Get an existing saved Timeline or Timeline template

GET /api/timeline/resolve

Query parameters

template_timeline_id string

The ID of the template timeline to resolve
id string

The ID of the timeline to resolve

Responses

200 application/json; Elastic-Api-Version=2023-10-31

The (template) Timeline has been found
Hide response attributes Show response attributes object
- alias_purpose string
  
  Values are savedObjectConversion or savedObjectImport.
- alias_target_id string
- outcome string Required
  
  Values are exactMatch, aliasMatch, or conflict.
- timeline object | null Required
  
  Additional properties are allowed.
  
  Hide timeline attributes Show timeline attributes object | null
  
  columns array[object] | null
  
  Hide columns attributes Show columns attributes object
  
  aggregatable boolean | null
  
  category string | null
  
  columnHeaderType string | null
  
  description string | null
  
  example string | null
  
  id string | null
  
  indexes array[string] | null
  
  name string | null
  
  placeholder string | null
  
  searchable boolean | null
  
  type string | null
  
  created number | null
  
  createdBy string | null
  
  dataProviders array[object] | null
  
  Hide dataProviders attributes Show dataProviders attributes object
  
  and array[object] | null
  
  Hide and attributes Show and attributes object
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Additional properties are allowed.
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider to create. Valid values are default and template.
  
  Values are default or template.
  
  enabled boolean | null
  
  excluded boolean | null
  
  id string | null
  
  kqlQuery string | null
  
  name string | null
  
  queryMatch object | null
  
  Additional properties are allowed.
  
  Hide queryMatch attributes Show queryMatch attributes object | null
  
  displayField string | null
  
  displayValue string | null
  
  field string | null
  
  operator string | null
  
  value string | null | array[string]
  
  One of:
  string-1 string | null array-2 array[string] | null
  
  type string | null
  
  The type of data provider to create. Valid values are default and template.
  
  Values are default or template.
  
  dataViewId string | null
  
  dateRange object | null
  
  Additional properties are allowed.
  
  Hide dateRange attributes Show dateRange attributes object | null
  
  end string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  start string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  description string | null
  
  eqlOptions object | null
  
  Additional properties are allowed.
  
  Hide eqlOptions attributes Show eqlOptions attributes object | null
  
  eventCategoryField string | null
  
  query string | null
  
  size string | null | number
  
  One of:
  string-1 string | null number-2 number | null
  
  tiebreakerField string | null
  
  timestampField string | null
  
  eventType string | null
  
  excludedRowRendererIds array[string] | null
  
  Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.
  
  favorite array[object] | null
  
  Hide favorite attributes Show favorite attributes object
  
  favoriteDate number | null
  
  fullName string | null
  
  userName string | null
  
  filters array[object] | null
  
  Hide filters attributes Show filters attributes object
  
  exists string | null
  
  match_all string | null
  
  meta object | null
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object | null
  
  alias string | null
  
  controlledBy string | null
  
  disabled boolean | null
  
  field string | null
  
  formattedValue string | null
  
  index string | null
  
  key string | null
  
  negate boolean | null
  
  params string | null
  
  type string | null
  
  value string | null
  
  missing string | null
  
  query string | null
  
  range string | null
  
  script string | null
  
  indexNames array[string] | null
  
  kqlMode string | null
  
  kqlQuery object | null
  
  Additional properties are allowed.
  
  Hide kqlQuery attribute Show kqlQuery attribute object | null
  
  filterQuery object | null
  
  Additional properties are allowed.
  
  Hide filterQuery attributes Show filterQuery attributes object | null
  
  kuery object | null
  
  Additional properties are allowed.
  
  Hide kuery attributes Show kuery attributes object | null
  
  expression string | null
  
  kind string | null
  
  serializedQuery string | null
  
  savedQueryId string | null
  
  savedSearchId string | null
  
  sort object | null | array[object]
  
  One of:
  Security_Timeline_API_SortObject object | null array-2 array[object] | null
  
  Hide attributes Show attributes object
  
  columnId string | null
  
  columnType string | null
  
  sortDirection string | null
  
  status string | null
  
  Values are active, draft, or immutable.
  
  templateTimelineId string | null
  
  templateTimelineVersion number | null
  
  timelineType string | null
  
  The type of timeline to create. Valid values are default and template.
  
  Values are default or template.
  
  title string | null
  
  updated number | null
  
  updatedBy string | null
  
  eventIdToNoteIds array[object] | null
  
  Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
  
  created number | null
  
  createdBy string | null
  
  eventId string | null
  
  note string | null
  
  timelineId string Required
  
  updated number | null
  
  updatedBy string | null
  
  noteId string Required
  
  version string Required
  
  noteIds array[string] | null
  
  notes array[object] | null
  
  Hide notes attributes Show notes attributes object
  
  created number | null
  
  createdBy string | null
  
  eventId string | null
  
  note string | null
  
  timelineId string Required
  
  updated number | null
  
  updatedBy string | null
  
  noteId string Required
  
  version string Required
  
  pinnedEventIds array[string] | null
  
  pinnedEventsSaveObject array[object] | null
  
  Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
  
  created number | null
  
  createdBy string | null
  
  eventId string Required
  
  timelineId string Required
  
  updated number | null
  
  updatedBy string | null
  
  pinnedEventId string Required
  
  version string Required
  
  savedObjectId string Required
  
  version string Required
400

The request is missing parameters
404

The (template) Timeline was not found

GET /api/timeline/resolve

curl \
 -X GET https://localhost:5601/api/timeline/resolve

Response examples (200)

{
  "alias_purpose": "savedObjectConversion",
  "alias_target_id": "string",
  "outcome": "exactMatch",
  "timeline": {
    "columns": [
      {
        "aggregatable": true,
        "category": "string",
        "columnHeaderType": "string",
        "description": "string",
        "example": "string",
        "id": "string",
        "indexes": [
          "string"
        ],
        "name": "string",
        "placeholder": "string",
        "searchable": true,
        "type": "string"
      }
    ],
    "created": 42.0,
    "createdBy": "string",
    "dataProviders": [
      {
        "and": [
          {
            "enabled": true,
            "excluded": true,
            "id": "string",
            "kqlQuery": "string",
            "name": "string",
            "queryMatch": {
              "displayField": "string",
              "displayValue": "string",
              "field": "string",
              "operator": "string",
              "value": "string"
            },
            "type": "default"
          }
        ],
        "enabled": true,
        "excluded": true,
        "id": "string",
        "kqlQuery": "string",
        "name": "string",
        "queryMatch": {
          "displayField": "string",
          "displayValue": "string",
          "field": "string",
          "operator": "string",
          "value": "string"
        },
        "type": "default"
      }
    ],
    "dataViewId": "string",
    "dateRange": {
      "end": "string",
      "start": "string"
    },
    "description": "string",
    "eqlOptions": {
      "eventCategoryField": "string",
      "query": "string",
      "size": "string",
      "tiebreakerField": "string",
      "timestampField": "string"
    },
    "eventType": "string",
    "excludedRowRendererIds": [
      "alert"
    ],
    "favorite": [
      {
        "favoriteDate": 42.0,
        "fullName": "string",
        "userName": "string"
      }
    ],
    "filters": [
      {
        "exists": "string",
        "match_all": "string",
        "meta": {
          "alias": "string",
          "controlledBy": "string",
          "disabled": true,
          "field": "string",
          "formattedValue": "string",
          "index": "string",
          "key": "string",
          "negate": true,
          "params": "string",
          "type": "string",
          "value": "string"
        },
        "missing": "string",
        "query": "string",
        "range": "string",
        "script": "string"
      }
    ],
    "indexNames": [
      "string"
    ],
    "kqlMode": "string",
    "kqlQuery": {
      "filterQuery": {
        "kuery": {
          "expression": "string",
          "kind": "string"
        },
        "serializedQuery": "string"
      }
    },
    "savedQueryId": "string",
    "savedSearchId": "string",
    "sort": {
      "columnId": "string",
      "columnType": "string",
      "sortDirection": "string"
    },
    "status": "active",
    "templateTimelineId": "string",
    "templateTimelineVersion": 42.0,
    "timelineType": "default",
    "title": "string",
    "updated": 42.0,
    "updatedBy": "string",
    "eventIdToNoteIds": [
      {
        "created": 42.0,
        "createdBy": "string",
        "eventId": "string",
        "note": "string",
        "timelineId": "string",
        "updated": 42.0,
        "updatedBy": "string",
        "noteId": "string",
        "version": "string"
      }
    ],
    "noteIds": [
      "string"
    ],
    "notes": [
      {
        "created": 42.0,
        "createdBy": "string",
        "eventId": "string",
        "note": "string",
        "timelineId": "string",
        "updated": 42.0,
        "updatedBy": "string",
        "noteId": "string",
        "version": "string"
      }
    ],
    "pinnedEventIds": [
      "string"
    ],
    "pinnedEventsSaveObject": [
      {
        "created": 42.0,
        "createdBy": "string",
        "eventId": "string",
        "timelineId": "string",
        "updated": 42.0,
        "updatedBy": "string",
        "pinnedEventId": "string",
        "version": "string"
      }
    ],
    "savedObjectId": "string",
    "version": "string"
  }
}

Get an existing saved Timeline or Timeline template

Query parameters

Responses

value string | null | array[string]

value string | null | array[string]

end string | null | number

start string | null | number

size string | null | number

sort object | null | array[object]