Get an existing saved Timeline or Timeline template
Query parameters
-
template_timeline_id
string The ID of the template timeline to resolve
-
id
string The ID of the timeline to resolve
GET
/api/timeline/resolve
curl \
--request GET 'http://localhost:5622/api/timeline/resolve' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"alias_purpose": "savedObjectConversion",
"alias_target_id": "string",
"outcome": "exactMatch",
"timeline": {
"columns": [
{
"id": "@timestamp",
"columnHeaderType": "not-filtered"
},
{
"id": "event.category",
"columnHeaderType": "not-filtered"
}
],
"created": 1587468588922,
"createdBy": "casetester",
"dataProviders": [
{
"id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
"enabled": true,
"excluded": false,
"queryMatch": {
"field": "_id,",
"value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
"operator": ":"
}
}
],
"dataViewId": "security-solution-default",
"dateRange": {
"end": 1587456479201,
"start": 1587370079200
},
"description": "Investigating exposure of CVE XYZ",
"eqlOptions": {
"size": 100,
"query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
"timestampField": "@timestamp",
"eventCategoryField": "event.category"
},
"eventType": "all",
"excludedRowRendererIds": [
"alert"
],
"favorite": [
{
"userName": "elastic",
"favoriteDate": 1741337636741
}
],
"filters": [
{
"meta": {
"key": "@timestamp",
"type": "exists",
"alias": "Custom filter name",
"index": ".alerts-security.alerts-default,logs-*",
"value": "exists",
"negate": "false,",
"disabled": false
},
"query": "{\"exists\":{\"field\":\"@timestamp\"}}"
}
],
"indexNames": [
".logs*"
],
"kqlMode": "search",
"kqlQuery": {
"kuery": {
"kind": "kuery",
"expression": "_id : *"
},
"filterQuery": null,
"serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
},
"savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
"savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"sort": {
"columnId": "@timestamp",
"sortDirection": "desc"
},
"status": "active",
"templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
"templateTimelineVersion": 12,
"timelineType": "default",
"title": "CVE XYZ investigation",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventIdToNoteIds": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
"version": "WzQ2LDFd"
}
],
"noteIds": [
"string"
],
"notes": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"note": "This is an example text",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
"version": "WzQ2LDFd"
}
],
"pinnedEventIds": [
"string"
],
"pinnedEventsSaveObject": [
{
"created": 1587468588922,
"createdBy": "casetester",
"updated": 1741344876825,
"updatedBy": "casetester",
"eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
"timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
"version": "WzQ2LDFe"
}
],
"savedObjectId": "string",
"version": "string"
}
}