Query parameters

• per_page number

  The number of rules to return per page.

  Minimum value is 0. Default value is 10.

• page number

  The page number to return.

  Minimum value is 1. Default value is 1.

• search string

  An Elasticsearch simple_query_string query that filters the objects in the response.

• default_search_operator string

  The default operator to use for the simple_query_string.

  Values are OR or AND. Default value is OR.

• search_fields array[string] | string

  The fields to perform the simple_query_string parsed query against.

• sort_field string

  Determines which field is used to sort the results. The field must exist in the attributes key of the response.

• sort_order string

  Determines the sort order.

  Values are asc or desc.

• has_reference object | null

  Filters the rules that have a relation with the reference objects with a specific type and identifier.

  Additional properties are NOT allowed.

  Hide has_reference attributes Show has_reference attributes object | null

  • id string Required
  • type string Required
• fields array[string]

  The fields to return in the attributes key of the response.

• filter string

  A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.

• filter_consumers array[string]

  List of consumers to filter.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attributes Show response attributes object

  • actions array[object] Required
    Hide actions attributes Show actions attributes object

    • alerts_filter object

      Defines a period that limits whether the action runs.

      Additional properties are NOT allowed.

      Hide alerts_filter attributes Show alerts_filter attributes object

      • query object

        Additional properties are NOT allowed.

        Hide query attributes Show query attributes object

        • dsl string

          A filter written in Elasticsearch Query Domain Specific Language (DSL).

        • filters array[object] Required

          A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

          Hide filters attributes Show filters attributes object

          • $state object

            Additional properties are NOT allowed.

            Hide $state attribute Show $state attribute object

            • store string Required

              A filter can be either specific to an application context or applied globally.

              Values are appState or globalState.

          • meta object Required

            Additional properties are allowed.

          • query object

            Additional properties are allowed.

        • kql string Required

          A filter written in Kibana Query Language (KQL).

      • timeframe object

        Additional properties are NOT allowed.

        Hide timeframe attributes Show timeframe attributes object

        • days array[integer] Required

          Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

          Values are 1, 2, 3, 4, 5, 6, or 7.

        • hours object Required

          Additional properties are NOT allowed.

          Hide hours attributes Show hours attributes object

          • end string Required

            The end of the time frame in 24-hour notation (hh:mm).

          • start string Required

            The start of the time frame in 24-hour notation (hh:mm).

        • timezone string Required

          The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

    • connector_type_id string Required

      The type of connector. This property appears in responses but cannot be set in requests.

    • frequency object

      Additional properties are NOT allowed.

      Hide frequency attributes Show frequency attributes object

      • notify_when string Required

        Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

        Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

      • summary boolean Required

        Indicates whether the action is a summary.

      • throttle string | null Required

        The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • group string

      The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

    • id string Required

      The identifier for the connector saved object.

    • params object Required

      The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

      Additional properties are allowed.

    • use_alert_data_for_template boolean

      Indicates whether to use alert data as a template.

    • uuid string

      A universally unique identifier (UUID) for the action.

  • active_snoozes array[string]

    List of active snoozes for the rule.

  • alert_delay object

    Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

    Additional properties are NOT allowed.

    Hide alert_delay attribute Show alert_delay attribute object

    • active number Required

      The number of consecutive runs that must meet the rule conditions.

  • api_key_created_by_user boolean | null

    Indicates whether the API key that is associated with the rule was created by the user.

  • api_key_owner string | null Required

    The owner of the API key that is associated with the rule and used to run background tasks.

  • consumer string Required

    The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

  • created_at string Required

    The date and time that the rule was created.

  • created_by string | null Required

    The identifier for the user that created the rule.

  • enabled boolean Required

    Indicates whether you want to run the rule on an interval basis after it is created.

  • execution_status object Required

    Additional properties are NOT allowed.

    Hide execution_status attributes Show execution_status attributes object

    • error object

      Additional properties are NOT allowed.

      Hide error attributes Show error attributes object

      • message string Required

        Error message.

      • reason string Required

        Reason for error.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

    • last_duration number

      Duration of last execution of the rule.

    • last_execution_date string Required

      The date and time when rule was executed last.

    • status string Required

      Status of rule execution.

      Values are ok, active, error, warning, pending, or unknown.

    • warning object

      Additional properties are NOT allowed.

      Hide warning attributes Show warning attributes object

      • message string Required

        Warning message.

      • reason string Required

        Reason for warning.

        Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

  • flapping object | null

    When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

    Additional properties are NOT allowed.

    Hide flapping attributes Show flapping attributes object | null

    • look_back_window number Required

      The minimum number of runs in which the threshold must be met.

      Minimum value is 2, maximum value is 20.

    • status_change_threshold number Required

      The minimum number of times an alert must switch states in the look back window.

      Minimum value is 2, maximum value is 20.

  • id string Required

    The identifier for the rule.

  • is_snoozed_until string | null

    The date when the rule will no longer be snoozed.

  • last_run object | null

    Additional properties are NOT allowed.

    Hide last_run attributes Show last_run attributes object | null

    • alerts_count object Required

      Additional properties are NOT allowed.

      Hide alerts_count attributes Show alerts_count attributes object

      • active number | null

        Number of active alerts during last run.

      • ignored number | null

        Number of ignored alerts during last run.

      • new number | null

        Number of new alerts during last run.

      • recovered number | null

        Number of recovered alerts during last run.

    • outcome string Required

      Outcome of last run of the rule. Value could be succeeded, warning or failed.

      Values are succeeded, warning, or failed.

    • outcome_msg array[string] | null

      Outcome message generated during last rule run.

    • outcome_order number

      Order of the outcome.

    • warning string | null

      Warning of last rule execution.

      Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

  • mapped_params object

    Additional properties are allowed.

  • monitoring object

    Monitoring details of the rule.

    Additional properties are NOT allowed.

    Hide monitoring attribute Show monitoring attribute object

    • run object Required

      Rule run details.

      Additional properties are NOT allowed.

      Hide run attributes Show run attributes object

      • calculated_metrics object Required

        Calculation of different percentiles and success ratio.

        Additional properties are NOT allowed.

        Hide calculated_metrics attributes Show calculated_metrics attributes object

        • p50 number
        • p95 number
        • p99 number
        • success_ratio number Required
      • history array[object] Required

        History of the rule run.

        Hide history attributes Show history attributes object

        • duration number

          Duration of the rule run.

        • outcome string

          Outcome of last run of the rule. Value could be succeeded, warning or failed.

          Values are succeeded, warning, or failed.

        • success boolean Required

          Indicates whether the rule run was successful.

        • timestamp number Required

          Time of rule run.

      • last_run object Required

        Additional properties are NOT allowed.

        Hide last_run attributes Show last_run attributes object

        • metrics object Required

          Additional properties are NOT allowed.

          Hide metrics attributes Show metrics attributes object

          • duration number

            Duration of most recent rule run.

          • gap_duration_s number | null

            Duration in seconds of rule run gap.

          • gap_range object | null

            Additional properties are NOT allowed.

            Hide gap_range attributes Show gap_range attributes object | null

            • gte string Required

              End of the gap range.

            • lte string Required

              Start of the gap range.

          • total_alerts_created number | null

            Total number of alerts created during last rule run.

          • total_alerts_detected number | null

            Total number of alerts detected during last rule run.

          • total_indexing_duration_ms number | null

            Total time spent indexing documents during last rule run in milliseconds.

          • total_search_duration_ms number | null

            Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

        • timestamp string Required

          Time of the most recent rule run.

  • mute_all boolean Required

    Indicates whether all alerts are muted.

  • muted_alert_ids array[string] Required

    List of identifiers of muted alerts.

  • name string Required

    The name of the rule.

  • next_run string | null

    Date and time of the next run of the rule.

  • notify_when string | null

    Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

  • params object Required

    The parameters for the rule.

    Additional properties are allowed.

  • revision number Required

    The rule revision number.

  • rule_type_id string Required

    The rule type identifier.

  • running boolean | null

    Indicates whether the rule is running.

  • schedule object Required

    Additional properties are NOT allowed.

    Hide schedule attribute Show schedule attribute object

    • interval string Required

      The interval is specified in seconds, minutes, hours, or days.

  • scheduled_task_id string

    Identifier of the scheduled task.

  • snooze_schedule array[object]
    Hide snooze_schedule attributes Show snooze_schedule attributes object

    • duration number Required

      Duration of the rule snooze schedule.

    • id string

      Identifier of the rule snooze schedule.

    • rRule object Required

      Additional properties are NOT allowed.

      Hide rRule attributes Show rRule attributes object

      • byhour array[number] | null

        Indicates hours of the day to recur.

      • byminute array[number] | null

        Indicates minutes of the hour to recur.

      • bymonth array[number] | null

        Indicates months of the year that this rule should recur.

      • bymonthday array[number] | null

        Indicates the days of the month to recur.

      • bysecond array[number] | null

        Indicates seconds of the day to recur.

      • bysetpos array[number] | null

        A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

      • byweekday array[string | number] | null

        Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

      • byweekno array[number] | null

        Indicates number of the week hours to recur.

      • byyearday array[number] | null

        Indicates the days of the year that this rule should recur.

      • count number

        Number of times the rule should recur until it stops.

      • dtstart string Required

        Rule start date in Coordinated Universal Time (UTC).

      • freq integer

        Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

        Values are 0, 1, 2, 3, 4, 5, or 6.

      • interval number

        Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

      • tzid string Required

        Indicates timezone abbreviation.

      • until string

        Recur the rule until this date.

      • wkst string

        Indicates the start of week, defaults to Monday.

        Values are MO, TU, WE, TH, FR, SA, or SU.

    • skipRecurrences array[string]

      Skips recurrence of rule on this date.

  • tags array[string] Required

    The tags for the rule.

  • throttle string | null Deprecated

    Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

  • updated_at string Required

    The date and time that the rule was updated most recently.

  • updated_by string | null Required

    The identifier for the user that updated this rule most recently.

  • view_in_app_relative_url string | null

    Relative URL to view rule in the app.

• 400

  Indicates an invalid schema or parameters.

• 403

  Indicates that this call is forbidden.

Headers

• elastic-api-version string Required

  The version of the API to use

  Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

• serviceName string Required

  The name of the service

Responses

• 200 application/json

  Successful response

  Hide response attribute Show response attribute object

  • agentName string

    Agent name

• 400 application/json

  Bad Request response

  Hide response attributes Show response attributes object

  • error string

    Error type

  • message string

    Error message

  • statusCode number

    Error status code

• 401 application/json

  Unauthorized response

  Hide response attributes Show response attributes object

  • error string

    Error type

  • message string

    Error message

  • statusCode number

    Error status code

• 404 application/json

  Not found response

  Hide response attributes Show response attributes object

  • error string

    Error type

  • message string

    Error message

  • statusCode number

    Error status code

Path parameters

• caseId string Required

  The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attributes Show response attributes object

  • attached_at string(date-time)
  • id string

    The alert identifier.

  • index string

    The alert index.

• 401 application/json

  Authorization information is missing or invalid.

  Hide response attributes Show response attributes object

  • error string
  • message string
  • statusCode integer

Headers

• kbn-xsrf string Required

  Cross-site request forgery protection

Path parameters

• caseId string Required

  The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

• commentId string Required

  The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.

Responses

• 204

  Indicates a successful call.

• 401 application/json

  Authorization information is missing or invalid.

  Hide response attributes Show response attributes object

  • error string
  • message string
  • statusCode integer

Headers

• kbn-xsrf string Required

  Cross-site request forgery protection

Path parameters

• configurationId string Required

  An identifier for the configuration.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attributes Show response attributes object

  • closure_type string

    Indicates whether a case is automatically closed when it is pushed to external systems (close-by-pushing) or not automatically closed (close-by-user).

    Values are close-by-pushing or close-by-user.

  • connector object

    Additional properties are allowed.

    Hide connector attributes Show connector attributes object

    • fields object | null

      The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

      Additional properties are allowed.

    • id string

      The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

    • name string

      The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

    • type string

      The type of connector.

      Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

  • created_at string(date-time)
  • created_by object

    Additional properties are allowed.

    Hide created_by attributes Show created_by attributes object

    • email string | null Required
    • full_name string | null Required
    • profile_uid string
    • username string | null Required
  • customFields array[object]

    Custom fields configuration details.

    Hide customFields attributes Show customFields attributes object

    • defaultValue string | boolean

      A default value for the custom field. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

      One of:

      string-1 string boolean-2 boolean
    • key string

      A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.

      Minimum length is 1, maximum length is 36.

    • label string

      The custom field label that is displayed in the case.

      Minimum length is 1, maximum length is 50.

    • type string

      The type of the custom field.

      Values are text or toggle.

    • required boolean

      Indicates whether the field is required. If false, the custom field can be set to null or omitted when a case is created or updated.

  • error string | null
  • id string
  • mappings array[object]
    Hide mappings attributes Show mappings attributes object

    • action_type string
    • source string
    • target string
  • owner string

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • templates array[object] Technical preview
    Hide templates attributes Show templates attributes object

    • caseFields object

      Additional properties are allowed.

      Hide caseFields attributes Show caseFields attributes object

      • assignees array[object] | null

        An array containing users that are assigned to the case.

        Not more than 10 elements.

        Hide assignees attribute Show assignees attribute object

        • uid string Required

          A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

      • category string

        A word or phrase that categorizes the case.

        Maximum length is 50.

      • connector object

        Additional properties are allowed.

        Hide connector attributes Show connector attributes object

        • fields object | null

          The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to null.

          Additional properties are allowed.

        • id string

          The identifier for the connector. If you do not want a default connector, use none. To retrieve connector IDs, use the find connectors API.

        • name string

          The name of the connector. If you do not want a default connector, use none. To retrieve connector names, use the find connectors API.

        • type string

          The type of connector.

          Values are .cases-webhook, .jira, .none, .resilient, .servicenow, .servicenow-sir, or .swimlane.

      • customFields array[object] Technical preview

        Custom field values in the template.

        Hide customFields attributes Show customFields attributes object

        • key string

          The unique key for the custom field.

        • type string

          The type of the custom field.

          Values are text or toggle.

        • value string | boolean

          The default value for the custom field when a case uses the template. If the type is text, the default value must be a string. If the type is toggle, the default value must be boolean.

          One of:

          string-1 string boolean-2 boolean
      • description string

        The description for the case.

        Maximum length is 30000.

      • settings object

        An object that contains the case settings.

        Additional properties are allowed.

        Hide settings attribute Show settings attribute object

        • syncAlerts boolean Required

          Turns alert syncing on or off.

      • severity string

        The severity of the case.

        Values are critical, high, low, or medium. Default value is low.

      • tags array[string]

        The words and phrases that help categorize cases. It can be an empty array.

        Not more than 200 elements. Maximum length of each is 256.

      • title string

        A title for the case.

        Maximum length is 160.

    • description string

      A description for the template.

    • key string

      A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.

    • name string

      The name of the template.

    • tags array[string]

      The words and phrases that help categorize templates. It can be an empty array.

      Not more than 200 elements. Maximum length of each is 256.

  • updated_at string(date-time) | null
  • updated_by object | null

    Additional properties are allowed.

    Hide updated_by attributes Show updated_by attributes object | null

    • email string | null Required
    • full_name string | null Required
    • profile_uid string
    • username string | null Required
  • version string
• 401 application/json

  Authorization information is missing or invalid.

  Hide response attributes Show response attributes object

  • error string
  • message string
  • statusCode integer

Path parameters

• id string Required

  An identifier for the connector.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attributes Show response attributes object

  • config object

    Additional properties are allowed.

  • connector_type_id string Required

    The connector type identifier.

  • id string Required

    The identifier for the connector.

  • is_deprecated boolean Required

    Indicates whether the connector is deprecated.

  • is_missing_secrets boolean

    Indicates whether the connector is missing secrets.

  • is_preconfigured boolean Required

    Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

  • is_system_action boolean Required

    Indicates whether the connector is used for system actions.

  • name string Required

    The name of the rule.

Headers

• kbn-xsrf string Required

  A required header to protect against CSRF attacks

Path parameters

• id string Required

  An identifier for the connector.

Responses

• 204

  Indicates a successful call.

Query parameters

• type string

  Values are logs, metrics, traces, synthetics, or profiling.

• datasetQuery string
• sortOrder string

  Values are asc or desc. Default value is asc.

• uncategorisedOnly boolean

  Default value is false.

Responses

• 200 application/json
  Hide response attribute Show response attribute object

  • items array[object] Required
    Hide items attribute Show items attribute object

    • name string Required
• 400 application/json
  Hide response attributes Show response attributes object

  • error string
  • message string Required
  • statusCode number

Path parameters

• viewId string Required

  An identifier for the data view.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attribute Show response attribute object

  • data_view object

    Additional properties are allowed.

    Hide data_view attributes Show data_view attributes object

    • allowNoIndex boolean

      Allows the data view saved object to exist before the data is available.

    • fieldAttrs object
      Hide fieldAttrs attribute Show fieldAttrs attribute object

      • * object Additional properties

        A map of field attributes by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object

        • count integer

          Popularity count for the field.

        • customDescription string

          Custom description for the field.

          Maximum length is 300.

        • customLabel string

          Custom label for the field.

    • fieldFormats object

      A map of field formats by field name.

      Additional properties are allowed.

    • fields object

      Additional properties are allowed.

    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • runtimeFieldMap object
      Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object

      • * object Additional properties

        A map of runtime field definitions by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object

        • script object Required

          Additional properties are allowed.

          Hide script attribute Show script attribute object

          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object

      • value string Required
    • timeFieldName string

      The timestamp field name, which you use for time-based data views.

    • title string

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • typeMeta object | null

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Additional properties are allowed.

      Hide typeMeta attributes Show typeMeta attributes object | null

      • aggs object

        A map of rollup restrictions by aggregation type and field name.

        Additional properties are allowed.

      • params object

        Properties for retrieving rollup fields.

        Additional properties are allowed.

    • version string
• 404 application/json

  Object is not found.

  Hide response attributes Show response attributes object

  • error string

    Value is Not Found.

  • message string
  • statusCode integer

    Value is 404.

Headers

• kbn-xsrf string Required

  Cross-site request forgery protection

Path parameters

• viewId string Required

  An identifier for the data view.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attribute Show response attribute object

  • data_view object

    Additional properties are allowed.

    Hide data_view attributes Show data_view attributes object

    • allowNoIndex boolean

      Allows the data view saved object to exist before the data is available.

    • fieldAttrs object
      Hide fieldAttrs attribute Show fieldAttrs attribute object

      • * object Additional properties

        A map of field attributes by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object

        • count integer

          Popularity count for the field.

        • customDescription string

          Custom description for the field.

          Maximum length is 300.

        • customLabel string

          Custom label for the field.

    • fieldFormats object

      A map of field formats by field name.

      Additional properties are allowed.

    • fields object

      Additional properties are allowed.

    • id string
    • name string

      The data view name.

    • namespaces array[string]

      An array of space identifiers for sharing the data view between multiple spaces.

      Default value is default.

    • runtimeFieldMap object
      Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object

      • * object Additional properties

        A map of runtime field definitions by field name.

        Additional properties are allowed.

        Hide * attributes Show * attributes object

        • script object Required

          Additional properties are allowed.

          Hide script attribute Show script attribute object

          • source string

            Script for the runtime field.

        • type string Required

          Mapping type of the runtime field.

    • sourceFilters array[object]

      The array of field names you want to filter out in Discover.

      Hide sourceFilters attribute Show sourceFilters attribute object

      • value string Required
    • timeFieldName string

      The timestamp field name, which you use for time-based data views.

    • title string

      Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).

    • typeMeta object | null

      When you use rollup indices, contains the field list for the rollup data view API endpoints.

      Additional properties are allowed.

      Hide typeMeta attributes Show typeMeta attributes object | null

      • aggs object

        A map of rollup restrictions by aggregation type and field name.

        Additional properties are allowed.

      • params object

        Properties for retrieving rollup fields.

        Additional properties are allowed.

    • version string
• 400 application/json

  Bad request

  Hide response attributes Show response attributes object

  • error string Required
  • message string Required
  • statusCode number Required

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attribute Show response attribute object

  • data_view_id string
• 400 application/json

  Bad request

  Hide response attributes Show response attributes object

  • error string Required
  • message string Required
  • statusCode number Required

Headers

• kbn-xsrf string Required

  Cross-site request forgery protection

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attributes Show response attributes object

  • deleteStatus object

    Additional properties are allowed.

    Hide deleteStatus attributes Show deleteStatus attributes object

    • deletePerformed boolean
    • remainingRefs integer
  • result array[object]
    Hide result attributes Show result attributes object

    • id string

      A saved object identifier.

    • type string

      The saved object type.

Headers

• kbn-xsrf string Required

  A required header to protect against CSRF attacks

Path parameters

• actionId string Required

Responses

• 200 application/json
  Hide response attribute Show response attribute object

  • item object Required

    Additional properties are NOT allowed.

    Hide item attributes Show item attributes object

    • agents array[string]
    • created_at string Required
    • expiration string
    • id string Required
    • minimum_execution_duration number
    • namespaces array[string]
    • rollout_duration_seconds number
    • sent_at string
    • source_uri string
    • start_time string
    • total number
    • type string Required
• 400 application/json
  Hide response attributes Show response attributes object

  • error string
  • message string Required
  • statusCode number