string",
    "external_title": "string",
    "external_url": "string",
    "pushed_at": "2024-05-04T09:42:00+00:00",
    "pushed_by": {
      "email": "string",
      "full_name": "string",
      "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "username": "elastic"
    }
  },
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "owner": "cases",
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "status": "closed",
  "tags": [
    "tag-1"
  ],
  "title": "Case title 1",
  "totalAlerts": 0,
  "totalComment": 0,
  "updated_at": "2024-05-04T09:42:00+00:00",
  "updated_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "version": "WzUzMiwxXQ=="
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get a case comment or alert

GET /api/cases/{caseId}/comments/{commentId}

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • commentId string Required

    The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

GET /api/cases/{caseId}/comments/{commentId}
curl \
 -X GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2
Response examples (200)
{
  "id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
  "type": "user",
  "owner": "cases",
  "comment": "A new comment",
  "version": "WzIzLDFd",
  "pushed_at": null,
  "pushed_by": null,
  "created_at": "2023-10-07T19:32:13.104Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Delete a case comment or alert

DELETE /api/cases/{caseId}/comments/{commentId}

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • commentId string Required

    The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

  • Indicates a successful call.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases/{caseId}/comments/{commentId}
curl \
 -X DELETE https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2 \
 -H "kbn-xsrf: string"
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Push a case to an external service

POST /api/cases/{caseId}/connector/{connectorId}/_push

You must have all privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges. You must also have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're pushing.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

  • connectorId string Required

    An identifier for the connector. To retrieve connector IDs, use the find connectors API.

application/json; Elastic-Api-Version=2023-10-31

Body

object | null object | null

Additional properties are allowed.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/connector/{connectorId}/_push
curl \
 -X POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/connector/abed3a70-71bd-11ea-a0b2-c51ea50a58e2/_push \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request examples
# Headers
kbn-xsrf: string

# Payload
{}
Response examples (200)
{
  "id": "b917f300-0ed9-11ed-bd18-65557fe66949",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzE3NjgsM10=",
  "comments": [],
  "duration": null,
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "name": "My connector",
    "type": ".jira",
    "fields": {
      "parent": null,
      "priority": "Low",
      "issueType": "10006"
    }
  },
  "created_at": "2022-07-29T00:59:39.444Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "updated_at": "2022-07-29T01:20:58.436Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "totalComment": 0,
  "external_service": {
    "pushed_at": "2022-07-29T01:20:58.436Z",
    "pushed_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "external_id": "71926",
    "connector_id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
    "external_url": "https://cases.jira.com",
    "connector_name": "My connector",
    "external_title": "ES-554"
  }
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Attach a file to a case

POST /api/cases/{caseId}/files

Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • The location of the file that is being uploaded.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

multipart/form-data; Elastic-Api-Version=2023-10-31

Body Required

  • file string(binary) Required

    The file being attached to the case.

  • filename string

    The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. This should not include the file extension.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required

      Additional properties are allowed.

      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Hide attributes Show attributes
    • connector object Required

      One of:

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required

      Additional properties are allowed.

      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Additional properties are allowed.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/files
curl \
 -X POST https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files \
 -H "Content-Type: multipart/form-data; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Response examples (200)
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case activity Deprecated

GET /api/cases/{caseId}/user_actions

Returns all user activity for a case. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action string Required

      Values are add, create, delete, push_to_service, or update.

    • action_id string Required
    • case_id string Required
    • comment_id string | null Required
    • created_at string(date-time) Required
    • created_by object Required

      Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • payload object | null Required

      One of:
      Hide attribute Show attribute
    • type string Required

      The type of action.

      Values are assignees, create_case, comment, connector, delete_case, description, pushed, tags, title, status, settings, or severity.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/user_actions
curl \
 -X GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions
Response examples (200)
[
  {
    "action": "create",
    "action_id": "22fd3e30-03b1-11ed-920c-974bfa104448",
    "case_id": "22df07d0-03b1-11ed-920c-974bfa104448",
    "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
    "created_at": "2022-05-13T09:16:17.416Z",
    "created_by": {
      "email": "string",
      "full_name": "string",
      "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "username": "elastic"
    },
    "owner": "cases",
    "payload": {
      "comment": {
        "alertId": "1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d",
        "index": ".alerts-observability.logs.alerts-default",
        "owner": "cases",
        "rule": {
          "id": "94d80550-aaf4-11ec-985f-97e55adae8b9",
          "name": "security_rule"
        },
        "type": "alert"
      }
    },
    "type": "create_case"
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Find case activity

GET /api/cases/{caseId}/user_actions/_find

Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • Determines the sort order.

    Values are asc or desc. Default value is desc.

  • types array[string]

    Determines the types of user actions to return.

    Values are action, alert, assignees, attachment, comment, connector, create_case, description, pushed, settings, severity, status, tags, title, or user.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • page integer
    • perPage integer
    • total integer
    • userActions array[object]

      Not more than 10000 elements.

      Hide userActions attributes Show userActions attributes object
      • action string Required

        Values are add, create, delete, push_to_service, or update.

      • comment_id string | null Required
      • created_at string(date-time) Required
      • created_by object Required

        Additional properties are allowed.

        Hide created_by attributes Show created_by attributes object
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • payload object | null Required

        One of:
        Hide attribute Show attribute
      • type string Required

        The type of action.

        Values are assignees, create_case, comment, connector, description, pushed, tags, title, status, settings, or severity.

      • version string Required
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/user_actions/_find
curl \
 -X GET https://localhost:5601/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find
Response examples (200)
{
  "page": 1,
  "total": 3,
  "perPage": 20,
  "userActions": [
    {
      "id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
      "type": "create_case",
      "owner": "cases",
      "action": "create",
      "payload": {
        "tags": [
          "tag 1"
        ],
        "owner": "cases",
        "title": "Case title 1",
        "status": "open",
        "category": null,
        "settings": {
          "syncAlerts": false
        },
        "severity": "low",
        "assignees": [],
        "connector": {
          "id": "none",
          "name": "none",
          "type": ".none",
          "fields": null
        },
        "description": "A case description.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "My field value"
          },
          {
            "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
            "type": "toggle",
            "value": null
          }
        ]
      },
      "version": "WzM1ODg4LDFd",
      "comment_id": null,
      "created_at": "2023-10-20T01:17:22.150Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "57af14a0-03b1-11ed-920c-974bfa104448",
      "type": "comment",
      "owner": "cases",
      "action": "create",
      "payload": {
        "type": "user",
        "owner": "cases",
        "comment": "A new comment"
      },
      "version": "WzM1ODg4LDFa",
      "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
      "created_at": "2023-10-14T20:12:53.354Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "573c6980-6123-11ed-aa41-81a0a61fe447",
      "type": "assignees",
      "owner": "cases",
      "action": "add",
      "payload": {
        "assignees": {
          "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
        }
      },
      "version": "WzM1ODg4LDFb",
      "comment_id": null,
      "created_at": "2023-10-20T01:10:28.238Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ]
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get cases for an alert Technical preview

GET /api/cases/alerts/{alertId}

You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Path parameters

  • alertId string Required

    An identifier for the alert.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • id string

      The case identifier.

    • title string

      The case title.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/alerts/{alertId}
curl \
 -X GET https://localhost:5601/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540
Response examples (200)
[
  {
    "id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
    "title": "security_case"
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case settings

GET /api/cases/configure

Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • Additional properties are allowed.

      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        Additional properties are allowed.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object
      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • Additional properties are allowed.

        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • Additional properties are allowed.

          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

            Additional properties are allowed.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        • The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Additional properties are allowed.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/configure
curl \
 -X GET https://localhost:5601/api/cases/configure
Response examples (200)
[
  {
    "id": "856ee650-6c82-11ee-a20a-6164169afa58",
    "error": null,
    "owner": "cases",
    "version": "WzEyLDNd",
    "mappings": [],
    "connector": {
      "id": "none",
      "name": "none",
      "type": ".none",
      "fields": null
    },
    "templates": [
      {
        "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
        "name": "template-1",
        "tags": [
          "Template tag 1"
        ],
        "caseFields": {
          "tags": [
            "Default case tag"
          ],
          "title": "Default case title",
          "category": "Default-category",
          "settings": {
            "syncAlerts": false
          },
          "assignees": [
            {
              "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
            }
          ],
          "connector": {
            "id": "none",
            "name": "none",
            "type": ".none",
            "fields": null
          },
          "description": "A default description for cases.",
          "customFields": [
            {
              "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
              "type": "text",
              "value": "Default text field value."
            }
          ]
        },
        "description": "A description of the template."
      }
    ],
    "created_at": "2024-07-01T17:07:17.767Z",
    "created_by": {
      "email": null,
      "username": "elastic",
      "full_name": null
    },
    "updated_at": null,
    "updated_by": null,
    "closure_type": "close-by-user",
    "customFields": [
      {
        "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
        "type": "text",
        "label": "my-text-field",
        "required": false,
        "defaultValue": "Custom text field value."
      }
    ]
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Add case settings

POST /api/cases/configure

Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body

  • closure_type string Required

    Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • connector object Required

    An object that contains the connector configuration.

    Additional properties are allowed.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      Additional properties are allowed.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    At least 0 but not more than 10 elements.

    Hide customFields attributes Show customFields attributes object
    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • Additional properties are allowed.

      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • Additional properties are allowed.

        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          Additional properties are allowed.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • Additional properties are allowed.

      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        Additional properties are allowed.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object
      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • Additional properties are allowed.

        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • Additional properties are allowed.

          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

            Additional properties are allowed.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        • The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Additional properties are allowed.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/configure
curl \
 -X POST https://localhost:5601/api/cases/configure \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "owner": "cases",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (200)
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzIwNzMsMV0=",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [
    {
      "key": "505932fe-ee3a-4960-a661-c781b5acdb05",
      "name": "template-1",
      "tags": [
        "Template tag 1"
      ],
      "caseFields": {
        "tags": [
          "Default case tag"
        ],
        "title": "Default case title",
        "category": "Default-category",
        "assignees": [
          {
            "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
          }
        ],
        "description": "A default description for cases.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "A text field value for the template."
          }
        ]
      },
      "description": "A description of the template."
    }
  ],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": "null,",
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": null,
  "updated_by": null,
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": false,
      "defaultValue": "My custom field default value."
    }
  ]
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update case settings

PATCH /api/cases/configure/{configurationId}

Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the case was created.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

application/json; Elastic-Api-Version=2023-10-31

Body

  • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • An object that contains the connector configuration.

    Additional properties are allowed.

    Hide connector attributes Show connector attributes object
    • fields object | null Required

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      Additional properties are allowed.

    • id string Required

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string Required

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string Required

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • customFields array[object]

    Custom fields case configuration.

    Hide customFields attributes Show customFields attributes object
    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

    • key string Required

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string Required

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string Required

      The type of the custom field.

      Values are text or toggle.

    • required boolean Required

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object
    • Additional properties are allowed.

      Hide caseFields attributes Show caseFields attributes object
      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object
        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • Additional properties are allowed.

        Hide connector attributes Show connector attributes object
        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          Additional properties are allowed.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object
        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object
        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

  • version string Required

    The version of the connector. To retrieve the version value, use the get configuration API.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

      Values are close-by-pushing or close-by-user.

    • Additional properties are allowed.

      Hide connector attributes Show connector attributes object
      • fields object | null

        The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

        Additional properties are allowed.

      • id string

        The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

      • name string

        The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

      • type string

        The type of connector.

        Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

    • created_at string(date-time)
    • Additional properties are allowed.

      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom fields configuration details.

      Hide customFields attributes Show customFields attributes object
      • defaultValue string | boolean

        A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      • key string

        A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

        Minimum length is 1, maximum length is 36.

      • label string

        The custom field label that is displayed in the case.

        Minimum length is 1, maximum length is 50.

      • type string

        The type of the custom field.

        Values are text or toggle.

      • required boolean

        Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

    • error string | null
    • id string
    • mappings array[object]
      Hide mappings attributes Show mappings attributes object
    • owner string

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • templates array[object] Technical preview
      Hide templates attributes Show templates attributes object
      • Additional properties are allowed.

        Hide caseFields attributes Show caseFields attributes object
        • assignees array[object] | null

          An array containing users that are assigned to the case.

          Not more than 10 elements.

          Hide assignees attribute Show assignees attribute object
          • uid string Required

            A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

        • category string

          A word or phrase that categorizes the case.

          Maximum length is 50.

        • Additional properties are allowed.

          Hide connector attributes Show connector attributes object
          • fields object | null

            The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

            Additional properties are allowed.

          • id string

            The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

          • name string

            The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

          • type string

            The type of connector.

            Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

        • customFields array[object] Technical preview

          Custom field values in the template.

          Hide customFields attributes Show customFields attributes object
          • key string

            The unique key for the custom field.

          • type string

            The type of the custom field.

            Values are text or toggle.

          • value string | boolean

            The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

        • The description for the case.

          Maximum length is 30000.

        • settings object

          An object that contains the case settings.

          Additional properties are allowed.

          Hide settings attribute Show settings attribute object
          • syncAlerts boolean Required

            Turns alert syncing on or off.

        • severity string

          The severity of the case.

          Values are critical, high, low, or medium. Default value is low.

        • tags array[string]

          The words and phrases that help categorize cases. It can be an empty array.

          Not more than 200 elements. Maximum length of each is 256.

        • title string

          A title for the case.

          Maximum length is 160.

      • A description for the template.

      • key string

        A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

      • name string

        The name of the template.

      • tags array[string]

        The words and phrases that help categorize templates. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

    • updated_at string(date-time) | null
    • updated_by object | null

      Additional properties are allowed.

      Hide updated_by attributes Show updated_by attributes object | null
    • version string
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
PATCH /api/cases/configure/{configurationId}
curl \
 -X PATCH https://localhost:5601/api/cases/configure/3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "version": "WzExOSw0XQ==",
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}
Response examples (200)
{
  "id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
  "error": null,
  "owner": "cases",
  "version": "WzI2LDNd",
  "mappings": [
    {
      "source": "title",
      "target": "summary",
      "action_type": "overwrite"
    },
    {
      "source": "description",
      "target": "description",
      "action_type": "overwrite"
    },
    {
      "source": "tags",
      "target": "labels",
      "action_type": "overwrite"
    },
    {
      "source": "comments",
      "target": "comments",
      "action_type": "append"
    }
  ],
  "connector": {
    "id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
    "name": "my-jira-connector",
    "type": ".jira",
    "fields": null
  },
  "templates": [],
  "created_at": "2024-07-01T17:07:17.767Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2024-07-19T00:52:42.401Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "closure_type": "close-by-user",
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "label": "my-text-field",
      "required": true,
      "defaultValue": "A new default value."
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "label": "my-toggle",
      "required": false
    }
  ]
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case connectors

GET /api/cases/configure/connectors/_find

Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

Responses

GET /api/cases/configure/connectors/_find
curl \
 -X GET https://localhost:5601/api/cases/configure/connectors/_find
Response examples (200)
[
  {
    "id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
    "name": "my-Jira",
    "config": {
      "apiUrl": "https://elastic.atlassian.net/",
      "projectKey": "ES"
    },
    "actionTypeId": ".jira",
    "isDeprecated": false,
    "isPreconfigured": false,
    "isMissingSecrets": false,
    "referencedByCount": 0
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case creators

GET /api/cases/reporters

Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/reporters
curl \
 -X GET https://localhost:5601/api/cases/reporters
Response examples (200)
[
  {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  {
    "email": "jdoe@example.com",
    "username": "jdoe",
    "full_name": "Jane Doe",
    "profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case status summary Deprecated

GET /api/cases/status

Returns the number of cases that are open, closed, and in progress. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

GET /api/cases/status
curl \
 -X GET https://localhost:5601/api/cases/status
Response examples (200)
{
  "count_closed_cases": 42,
  "count_in_progress_cases": 42,
  "count_open_cases": 42
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case tags

GET /api/cases/tags

Aggregates and returns a list of case tags. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Not more than 10000 elements.

  • 401 application/json; Elastic-Api-Version=2023-10-31

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/tags
curl \
 -X GET https://localhost:5601/api/cases/tags
Response examples (200)
[
  "observability",
  "security",
  "tag 1",
  "tag 2"
]
Response examples (401)
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Connectors

Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.

Get connector types

GET /api/actions/connector_types

You do not need any Kibana feature privileges to run this API.

Query parameters

  • A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

GET /api/actions/connector_types
curl \
 -X GET https://localhost:5601/api/actions/connector_types
Response examples (200)
[
  {
    "id": ".gen-ai",
    "name": "OpenAI",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".bedrock",
    "name": "AWS Bedrock",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".gemini",
    "name": "Google Gemini",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity"
    ],
    "minimum_license_required": "enterprise"
  }
]

Get connector information

GET /api/actions/connector/{id}

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

GET /api/actions/connector/{id}
curl \
 -X GET https://localhost:5601/api/actions/connector/{id}
Response examples (200)
{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Update a connector

PUT /api/actions/connector/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json; Elastic-Api-Version=2023-10-31

Body

  • name string Required

    The display name for the connector.

  • config object

    The connector configuration details.

    One of:

    Defines properties for connectors when type is .bedrock.

    Hide attributes Show attributes
    • apiUrl string Required

      The Amazon Bedrock request URL.

    • The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

      Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.

  • secrets object

    One of:

    Defines secrets for connectors when type is .bedrock.

    Hide attributes Show attributes
    • accessKey string Required

      The AWS access key for authentication.

    • secret string Required

      The AWS secret for authentication.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

PUT /api/actions/connector/{id}
curl \
 -X PUT https://localhost:5601/api/actions/connector/{id} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request example
{
  "name": "updated-connector",
  "config": {
    "index": "updated-index"
  }
}
Response examples (200)
{
  "config": {},
  "connector_type_id": "string",
  "id": "string",
  "is_deprecated": true,
  "is_missing_secrets": true,
  "is_preconfigured": true,
  "is_system_action": true,
  "name": "string"
}

Create a connector

POST /api/actions/connector/{id}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json; Elastic-Api-Version=2023-10-31

Body

  • connector_type_id string Required

    The type of connector.

  • name string Required

    The display name for the connector.

  • config object

    The connector configuration details.

    One of:

    Defines properties for connectors when type is .bedrock.

    Hide attributes Show attributes
    • apiUrl string Required

      The Amazon Bedrock request URL.

    • The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

      Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.

  • secrets object

    One of:

    Defines secrets for connectors when type is .bedrock.

    Hide attributes Show attributes
    • accessKey string Required

      The AWS access key for authentication.

    • secret string Required

      The AWS secret for authentication.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

POST /api/actions/connector/{id}
curl \
 -X POST https://localhost:5601/api/actions/connector/{id} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
{
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other"
  },
  "secrets": {
    "user": "username",
    "password": "password"
  },
  "connector_type_id": ".email"
}
{
  "name": "my-connector",
  "config": {
    "index": "test-index"
  },
  "connector_type_id": ".index"
}
{
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key"
  },
  "secrets": {
    "crt": "QmFnIEF0dH...",
    "key": "LS0tLS1CRUdJ...",
    "password": "my-passphrase"
  },
  "connector_type_id": ".webhook"
}
{
  "name": "my-xmatters-connector",
  "config": {
    "usesBasic": false
  },
  "secrets": {
    "secretsUrl": "https://example.com?apiKey=xxxxx"
  },
  "connector_type_id": ".xmatters"
}
{
  "id": "90a82c60-478f-11ee-a343-f98a117c727f",
  "name": "email-connector-1",
  "config": {
    "from": "tester@example.com",
    "host": "https://example.com",
    "port": 1025,
    "secure": false,
    "hasAuth": true,
    "service": "other",
    "clientId": null,
    "tenantId": null,
    "oauthTokenUrl": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".email",
  "is_missing_secrets": false
}
{
  "id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
  "name": "my-connector",
  "config": {
    "index": "test-index",
    "refresh": false,
    "executionTimeField": null
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".index",
  "is_missing_secrets": false
}
{
  "id": "900eb010-3b9d-11ee-a642-8ffbb94e38bd",
  "name": "my-webhook-connector",
  "config": {
    "url": "https://example.com",
    "method": "post",
    "hasAuth": true,
    "headers": null,
    "authType": "webhook-authentication-ssl",
    "certType": "ssl-crt-key",
    "verificationMode": "full"
  },
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".webhook",
  "is_missing_secrets": false
}
{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Delete a connector

DELETE /api/actions/connector/{id}

WARNING: When you delete a connector, it cannot be recovered.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

Responses

  • Indicates a successful call.

DELETE /api/actions/connector/{id}
curl \
 -X DELETE https://localhost:5601/api/actions/connector/{id} \
 -H "kbn-xsrf: true"

Run a connector

POST /api/actions/connector/{id}/_execute

You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json; Elastic-Api-Version=2023-10-31

Body

  • params object Required

    One of:

    Test an action that acknowledges or resolves a PagerDuty alert.

    Hide attributes Show attributes
    • dedupKey string Required

      The deduplication key for the PagerDuty alert.

      Maximum length is 255.

    • eventAction string Required

      The type of event.

      Values are acknowledge or resolve.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.

POST /api/actions/connector/{id}/_execute
curl \
 -X POST https://localhost:5601/api/actions/connector/{id}/_execute \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
{
  "params": {
    "documents": [
      {
        "id": "my_doc_id",
        "name": "my_doc_name",
        "message": "hello, world"
      }
    ]
  }
}
{
  "params": {
    "subAction": "issueTypes"
  }
}
{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [
        "severity",
        "urgency"
      ]
    }
  }
}
{
  "params": {
    "subAction": "postMessage",
    "subActionParams": {
      "text": "A test message.",
      "channelIds": [
        "C123ABC456"
      ]
    }
  }
}
{
  "params": {
    "subAction": "pushToService",
    "subActionParams": {
      "comments": [
        {
          "comment": "A comment about the incident.",
          "commentId": 1
        }
      ],
      "incident": {
        "caseId": "1000",
        "caseName": "Case name",
        "description": "Description of the incident."
      }
    }
  }
}
{
  "data": {
    "took": 135,
    "items": [
      {
        "create": {
          "_id": "4JtvwYUBrcyxt2NnfW3y",
          "_index": "my-index",
          "result": "created",
          "status": 201,
          "_seq_no": 0,
          "_shards": {
            "total": 2,
            "failed": 0,
            "successful": 1
          },
          "_version": 1,
          "_primary_term": 1
        }
      }
    ],
    "errors": false
  },
  "status": "ok",
  "connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}
{
  "data": [
    {
      "id": 10024,
      "name": "Improvement"
    },
    {
      "id": 10006,
      "name": "Task"
    },
    {
      "id": 10007,
      "name": "Sub-task"
    },
    {
      "id": 10025,
      "name": "New Feature"
    },
    {
      "id": 10023,
      "name": "Bug"
    },
    {
      "id": 10000,
      "name": "Epic"
    }
  ],
  "status": "ok",
  "connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
{
  "status": "ok",
  "connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}
{
  "data": [
    {
      "label": "Critical",
      "value": 1,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Major",
      "value": 2,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Minor",
      "value": 3,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Warning",
      "value": 4,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "OK",
      "value": 5,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "Clear",
      "value": 0,
      "element": "severity",
      "dependent_value": ""
    },
    {
      "label": "1 - High",
      "value": 1,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "2 - Medium",
      "value": 2,
      "element": "urgency",
      "dependent_value": ""
    },
    {
      "label": "3 - Low",
      "value": 3,
      "element": "urgency",
      "dependent_value": ""
    }
  ],
  "status": "ok",
  "connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}
{
  "data": {
    "ok": true,
    "ts": "1234567890.123456",
    "channel": "C123ABC456",
    "message": {
      "ts": "1234567890.123456",
      "team": "T01ABCDE2F",
      "text": "A test message",
      "type": "message",
      "user": "U12A345BC6D",
      "app_id": "A01BC2D34EF",
      "blocks": [
        {
          "type": "rich_text",
          "block_id": "/NXe",
          "elements": [
            {
              "type": "rich_text_section",
              "elements": [
                {
                  "text": "A test message.",
                  "type": "text"
                }
              ]
            }
          ]
        }
      ],
      "bot_id": "B12BCDEFGHI",
      "bot_profile": {
        "id": "B12BCDEFGHI",
        "name": "test",
        "icons": {
          "image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
        },
        "app_id": "A01BC2D34EF",
        "deleted": false,
        "team_id": "T01ABCDE2F",
        "updated": 1672169705
      }
    }
  },
  "status": "ok",
  "connector_id": ".slack_api"
}
{
  "data": {
    "id": "aKPmBHWzmdRQtx6Mx",
    "url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
    "title": "TEST-457",
    "comments": [
      {
        "commentId": 1,
        "pushedDate": "2022-09-08T16:52:27.865Z"
      }
    ],
    "pushedDate": "2022-09-08T16:52:27.866Z"
  },
  "status": "ok",
  "connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}

Get all connectors

GET /api/actions/connectors

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

GET /api/actions/connectors
curl \
 -X GET https://localhost:5601/api/actions/connectors
Response examples (200)
[
  {
    "id": "preconfigured-email-connector",
    "name": "my-preconfigured-email-notification",
    "is_deprecated": false,
    "is_preconfigured": true,
    "is_system_action": false,
    "connector_type_id": ".email",
    "referenced_by_count": 0
  },
  {
    "id": "e07d0c80-8b8b-11ed-a780-3b746c987a81",
    "name": "my-index-connector",
    "config": {
      "index": "test-index",
      "refresh": false,
      "executionTimeField": null
    },
    "is_deprecated": false,
    "is_preconfigured": false,
    "is_system_action": false,
    "connector_type_id": ".index",
    "is_missing_secrets": false,
    "referenced_by_count": 2
  }
]

Get a list of dashboards Technical Preview

GET /api/dashboards/dashboard

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Query parameters

  • page number

    The page number to return. Default is "1".

    Minimum value is 1. Default value is 1.

  • perPage number

    The number of dashboards to display on each page (max 1000). Default is "20".

    Minimum value is 1, maximum value is 1000.

Responses

GET /api/dashboards/dashboard
curl \
 -X GET https://localhost:5601/api/dashboards/dashboard
Response examples (200)
{
  "items": [
    {
      "attributes": {
        "description": "",
        "timeRestore": false,
        "title": "string"
      },
      "createdAt": "string",
      "createdBy": "string",
      "error": {
        "error": "string",
        "message": "string",
        "metadata": {},
        "statusCode": 42.0
      },
      "id": "string",
      "managed": true,
      "namespaces": [
        "string"
      ],
      "originId": "string",
      "references": [
        {
          "id": "string",
          "name": "string",
          "type": "string"
        }
      ],
      "type": "string",
      "updatedAt": "string",
      "updatedBy": "string",
      "version": "string"
    }
  ],
  "total": 42.0
}

Get a dashboard Technical Preview

GET /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Path parameters

  • id string Required

    A unique identifier for the dashboard.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
    • meta object Required

      Additional properties are NOT allowed.

      Hide meta attributes Show meta attributes object
GET /api/dashboards/dashboard/{id}
curl \
 -X GET https://localhost:5601/api/dashboards/dashboard/{id}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  },
  "meta": {
    "aliasPurpose": "savedObjectConversion",
    "aliasTargetId": "string",
    "outcome": "exactMatch"
  }
}

Update an existing dashboard Technical Preview

PUT /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

application/json; Elastic-Api-Version=2023-10-31

Body

  • attributes object Required

    Additional properties are NOT allowed.

    Hide attributes attributes Show attributes attributes object
    • Additional properties are NOT allowed.

      Hide controlGroupInput attributes Show controlGroupInput attributes object
      • Show apply selections button in controls.

        Default value is true.

      • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

        Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

      • controls array[object]

        An array of control panels and their state in the control group.

        Default value is [] (empty).

        Hide controls attributes Show controls attributes object
        • Additional properties are allowed.

        • grow boolean

          Expand width of the control panel to fit available space.

          Default value is false.

        • id string

          The unique ID of the control.

        • order number Required

          The order of the control panel in the control group.

        • type string Required

          The type of the control panel.

        • width string

          Minimum width of the control panel in the control group.

          Values are small, medium, or large. Default value is medium.

      • Additional properties are allowed.

      • ignoreParentSettings object Required

        Additional properties are NOT allowed.

        Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
        • Ignore global filters in controls.

          Default value is false.

        • Ignore the global query bar in controls.

          Default value is false.

        • Ignore the global time range in controls.

          Default value is false.

        • Ignore validations in controls.

          Default value is false.

      • Position of the labels for controls. For example, "oneLine", "twoLine".

        Values are oneLine or twoLine. Default value is oneLine.

    • A short description.

      Default value is empty.

    • A container for various metadata

      Default value is {} (empty). Additional properties are NOT allowed.

      Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
      • Additional properties are allowed.

        Hide searchSource attributes Show searchSource attributes object
        • filter array[object]
          Hide filter attributes Show filter attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

            Hide meta attributes Show meta attributes object
          • query object

            Additional properties are allowed.

        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
        • sort array[object]
        • type string
    • options object Required

      Additional properties are NOT allowed.

      Hide options attributes Show options attributes object
      • Hide the panel titles in the dashboard.

        Default value is false.

      • syncColors boolean

        Synchronize colors between related panels in the dashboard.

        Default value is true.

      • syncCursor boolean

        Synchronize cursor position between related panels in the dashboard.

        Default value is true.

      • Synchronize tooltips between related panels in the dashboard.

        Default value is true.

      • useMargins boolean

        Show margins between panels in the dashboard layout.

        Default value is true.

    • panels array[object]

      Default value is [] (empty).

      Hide panels attributes Show panels attributes object
      • gridData object Required

        Additional properties are NOT allowed.

        Hide gridData attributes Show gridData attributes object
        • h number

          The height of the panel in grid units

          Minimum value is 1. Default value is 15.

        • i string

          The unique identifier of the panel

        • w number

          The width of the panel in grid units

          Minimum value is 1, maximum value is 48. Default value is 24.

        • x number Required

          The x coordinate of the panel in grid units

        • y number Required

          The y coordinate of the panel in grid units

      • id string

        The saved object id for by reference panels

      • panelConfig object Required

        Additional properties are allowed.

        Hide panelConfig attributes Show panelConfig attributes object
      • The unique ID of the panel.

      • title string

        The title of the panel

      • type string Required

        The embeddable type

      • version string Deprecated

        The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

    • A container for various refresh interval settings

      Additional properties are NOT allowed.

      Hide refreshInterval attributes Show refreshInterval attributes object
      • display string Deprecated

        A human-readable string indicating the refresh frequency. No longer used.

      • pause boolean Required

        Whether the refresh interval is set to be paused while viewing the dashboard.

      • section number Deprecated

        No longer used.

      • value number Required

        A numeric value indicating refresh frequency in milliseconds.

    • timeFrom string

      An ISO string indicating when to restore time from

    • Whether to restore time upon viewing this dashboard

      Default value is false.

    • timeTo string

      An ISO string indicating when to restore time from

    • title string Required

      A human-readable title for the dashboard

    • version number Deprecated
  • references array[object]
    Hide references attributes Show references attributes object

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
PUT /api/dashboards/dashboard/{id}
curl \
 -X PUT https://localhost:5601/api/dashboards/dashboard/{id} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "attributes": {
    "controlGroupInput": {
      "autoApplySelections": true,
      "chainingSystem": "HIERARCHICAL",
      "controls": [
        {
          "controlConfig": {},
          "grow": false,
          "id": "string",
          "order": 42.0,
          "type": "string",
          "width": "medium"
        }
      ],
      "enhancements": {},
      "ignoreParentSettings": {
        "ignoreFilters": false,
        "ignoreQuery": false,
        "ignoreTimerange": false,
        "ignoreValidations": false
      },
      "labelPosition": "oneLine"
    },
    "description": "",
    "kibanaSavedObjectMeta": {
      "searchSource": {
        "filter": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "alias": "string",
              "controlledBy": "string",
              "disabled": true,
              "field": "string",
              "group": "string",
              "index": "string",
              "isMultiIndex": true,
              "key": "string",
              "negate": true,
              "type": "string",
              "value": "string"
            },
            "query": {}
          }
        ],
        "query": {
          "language": "string",
          "query": "string"
        },
        "sort": [
          {}
        ],
        "type": "string"
      }
    },
    "options": {
      "hidePanelTitles": false,
      "syncColors": true,
      "syncCursor": true,
      "syncTooltips": true,
      "useMargins": true
    },
    "panels": [
      {
        "gridData": {
          "h": 15,
          "i": "string",
          "w": 24,
          "x": 42.0,
          "y": 42.0
        },
        "id": "string",
        "panelConfig": {
          "description": "string",
          "enhancements": {},
          "hidePanelTitles": true,
          "savedObjectId": "string",
          "title": "string",
          "version": "string"
        },
        "panelIndex": "string",
        "panelRefName": "string",
        "title": "string",
        "type": "string",
        "version": "string"
      }
    ],
    "refreshInterval": {
      "display": "string",
      "pause": true,
      "section": 42.0,
      "value": 42.0
    },
    "timeFrom": "string",
    "timeRestore": false,
    "timeTo": "string",
    "title": "string",
    "version": 42.0
  },
  "references": [
    {
      "id": "string",
      "name": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  }
}

Create a dashboard Technical Preview

POST /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string

    A unique identifier for the dashboard.

application/json; Elastic-Api-Version=2023-10-31

Body

  • attributes object Required

    Additional properties are NOT allowed.

    Hide attributes attributes Show attributes attributes object
    • Additional properties are NOT allowed.

      Hide controlGroupInput attributes Show controlGroupInput attributes object
      • Show apply selections button in controls.

        Default value is true.

      • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

        Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

      • controls array[object]

        An array of control panels and their state in the control group.

        Default value is [] (empty).

        Hide controls attributes Show controls attributes object
        • Additional properties are allowed.

        • grow boolean

          Expand width of the control panel to fit available space.

          Default value is false.

        • id string

          The unique ID of the control.

        • order number Required

          The order of the control panel in the control group.

        • type string Required

          The type of the control panel.

        • width string

          Minimum width of the control panel in the control group.

          Values are small, medium, or large. Default value is medium.

      • Additional properties are allowed.

      • ignoreParentSettings object Required

        Additional properties are NOT allowed.

        Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
        • Ignore global filters in controls.

          Default value is false.

        • Ignore the global query bar in controls.

          Default value is false.

        • Ignore the global time range in controls.

          Default value is false.

        • Ignore validations in controls.

          Default value is false.

      • Position of the labels for controls. For example, "oneLine", "twoLine".

        Values are oneLine or twoLine. Default value is oneLine.

    • A short description.

      Default value is empty.

    • A container for various metadata

      Default value is {} (empty). Additional properties are NOT allowed.

      Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
      • Additional properties are allowed.

        Hide searchSource attributes Show searchSource attributes object
        • filter array[object]
          Hide filter attributes Show filter attributes object
          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object
            • store string Required

              Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

            Hide meta attributes Show meta attributes object
          • query object

            Additional properties are allowed.

        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
        • sort array[object]
        • type string
    • options object Required

      Additional properties are NOT allowed.

      Hide options attributes Show options attributes object
      • Hide the panel titles in the dashboard.

        Default value is false.

      • syncColors boolean

        Synchronize colors between related panels in the dashboard.

        Default value is true.

      • syncCursor boolean

        Synchronize cursor position between related panels in the dashboard.

        Default value is true.

      • Synchronize tooltips between related panels in the dashboard.

        Default value is true.

      • useMargins boolean

        Show margins between panels in the dashboard layout.

        Default value is true.

    • panels array[object]

      Default value is [] (empty).

      Hide panels attributes Show panels attributes object
      • gridData object Required

        Additional properties are NOT allowed.

        Hide gridData attributes Show gridData attributes object
        • h number

          The height of the panel in grid units

          Minimum value is 1. Default value is 15.

        • i string

          The unique identifier of the panel

        • w number

          The width of the panel in grid units

          Minimum value is 1, maximum value is 48. Default value is 24.

        • x number Required

          The x coordinate of the panel in grid units

        • y number Required

          The y coordinate of the panel in grid units

      • id string

        The saved object id for by reference panels

      • panelConfig object Required

        Additional properties are allowed.

        Hide panelConfig attributes Show panelConfig attributes object
      • The unique ID of the panel.

      • title string

        The title of the panel

      • type string Required

        The embeddable type

      • version string Deprecated

        The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

    • A container for various refresh interval settings

      Additional properties are NOT allowed.

      Hide refreshInterval attributes Show refreshInterval attributes object
      • display string Deprecated

        A human-readable string indicating the refresh frequency. No longer used.

      • pause boolean Required

        Whether the refresh interval is set to be paused while viewing the dashboard.

      • section number Deprecated

        No longer used.

      • value number Required

        A numeric value indicating refresh frequency in milliseconds.

    • timeFrom string

      An ISO string indicating when to restore time from

    • Whether to restore time upon viewing this dashboard

      Default value is false.

    • timeTo string

      An ISO string indicating when to restore time from

    • title string Required

      A human-readable title for the dashboard

    • version number Deprecated
  • references array[object]
    Hide references attributes Show references attributes object
  • spaces array[string]

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are allowed.

      Hide item attributes Show item attributes object
      • attributes object Required

        Additional properties are NOT allowed.

        Hide attributes attributes Show attributes attributes object
        • Additional properties are NOT allowed.

          Hide controlGroupInput attributes Show controlGroupInput attributes object
          • Show apply selections button in controls.

            Default value is true.

          • The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".

            Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.

          • controls array[object]

            An array of control panels and their state in the control group.

            Default value is [] (empty).

            Hide controls attributes Show controls attributes object
            • Additional properties are allowed.

            • grow boolean

              Expand width of the control panel to fit available space.

              Default value is false.

            • id string

              The unique ID of the control.

            • order number Required

              The order of the control panel in the control group.

            • type string Required

              The type of the control panel.

            • width string

              Minimum width of the control panel in the control group.

              Values are small, medium, or large. Default value is medium.

          • Additional properties are allowed.

          • ignoreParentSettings object Required

            Additional properties are NOT allowed.

            Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
            • Ignore global filters in controls.

              Default value is false.

            • Ignore the global query bar in controls.

              Default value is false.

            • Ignore the global time range in controls.

              Default value is false.

            • Ignore validations in controls.

              Default value is false.

          • Position of the labels for controls. For example, "oneLine", "twoLine".

            Values are oneLine or twoLine. Default value is oneLine.

        • A short description.

          Default value is empty.

        • A container for various metadata

          Default value is {} (empty). Additional properties are NOT allowed.

          Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
          • Additional properties are allowed.

            Hide searchSource attributes Show searchSource attributes object
            • filter array[object]
              Hide filter attributes Show filter attributes object
              • $state object

                Additional properties are NOT allowed.

                Hide $state attribute Show $state attribute object
                • store string Required

                  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').

                  Values are appState or globalState.

              • meta object Required

                Additional properties are allowed.

                Hide meta attributes Show meta attributes object
              • query object

                Additional properties are allowed.

            • query object

              Additional properties are NOT allowed.

              Hide query attributes Show query attributes object
            • sort array[object]
            • type string
        • options object Required

          Additional properties are NOT allowed.

          Hide options attributes Show options attributes object
          • Hide the panel titles in the dashboard.

            Default value is false.

          • syncColors boolean

            Synchronize colors between related panels in the dashboard.

            Default value is true.

          • syncCursor boolean

            Synchronize cursor position between related panels in the dashboard.

            Default value is true.

          • Synchronize tooltips between related panels in the dashboard.

            Default value is true.

          • useMargins boolean

            Show margins between panels in the dashboard layout.

            Default value is true.

        • panels array[object]

          Default value is [] (empty).

          Hide panels attributes Show panels attributes object
          • gridData object Required

            Additional properties are NOT allowed.

            Hide gridData attributes Show gridData attributes object
            • h number

              The height of the panel in grid units

              Minimum value is 1. Default value is 15.

            • i string Required
            • w number

              The width of the panel in grid units

              Minimum value is 1, maximum value is 48. Default value is 24.

            • x number Required

              The x coordinate of the panel in grid units

            • y number Required

              The y coordinate of the panel in grid units

          • id string

            The saved object id for by reference panels

          • panelConfig object Required

            Additional properties are allowed.

            Hide panelConfig attributes Show panelConfig attributes object
          • panelIndex string Required
          • title string

            The title of the panel

          • type string Required

            The embeddable type

          • version string Deprecated

            The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).

        • A container for various refresh interval settings

          Additional properties are NOT allowed.

          Hide refreshInterval attributes Show refreshInterval attributes object
          • display string Deprecated

            A human-readable string indicating the refresh frequency. No longer used.

          • pause boolean Required

            Whether the refresh interval is set to be paused while viewing the dashboard.

          • section number Deprecated

            No longer used.

          • value number Required

            A numeric value indicating refresh frequency in milliseconds.

        • timeFrom string

          An ISO string indicating when to restore time from

        • Whether to restore time upon viewing this dashboard

          Default value is false.

        • timeTo string

          An ISO string indicating when to restore time from

        • title string Required

          A human-readable title for the dashboard

        • version number Deprecated
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
      • id string Required
      • managed boolean
      • namespaces array[string]
      • originId string
      • references array[object] Required
        Hide references attributes Show references attributes object
      • type string Required
      • version string
POST /api/dashboards/dashboard/{id}
curl \
 -X POST https://localhost:5601/api/dashboards/dashboard/{id} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "attributes": {
    "controlGroupInput": {
      "autoApplySelections": true,
      "chainingSystem": "HIERARCHICAL",
      "controls": [
        {
          "controlConfig": {},
          "grow": false,
          "id": "string",
          "order": 42.0,
          "type": "string",
          "width": "medium"
        }
      ],
      "enhancements": {},
      "ignoreParentSettings": {
        "ignoreFilters": false,
        "ignoreQuery": false,
        "ignoreTimerange": false,
        "ignoreValidations": false
      },
      "labelPosition": "oneLine"
    },
    "description": "",
    "kibanaSavedObjectMeta": {
      "searchSource": {
        "filter": [
          {
            "$state": {
              "store": "appState"
            },
            "meta": {
              "alias": "string",
              "controlledBy": "string",
              "disabled": true,
              "field": "string",
              "group": "string",
              "index": "string",
              "isMultiIndex": true,
              "key": "string",
              "negate": true,
              "type": "string",
              "value": "string"
            },
            "query": {}
          }
        ],
        "query": {
          "language": "string",
          "query": "string"
        },
        "sort": [
          {}
        ],
        "type": "string"
      }
    },
    "options": {
      "hidePanelTitles": false,
      "syncColors": true,
      "syncCursor": true,
      "syncTooltips": true,
      "useMargins": true
    },
    "panels": [
      {
        "gridData": {
          "h": 15,
          "i": "string",
          "w": 24,
          "x": 42.0,
          "y": 42.0
        },
        "id": "string",
        "panelConfig": {
          "description": "string",
          "enhancements": {},
          "hidePanelTitles": true,
          "savedObjectId": "string",
          "title": "string",
          "version": "string"
        },
        "panelIndex": "string",
        "panelRefName": "string",
        "title": "string",
        "type": "string",
        "version": "string"
      }
    ],
    "refreshInterval": {
      "display": "string",
      "pause": true,
      "section": 42.0,
      "value": 42.0
    },
    "timeFrom": "string",
    "timeRestore": false,
    "timeTo": "string",
    "title": "string",
    "version": 42.0
  },
  "references": [
    {
      "id": "string",
      "name": "string",
      "type": "string"
    }
  ],
  "spaces": [
    "string"
  ]
}
Response examples (200)
{
  "item": {
    "attributes": {
      "controlGroupInput": {
        "autoApplySelections": true,
        "chainingSystem": "HIERARCHICAL",
        "controls": [
          {
            "controlConfig": {},
            "grow": false,
            "id": "string",
            "order": 42.0,
            "type": "string",
            "width": "medium"
          }
        ],
        "enhancements": {},
        "ignoreParentSettings": {
          "ignoreFilters": false,
          "ignoreQuery": false,
          "ignoreTimerange": false,
          "ignoreValidations": false
        },
        "labelPosition": "oneLine"
      },
      "description": "",
      "kibanaSavedObjectMeta": {
        "searchSource": {
          "filter": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {
                "alias": "string",
                "controlledBy": "string",
                "disabled": true,
                "field": "string",
                "group": "string",
                "index": "string",
                "isMultiIndex": true,
                "key": "string",
                "negate": true,
                "type": "string",
                "value": "string"
              },
              "query": {}
            }
          ],
          "query": {
            "language": "string",
            "query": "string"
          },
          "sort": [
            {}
          ],
          "type": "string"
        }
      },
      "options": {
        "hidePanelTitles": false,
        "syncColors": true,
        "syncCursor": true,
        "syncTooltips": true,
        "useMargins": true
      },
      "panels": [
        {
          "gridData": {
            "h": 15,
            "i": "string",
            "w": 24,
            "x": 42.0,
            "y": 42.0
          },
          "id": "string",
          "panelConfig": {
            "description": "string",
            "enhancements": {},
            "hidePanelTitles": true,
            "savedObjectId": "string",
            "title": "string",
            "version": "string"
          },
          "panelIndex": "string",
          "panelRefName": "string",
          "title": "string",
          "type": "string",
          "version": "string"
        }
      ],
      "refreshInterval": {
        "display": "string",
        "pause": true,
        "section": 42.0,
        "value": 42.0
      },
      "timeFrom": "string",
      "timeRestore": false,
      "timeTo": "string",
      "title": "string",
      "version": 42.0
    },
    "createdAt": "string",
    "createdBy": "string",
    "error": {
      "error": "string",
      "message": "string",
      "metadata": {},
      "statusCode": 42.0
    },
    "id": "string",
    "managed": true,
    "namespaces": [
      "string"
    ],
    "originId": "string",
    "references": [
      {
        "id": "string",
        "name": "string",
        "type": "string"
      }
    ],
    "type": "string",
    "updatedAt": "string",
    "updatedBy": "string",
    "version": "string"
  }
}

Delete a dashboard Technical Preview

DELETE /api/dashboards/dashboard/{id}

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

DELETE /api/dashboards/dashboard/{id}
curl \
 -X DELETE https://localhost:5601/api/dashboards/dashboard/{id} \
 -H "kbn-xsrf: true"

Get data streams

GET /api/fleet/data_streams

Responses

GET /api/fleet/data_streams
curl \
 -X GET https://localhost:5601/api/fleet/data_streams
Response examples (200)
{
  "data_streams": [
    {
      "dashboards": [
        {
          "id": "string",
          "title": "string"
        }
      ],
      "dataset": "string",
      "index": "string",
      "last_activity_ms": 42.0,
      "namespace": "string",
      "package": "string",
      "package_version": "string",
      "serviceDetails": {
        "environment": "string",
        "serviceName": "string"
      },
      "size_in_bytes": 42.0,
      "size_in_bytes_formatted": 42.0,
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get data streams

GET /api/fleet/epm/data_streams

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attribute Show items attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/epm/data_streams
curl \
 -X GET https://localhost:5601/api/fleet/epm/data_streams
Response examples (200)
{
  "items": [
    {
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Data views

Data view APIs enable you to manage data views, formerly known as Kibana index patterns.

Get all data views

GET /api/data_views

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views
curl \
 -X GET https://localhost:5601/api/data_views
Response examples (200)
{
  "data_view": [
    {
      "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
      "name": "Kibana Sample Data eCommerce",
      "title": "kibana_sample_data_ecommerce",
      "typeMeta": {},
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
      "name": "Kibana Sample Data Flights",
      "title": "kibana_sample_data_flights",
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "Kibana Sample Data Logs",
      "title": "kibana_sample_data_logs",
      "namespaces": [
        "default"
      ]
    }
  ]
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Create a data view

POST /api/data_views/data_view

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • data_view object Required

    The data view object.

    Additional properties are allowed.

    Hide data_view attributes Show data_view attributes object
    • Allows the data view saved object to exist before the data is available.

    • Hide fieldAttrs attribute Show fieldAttrs attribute object
      • * object Additional properties

        A map of field attributes by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object
    • A map of field formats by field name.

      Additional properties are allowed.

    • fields object

      Additional properties are allowed.

    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object
        • script object Required

          Additional properties are allowed.

          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • The timestamp field name, which you use for time-based data views.

    • title string Required

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Additional properties are allowed.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

        Additional properties are allowed.

      • params object Required

        Properties for retrieving rollup fields.

        Additional properties are allowed.

    • version string
  • override boolean

    Override an existing data view if a data view with the provided title already exists.

    Default value is false.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • Additional properties are allowed.

      Hide data_view attributes Show data_view attributes object
      • Allows the data view saved object to exist before the data is available.

      • Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
      • A map of field formats by field name.

        Additional properties are allowed.

      • fields object

        Additional properties are allowed.

      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
          • script object Required

            Additional properties are allowed.

            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Additional properties are allowed.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

          Additional properties are allowed.

        • params object

          Properties for retrieving rollup fields.

          Additional properties are allowed.

      • version string
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view
curl \
 -X POST https://localhost:5601/api/data_views/data_view \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}
Response examples (200)
{
  "data_view": {
    "allowNoIndex": true,
    "fieldAttrs": {
      "additionalProperty1": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      },
      "additionalProperty2": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      }
    },
    "fieldFormats": {},
    "fields": {},
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "string",
    "namespaces": [
      "default"
    ],
    "runtimeFieldMap": {
      "additionalProperty1": {
        "script": {
          "source": "string"
        },
        "type": "string"
      },
      "additionalProperty2": {
        "script": {
          "source": "string"
        },
        "type": "string"
      }
    },
    "sourceFilters": [
      {
        "value": "string"
      }
    ],
    "timeFieldName": "string",
    "title": "string",
    "typeMeta": {
      "aggs": {},
      "params": {}
    },
    "version": "WzQ2LDJd"
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Get a data view

GET /api/data_views/data_view/{viewId}

Path parameters

  • viewId string Required

    An identifier for the data view.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • Additional properties are allowed.

      Hide data_view attributes Show data_view attributes object
      • Allows the data view saved object to exist before the data is available.

      • Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
      • A map of field formats by field name.

        Additional properties are allowed.

      • fields object

        Additional properties are allowed.

      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
          • script object Required

            Additional properties are allowed.

            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Additional properties are allowed.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

          Additional properties are allowed.

        • params object

          Properties for retrieving rollup fields.

          Additional properties are allowed.

      • version string
  • 404 application/json; Elastic-Api-Version=2023-10-31

    Object is not found.

    Hide response attributes Show response attributes object
GET /api/data_views/data_view/{viewId}
curl \
 -X GET https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f
Response examples (200)
{
  "data_view": {
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "sku": {
        "name": "sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "type": {
        "name": "type",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "user": {
        "name": "user",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "email": {
        "name": "email",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "category": {
        "name": "category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "currency": {
        "name": "currency",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_id": {
        "name": "order_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_date": {
        "name": "order_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_id": {
        "name": "customer_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week": {
        "name": "day_of_week",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer": {
        "name": "manufacturer",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products._id": {
        "name": "products._id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.sku": {
        "name": "products.sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week_i": {
        "name": "day_of_week_i",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "event.dataset": {
        "name": "event.dataset",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_phone": {
        "name": "customer_phone",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.location": {
        "name": "geoip.location",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.price": {
        "name": "products.price",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_quantity": {
        "name": "total_quantity",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_gender": {
        "name": "customer_gender",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.city_name": {
        "name": "geoip.city_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "category.keyword": {
        "name": "category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.region_name": {
        "name": "geoip.region_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category": {
        "name": "products.category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.quantity": {
        "name": "products.quantity",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name": {
        "name": "customer_full_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "customer_last_name": {
        "name": "customer_last_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.min_price": {
        "name": "products.min_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxful_total_price": {
        "name": "taxful_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_birth_date": {
        "name": "customer_birth_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name": {
        "name": "customer_first_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.base_price": {
        "name": "products.base_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.created_on": {
        "name": "products.created_on",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_id": {
        "name": "products.product_id",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "long"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.tax_amount": {
        "name": "products.tax_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxless_total_price": {
        "name": "taxless_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.continent_name": {
        "name": "geoip.continent_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer.keyword": {
        "name": "manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products._id.keyword": {
        "name": "products._id.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products._id"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer": {
        "name": "products.manufacturer",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.product_name": {
        "name": "products.product_name",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.taxful_price": {
        "name": "products.taxful_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_unique_products": {
        "name": "total_unique_products",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.country_iso_code": {
        "name": "geoip.country_iso_code",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.taxless_price": {
        "name": "products.taxless_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.base_unit_price": {
        "name": "products.base_unit_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_amount": {
        "name": "products.discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category.keyword": {
        "name": "products.category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name.keyword": {
        "name": "customer_full_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_full_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_last_name.keyword": {
        "name": "customer_last_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_last_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name.keyword": {
        "name": "customer_first_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_first_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_percentage": {
        "name": "products.discount_percentage",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer.keyword": {
        "name": "products.manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_name.keyword": {
        "name": "products.product_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.product_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.unit_discount_amount": {
        "name": "products.unit_discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzUsMV0=",
    "typeMeta": {},
    "fieldAttrs": {
      "products.price": {
        "count": 1
      },
      "total_quantity": {
        "count": 1
      },
      "products.manufacturer": {
        "count": 1
      },
      "products.product_name": {
        "count": 1
      }
    },
    "namespaces": [
      "default"
    ],
    "allowNoIndex": false,
    "fieldFormats": {
      "products.price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.min_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxful_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      },
      "products.base_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxless_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxful_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxless_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.base_unit_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "order_date",
    "runtimeFieldMap": {}
  }
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Update a data view

POST /api/data_views/data_view/{viewId}

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • data_view object Required

    The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.

    Additional properties are allowed.

    Hide data_view attributes Show data_view attributes object
    • Allows the data view saved object to exist before the data is available.

    • A map of field formats by field name.

      Additional properties are allowed.

    • fields object

      Additional properties are allowed.

    • name string
    • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
      • * object Additional properties

        A map of runtime field definitions by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object
        • script object Required

          Additional properties are allowed.

          Hide script attribute Show script attribute object
          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object
    • The timestamp field name, which you use for time-based data views.

    • title string

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • type string

      When set to rollup, identifies the rollup data views.

    • typeMeta object

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Additional properties are allowed.

      Hide typeMeta attributes Show typeMeta attributes object
      • aggs object Required

        A map of rollup restrictions by aggregation type and field name.

        Additional properties are allowed.

      • params object Required

        Properties for retrieving rollup fields.

        Additional properties are allowed.

  • Reloads the data view fields after the data view is updated.

    Default value is false.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • Additional properties are allowed.

      Hide data_view attributes Show data_view attributes object
      • Allows the data view saved object to exist before the data is available.

      • Hide fieldAttrs attribute Show fieldAttrs attribute object
        • * object Additional properties

          A map of field attributes by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
      • A map of field formats by field name.

        Additional properties are allowed.

      • fields object

        Additional properties are allowed.

      • id string
      • name string

        The data view name.

      • namespaces array[string]

        An array of space identifiers for sharing the data view between multiple spaces.

        Default value is default.

      • Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
        • * object Additional properties

          A map of runtime field definitions by field name.

          Additional properties are allowed.

          Hide * attributes Show * attributes object
          • script object Required

            Additional properties are allowed.

            Hide script attribute Show script attribute object
            • source string

              Script for the runtime field.

          • type string Required

            Mapping type of the runtime field.

      • sourceFilters array[object]

        The array of field names you want to filter out in Discover.

        Hide sourceFilters attribute Show sourceFilters attribute object
      • The timestamp field name, which you use for time-based data views.

      • title string

        Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

      • typeMeta object | null

        When you use rollup indices, contains the field list for the rollup data view API endpoints.

        Additional properties are allowed.

        Hide typeMeta attributes Show typeMeta attributes object | null
        • aggs object

          A map of rollup restrictions by aggregation type and field name.

          Additional properties are allowed.

        • params object

          Properties for retrieving rollup fields.

          Additional properties are allowed.

      • version string
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}
curl \
 -X POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "data_view": {
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "allowNoIndex": false,
    "timeFieldName": "order_date"
  },
  "refresh_fields": true
}
Response examples (200)
{
  "data_view": {
    "allowNoIndex": true,
    "fieldAttrs": {
      "additionalProperty1": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      },
      "additionalProperty2": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      }
    },
    "fieldFormats": {},
    "fields": {},
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "string",
    "namespaces": [
      "default"
    ],
    "runtimeFieldMap": {
      "additionalProperty1": {
        "script": {
          "source": "string"
        },
        "type": "string"
      },
      "additionalProperty2": {
        "script": {
          "source": "string"
        },
        "type": "string"
      }
    },
    "sourceFilters": [
      {
        "value": "string"
      }
    ],
    "timeFieldName": "string",
    "title": "string",
    "typeMeta": {
      "aggs": {},
      "params": {}
    },
    "version": "WzQ2LDJd"
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Delete a data view

DELETE /api/data_views/data_view/{viewId}

WARNING: When you delete a data view, it cannot be recovered.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

Responses

  • Indicates a successful call.

  • 404 application/json; Elastic-Api-Version=2023-10-31

    Object is not found.

    Hide response attributes Show response attributes object
DELETE /api/data_views/data_view/{viewId}
curl \
 -X DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f \
 -H "kbn-xsrf: string"
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Update data view fields metadata

POST /api/data_views/data_view/{viewId}/fields

Update fields presentation metadata such as count, customLabel, customDescription, and format.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • fields object Required

    The field object.

    Additional properties are allowed.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/fields
curl \
 -X POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/fields \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "fields": {
    "field1": {
      "count": 123,
      "customLabel": "Field 1 label"
    },
    "field2": {
      "customLabel": "Field 2 label",
      "customDescription": "Field 2 description"
    }
  }
}
Response examples (200)
{
  "acknowledged": true
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Create or update a runtime field

PUT /api/data_views/data_view/{viewId}/runtime_field

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    The ID of the data view fields you want to update.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

    Additional properties are allowed.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Additional properties are allowed.

    • fields array[object]

      Additional properties are allowed.

  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
PUT /api/data_views/data_view/{viewId}/runtime_field
curl \
 -X PUT https://localhost:5601/api/data_views/data_view/{viewId}/runtime_field \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}
Response examples (200)
{
  "data_view": {},
  "fields": [
    {}
  ]
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Create a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

    Additional properties are allowed.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Additional properties are allowed.

POST /api/data_views/data_view/{viewId}/runtime_field
curl \
 -X POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}
Response examples (200)
{}

Get a runtime field

GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • Additional properties are allowed.

    • fields array[object]

      Additional properties are allowed.

  • 404 application/json; Elastic-Api-Version=2023-10-31

    Object is not found.

    Hide response attributes Show response attributes object
GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 -X GET https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
Response examples (200)
{
  "fields": [
    {
      "name": "hour_of_day",
      "type": "number",
      "count": 0,
      "esTypes": [
        "long"
      ],
      "scripted": false,
      "searchable": true,
      "aggregatable": true,
      "runtimeField": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      },
      "shortDotsEnable": false,
      "readFromDocValues": false
    }
  ],
  "data_view": {
    "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
    "name": "Kibana Sample Data Flights",
    "title": "kibana_sample_data_flights",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Dest": {
        "name": "Dest",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "Origin": {
        "name": "Origin",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Carrier": {
        "name": "Carrier",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Cancelled": {
        "name": "Cancelled",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightNum": {
        "name": "FlightNum",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "dayOfWeek": {
        "name": "dayOfWeek",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "timestamp": {
        "name": "timestamp",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestRegion": {
        "name": "DestRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestCountry": {
        "name": "DestCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestWeather": {
        "name": "DestWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelay": {
        "name": "FlightDelay",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "hour_of_day": {
        "name": "hour_of_day",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "00"
          }
        },
        "esTypes": [
          "long"
        ],
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "runtimeField": {
          "type": "long",
          "script": {
            "source": "emit(doc['timestamp'].value.getHour());"
          }
        },
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "DestCityName": {
        "name": "DestCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestLocation": {
        "name": "DestLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginRegion": {
        "name": "OriginRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestAirportID": {
        "name": "DestAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceMiles": {
        "name": "DistanceMiles",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeMin": {
        "name": "FlightTimeMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCountry": {
        "name": "OriginCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginWeather": {
        "name": "OriginWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "AvgTicketPrice": {
        "name": "AvgTicketPrice",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayMin": {
        "name": "FlightDelayMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeHour": {
        "name": "FlightTimeHour",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCityName": {
        "name": "OriginCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginLocation": {
        "name": "OriginLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayType": {
        "name": "FlightDelayType",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginAirportID": {
        "name": "OriginAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceKilometers": {
        "name": "DistanceKilometers",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzM2LDJd",
    "fieldAttrs": {},
    "allowNoIndex": false,
    "fieldFormats": {
      "hour_of_day": {
        "id": "number",
        "params": {
          "pattern": "00"
        }
      },
      "AvgTicketPrice": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "timestamp",
    "runtimeFieldMap": {
      "hour_of_day": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      }
    }
  }
}
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Update a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • runtimeField object Required

    The runtime field definition object.

    You can update following fields:

    • type
    • script

    Additional properties are allowed.

Responses

  • Indicates a successful call.

  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 -X POST https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
Request example
{
  "runtimeField": {
    "script": {
      "source": "emit(doc[\"bar\"].value)"
    }
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Delete a runtime field from a data view

DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

Responses

  • Indicates a successful call.

  • 404 application/json; Elastic-Api-Version=2023-10-31

    Object is not found.

    Hide response attributes Show response attributes object
DELETE /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
curl \
 -X DELETE https://localhost:5601/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day
Response examples (404)
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Get the default data view

GET /api/data_views/default

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views/default
curl \
 -X GET https://localhost:5601/api/data_views/default
Response examples (200)
{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Set the default data view

POST /api/data_views/default

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • data_view_id string | null Required

    The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use null to unset the default data view.

  • force boolean

    Update an existing default data view identifier.

    Default value is false.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/default
curl \
 -X POST https://localhost:5601/api/data_views/default \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "force": true,
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (200)
{
  "acknowledged": true
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Swap saved object references

POST /api/data_views/swap_references

Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • delete boolean

    Deletes referenced saved object if all references are removed.

  • forId string | array[string]

    Limit the affected saved objects to one or more by identifier.

  • forType string

    Limit the affected saved objects by type.

  • fromId string Required

    The saved object reference to change.

  • fromType string

    Specify the type of the saved object reference to alter. The default value is index-pattern for data views.

  • toId string Required

    New saved object reference value to replace the old value.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attributes Show response attributes object
POST /api/data_views/swap_references
curl \
 -X POST https://localhost:5601/api/data_views/swap_references \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "toId": "xyz-123",
  "delete": true,
  "fromId": "abcd-efg"
}
Response examples (200)
{
  "deleteStatus": {
    "deletePerformed": true,
    "remainingRefs": 42
  },
  "result": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Preview a saved object reference swap

POST /api/data_views/swap_references/_preview

Preview the impact of swapping saved object references from one data view identifier to another.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • delete boolean

    Deletes referenced saved object if all references are removed.

  • forId string | array[string]

    Limit the affected saved objects to one or more by identifier.

  • forType string

    Limit the affected saved objects by type.

  • fromId string Required

    The saved object reference to change.

  • fromType string

    Specify the type of the saved object reference to alter. The default value is index-pattern for data views.

  • toId string Required

    New saved object reference value to replace the old value.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • result array[object]
      Hide result attributes Show result attributes object
      • id string

        A saved object identifier.

      • type string

        The saved object type.

POST /api/data_views/swap_references/_preview
curl \
 -X POST https://localhost:5601/api/data_views/swap_references/_preview \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: string"
Request example
{
  "toId": "xyz-123",
  "fromId": "abcd-efg"
}
Response examples (200)
{
  "result": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Create an agent action

POST /api/fleet/agents/{agentId}/actions

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

POST /api/fleet/agents/{agentId}/actions
curl \
 -X POST https://localhost:5601/api/fleet/agents/{agentId}/actions \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "action": {
    "type": "UNENROLL"
  }
}
Response examples (200)
{
  "item": {
    "agents": [
      "string"
    ],
    "created_at": "string",
    "expiration": "string",
    "id": "string",
    "minimum_execution_duration": 42.0,
    "namespaces": [
      "string"
    ],
    "rollout_duration_seconds": 42.0,
    "sent_at": "string",
    "source_uri": "string",
    "start_time": "string",
    "total": 42.0,
    "type": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Reassign an agent

POST /api/fleet/agents/{agentId}/reassign

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Additional properties are NOT allowed.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/{agentId}/reassign
curl \
 -X POST https://localhost:5601/api/fleet/agents/{agentId}/reassign \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "policy_id": "string"
}
Response examples (200)
{}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Request agent diagnostics

POST /api/fleet/agents/{agentId}/request_diagnostics

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/{agentId}/request_diagnostics
curl \
 -X POST https://localhost:5601/api/fleet/agents/{agentId}/request_diagnostics \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "additional_metrics": [
    "CPU"
  ]
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Unenroll an agent

POST /api/fleet/agents/{agentId}/unenroll

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json; Elastic-Api-Version=2023-10-31

Body

POST /api/fleet/agents/{agentId}/unenroll
curl \
 -X POST https://localhost:5601/api/fleet/agents/{agentId}/unenroll \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "revoke": true
}

Upgrade an agent

POST /api/fleet/agents/{agentId}/upgrade

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Additional properties are NOT allowed.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/{agentId}/upgrade
curl \
 -X POST https://localhost:5601/api/fleet/agents/{agentId}/upgrade \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "skipRateLimitCheck": true,
  "source_uri": "string",
  "version": "string"
}
Response examples (200)
{}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent action status

GET /api/fleet/agents/action_status

Query parameters

Responses

GET /api/fleet/agents/action_status
curl \
 -X GET https://localhost:5601/api/fleet/agents/action_status
Response examples (200)
{
  "items": [
    {
      "actionId": "string",
      "cancellationTime": "string",
      "completionTime": "string",
      "creationTime": "string",
      "expiration": "string",
      "hasRolloutPeriod": true,
      "latestErrors": [
        {
          "agentId": "string",
          "error": "string",
          "hostname": "string",
          "timestamp": "string"
        }
      ],
      "nbAgentsAck": 42.0,
      "nbAgentsActionCreated": 42.0,
      "nbAgentsActioned": 42.0,
      "nbAgentsFailed": 42.0,
      "newPolicyId": "string",
      "policyId": "string",
      "revision": 42.0,
      "startTime": "string",
      "status": "COMPLETE",
      "type": "UPGRADE",
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Cancel an agent action

POST /api/fleet/agents/actions/{actionId}/cancel

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Responses

POST /api/fleet/agents/actions/{actionId}/cancel
curl \
 -X POST https://localhost:5601/api/fleet/agents/actions/{actionId}/cancel \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "item": {
    "agents": [
      "string"
    ],
    "created_at": "string",
    "expiration": "string",
    "id": "string",
    "minimum_execution_duration": 42.0,
    "namespaces": [
      "string"
    ],
    "rollout_duration_seconds": 42.0,
    "sent_at": "string",
    "source_uri": "string",
    "start_time": "string",
    "total": 42.0,
    "type": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk reassign agents

POST /api/fleet/agents/bulk_reassign

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/bulk_reassign
curl \
 -X POST https://localhost:5601/api/fleet/agents/bulk_reassign \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "includeInactive": false,
  "policy_id": "string"
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk request diagnostics from agents

POST /api/fleet/agents/bulk_request_diagnostics

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/bulk_request_diagnostics
curl \
 -X POST https://localhost:5601/api/fleet/agents/bulk_request_diagnostics \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "additional_metrics": [
    "CPU"
  ],
  "agents": [
    "string"
  ],
  "batchSize": 42.0
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk unenroll agents

POST /api/fleet/agents/bulk_unenroll

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/bulk_unenroll
curl \
 -X POST https://localhost:5601/api/fleet/agents/bulk_unenroll \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "force": true,
  "includeInactive": true,
  "revoke": true
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk update agent tags

POST /api/fleet/agents/bulk_update_agent_tags

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/bulk_update_agent_tags
curl \
 -X POST https://localhost:5601/api/fleet/agents/bulk_update_agent_tags \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "includeInactive": false,
  "tagsToAdd": [
    "string"
  ],
  "tagsToRemove": [
    "string"
  ]
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk upgrade agents

POST /api/fleet/agents/bulk_upgrade

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/bulk_upgrade
curl \
 -X POST https://localhost:5601/api/fleet/agents/bulk_upgrade \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agents": [
    "string"
  ],
  "batchSize": 42.0,
  "force": true,
  "includeInactive": false,
  "rollout_duration_seconds": 42.0,
  "skipRateLimitCheck": true,
  "source_uri": "string",
  "start_time": "string",
  "version": "string"
}
Response examples (200)
{
  "actionId": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent binary download sources

GET /api/fleet/agent_download_sources

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agent_download_sources
curl \
 -X GET https://localhost:5601/api/fleet/agent_download_sources
Response examples (200)
{
  "items": [
    {
      "host": "https://example.com",
      "id": "string",
      "is_default": false,
      "name": "string",
      "proxy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create an agent binary download source

POST /api/fleet/agent_download_sources

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

  • host string(uri) Required
  • id string
  • is_default boolean

    Default value is false.

  • name string Required
  • proxy_id string | null

    The ID of the proxy to use for this download source. See the proxies API for more information.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agent_download_sources
curl \
 -X POST https://localhost:5601/api/fleet/agent_download_sources \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string"
}
Response examples (200)
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent binary download source

GET /api/fleet/agent_download_sources/{sourceId}

Get an agent binary download source by ID.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agent_download_sources/{sourceId}
curl \
 -X GET https://localhost:5601/api/fleet/agent_download_sources/{sourceId}
Response examples (200)
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update an agent binary download source

PUT /api/fleet/agent_download_sources/{sourceId}

Update an agent binary download source by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

  • host string(uri) Required
  • id string
  • is_default boolean

    Default value is false.

  • name string Required
  • proxy_id string | null

    The ID of the proxy to use for this download source. See the proxies API for more information.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • host string(uri) Required
      • id string Required
      • is_default boolean

        Default value is false.

      • name string Required
      • proxy_id string | null

        The ID of the proxy to use for this download source. See the proxies API for more information.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
PUT /api/fleet/agent_download_sources/{sourceId}
curl \
 -X PUT https://localhost:5601/api/fleet/agent_download_sources/{sourceId} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string"
}
Response examples (200)
{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an agent binary download source

DELETE /api/fleet/agent_download_sources/{sourceId}

Delete an agent binary download source by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/agent_download_sources/{sourceId}
curl \
 -X DELETE https://localhost:5601/api/fleet/agent_download_sources/{sourceId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent policies

GET /api/fleet/agent_policies

Query parameters

Responses

GET /api/fleet/agent_policies
curl \
 -X GET https://localhost:5601/api/fleet/agent_policies
Response examples (200)
{
  "items": [
    {
      "advanced_settings": {},
      "agent_features": [
        {
          "enabled": true,
          "name": "string"
        }
      ],
      "agents": 42.0,
      "data_output_id": "string",
      "description": "string",
      "download_source_id": "string",
      "fleet_server_host_id": "string",
      "global_data_tags": [
        {
          "name": "string",
          "value": "string"
        }
      ],
      "has_fleet_server": true,
      "id": "string",
      "inactivity_timeout": 1209600,
      "is_default": true,
      "is_default_fleet_server": true,
      "is_managed": true,
      "is_preconfigured": true,
      "is_protected": true,
      "keep_monitoring_alive": false,
      "monitoring_diagnostics": {
        "limit": {
          "burst": 42.0,
          "interval": "string"
        },
        "uploader": {
          "init_dur": "string",
          "max_dur": "string",
          "max_retries": 42.0
        }
      },
      "monitoring_enabled": [
        "logs"
      ],
      "monitoring_http": {
        "buffer": {
          "enabled": false
        },
        "enabled": true,
        "host": "string",
        "port": 42.0
      },
      "monitoring_output_id": "string",
      "monitoring_pprof_enabled": true,
      "name": "string",
      "namespace": "string",
      "overrides": {},
      "package_policies": [
        "string"
      ],
      "revision": 42.0,
      "schema_version": "string",
      "space_ids": [
        "string"
      ],
      "status": "active",
      "supports_agentless": false,
      "unenroll_timeout": 42.0,
      "unprivileged_agents": 42.0,
      "updated_at": "string",
      "updated_by": "string",
      "version": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create an agent policy

POST /api/fleet/agent_policies

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

POST /api/fleet/agent_policies
curl \
 -X POST https://localhost:5601/api/fleet/agent_policies \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "advanced_settings": {},
  "agent_features": [
    {
      "enabled": true,
      "name": "string"
    }
  ],
  "data_output_id": "string",
  "description": "string",
  "download_source_id": "string",
  "fleet_server_host_id": "string",
  "force": true,
  "global_data_tags": [
    {
      "name": "string",
      "value": "string"
    }
  ],
  "has_fleet_server": true,
  "id": "string",
  "inactivity_timeout": 1209600,
  "is_default": true,
  "is_default_fleet_server": true,
  "is_managed": true,
  "is_protected": true,
  "keep_monitoring_alive": false,
  "monitoring_diagnostics": {
    "limit": {
      "burst": 42.0,
      "interval": "string"
    },
    "uploader": {
      "init_dur": "string",
      "max_dur": "string",
      "max_retries": 42.0
    }
  },
  "monitoring_enabled": [
    "logs"
  ],
  "monitoring_http": {
    "buffer": {
      "enabled": false
    },
    "enabled": true,
    "host": "string",
    "port": 42.0
  },
  "monitoring_output_id": "string",
  "monitoring_pprof_enabled": true,
  "name": "string",
  "namespace": "string",
  "overrides": {},
  "space_ids": [
    "string"
  ],
  "supports_agentless": false,
  "unenroll_timeout": 42.0
}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk get agent policies

POST /api/fleet/agent_policies/_bulk_get

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json; Elastic-Api-Version=2023-10-31

Body

  • full boolean

    get full policies with package policies populated

  • ids array[string] Required

    list of package policy ids

Responses

POST /api/fleet/agent_policies/_bulk_get
curl \
 -X POST https://localhost:5601/api/fleet/agent_policies/_bulk_get \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "full": true,
  "ids": [
    "string"
  ],
  "ignoreMissing": true
}
Response examples (200)
{
  "items": [
    {
      "advanced_settings": {},
      "agent_features": [
        {
          "enabled": true,
          "name": "string"
        }
      ],
      "agents": 42.0,
      "data_output_id": "string",
      "description": "string",
      "download_source_id": "string",
      "fleet_server_host_id": "string",
      "global_data_tags": [
        {
          "name": "string",
          "value": "string"
        }
      ],
      "has_fleet_server": true,
      "id": "string",
      "inactivity_timeout": 1209600,
      "is_default": true,
      "is_default_fleet_server": true,
      "is_managed": true,
      "is_preconfigured": true,
      "is_protected": true,
      "keep_monitoring_alive": false,
      "monitoring_diagnostics": {
        "limit": {
          "burst": 42.0,
          "interval": "string"
        },
        "uploader": {
          "init_dur": "string",
          "max_dur": "string",
          "max_retries": 42.0
        }
      },
      "monitoring_enabled": [
        "logs"
      ],
      "monitoring_http": {
        "buffer": {
          "enabled": false
        },
        "enabled": true,
        "host": "string",
        "port": 42.0
      },
      "monitoring_output_id": "string",
      "monitoring_pprof_enabled": true,
      "name": "string",
      "namespace": "string",
      "overrides": {},
      "package_policies": [
        "string"
      ],
      "revision": 42.0,
      "schema_version": "string",
      "space_ids": [
        "string"
      ],
      "status": "active",
      "supports_agentless": false,
      "unenroll_timeout": 42.0,
      "unprivileged_agents": 42.0,
      "updated_at": "string",
      "updated_by": "string",
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}

Get an agent policy by ID.

Query parameters

  • format string

    Values are simplified or legacy.

Responses

GET /api/fleet/agent_policies/{agentPolicyId}
curl \
 -X GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update an agent policy

PUT /api/fleet/agent_policies/{agentPolicyId}

Update an agent policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

PUT /api/fleet/agent_policies/{agentPolicyId}
curl \
 -X PUT https://localhost:5601/api/fleet/agent_policies/{agentPolicyId} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "advanced_settings": {},
  "agent_features": [
    {
      "enabled": true,
      "name": "string"
    }
  ],
  "data_output_id": "string",
  "description": "string",
  "download_source_id": "string",
  "fleet_server_host_id": "string",
  "force": true,
  "global_data_tags": [
    {
      "name": "string",
      "value": "string"
    }
  ],
  "has_fleet_server": true,
  "id": "string",
  "inactivity_timeout": 1209600,
  "is_default": true,
  "is_default_fleet_server": true,
  "is_managed": true,
  "is_protected": true,
  "keep_monitoring_alive": false,
  "monitoring_diagnostics": {
    "limit": {
      "burst": 42.0,
      "interval": "string"
    },
    "uploader": {
      "init_dur": "string",
      "max_dur": "string",
      "max_retries": 42.0
    }
  },
  "monitoring_enabled": [
    "logs"
  ],
  "monitoring_http": {
    "buffer": {
      "enabled": false
    },
    "enabled": true,
    "host": "string",
    "port": 42.0
  },
  "monitoring_output_id": "string",
  "monitoring_pprof_enabled": true,
  "name": "string",
  "namespace": "string",
  "overrides": {},
  "space_ids": [
    "string"
  ],
  "supports_agentless": false,
  "unenroll_timeout": 42.0
}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Copy an agent policy

POST /api/fleet/agent_policies/{agentPolicyId}/copy

Copy an agent policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

  • format string

    Values are simplified or legacy.

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

POST /api/fleet/agent_policies/{agentPolicyId}/copy
curl \
 -X POST https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/copy \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "name": "string"
}
Response examples (200)
{
  "item": {
    "advanced_settings": {},
    "agent_features": [
      {
        "enabled": true,
        "name": "string"
      }
    ],
    "agents": 42.0,
    "data_output_id": "string",
    "description": "string",
    "download_source_id": "string",
    "fleet_server_host_id": "string",
    "global_data_tags": [
      {
        "name": "string",
        "value": "string"
      }
    ],
    "has_fleet_server": true,
    "id": "string",
    "inactivity_timeout": 1209600,
    "is_default": true,
    "is_default_fleet_server": true,
    "is_managed": true,
    "is_preconfigured": true,
    "is_protected": true,
    "keep_monitoring_alive": false,
    "monitoring_diagnostics": {
      "limit": {
        "burst": 42.0,
        "interval": "string"
      },
      "uploader": {
        "init_dur": "string",
        "max_dur": "string",
        "max_retries": 42.0
      }
    },
    "monitoring_enabled": [
      "logs"
    ],
    "monitoring_http": {
      "buffer": {
        "enabled": false
      },
      "enabled": true,
      "host": "string",
      "port": 42.0
    },
    "monitoring_output_id": "string",
    "monitoring_pprof_enabled": true,
    "name": "string",
    "namespace": "string",
    "overrides": {},
    "package_policies": [
      "string"
    ],
    "revision": 42.0,
    "schema_version": "string",
    "space_ids": [
      "string"
    ],
    "status": "active",
    "supports_agentless": false,
    "unenroll_timeout": 42.0,
    "unprivileged_agents": 42.0,
    "updated_at": "string",
    "updated_by": "string",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Download an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/download

Download an agent policy by ID.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agent_policies/{agentPolicyId}/download
curl \
 -X GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/download
Response examples (200)
string
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a full agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/full

Get a full agent policy by ID.

Responses

GET /api/fleet/agent_policies/{agentPolicyId}/full
curl \
 -X GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/full
Response examples (200)
{
  "item": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get outputs for an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/outputs

Get a list of outputs associated with agent policy by policy id.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agent_policies/{agentPolicyId}/outputs
curl \
 -X GET https://localhost:5601/api/fleet/agent_policies/{agentPolicyId}/outputs
Response examples (200)
{
  "item": {
    "agentPolicyId": "string",
    "data": {
      "integrations": [
        {
          "id": "string",
          "integrationPolicyName": "string",
          "name": "string",
          "pkgName": "string"
        }
      ],
      "output": {
        "id": "string",
        "name": "string"
      }
    },
    "monitoring": {
      "output": {
        "id": "string",
        "name": "string"
      }
    }
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an agent policy

POST /api/fleet/agent_policies/delete

Delete an agent policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/delete
curl \
 -X POST https://localhost:5601/api/fleet/agent_policies/delete \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "agentPolicyId": "string",
  "force": true
}
Response examples (200)
{
  "id": "string",
  "name": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get outputs for agent policies

POST /api/fleet/agent_policies/outputs

Get a list of outputs associated with agent policies.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

  • ids array[string] Required

    list of package policy ids

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/outputs
curl \
 -X POST https://localhost:5601/api/fleet/agent_policies/outputs \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "ids": [
    "string"
  ]
}
Response examples (200)
{
  "items": [
    {
      "agentPolicyId": "string",
      "data": {
        "integrations": [
          {
            "id": "string",
            "integrationPolicyName": "string",
            "name": "string",
            "pkgName": "string"
          }
        ],
        "output": {
          "id": "string",
          "name": "string"
        }
      },
      "monitoring": {
        "output": {
          "id": "string",
          "name": "string"
        }
      }
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a full K8s agent manifest

GET /api/fleet/kubernetes

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/kubernetes
curl \
 -X GET https://localhost:5601/api/fleet/kubernetes
Response examples (200)
{
  "item": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Download an agent manifest

GET /api/fleet/kubernetes/download

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/kubernetes/download
curl \
 -X GET https://localhost:5601/api/fleet/kubernetes/download
Response examples (200)
string
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent status summary

GET /api/fleet/agent_status

Query parameters

Responses

GET /api/fleet/agent_status
curl \
 -X GET https://localhost:5601/api/fleet/agent_status
Response examples (200)
{
  "results": {
    "active": 42.0,
    "all": 42.0,
    "error": 42.0,
    "events": 42.0,
    "inactive": 42.0,
    "offline": 42.0,
    "online": 42.0,
    "other": 42.0,
    "unenrolled": 42.0,
    "updating": 42.0
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get incoming agent data

GET /api/fleet/agent_status/data

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • dataPreview array Required
    • items array[object] Required
      Hide items attribute Show items attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attribute Show * attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agent_status/data
curl \
 -X GET https://localhost:5601/api/fleet/agent_status/data?agentsIds=string
Response examples (200)
{
  "dataPreview": [],
  "items": [
    {
      "additionalProperty1": {
        "data": true
      },
      "additionalProperty2": {
        "data": true
      }
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agents

GET /api/fleet/agents

Query parameters

Responses

GET /api/fleet/agents
curl \
 -X GET https://localhost:5601/api/fleet/agents
Response examples (200)
{
  "items": [
    {
      "access_api_key": "string",
      "access_api_key_id": "string",
      "active": true,
      "agent": {
        "id": "string",
        "version": "string"
      },
      "components": [
        {
          "id": "string",
          "message": "string",
          "status": "STARTING",
          "type": "string",
          "units": [
            {
              "id": "string",
              "message": "string",
              "payload": {},
              "status": "STARTING",
              "type": "input"
            }
          ]
        }
      ],
      "default_api_key": "string",
      "default_api_key_history": [
        {
          "id": "string",
          "retired_at": "string"
        }
      ],
      "default_api_key_id": "string",
      "enrolled_at": "string",
      "id": "string",
      "last_checkin": "string",
      "last_checkin_message": "string",
      "last_checkin_status": "error",
      "local_metadata": {},
      "metrics": {
        "cpu_avg": 42.0,
        "memory_size_byte_avg": 42.0
      },
      "namespaces": [
        "string"
      ],
      "outputs": {
        "additionalProperty1": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        },
        "additionalProperty2": {
          "api_key_id": "string",
          "to_retire_api_key_ids": [
            {
              "id": "string",
              "retired_at": "string"
            }
          ],
          "type": "string"
        }
      },
      "packages": [
        "string"
      ],
      "policy_id": "string",
      "policy_revision": 42.0,
      "sort": [
        42.0
      ],
      "status": "offline",
      "tags": [
        "string"
      ],
      "type": "PERMANENT",
      "unenrolled_at": "string",
      "unenrollment_started_at": "string",
      "unhealthy_reason": [
        "input"
      ],
      "upgrade_details": {
        "action_id": "string",
        "metadata": {
          "download_percent": 42.0,
          "download_rate": 42.0,
          "error_msg": "string",
          "failed_state": "UPG_REQUESTED",
          "retry_error_msg": "string",
          "retry_until": "string",
          "scheduled_at": "string"
        },
        "state": "UPG_REQUESTED",
        "target_version": "string"
      },
      "upgrade_started_at": "string",
      "upgraded_at": "string",
      "user_provided_metadata": {}
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "statusSummary": {
    "additionalProperty1": 42.0,
    "additionalProperty2": 42.0
  },
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agents by action ids

POST /api/fleet/agents

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents
curl \
 -X POST https://localhost:5601/api/fleet/agents \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "actionIds": [
    "string"
  ]
}
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an agent

GET /api/fleet/agents/{agentId}

Get an agent by ID.

Query parameters

Responses

GET /api/fleet/agents/{agentId}
curl \
 -X GET https://localhost:5601/api/fleet/agents/{agentId}
Response examples (200)
{
  "item": {
    "access_api_key": "string",
    "access_api_key_id": "string",
    "active": true,
    "agent": {
      "id": "string",
      "version": "string"
    },
    "components": [
      {
        "id": "string",
        "message": "string",
        "status": "STARTING",
        "type": "string",
        "units": [
          {
            "id": "string",
            "message": "string",
            "payload": {},
            "status": "STARTING",
            "type": "input"
          }
        ]
      }
    ],
    "default_api_key": "string",
    "default_api_key_history": [
      {
        "id": "string",
        "retired_at": "string"
      }
    ],
    "default_api_key_id": "string",
    "enrolled_at": "string",
    "id": "string",
    "last_checkin": "string",
    "last_checkin_message": "string",
    "last_checkin_status": "error",
    "local_metadata": {},
    "metrics": {
      "cpu_avg": 42.0,
      "memory_size_byte_avg": 42.0
    },
    "namespaces": [
      "string"
    ],
    "outputs": {
      "additionalProperty1": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      },
      "additionalProperty2": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      }
    },
    "packages": [
      "string"
    ],
    "policy_id": "string",
    "policy_revision": 42.0,
    "sort": [
      42.0
    ],
    "status": "offline",
    "tags": [
      "string"
    ],
    "type": "PERMANENT",
    "unenrolled_at": "string",
    "unenrollment_started_at": "string",
    "unhealthy_reason": [
      "input"
    ],
    "upgrade_details": {
      "action_id": "string",
      "metadata": {
        "download_percent": 42.0,
        "download_rate": 42.0,
        "error_msg": "string",
        "failed_state": "UPG_REQUESTED",
        "retry_error_msg": "string",
        "retry_until": "string",
        "scheduled_at": "string"
      },
      "state": "UPG_REQUESTED",
      "target_version": "string"
    },
    "upgrade_started_at": "string",
    "upgraded_at": "string",
    "user_provided_metadata": {}
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update an agent

PUT /api/fleet/agents/{agentId}

Update an agent by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

PUT /api/fleet/agents/{agentId}
curl \
 -X PUT https://localhost:5601/api/fleet/agents/{agentId} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "tags": [
    "string"
  ],
  "user_provided_metadata": {}
}
Response examples (200)
{
  "item": {
    "access_api_key": "string",
    "access_api_key_id": "string",
    "active": true,
    "agent": {
      "id": "string",
      "version": "string"
    },
    "components": [
      {
        "id": "string",
        "message": "string",
        "status": "STARTING",
        "type": "string",
        "units": [
          {
            "id": "string",
            "message": "string",
            "payload": {},
            "status": "STARTING",
            "type": "input"
          }
        ]
      }
    ],
    "default_api_key": "string",
    "default_api_key_history": [
      {
        "id": "string",
        "retired_at": "string"
      }
    ],
    "default_api_key_id": "string",
    "enrolled_at": "string",
    "id": "string",
    "last_checkin": "string",
    "last_checkin_message": "string",
    "last_checkin_status": "error",
    "local_metadata": {},
    "metrics": {
      "cpu_avg": 42.0,
      "memory_size_byte_avg": 42.0
    },
    "namespaces": [
      "string"
    ],
    "outputs": {
      "additionalProperty1": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      },
      "additionalProperty2": {
        "api_key_id": "string",
        "to_retire_api_key_ids": [
          {
            "id": "string",
            "retired_at": "string"
          }
        ],
        "type": "string"
      }
    },
    "packages": [
      "string"
    ],
    "policy_id": "string",
    "policy_revision": 42.0,
    "sort": [
      42.0
    ],
    "status": "offline",
    "tags": [
      "string"
    ],
    "type": "PERMANENT",
    "unenrolled_at": "string",
    "unenrollment_started_at": "string",
    "unhealthy_reason": [
      "input"
    ],
    "upgrade_details": {
      "action_id": "string",
      "metadata": {
        "download_percent": 42.0,
        "download_rate": 42.0,
        "error_msg": "string",
        "failed_state": "UPG_REQUESTED",
        "retry_error_msg": "string",
        "retry_until": "string",
        "scheduled_at": "string"
      },
      "state": "UPG_REQUESTED",
      "target_version": "string"
    },
    "upgrade_started_at": "string",
    "upgraded_at": "string",
    "user_provided_metadata": {}
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an agent

DELETE /api/fleet/agents/{agentId}

Delete an agent by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • action string Required

      Value is deleted.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/agents/{agentId}
curl \
 -X DELETE https://localhost:5601/api/fleet/agents/{agentId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "action": "deleted"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent uploads

GET /api/fleet/agents/{agentId}/uploads

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agents/{agentId}/uploads
curl \
 -X GET https://localhost:5601/api/fleet/agents/{agentId}/uploads
Response examples (200)
{
  "items": [
    {
      "actionId": "string",
      "createTime": "string",
      "error": "string",
      "filePath": "string",
      "id": "string",
      "name": "string",
      "status": "READY"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get available agent versions

GET /api/fleet/agents/available_versions

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agents/available_versions
curl \
 -X GET https://localhost:5601/api/fleet/agents/available_versions
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete an uploaded file

DELETE /api/fleet/agents/files/{fileId}

Delete a file uploaded by an agent.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/agents/files/{fileId}
curl \
 -X DELETE https://localhost:5601/api/fleet/agents/files/{fileId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "deleted": true,
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an uploaded file

GET /api/fleet/agents/files/{fileId}/{fileName}

Get a file uploaded by an agent.

Path parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    Additional properties are allowed.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agents/files/{fileId}/{fileName}
curl \
 -X GET https://localhost:5601/api/fleet/agents/files/{fileId}/{fileName}
Response examples (200)
{}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent setup info

GET /api/fleet/agents/setup

Responses

GET /api/fleet/agents/setup
curl \
 -X GET https://localhost:5601/api/fleet/agents/setup
Response examples (200)
{
  "is_secrets_storage_enabled": true,
  "is_space_awareness_enabled": true,
  "isReady": true,
  "missing_optional_features": [
    "encrypted_saved_object_encryption_key_required"
  ],
  "missing_requirements": [
    "security_required"
  ],
  "package_verification_key_id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Initiate agent setup

POST /api/fleet/agents/setup

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/agents/setup
curl \
 -X POST https://localhost:5601/api/fleet/agents/setup \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "isInitialized": true,
  "nonFatalErrors": [
    {
      "message": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get agent tags

GET /api/fleet/agents/tags

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/agents/tags
curl \
 -X GET https://localhost:5601/api/fleet/agents/tags
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk get assets

POST /api/fleet/epm/bulk_assets

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

  • assetIds array[object] Required
    Hide assetIds attributes Show assetIds attributes object

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/epm/bulk_assets
curl \
 -X POST https://localhost:5601/api/fleet/epm/bulk_assets \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "assetIds": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}
Response examples (200)
{
  "items": [
    {
      "appLink": "string",
      "attributes": {
        "description": "string",
        "service": "string",
        "title": "string"
      },
      "id": "string",
      "type": "string",
      "updatedAt": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get package categories

GET /api/fleet/epm/categories

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/epm/categories
curl \
 -X GET https://localhost:5601/api/fleet/epm/categories
Response examples (200)
{
  "items": [
    {
      "count": 42.0,
      "id": "string",
      "parent_id": "string",
      "parent_title": "string",
      "title": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a custom integration

POST /api/fleet/epm/custom_integrations

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

  • datasets array[object] Required
    Hide datasets attributes Show datasets attributes object
    • name string Required
    • type string Required

      Values are logs, metrics, traces, synthetics, or profiling.

  • force boolean
  • integrationName string Required

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/epm/custom_integrations
curl \
 -X POST https://localhost:5601/api/fleet/epm/custom_integrations \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "datasets": [
    {
      "name": "string",
      "type": "logs"
    }
  ],
  "force": true,
  "integrationName": "string"
}
Response examples (200)
{
  "_meta": {
    "install_source": "string"
  },
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get packages

GET /api/fleet/epm/packages

Responses

GET /api/fleet/epm/packages
curl \
 -X GET https://localhost:5601/api/fleet/epm/packages
Response examples (200)
{
  "items": [
    {
      "categories": [
        "string"
      ],
      "conditions": {
        "elastic": {
          "capabilities": [
            "string"
          ],
          "subscription": "string"
        },
        "kibana": {
          "version": "string"
        }
      },
      "data_streams": [
        {}
      ],
      "description": "string",
      "discovery": {
        "fields": [
          {
            "name": "string"
          }
        ]
      },
      "download": "string",
      "format_version": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "id": "string",
      "installationInfo": {
        "additional_spaces_installed_kibana": {
          "additionalProperty1": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ],
          "additionalProperty2": [
            {
              "id": "string",
              "originId": "string",
              "type": "dashboard"
            }
          ]
        },
        "created_at": "string",
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "install_format_schema_version": "string",
        "install_source": "registry",
        "install_status": "installed",
        "installed_es": [
          {
            "deferred": true,
            "id": "string",
            "type": "index",
            "version": "string"
          }
        ],
        "installed_kibana": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "installed_kibana_space_id": "string",
        "latest_executed_state": {
          "error": "string",
          "name": "string",
          "started_at": "string"
        },
        "latest_install_failed_attempts": [
          {
            "created_at": "string",
            "error": {
              "message": "string",
              "name": "string",
              "stack": "string"
            },
            "target_version": "string"
          }
        ],
        "name": "string",
        "namespaces": [
          "string"
        ],
        "type": "string",
        "updated_at": "string",
        "verification_key_id": "string",
        "verification_status": "unverified",
        "version": "string"
      },
      "integration": "string",
      "internal": true,
      "latestVersion": "string",
      "name": "string",
      "owner": {
        "github": "string",
        "type": "elastic"
      },
      "path": "string",
      "policy_templates": [
        {}
      ],
      "readme": "string",
      "release": "ga",
      "signature_path": "string",
      "source": {
        "license": "string"
      },
      "status": "string",
      "title": "string",
      "type": "integration",
      "vars": [
        {}
      ],
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Install a package by upload

POST /api/fleet/epm/packages

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

application/gzip; application/zip; Elastic-Api-Version=2023-10-31

Body

string(binary) string(binary)

Responses

  • 200 application/gzip; application/zip; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/gzip; application/zip; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/epm/packages
curl \
 -X POST https://localhost:5601/api/fleet/epm/packages \
 -H "Content-Type: application/gzip; application/zip; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"

Bulk install packages

POST /api/fleet/epm/packages/_bulk

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

POST /api/fleet/epm/packages/_bulk
curl \
 -X POST https://localhost:5601/api/fleet/epm/packages/_bulk \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": false,
  "packages": [
    "string"
  ]
}
Response examples (200)
{
  "items": [
    {
      "name": "string",
      "result": {
        "assets": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "installSource": "string",
        "installType": "string",
        "status": "installed"
      },
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Query parameters

Responses

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 -X GET https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}
Response examples (200)
{
  "item": {
    "agent": {
      "privileges": {
        "root": true
      }
    },
    "asset_tags": [
      {
        "asset_ids": [
          "string"
        ],
        "asset_types": [
          "string"
        ],
        "text": "string"
      }
    ],
    "assets": {},
    "categories": [
      "string"
    ],
    "conditions": {
      "elastic": {
        "capabilities": [
          "string"
        ],
        "subscription": "string"
      },
      "kibana": {
        "version": "string"
      }
    },
    "data_streams": [
      {}
    ],
    "description": "string",
    "discovery": {
      "fields": [
        {
          "name": "string"
        }
      ]
    },
    "download": "string",
    "elasticsearch": {},
    "format_version": "string",
    "icons": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "installationInfo": {
      "additional_spaces_installed_kibana": {
        "additionalProperty1": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "additionalProperty2": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ]
      },
      "created_at": "string",
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "install_format_schema_version": "string",
      "install_source": "registry",
      "install_status": "installed",
      "installed_es": [
        {
          "deferred": true,
          "id": "string",
          "type": "index",
          "version": "string"
        }
      ],
      "installed_kibana": [
        {
          "id": "string",
          "originId": "string",
          "type": "dashboard"
        }
      ],
      "installed_kibana_space_id": "string",
      "latest_executed_state": {
        "error": "string",
        "name": "string",
        "started_at": "string"
      },
      "latest_install_failed_attempts": [
        {
          "created_at": "string",
          "error": {
            "message": "string",
            "name": "string",
            "stack": "string"
          },
          "target_version": "string"
        }
      ],
      "name": "string",
      "namespaces": [
        "string"
      ],
      "type": "string",
      "updated_at": "string",
      "verification_key_id": "string",
      "verification_status": "unverified",
      "version": "string"
    },
    "internal": true,
    "keepPoliciesUpToDate": true,
    "latestVersion": "string",
    "license": "string",
    "licensePath": "string",
    "name": "string",
    "notice": "string",
    "owner": {
      "github": "string",
      "type": "elastic"
    },
    "path": "string",
    "policy_templates": [
      {}
    ],
    "readme": "string",
    "release": "ga",
    "screenshots": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "signature_path": "string",
    "source": {
      "license": "string"
    },
    "status": "string",
    "title": "string",
    "type": "integration",
    "vars": [
      {}
    ],
    "version": "string"
  },
  "metadata": {
    "has_policies": true
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update package settings

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Responses

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 -X PUT https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "keepPoliciesUpToDate": true
}
Response examples (200)
{
  "item": {
    "agent": {
      "privileges": {
        "root": true
      }
    },
    "asset_tags": [
      {
        "asset_ids": [
          "string"
        ],
        "asset_types": [
          "string"
        ],
        "text": "string"
      }
    ],
    "assets": {},
    "categories": [
      "string"
    ],
    "conditions": {
      "elastic": {
        "capabilities": [
          "string"
        ],
        "subscription": "string"
      },
      "kibana": {
        "version": "string"
      }
    },
    "data_streams": [
      {}
    ],
    "description": "string",
    "discovery": {
      "fields": [
        {
          "name": "string"
        }
      ]
    },
    "download": "string",
    "elasticsearch": {},
    "format_version": "string",
    "icons": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "installationInfo": {
      "additional_spaces_installed_kibana": {
        "additionalProperty1": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ],
        "additionalProperty2": [
          {
            "id": "string",
            "originId": "string",
            "type": "dashboard"
          }
        ]
      },
      "created_at": "string",
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "install_format_schema_version": "string",
      "install_source": "registry",
      "install_status": "installed",
      "installed_es": [
        {
          "deferred": true,
          "id": "string",
          "type": "index",
          "version": "string"
        }
      ],
      "installed_kibana": [
        {
          "id": "string",
          "originId": "string",
          "type": "dashboard"
        }
      ],
      "installed_kibana_space_id": "string",
      "latest_executed_state": {
        "error": "string",
        "name": "string",
        "started_at": "string"
      },
      "latest_install_failed_attempts": [
        {
          "created_at": "string",
          "error": {
            "message": "string",
            "name": "string",
            "stack": "string"
          },
          "target_version": "string"
        }
      ],
      "name": "string",
      "namespaces": [
        "string"
      ],
      "type": "string",
      "updated_at": "string",
      "verification_key_id": "string",
      "verification_status": "unverified",
      "version": "string"
    },
    "internal": true,
    "keepPoliciesUpToDate": true,
    "latestVersion": "string",
    "license": "string",
    "licensePath": "string",
    "name": "string",
    "notice": "string",
    "owner": {
      "github": "string",
      "type": "elastic"
    },
    "path": "string",
    "policy_templates": [
      {}
    ],
    "readme": "string",
    "release": "ga",
    "screenshots": [
      {
        "dark_mode": true,
        "path": "string",
        "size": "string",
        "src": "string",
        "title": "string",
        "type": "string"
      }
    ],
    "signature_path": "string",
    "source": {
      "license": "string"
    },
    "status": "string",
    "title": "string",
    "type": "integration",
    "vars": [
      {}
    ],
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Install a package from the registry

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • _meta object Required

      Additional properties are NOT allowed.

      Hide _meta attribute Show _meta attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 -X POST https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": false,
  "ignore_constraints": false
}
Response examples (200)
{
  "_meta": {
    "install_source": "string"
  },
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a package

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • items array[object] Required
      Any of:
      Hide attributes Show attributes
      • id string Required
      • originId string
      • type string Required

        Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}
curl \
 -X DELETE https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "items": [
    {
      "id": "string",
      "originId": "string",
      "type": "dashboard"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package file

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}

Path parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
curl \
 -X GET https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Authorize transforms

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
curl \
 -X POST https://localhost:5601/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "transforms": [
    {
      "transformId": "string"
    }
  ]
}
Response examples (200)
[
  {
    "success": true,
    "transformId": "string"
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get package stats

GET /api/fleet/epm/packages/{pkgName}/stats

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • response object Required

      Additional properties are NOT allowed.

      Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/epm/packages/{pkgName}/stats
curl \
 -X GET https://localhost:5601/api/fleet/epm/packages/{pkgName}/stats
Response examples (200)
{
  "response": {
    "agent_policy_count": 42.0
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get installed packages

GET /api/fleet/epm/packages/installed

Query parameters

Responses

GET /api/fleet/epm/packages/installed
curl \
 -X GET https://localhost:5601/api/fleet/epm/packages/installed
Response examples (200)
{
  "items": [
    {
      "dataStreams": [
        {
          "name": "string",
          "title": "string"
        }
      ],
      "description": "string",
      "icons": [
        {
          "dark_mode": true,
          "path": "string",
          "size": "string",
          "src": "string",
          "title": "string",
          "type": "string"
        }
      ],
      "name": "string",
      "status": "string",
      "title": "string",
      "version": "string"
    }
  ],
  "searchAfter": [
    "string"
  ],
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a limited package list

GET /api/fleet/epm/packages/limited

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/epm/packages/limited
curl \
 -X GET https://localhost:5601/api/fleet/epm/packages/limited
Response examples (200)
{
  "items": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an inputs template

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs

Path parameters

Query parameters

Responses

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
curl \
 -X GET https://localhost:5601/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
Response examples (200)
string
{
  "inputs": [
    {
      "id": "string",
      "streams": [
        {
          "data_stream": {
            "dataset": "string",
            "type": "string"
          },
          "id": "string"
        }
      ],
      "type": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a package signature verification key ID

GET /api/fleet/epm/verification_key_id

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • id string | null Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/epm/verification_key_id
curl \
 -X GET https://localhost:5601/api/fleet/epm/verification_key_id
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get enrollment API keys

GET /api/fleet/enrollment_api_keys

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

    • list array[object] Required Deprecated
      Hide list attributes Show list attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys
curl \
 -X GET https://localhost:5601/api/fleet/enrollment_api_keys
Response examples (200)
{
  "items": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "list": [
    {
      "active": true,
      "api_key": "string",
      "api_key_id": "string",
      "created_at": "string",
      "id": "string",
      "name": "string",
      "policy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create an enrollment API key

POST /api/fleet/enrollment_api_keys

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • action string Required

      Value is created.

    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/enrollment_api_keys
curl \
 -X POST https://localhost:5601/api/fleet/enrollment_api_keys \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "expiration": "string",
  "name": "string",
  "policy_id": "string"
}
Response examples (200)
{
  "action": "created",
  "item": {
    "active": true,
    "api_key": "string",
    "api_key_id": "string",
    "created_at": "string",
    "id": "string",
    "name": "string",
    "policy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get an enrollment API key

GET /api/fleet/enrollment_api_keys/{keyId}

Get an enrollment API key by ID.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • id string Required
      • name string

        The name of the enrollment API key.

      • The ID of the agent policy the Elastic Agent will be enrolled in.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys/{keyId}
curl \
 -X GET https://localhost:5601/api/fleet/enrollment_api_keys/{keyId}
Response examples (200)
{
  "item": {
    "active": true,
    "api_key": "string",
    "api_key_id": "string",
    "created_at": "string",
    "id": "string",
    "name": "string",
    "policy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Revoke an enrollment API key

DELETE /api/fleet/enrollment_api_keys/{keyId}

Revoke an enrollment API key by ID by marking it as inactive.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • action string Required

      Value is deleted.

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/enrollment_api_keys/{keyId}
curl \
 -X DELETE https://localhost:5601/api/fleet/enrollment_api_keys/{keyId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "action": "deleted"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Check permissions

GET /api/fleet/check-permissions

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • error string

      Values are MISSING_SECURITY, MISSING_PRIVILEGES, or MISSING_FLEET_SERVER_SETUP_PRIVILEGES.

    • success boolean Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/check-permissions
curl \
 -X GET https://localhost:5601/api/fleet/check-permissions
Response examples (200)
{
  "error": "MISSING_SECURITY",
  "success": true
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Check Fleet Server health

POST /api/fleet/health_check

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

  • id string Required

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/health_check
curl \
 -X POST https://localhost:5601/api/fleet/health_check \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "id": "string"
}
Response examples (200)
{
  "host_id": "string",
  "name": "string",
  "status": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get settings

GET /api/fleet/settings

Responses

GET /api/fleet/settings
curl \
 -X GET https://localhost:5601/api/fleet/settings
Response examples (200)
{
  "item": {
    "delete_unenrolled_agents": {
      "enabled": true,
      "is_preconfigured": true
    },
    "has_seen_add_data_notice": true,
    "id": "string",
    "output_secret_storage_requirements_met": true,
    "preconfigured_fields": [
      "fleet_server_hosts"
    ],
    "prerelease_integrations_enabled": true,
    "secret_storage_requirements_met": true,
    "use_space_awareness_migration_started_at": "string",
    "use_space_awareness_migration_status": "pending",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}

Update settings

PUT /api/fleet/settings

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

PUT /api/fleet/settings
curl \
 -X PUT https://localhost:5601/api/fleet/settings \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "additional_yaml_config": "string",
  "delete_unenrolled_agents": {
    "enabled": true,
    "is_preconfigured": true
  },
  "has_seen_add_data_notice": true,
  "kibana_ca_sha256": "string",
  "kibana_urls": [
    "https://example.com"
  ],
  "prerelease_integrations_enabled": true
}
Response examples (200)
{
  "item": {
    "delete_unenrolled_agents": {
      "enabled": true,
      "is_preconfigured": true
    },
    "has_seen_add_data_notice": true,
    "id": "string",
    "output_secret_storage_requirements_met": true,
    "preconfigured_fields": [
      "fleet_server_hosts"
    ],
    "prerelease_integrations_enabled": true,
    "secret_storage_requirements_met": true,
    "use_space_awareness_migration_started_at": "string",
    "use_space_awareness_migration_status": "pending",
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}

Initiate Fleet setup

POST /api/fleet/setup

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 500 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
POST /api/fleet/setup
curl \
 -X POST https://localhost:5601/api/fleet/setup \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "isInitialized": true,
  "nonFatalErrors": [
    {
      "message": "string",
      "name": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (500)
{
  "message": "string"
}

Generate a Logstash API key

POST /api/fleet/logstash_api_keys

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/logstash_api_keys
curl \
 -X POST https://localhost:5601/api/fleet/logstash_api_keys \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "api_key": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get outputs

GET /api/fleet/outputs

Responses

GET /api/fleet/outputs
curl \
 -X GET https://localhost:5601/api/fleet/outputs
Response examples (200)
{
  "items": [
    {
      "allow_edit": [
        "string"
      ],
      "ca_sha256": "string",
      "ca_trusted_fingerprint": "string",
      "config_yaml": "string",
      "hosts": [
        "https://example.com"
      ],
      "id": "string",
      "is_default": false,
      "is_default_monitoring": false,
      "is_internal": true,
      "is_preconfigured": true,
      "name": "string",
      "preset": "balanced",
      "proxy_id": "string",
      "shipper": {
        "compression_level": 42.0,
        "disk_queue_compression_enabled": true,
        "disk_queue_enabled": false,
        "disk_queue_encryption_enabled": true,
        "disk_queue_max_size": 42.0,
        "disk_queue_path": "string",
        "loadbalance": true,
        "max_batch_bytes": 42.0,
        "mem_queue_events": 42.0,
        "queue_flush_timeout": 42.0
      },
      "ssl": {
        "certificate": "string",
        "certificate_authorities": [
          "string"
        ],
        "key": "string",
        "verification_mode": "full"
      },
      "type": "elasticsearch"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create output

POST /api/fleet/outputs

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body object

Any of:

Responses

POST /api/fleet/outputs
curl \
 -X POST https://localhost:5601/api/fleet/outputs \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "service_token": {
      "id": "string"
    }
  },
  "service_token": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "remote_elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "logstash"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "auth_type": "none",
  "broker_timeout": 42.0,
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "client_id": "string",
  "compression": "gzip",
  "compression_level": [],
  "config_yaml": "string",
  "connection_type": [],
  "hash": {
    "hash": "string",
    "random": true
  },
  "headers": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "key": "string",
  "name": "string",
  "partition": "random",
  "password": [],
  "proxy_id": "string",
  "random": {
    "group_events": 42.0
  },
  "required_acks": 1,
  "round_robin": {
    "group_events": 42.0
  },
  "sasl": {
    "mechanism": "PLAIN"
  },
  "secrets": {
    "password": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "timeout": 42.0,
  "topic": "string",
  "type": "kafka",
  "username": [],
  "version": "string"
}
Response examples (200)
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get output

GET /api/fleet/outputs/{outputId}

Get output by ID.

Responses

GET /api/fleet/outputs/{outputId}
curl \
 -X GET https://localhost:5601/api/fleet/outputs/{outputId}
Response examples (200)
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update output

PUT /api/fleet/outputs/{outputId}

Update output by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body object

Any of:

Responses

PUT /api/fleet/outputs/{outputId}
curl \
 -X PUT https://localhost:5601/api/fleet/outputs/{outputId} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "https://example.com"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "preset": "balanced",
  "proxy_id": "string",
  "secrets": {
    "service_token": {
      "id": "string"
    }
  },
  "service_token": "string",
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "remote_elasticsearch"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "config_yaml": "string",
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": true,
  "is_default_monitoring": true,
  "is_internal": true,
  "is_preconfigured": true,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "type": "logstash"
}
# Headers
kbn-xsrf: true

# Payload
{
  "allow_edit": [
    "string"
  ],
  "auth_type": "none",
  "broker_timeout": 42.0,
  "ca_sha256": "string",
  "ca_trusted_fingerprint": "string",
  "client_id": "string",
  "compression": "gzip",
  "compression_level": [],
  "config_yaml": "string",
  "connection_type": [],
  "hash": {
    "hash": "string",
    "random": true
  },
  "headers": [
    {
      "key": "string",
      "value": "string"
    }
  ],
  "hosts": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_default_monitoring": false,
  "is_internal": true,
  "is_preconfigured": true,
  "key": "string",
  "name": "string",
  "partition": "random",
  "password": [],
  "proxy_id": "string",
  "random": {
    "group_events": 42.0
  },
  "required_acks": 1,
  "round_robin": {
    "group_events": 42.0
  },
  "sasl": {
    "mechanism": "PLAIN"
  },
  "secrets": {
    "password": {
      "id": "string"
    },
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "shipper": {
    "compression_level": 42.0,
    "disk_queue_compression_enabled": true,
    "disk_queue_enabled": false,
    "disk_queue_encryption_enabled": true,
    "disk_queue_max_size": 42.0,
    "disk_queue_path": "string",
    "loadbalance": true,
    "max_batch_bytes": 42.0,
    "mem_queue_events": 42.0,
    "queue_flush_timeout": 42.0
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string",
    "verification_mode": "full"
  },
  "timeout": 42.0,
  "topic": "string",
  "type": "kafka",
  "username": [],
  "version": "string"
}
Response examples (200)
{
  "item": {
    "allow_edit": [
      "string"
    ],
    "ca_sha256": "string",
    "ca_trusted_fingerprint": "string",
    "config_yaml": "string",
    "hosts": [
      "https://example.com"
    ],
    "id": "string",
    "is_default": false,
    "is_default_monitoring": false,
    "is_internal": true,
    "is_preconfigured": true,
    "name": "string",
    "preset": "balanced",
    "proxy_id": "string",
    "shipper": {
      "compression_level": 42.0,
      "disk_queue_compression_enabled": true,
      "disk_queue_enabled": false,
      "disk_queue_encryption_enabled": true,
      "disk_queue_max_size": 42.0,
      "disk_queue_path": "string",
      "loadbalance": true,
      "max_batch_bytes": 42.0,
      "mem_queue_events": 42.0,
      "queue_flush_timeout": 42.0
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string",
      "verification_mode": "full"
    },
    "type": "elasticsearch"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete output

DELETE /api/fleet/outputs/{outputId}

Delete output by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/outputs/{outputId}
curl \
 -X DELETE https://localhost:5601/api/fleet/outputs/{outputId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get the latest output health

GET /api/fleet/outputs/{outputId}/health

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • message string Required

      long message if unhealthy

    • state string Required

      state of output, HEALTHY or DEGRADED

    • timestamp string Required

      timestamp of reported state

  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/outputs/{outputId}/health
curl \
 -X GET https://localhost:5601/api/fleet/outputs/{outputId}/health
Response examples (200)
{
  "message": "string",
  "state": "string",
  "timestamp": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get package policies

GET /api/fleet/package_policies

Query parameters

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
    • page number Required
    • perPage number Required
    • total number Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/package_policies
curl \
 -X GET https://localhost:5601/api/fleet/package_policies
Response examples (200)
{
  "items": [
    {
      "agents": 42.0,
      "created_at": "string",
      "created_by": "string",
      "description": "string",
      "elasticsearch": {
        "privileges": {
          "cluster": [
            "string"
          ]
        }
      },
      "enabled": true,
      "id": "string",
      "inputs": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "policy_template": "string",
          "streams": [
            {
              "config": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              },
              "data_stream": {
                "dataset": "string",
                "elasticsearch": {
                  "dynamic_dataset": true,
                  "dynamic_namespace": true,
                  "privileges": {
                    "indices": [
                      "string"
                    ]
                  }
                },
                "type": "string"
              },
              "enabled": true,
              "id": "string",
              "keep_enabled": true,
              "release": "ga",
              "vars": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              }
            }
          ],
          "type": "string",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "is_managed": true,
      "name": "string",
      "namespace": "string",
      "output_id": "string",
      "overrides": {
        "inputs": {}
      },
      "package": {
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "name": "string",
        "requires_root": true,
        "title": "string",
        "version": "string"
      },
      "policy_id": "string",
      "policy_ids": [
        "string"
      ],
      "revision": 42.0,
      "secret_references": [
        {
          "id": "string"
        }
      ],
      "spaceIds": [
        "string"
      ],
      "supports_agentless": false,
      "updated_at": "string",
      "updated_by": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "version": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a package policy

POST /api/fleet/package_policies

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json; Elastic-Api-Version=2023-10-31

Body object

You should use inputs as an object and not use the deprecated inputs array.

Any of:
  • Package policy description

  • enabled boolean
  • force boolean

    Force package policy creation even if package is not verified, or if the agent policy is managed.

  • id string

    Package policy unique identifier

  • inputs array[object] Required
    Hide inputs attributes Show inputs attributes object
    • config object

      Package variable (see integration documentation for more information)

      Hide config attribute Show config attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
    • enabled boolean Required
    • id string
    • streams array[object]
      Hide streams attributes Show streams attributes object
      • config object

        Package variable (see integration documentation for more information)

        Hide config attribute Show config attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • data_stream object Required

        Additional properties are NOT allowed.

        Hide data_stream attributes Show data_stream attributes object
      • enabled boolean Required
      • id string
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        Hide vars attribute Show vars attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      Hide vars attribute Show vars attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
  • is_managed boolean
  • name string Required

    Package policy name (should be unique)

  • The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    Hide overrides attribute Show overrides attribute object | null
    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

    Hide package attributes Show package attributes object
  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    Hide vars attribute Show vars attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 409 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/package_policies
curl \
 -X POST https://localhost:5601/api/fleet/package_policies \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "id": "string",
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  }
}
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (409)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk get package policies

POST /api/fleet/package_policies/_bulk_get

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
POST /api/fleet/package_policies/_bulk_get
curl \
 -X POST https://localhost:5601/api/fleet/package_policies/_bulk_get \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "ids": [
    "string"
  ],
  "ignoreMissing": true
}
Response examples (200)
{
  "items": [
    {
      "agents": 42.0,
      "created_at": "string",
      "created_by": "string",
      "description": "string",
      "elasticsearch": {
        "privileges": {
          "cluster": [
            "string"
          ]
        }
      },
      "enabled": true,
      "id": "string",
      "inputs": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "policy_template": "string",
          "streams": [
            {
              "config": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              },
              "data_stream": {
                "dataset": "string",
                "elasticsearch": {
                  "dynamic_dataset": true,
                  "dynamic_namespace": true,
                  "privileges": {
                    "indices": [
                      "string"
                    ]
                  }
                },
                "type": "string"
              },
              "enabled": true,
              "id": "string",
              "keep_enabled": true,
              "release": "ga",
              "vars": {
                "additionalProperty1": {
                  "frozen": true,
                  "type": "string"
                },
                "additionalProperty2": {
                  "frozen": true,
                  "type": "string"
                }
              }
            }
          ],
          "type": "string",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "is_managed": true,
      "name": "string",
      "namespace": "string",
      "output_id": "string",
      "overrides": {
        "inputs": {}
      },
      "package": {
        "experimental_data_stream_features": [
          {
            "data_stream": "string",
            "features": {
              "doc_value_only_numeric": true,
              "doc_value_only_other": true,
              "synthetic_source": true,
              "tsdb": true
            }
          }
        ],
        "name": "string",
        "requires_root": true,
        "title": "string",
        "version": "string"
      },
      "policy_id": "string",
      "policy_ids": [
        "string"
      ],
      "revision": 42.0,
      "secret_references": [
        {
          "id": "string"
        }
      ],
      "spaceIds": [
        "string"
      ],
      "supports_agentless": false,
      "updated_at": "string",
      "updated_by": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "version": "string"
    }
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}

Get a package policy

GET /api/fleet/package_policies/{packagePolicyId}

Get a package policy by ID.

Query parameters

  • format string

    Values are simplified or legacy.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 404 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
GET /api/fleet/package_policies/{packagePolicyId}
curl \
 -X GET https://localhost:5601/api/fleet/package_policies/{packagePolicyId}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (404)
{
  "message": "string"
}

Update a package policy

PUT /api/fleet/package_policies/{packagePolicyId}

Update a package policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    Values are simplified or legacy.

application/json; Elastic-Api-Version=2023-10-31

Body object

Any of:
  • Package policy description

  • enabled boolean
  • force boolean
  • inputs array[object]
    Hide inputs attributes Show inputs attributes object
    • config object

      Package variable (see integration documentation for more information)

      Hide config attribute Show config attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
    • enabled boolean Required
    • id string
    • streams array[object]
      Hide streams attributes Show streams attributes object
      • config object

        Package variable (see integration documentation for more information)

        Hide config attribute Show config attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • data_stream object Required

        Additional properties are NOT allowed.

        Hide data_stream attributes Show data_stream attributes object
      • enabled boolean Required
      • id string
      • release string

        Values are ga, beta, or experimental.

      • vars object

        Package variable (see integration documentation for more information)

        Hide vars attribute Show vars attribute object
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
    • type string Required
    • vars object

      Package variable (see integration documentation for more information)

      Hide vars attribute Show vars attribute object
      • * object Additional properties

        Additional properties are NOT allowed.

        Hide * attributes Show * attributes object
  • is_managed boolean
  • name string
  • The package policy namespace. Leave blank to inherit the agent policy's namespace.

  • output_id string | null
  • overrides object | null

    Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

    Additional properties are NOT allowed.

    Hide overrides attribute Show overrides attribute object | null
    • inputs object

      Additional properties are allowed.

  • package object

    Additional properties are NOT allowed.

    Hide package attributes Show package attributes object
  • policy_id string | null Deprecated

    Agent policy ID where that package policy will be added

  • policy_ids array[string]

    Agent policy IDs where that package policy will be added

  • supports_agentless boolean | null

    Indicates whether the package policy belongs to an agentless agent policy.

    Default value is false.

  • vars object

    Package variable (see integration documentation for more information)

    Hide vars attribute Show vars attribute object
    • * object Additional properties

      Additional properties are NOT allowed.

      Hide * attributes Show * attributes object
  • version string

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 403 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
PUT /api/fleet/package_policies/{packagePolicyId}
curl \
 -X PUT https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "enabled": true,
  "force": true,
  "inputs": [
    {
      "config": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      },
      "enabled": true,
      "id": "string",
      "keep_enabled": true,
      "policy_template": "string",
      "streams": [
        {
          "config": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          },
          "data_stream": {
            "dataset": "string",
            "elasticsearch": {
              "dynamic_dataset": true,
              "dynamic_namespace": true,
              "privileges": {
                "indices": [
                  "string"
                ]
              }
            },
            "type": "string"
          },
          "enabled": true,
          "id": "string",
          "keep_enabled": true,
          "release": "ga",
          "vars": {
            "additionalProperty1": {
              "frozen": true,
              "type": "string"
            },
            "additionalProperty2": {
              "frozen": true,
              "type": "string"
            }
          }
        }
      ],
      "type": "string",
      "vars": {
        "additionalProperty1": {
          "frozen": true,
          "type": "string"
        },
        "additionalProperty2": {
          "frozen": true,
          "type": "string"
        }
      }
    }
  ],
  "is_managed": true,
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "overrides": {
    "inputs": {}
  },
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {
    "additionalProperty1": {
      "frozen": true,
      "type": "string"
    },
    "additionalProperty2": {
      "frozen": true,
      "type": "string"
    }
  },
  "version": "string"
}
# Headers
kbn-xsrf: true

# Payload
{
  "description": "string",
  "force": true,
  "id": "string",
  "inputs": {
    "additionalProperty1": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    },
    "additionalProperty2": {
      "enabled": true,
      "streams": {
        "additionalProperty1": {
          "enabled": true,
          "vars": {}
        },
        "additionalProperty2": {
          "enabled": true,
          "vars": {}
        }
      },
      "vars": {}
    }
  },
  "name": "string",
  "namespace": "string",
  "output_id": "string",
  "package": {
    "experimental_data_stream_features": [
      {
        "data_stream": "string",
        "features": {
          "doc_value_only_numeric": true,
          "doc_value_only_other": true,
          "synthetic_source": true,
          "tsdb": true
        }
      }
    ],
    "name": "string",
    "requires_root": true,
    "title": "string",
    "version": "string"
  },
  "policy_id": "string",
  "policy_ids": [
    "string"
  ],
  "supports_agentless": false,
  "vars": {}
}
Response examples (200)
{
  "item": {
    "agents": 42.0,
    "created_at": "string",
    "created_by": "string",
    "description": "string",
    "elasticsearch": {
      "privileges": {
        "cluster": [
          "string"
        ]
      }
    },
    "enabled": true,
    "id": "string",
    "inputs": [
      {
        "config": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "enabled": true,
        "id": "string",
        "keep_enabled": true,
        "policy_template": "string",
        "streams": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "data_stream": {
              "dataset": "string",
              "elasticsearch": {
                "dynamic_dataset": true,
                "dynamic_namespace": true,
                "privileges": {
                  "indices": [
                    "string"
                  ]
                }
              },
              "type": "string"
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "release": "ga",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "type": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        }
      }
    ],
    "is_managed": true,
    "name": "string",
    "namespace": "string",
    "output_id": "string",
    "overrides": {
      "inputs": {}
    },
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "revision": 42.0,
    "secret_references": [
      {
        "id": "string"
      }
    ],
    "spaceIds": [
      "string"
    ],
    "supports_agentless": false,
    "updated_at": "string",
    "updated_by": "string",
    "vars": {
      "additionalProperty1": {
        "frozen": true,
        "type": "string"
      },
      "additionalProperty2": {
        "frozen": true,
        "type": "string"
      }
    },
    "version": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
Response examples (403)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a package policy

DELETE /api/fleet/package_policies/{packagePolicyId}

Delete a package policy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/package_policies/{packagePolicyId}
curl \
 -X DELETE https://localhost:5601/api/fleet/package_policies/{packagePolicyId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Bulk delete package policies

POST /api/fleet/package_policies/delete

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

POST /api/fleet/package_policies/delete
curl \
 -X POST https://localhost:5601/api/fleet/package_policies/delete \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "force": true,
  "packagePolicyIds": [
    "string"
  ]
}
Response examples (200)
[
  {
    "body": {
      "message": "string"
    },
    "id": "string",
    "name": "string",
    "output_id": "string",
    "package": {
      "experimental_data_stream_features": [
        {
          "data_stream": "string",
          "features": {
            "doc_value_only_numeric": true,
            "doc_value_only_other": true,
            "synthetic_source": true,
            "tsdb": true
          }
        }
      ],
      "name": "string",
      "requires_root": true,
      "title": "string",
      "version": "string"
    },
    "policy_id": "string",
    "policy_ids": [
      "string"
    ],
    "statusCode": 42.0,
    "success": true
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Upgrade a package policy

POST /api/fleet/package_policies/upgrade

Upgrade a package policy to a newer package version.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/package_policies/upgrade
curl \
 -X POST https://localhost:5601/api/fleet/package_policies/upgrade \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "packagePolicyIds": [
    "string"
  ]
}
Response examples (200)
[
  {
    "body": {
      "message": "string"
    },
    "id": "string",
    "name": "string",
    "statusCode": 42.0,
    "success": true
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Dry run a package policy upgrade

POST /api/fleet/package_policies/upgrade/dryrun

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
    • agent_diff array[array]
      Hide agent_diff attributes Show agent_diff attributes object
      • data_stream object Required

        Additional properties are allowed.

        Hide data_stream attribute Show data_stream attribute object
      • id string Required
      • meta object

        Additional properties are allowed.

        Hide meta attribute Show meta attribute object
        • package object Required

          Additional properties are allowed.

          Hide package attributes Show package attributes object
      • name string Required
      • package_policy_id string Required
      • processors array[object]
        Hide processors attribute Show processors attribute object
        • add_fields object Required

          Additional properties are allowed.

          Hide add_fields attributes Show add_fields attributes object
      • revision number Required
      • streams array[object]
        Hide streams attributes Show streams attributes object
        • data_stream object Required

          Additional properties are allowed.

          Hide data_stream attributes Show data_stream attributes object
        • id string Required
      • type string Required
      • use_output string Required
    • body object

      Additional properties are NOT allowed.

      Hide body attribute Show body attribute object
    • diff array[object]
      Any of:
      Hide attributes Show attributes
      • agents number
      • created_at string Required
      • created_by string Required
      • Package policy description

      • Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string
      • inputs array[object] | object Required

        Any of:
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Any of:

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
    • hasErrors boolean Required
    • name string
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/package_policies/upgrade/dryrun
curl \
 -X POST https://localhost:5601/api/fleet/package_policies/upgrade/dryrun \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "packagePolicyIds": [
    "string"
  ],
  "packageVersion": "string"
}
Response examples (200)
[
  {
    "agent_diff": [
      [
        {
          "data_stream": {
            "namespace": "string"
          },
          "id": "string",
          "meta": {
            "package": {
              "name": "string",
              "version": "string"
            }
          },
          "name": "string",
          "package_policy_id": "string",
          "processors": [
            {
              "add_fields": {
                "fields": {},
                "target": "string"
              }
            }
          ],
          "revision": 42.0,
          "streams": [
            {
              "data_stream": {
                "dataset": "string",
                "type": "string"
              },
              "id": "string"
            }
          ],
          "type": "string",
          "use_output": "string"
        }
      ]
    ],
    "body": {
      "message": "string"
    },
    "diff": [
      {
        "agents": 42.0,
        "created_at": "string",
        "created_by": "string",
        "description": "string",
        "elasticsearch": {
          "privileges": {
            "cluster": [
              "string"
            ]
          }
        },
        "enabled": true,
        "id": "string",
        "inputs": [
          {
            "config": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            },
            "enabled": true,
            "id": "string",
            "keep_enabled": true,
            "policy_template": "string",
            "streams": [
              {
                "config": {
                  "additionalProperty1": {
                    "frozen": true,
                    "type": "string"
                  },
                  "additionalProperty2": {
                    "frozen": true,
                    "type": "string"
                  }
                },
                "data_stream": {
                  "dataset": "string",
                  "elasticsearch": {
                    "dynamic_dataset": true,
                    "dynamic_namespace": true,
                    "privileges": {
                      "indices": [
                        "string"
                      ]
                    }
                  },
                  "type": "string"
                },
                "enabled": true,
                "id": "string",
                "keep_enabled": true,
                "release": "ga",
                "vars": {
                  "additionalProperty1": {
                    "frozen": true,
                    "type": "string"
                  },
                  "additionalProperty2": {
                    "frozen": true,
                    "type": "string"
                  }
                }
              }
            ],
            "type": "string",
            "vars": {
              "additionalProperty1": {
                "frozen": true,
                "type": "string"
              },
              "additionalProperty2": {
                "frozen": true,
                "type": "string"
              }
            }
          }
        ],
        "is_managed": true,
        "name": "string",
        "namespace": "string",
        "output_id": "string",
        "overrides": {
          "inputs": {}
        },
        "package": {
          "experimental_data_stream_features": [
            {
              "data_stream": "string",
              "features": {
                "doc_value_only_numeric": true,
                "doc_value_only_other": true,
                "synthetic_source": true,
                "tsdb": true
              }
            }
          ],
          "name": "string",
          "requires_root": true,
          "title": "string",
          "version": "string"
        },
        "policy_id": "string",
        "policy_ids": [
          "string"
        ],
        "revision": 42.0,
        "secret_references": [
          {
            "id": "string"
          }
        ],
        "spaceIds": [
          "string"
        ],
        "supports_agentless": false,
        "updated_at": "string",
        "updated_by": "string",
        "vars": {
          "additionalProperty1": {
            "frozen": true,
            "type": "string"
          },
          "additionalProperty2": {
            "frozen": true,
            "type": "string"
          }
        },
        "version": "string"
      }
    ],
    "hasErrors": true,
    "name": "string",
    "statusCode": 42.0
  }
]
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get proxies

GET /api/fleet/proxies

Responses

GET /api/fleet/proxies
curl \
 -X GET https://localhost:5601/api/fleet/proxies
Response examples (200)
{
  "items": [
    {
      "certificate": "string",
      "certificate_authorities": "string",
      "certificate_key": "string",
      "id": "string",
      "is_preconfigured": false,
      "name": "string",
      "proxy_headers": {},
      "url": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a proxy

POST /api/fleet/proxies

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

POST /api/fleet/proxies
curl \
 -X POST https://localhost:5601/api/fleet/proxies \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "id": "string",
  "is_preconfigured": false,
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}
Response examples (200)
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a proxy

GET /api/fleet/proxies/{itemId}

Get a proxy by ID.

Responses

GET /api/fleet/proxies/{itemId}
curl \
 -X GET https://localhost:5601/api/fleet/proxies/{itemId}
Response examples (200)
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a proxy

PUT /api/fleet/proxies/{itemId}

Update a proxy by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

PUT /api/fleet/proxies/{itemId}
curl \
 -X PUT https://localhost:5601/api/fleet/proxies/{itemId} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "certificate": "string",
  "certificate_authorities": "string",
  "certificate_key": "string",
  "name": "string",
  "proxy_headers": {},
  "url": "string"
}
Response examples (200)
{
  "item": {
    "certificate": "string",
    "certificate_authorities": "string",
    "certificate_key": "string",
    "id": "string",
    "is_preconfigured": false,
    "name": "string",
    "proxy_headers": {},
    "url": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a proxy

DELETE /api/fleet/proxies/{itemId}

Delete a proxy by ID

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/proxies/{itemId}
curl \
 -X DELETE https://localhost:5601/api/fleet/proxies/{itemId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get Fleet Server hosts

GET /api/fleet/fleet_server_hosts

Responses

GET /api/fleet/fleet_server_hosts
curl \
 -X GET https://localhost:5601/api/fleet/fleet_server_hosts
Response examples (200)
{
  "items": [
    {
      "host_urls": [
        "string"
      ],
      "id": "string",
      "is_default": false,
      "is_internal": true,
      "is_preconfigured": false,
      "name": "string",
      "proxy_id": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a Fleet Server host

POST /api/fleet/fleet_server_hosts

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/fleet_server_hosts
curl \
 -X POST https://localhost:5601/api/fleet/fleet_server_hosts \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "host_urls": [
    "string"
  ],
  "id": "string",
  "is_default": false,
  "is_internal": true,
  "is_preconfigured": false,
  "name": "string",
  "proxy_id": "string"
}
Response examples (200)
{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a Fleet Server host

GET /api/fleet/fleet_server_hosts/{itemId}

Get a Fleet Server host by ID.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/fleet_server_hosts/{itemId}
curl \
 -X GET https://localhost:5601/api/fleet/fleet_server_hosts/{itemId}
Response examples (200)
{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update a Fleet Server host

PUT /api/fleet/fleet_server_hosts/{itemId}

Update a Fleet Server host by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
PUT /api/fleet/fleet_server_hosts/{itemId}
curl \
 -X PUT https://localhost:5601/api/fleet/fleet_server_hosts/{itemId} \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "host_urls": [
    "string"
  ],
  "is_default": true,
  "is_internal": true,
  "name": "string",
  "proxy_id": "string"
}
Response examples (200)
{
  "item": {
    "host_urls": [
      "string"
    ],
    "id": "string",
    "is_default": false,
    "is_internal": true,
    "is_preconfigured": false,
    "name": "string",
    "proxy_id": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Delete a Fleet Server host

DELETE /api/fleet/fleet_server_hosts/{itemId}

Delete a Fleet Server host by ID.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
    • id string Required
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
DELETE /api/fleet/fleet_server_hosts/{itemId}
curl \
 -X DELETE https://localhost:5601/api/fleet/fleet_server_hosts/{itemId} \
 -H "kbn-xsrf: true"
Response examples (200)
{
  "id": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a service token

POST /api/fleet/service_tokens

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json; Elastic-Api-Version=2023-10-31

Body

  • remote boolean

    Default value is false.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
POST /api/fleet/service_tokens
curl \
 -X POST https://localhost:5601/api/fleet/service_tokens \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 -H "kbn-xsrf: true"
Request examples
# Headers
kbn-xsrf: true

# Payload
{
  "remote": false
}
Response examples (200)
{
  "name": "string",
  "value": "string"
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get metadata for latest uninstall tokens

GET /api/fleet/uninstall_tokens

List the metadata for the latest uninstall tokens per agent policy.

Query parameters

  • policyId string

    Partial match filtering for policy IDs

    Maximum length is 50.

  • perPage number

    The number of items to return

    Minimum value is 5.

  • page number

    Minimum value is 1.

Responses

GET /api/fleet/uninstall_tokens
curl \
 -X GET https://localhost:5601/api/fleet/uninstall_tokens
Response examples (200)
{
  "items": [
    {
      "created_at": "string",
      "id": "string",
      "namespaces": [
        "string"
      ],
      "policy_id": "string",
      "policy_name": "string"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get a decrypted uninstall token

GET /api/fleet/uninstall_tokens/{uninstallTokenId}

Get one decrypted uninstall token by its ID.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31
    Hide response attribute Show response attribute object
  • 400 application/json; Elastic-Api-Version=2023-10-31
    Hide response attributes Show response attributes object
GET /api/fleet/uninstall_tokens/{uninstallTokenId}
curl \
 -X GET https://localhost:5601/api/fleet/uninstall_tokens/{uninstallTokenId}
Response examples (200)
{
  "item": {
    "created_at": "string",
    "id": "string",
    "namespaces": [
      "string"
    ],
    "policy_id": "string",
    "policy_name": "string",
    "token": "string"
  }
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}