Reset an SLO

Get the rule types

GET /api/alerting/rule_types

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- action_groups array[object]
  
  An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.
  
  Hide action_groups attributes Show action_groups attributes object
  
  id string
  
  name string
- action_variables object
  
  A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.
  
  Hide action_variables attributes Show action_variables attributes object
  
  context array[object]
  
  Hide context attributes Show context attributes object
  
  description string
  
  name string
  
  useWithTripleBracesInTemplates boolean
  
  params array[object]
  
  Hide params attributes Show params attributes object
  
  description string
  
  name string
  
  state array[object]
  
  Hide state attributes Show state attributes object
  
  description string
  
  name string
- alerts object
  
  Details for writing alerts as data documents for this rule type.
  
  Hide alerts attributes Show alerts attributes object
  
  context string
  
  The namespace for this rule type.
  
  Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.
  
  dynamic string
  
  Indicates whether new fields are added dynamically.
  
  Values are false, runtime, strict, or true.
  
  isSpaceAware boolean
  
  Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.
  
  mappings object
  
  Hide mappings attribute Show mappings attribute object
  
  fieldMap object
  
  Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.
  
  Hide fieldMap attribute Show fieldMap attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  array boolean
  
  Indicates whether the field is an array.
  
  dynamic boolean
  
  Indicates whether it is a dynamic field mapping.
  
  format string
  
  Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.
  
  ignore_above integer
  
  Specifies the maximum length of a string field. Longer strings are not indexed or stored.
  
  index boolean
  
  Indicates whether field values are indexed.
  
  path string
  
  TBD
  
  properties object
  
  Details about the object properties. This property is applicable when type is object.
  
  Hide properties attribute Show properties attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string
  
  The data type for each object property.
  
  required boolean
  
  Indicates whether the field is required.
  
  scaling_factor integer
  
  The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.
  
  type string
  
  Specifies the data type for the field.
  
  secondaryAlias string
  
  A secondary alias. It is typically used to support the signals alias for detection rules.
  
  shouldWrite boolean
  
  Indicates whether the rule should write out alerts as data.
  
  useEcs boolean
  
  Indicates whether to include the ECS component template for the alerts.
  
  useLegacyAlerts boolean
  
  Indicates whether to include the legacy component template for the alerts.
  
  Default value is false.
- authorized_consumers object
  
  The list of the plugins IDs that have access to the rule type.
  
  Hide authorized_consumers attributes Show authorized_consumers attributes object
  
  alerts object
  
  Hide alerts attributes Show alerts attributes object
  
  all boolean
  
  read boolean
  
  apm object
  
  Hide apm attributes Show apm attributes object
  
  all boolean
  
  read boolean
  
  discover object
  
  Hide discover attributes Show discover attributes object
  
  all boolean
  
  read boolean
  
  infrastructure object
  
  Hide infrastructure attributes Show infrastructure attributes object
  
  all boolean
  
  read boolean
  
  logs object
  
  Hide logs attributes Show logs attributes object
  
  all boolean
  
  read boolean
  
  ml object
  
  Hide ml attributes Show ml attributes object
  
  all boolean
  
  read boolean
  
  monitoring object
  
  Hide monitoring attributes Show monitoring attributes object
  
  all boolean
  
  read boolean
  
  siem object
  
  Hide siem attributes Show siem attributes object
  
  all boolean
  
  read boolean
  
  slo object
  
  Hide slo attributes Show slo attributes object
  
  all boolean
  
  read boolean
  
  stackAlerts object
  
  Hide stackAlerts attributes Show stackAlerts attributes object
  
  all boolean
  
  read boolean
  
  uptime object
  
  Hide uptime attributes Show uptime attributes object
  
  all boolean
  
  read boolean
- category string
  
  The rule category, which is used by features such as category-specific maintenance windows.
  
  Values are management, observability, or securitySolution.
- default_action_group_id string
  
  The default identifier for the rule type group.
- does_set_recovery_context boolean
  
  Indicates whether the rule passes context variables to its recovery action.
- enabled_in_license boolean
  
  Indicates whether the rule type is enabled or disabled based on the subscription.
- has_alerts_mappings boolean
  
  Indicates whether the rule type has custom mappings for the alert data.
- has_fields_for_a_a_d boolean
- id string
  
  The unique identifier for the rule type.
- is_exportable boolean
  
  Indicates whether the rule type is exportable in Stack Management > Saved Objects.
- minimum_license_required string
  
  The subscriptions required to use the rule type.
- name string
  
  The descriptive name of the rule type.
- producer string
  
  An identifier for the application that produces this rule type.
- recovery_action_group object
  
  An action group to use when an alert goes from an active state to an inactive one.
  
  Hide recovery_action_group attributes Show recovery_action_group attributes object
  
  id string
  
  name string
- rule_task_timeout string
401 application/json; Elastic-Api-Version=2023-10-31

Authorization information is missing or invalid.
Hide response attributes Show response attributes object
- error string
  
  Value is Unauthorized.
- message string
- statusCode integer
  
  Value is 401.

GET /api/alerting/rule_types

curl \
 --request GET 'http://localhost:5622/api/alerting/rule_types' \
 --header "Authorization: $API_KEY"

Response examples (200)

[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]

Response examples (401)

{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Create a rule

POST /api/alerting/rule/{id}

Api key auth Basic auth

Headers

elastic-api-version string

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule. If it is omitted, an ID is randomly generated.

application/json; Elastic-Api-Version=2023-10-31

Body

actions array[object]

An action that runs under defined conditions.

Default value is [] (empty).
Hide actions attributes Show actions attributes object
- alerts_filter object
  
  Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
  
  Additional properties are NOT allowed.
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
- frequency object
  
  Additional properties are NOT allowed.
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
- id string Required
  
  The identifier for the connector saved object.
- params object
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Default value is {} (empty). Additional properties are allowed.
- use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
- uuid string
  
  A universally unique identifier (UUID) for the action.
alert_delay object

Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

Additional properties are NOT allowed.
Hide alert_delay attribute Show alert_delay attribute object
- active number Required
  
  The number of consecutive runs that must meet the rule conditions.
consumer string Required

The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
enabled boolean

Indicates whether you want to run the rule on an interval basis after it is created.

Default value is true.
flapping object | null

When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

Additional properties are NOT allowed.
Hide flapping attributes Show flapping attributes object | null
- look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
- status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
name string Required

The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when string | null

Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
rule_type_id string Required

The rule type identifier.
schedule object Required

The check interval, which specifies how frequently the rule conditions are checked.

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
tags array[string]

The tags for the rule.

Default value is [] (empty).
throttle string | null

Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
params object

The parameters for the rule.
Any of:
params_property_apm_anomaly object params_property_apm_error_count object params_property_apm_transaction_duration object params_property_apm_transaction_error_rate object params_es_query_dsl_rule object params_es_query_esql_rule object params_es_query_kql_rule object params_index_threshold_rule object params_property_infra_inventory object Count object Ratio object params_property_infra_metric_threshold object params_property_slo_burn_rate object params_property_synthetics_uptime_tls object params_property_synthetics_monitor_status object
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

anomalySeverityType string Required

The anomaly threshold value

Values are critical, major, minor, or warning.
Hide attributes Show attributes

serviceName string

The service name from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

threshold number Required

The error count threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.name, or error.grouping_key. Default value is ["service.name", "service.environment"].

errorGroupingKey string
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

transactionName string

The transaction name from APM

windowSize number Required

The window size

windowUnit string Required

ç

Values are m, h, or d.

environment string Required

threshold number Required

The latency threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].

aggregationType string Required

Values are avg, 95th, or 99th.
Hide attributes Show attributes

serviceName string

The service name from APM

transactionType string

The transaction type from APM

transactionName string

The transaction name from APM

windowSize number Required

The window size

windowUnit string Required

The window size unit

Values are m, h, or d.

environment string Required

The environment from APM

threshold number Required

The error rate threshold value

groupBy array[string]

Values are service.name, service.environment, transaction.type, or transaction.name. Default value is ["service.name", "service.environment", "transaction.type"].
An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esQuery string Required

The query definition, which uses Elasticsearch Query DSL.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] | string Required

The indices to query.

One of:
array-1 array[string] string-2 string

searchType string

The type of query, in this case a query that uses Elasticsearch Query DSL.

Value is esQuery. Default value is esQuery.

size integer

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

esqlQuery object Required

Hide esqlQuery attribute Show esqlQuery attribute object

esql string Required

The query definition, which uses Elasticsearch Query Language.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchType string Required

The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).

Value is esqlQuery.

size integer Required

When searchType is esqlQuery, this property is required but it does not affect the rule behavior.

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. When searchType is esqlQuery, this property is required and must be set to zero.

Minimum value of each is 0, maximum value of each is 0.

thresholdComparator string Required

The comparison function for the threshold. When searchType is esqlQuery, this property is required and must be set to ">". Since the threshold value must be 0, the result is that an alert occurs whenever the query returns results.

Value is >.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when rule_type_id is .es-query.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

excludeHitsFromPreviousRun boolean

Indicates whether to exclude matches from previous runs. If true, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

searchConfiguration object

The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.

Hide searchConfiguration attributes Show searchConfiguration attributes object

filter array[object]

A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

Hide filter attributes Show filter attributes object

meta object

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

$state object

index string | array[string]

The indices to query.

One of:
string-1 string array-2 array[string]

query object

Hide query attributes Show query attributes object

language string

query string

searchType string Required

The type of query, in this case a text-based query that uses KQL or Lucene.

Value is searchSource.

size integer Required

The number of documents to pass to the configured actions when the threshold condition is met.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when rule_type_id is .index-threshold.
Hide attributes Show attributes

aggField string

The name of the numeric field that is used in the aggregation. This property is required when aggType is avg, max, min or sum.

aggType string

The type of aggregation to perform.

Values are avg, count, max, min, or sum. Default value is count.

filterKuery string

A KQL expression thats limits the scope of alerts.

groupBy string

Indicates whether the aggregation is applied over all documents (all) or split into groups (top) using a grouping field (termField). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to termSize number of groups) are checked.

Values are all or top. Default value is all.

index array[string] Required

The indices to query.

termField string | array[string]

The names of up to four fields that are used for grouping the aggregation. This property is required when groupBy is top.

One of:
string-1 string array-2 array[string]

termSize integer

This property is required when groupBy is top. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.

threshold array[integer] Required

The threshold value that is used with the thresholdComparator. If the thresholdComparator is between or notBetween, you must specify the boundary values.

thresholdComparator string Required

The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".

Values are >, >=, <, <=, between, or notBetween.

timeField string Required

The field that is used to calculate the time window.

timeWindowSize integer Required

The size of the time window (in timeWindowUnit units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.

timeWindowUnit string Required

The type of units for the time window: seconds, minutes, hours, or days.

Values are s, m, h, or d.
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

metric string

Values are count, cpu, diskLatency, load, memory, memoryTotal, tx, rx, logRate, diskIOReadBytes, diskIOWriteBytes, s3TotalRequests, s3NumberOfObjects, s3BucketSize, s3DownloadBytes, s3UploadBytes, rdsConnections, rdsQueriesExecuted, rdsActiveTransactions, rdsLatency, sqsMessagesVisible, sqsMessagesDelayed, sqsMessagesSent, sqsMessagesEmpty, sqsOldestMessage, or custom.

timeSize number

timeUnit string

Values are s, m, h, or d.

sourceId string

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

customMetric object

Hide customMetric attributes Show customMetric attributes object

type string

Value is custom.

field string

aggregation string

Values are avg, max, min, or rate.

id string

label string

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

filterQuery string

filterQueryText string

nodeType string

Values are host, pod, container, awsEC2, awsS3, awsSQS, or awsRDS.

sourceId string

alertOnNoData boolean
Hide attributes Show attributes

criteria array[object]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[array]

Hide criteria attributes Show criteria attributes object

field string

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number | string

One of:
number-1 number string-2 string

count object Required

Hide count attributes Show count attributes object

comparator string

Values are more than, more than or equals, less than, less than or equals, equals, does not equal, matches, does not match, matches phrase, or does not match phrase.

value number

timeSize number Required

timeUnit string Required

Values are s, m, h, or d.

logView object Required

Hide logView attributes Show logView attributes object

logViewId string

type string

Value is log-view-reference.

groupBy array[string]
Hide attributes Show attributes

criteria array[object]

One of:
non count criterion object count criterion object custom criterion object

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

metric string

aggType string

Values are avg, max, min, cardinality, rate, count, sum, p95, p99, or custom.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is count.

Hide attributes Show attributes

threshold array[number]

comparator string

Values are <, <=, >, >=, between, or outside.

timeUnit string

timeSize number

warningThreshold array[number]

warningComparator string

Values are <, <=, >, >=, between, or outside.

aggType string

Value is custom.

customMetric array[object]

One of:
object-1 object object-2 object

Hide attributes Show attributes

name string

aggType string

Values are avg, sum, max, min, or cardinality.

field string

equation string

label string

groupBy string | array[string]

One of:
string-1 string array-2 array[string]

filterQuery string

sourceId string

alertOnNoData boolean

alertOnGroupDisappear boolean
Hide attributes Show attributes

sloId string

The SLO identifier used by the rule

burnRateThreshold number

The burn rate threshold used to trigger the alert

maxBurnRateThreshold number

The maximum burn rate threshold value defined by the SLO error budget

longWindow object

The duration of the long window used to compute the burn rate

Hide longWindow attributes Show longWindow attributes object

value number

The duration value

unit string

The duration unit

shortWindow object

The duration of the short window used to compute the burn rate

Hide shortWindow attributes Show shortWindow attributes object

value number

The duration value

unit string

The duration unit
Hide attributes Show attributes

search string

certExpirationThreshold number

certAgeThreshold number
Hide attributes Show attributes

availability object

Hide availability attributes Show availability attributes object

range number

rangeUnit string

threshold string

filters string | object

One of:
string-1 string object-2 object Deprecated

locations array[string] Deprecated

numTimes number Required

search string

shouldCheckStatus boolean Required

shouldCheckAvailability boolean Required

timerangeCount number

timerangeUnit string

timerange object Deprecated

Hide timerange attributes Show timerange attributes object Deprecated

from string

to string

version number

isAutoGenerated boolean

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
409

Indicates that the rule id is already in use.

POST /api/alerting/rule/{id}

curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true"

Request examples

Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query ESQL rule",
  "params": {
    "size": 0,
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActiveAlert"
      }
    }
  ],
  "consumer": "stackAlerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.

{
  "name": "my Elasticsearch query rule",
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      }
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1d"
  },
  "rule_type_id": ".es-query"
}

Create an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "name": "my Elasticsearch query KQL rule",
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "rule_type_id": ".es-query"
}

Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.

{
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "consumer": "alerts",
  "schedule": {
    "interval": "1m"
  },
  "alert_delay": {
    "active": 3
  },
  "rule_type_id": ".index-threshold"
}

Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.

{
  "name": "my tracking rule",
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField\"": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "consumer": "alerts",
  "schedule": {
    "interval": "1h"
  },
  "rule_type_id": ".geo-containment"
}

Response examples (200)

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).

{
  "id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "name": "my Elasticsearch query ESQL rule",
  "tags": [],
  "params": {
    "size": 0,
    "aggType": "count",
    "groupBy": "all",
    "esqlQuery": {
      "esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
    },
    "threshold": [
      0
    ],
    "timeField": "@timestamp",
    "searchType": "esqlQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun\"": "true,"
  },
  "actions": [
    {
      "id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
      "uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActiveAlert"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "stackAlerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-11-01T19:00:10.453Z",
  "created_by": "elastic",
  "updated_at": "2023-11-01T19:00:10.453Z",
  "updated_by": "elastic\",",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-11-01T19:00:10.453Z"
  },
  "scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).

{
  "id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "name": "my Elasticsearch query rule",
  "tags": [],
  "params": {
    "size": 100,
    "index": [
      "kibana_sample_data_logs"
    ],
    "aggType": "count",
    "esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
    "groupBy": "all",
    "threshold": [
      100
    ],
    "timeField": "@timestamp",
    "searchType": "esQuery",
    "timeWindowSize": 1,
    "timeWindowUnit": "d",
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
      "group": "query matched",
      "params": {
        "level": "info",
        "message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
      },
      "frequency": {
        "summary": true,
        "throttle": "1d",
        "notify_when": "onThrottleInterval"
      },
      "connector_type_id": ".server-log"
    },
    {
      "id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
      "uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
      "group": "recovered",
      "params": {
        "level": "info",
        "message": "Recovered"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1d"
  },
  "throttle": null,
  "created_at": "2023-08-22T00:03:38.263Z",
  "created_by": "elastic",
  "updated_at": "2023-08-22T00:03:38.263Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-08-22T00:03:38.263Z"
  },
  "scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
  "api_key_created_by_user": false
}

The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).

{
  "id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "name": "my Elasticsearch query KQL rule\"",
  "tags": [],
  "params": {
    "size": 100,
    "aggType": "count",
    "groupBy": "all",
    "threshold": [
      1000
    ],
    "searchType": "searchSource",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "searchConfiguration": {
      "index": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "query": {
        "query": "\"\"geo.src : \"US\" \"\"",
        "language": "kuery"
      }
    },
    "thresholdComparator": ">",
    "excludeHitsFromPreviousRun": true
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2023-07-14T20:24:50.729Z",
  "created_by": "elastic",
  "updated_at": "2023-07-14T20:24:50.729Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".es-query",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2023-07-14T20:24:50.729Z"
  },
  "scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
  "api_key_created_by_user": false
}

The response for successfully creating an index threshold rule.

{
  "id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
  "name": "my rule",
  "tags": [
    "cpu"
  ],
  "params": {
    "index": [
      ".test-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "mute_all": false,
  "revision": 0,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2022-06-08T17:20:31.632Z",
  "created_by": "elastic",
  "updated_at": "2022-06-08T17:20:31.632Z",
  "updated_by": "elastic",
  "alert_delay": {
    "active": 3
  },
  "notify_when": null,
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "pending",
    "last_execution_date": "2022-06-08T17:20:31.632Z"
  },
  "scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
  "api_key_created_by_user": false
}

The response for successfully creating a tracking containment rule.

{
  "id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "name": "my tracking rule",
  "tags": [],
  "params": {
    "index": "kibana_sample_data_logs",
    "entity": "agent.keyword",
    "indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
    "geoField": "geo.coordinates",
    "dateField": "@timestamp",
    "boundaryType": "entireIndex",
    "boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexTitle": "boundary*"
  },
  "actions": [],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    },
    "outcome_order": 0
  },
  "mute_all": false,
  "next_run": "2024-02-15T03:26:38.033Z",
  "revision": 1,
  "schedule": {
    "interval": "1h"
  },
  "throttle": null,
  "created_at": "2024-02-14T19:52:55.920Z",
  "created_by": "elastic",
  "updated_at": "2024-02-15T03:24:32.574Z",
  "updated_by": "elastic",
  "notify_when": null,
  "rule_type_id": ".geo-containment",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 74,
    "last_execution_date": "2024-02-15T03:25:38.125Z"
  },
  "scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
  "api_key_created_by_user": false
}

Create a data view

POST /api/data_views/data_view

Api key auth Basic auth

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json; Elastic-Api-Version=2023-10-31

Body Required

data_view object Required

The data view object.
Hide data_view attributes Show data_view attributes object
- allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
- fieldAttrs object
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
- fieldFormats object
  
  A map of field formats by field name.
- fields object
- id string
- name string
  
  The data view name.
- namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
- runtimeFieldMap object
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
- sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
- timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
- title string Required
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
- type string
  
  When set to rollup, identifies the rollup data views.
- typeMeta object
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  Hide typeMeta attributes Show typeMeta attributes object
  
  aggs object Required
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object Required
  
  Properties for retrieving rollup fields.
- version string
override boolean

Override an existing data view if a data view with the provided title already exists.

Default value is false.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view object
  
  Hide data_view attributes Show data_view attributes object
  
  allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
  
  fieldAttrs object
  
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
  
  fieldFormats object
  
  A map of field formats by field name.
  
  fields object
  
  id string
  
  name string
  
  The data view name.
  
  namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
  
  runtimeFieldMap object
  
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
  
  sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
  
  timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
  
  title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
  
  typeMeta object | null
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  
  Hide typeMeta attributes Show typeMeta attributes object | null
  
  aggs object
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object
  
  Properties for retrieving rollup fields.
  
  version string
400 application/json; Elastic-Api-Version=2023-10-31

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/data_views/data_view

curl \
 --request POST 'http://localhost:5622/api/data_views/data_view' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" \
 --header "kbn-xsrf: string"

Request example

{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}

Response examples (200)

{
  "data_view": {
    "allowNoIndex": true,
    "fieldAttrs": {
      "additionalProperty1": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      },
      "additionalProperty2": {
        "count": 42,
        "customDescription": "string",
        "customLabel": "string"
      }
    },
    "fieldFormats": {},
    "fields": {},
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "string",
    "namespaces": [
      "default"
    ],
    "runtimeFieldMap": {
      "additionalProperty1": {
        "script": {
          "source": "string"
        },
        "type": "string"
      },
      "additionalProperty2": {
        "script": {
          "source": "string"
        },
        "type": "string"
      }
    },
    "sourceFilters": [
      {
        "value": "string"
      }
    ],
    "timeFieldName": "string",
    "title": "string",
    "typeMeta": {
      "aggs": {},
      "params": {}
    },
    "version": "WzQ2LDJd"
  }
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Delete a data view

DELETE /api/data_views/data_view/{viewId}

Api key auth Basic auth

WARNING: When you delete a data view, it cannot be recovered.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

viewId string Required

An identifier for the data view.

Responses

204

Indicates a successful call.
404 application/json; Elastic-Api-Version=2023-10-31

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

DELETE /api/data_views/data_view/{viewId}

curl \
 --request DELETE 'http://localhost:5622/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Response examples (404)

{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Bulk get assets

POST /api/fleet/epm/bulk_assets

Api key auth Basic auth

application/json; Elastic-Api-Version=2023-10-31

Body

assetIds array[object] Required

list of items necessary to fetch assets
Hide assetIds attributes Show assetIds attributes object
- id string
- type string

Responses

200 application/json; Elastic-Api-Version=2023-10-31

OK
Hide response attribute Show response attribute object Deprecated
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  appLink string
  
  attributes object
  
  Hide attributes attributes Show attributes attributes object
  
  description string
  
  title string
  
  id string
  
  type string
  
  One of:
  string-1 string string-2 string
  
  Values are dashboard, visualization, search, index_pattern, map, lens, security_rule, csp_rule_template, ml_module, tag, osquery_pack_asset, or osquery_saved_query.
  
  updatedAt string
400 application/json; Elastic-Api-Version=2023-10-31

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/fleet/epm/bulk_assets

curl \
 --request POST 'http://localhost:5622/api/fleet/epm/bulk_assets' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request examples

{
  "assetIds": [
    {
      "id": "string",
      "type": "string"
    }
  ]
}

Response examples (200)

{
  "items": [
    {
      "appLink": "string",
      "attributes": {
        "description": "string",
        "title": "string"
      },
      "id": "string",
      "type": "dashboard",
      "updatedAt": "string"
    }
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get file information

GET /api/endpoint/action/{action_id}/file/{file_id}

Api key auth Basic auth

Get information for the specified file using the file ID.

Path parameters

action_id string Required
file_id string Required

Responses

200 application/json; Elastic-Api-Version=2023-10-31

OK

GET /api/endpoint/action/{action_id}/file/{file_id}

curl \
 --request GET 'http://localhost:5622/api/endpoint/action/{action_id}/file/{file_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{}

Create rule exception items

POST /api/detection_engine/rules/{id}/exceptions

Api key auth Basic auth

Create exception items that apply to a single detection rule.

Path parameters

id string(uuid) Required

Detection rule's identifier

application/json; Elastic-Api-Version=2023-10-31

Body Required

Rule exception items.

items array[object] Required
Hide items attributes Show items attributes object
- comments array[object]
  
  Default value is [] (empty).
  Hide comments attribute Show comments attribute object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
- item_id string(nonempty)
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1. Default value is [] (empty).
- type string Required
  
  Value is simple.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful response
Hide response attributes Show response attributes object
- _version string
  
  The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
- comments array[object] Required
  
  Array of comment fields:
  
  comment (string): Comments about the exception item.
  
  Hide comments attributes Show comments attributes object
  
  comment string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  created_at string(date-time) Required
  
  Autogenerated date of object creation.
  
  created_by string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updated_at string(date-time)
  
  Autogenerated date of last object update.
  
  updated_by string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- created_at string(date-time) Required
  
  Autogenerated date of object creation.
- created_by string Required
  
  Autogenerated value - user that created object.
- description string Required
  
  Describes the exception list.
- entries array[object] Required
  
  Any of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  list object Required
  
  Hide list attributes Show list attributes object
  
  id string(nonempty) Required
  
  Value list's identifier.
  
  Minimum length is 1.
  
  type string Required
  
  Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
  
  keyword: Many ECS fields are Elasticsearch keywords
  
  ip: IP addresses
  
  ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
  
  Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is list.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is exists.
  
  Hide attributes Show attributes
  
  entries array[object] Required
  
  At least 1 element.
  
  One of:
  Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryExists object
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is match_any.
  
  value array[string(nonempty)] Required
  
  A string that does not contain only whitespace characters
  
  At least 1 element. Minimum length of each is 1.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required
  
  Value is exists.
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  type string Required Discriminator
  
  Value is nested.
  
  Hide attributes Show attributes
  
  field string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  operator string Required
  
  Values are excluded or included.
  
  type string Required Discriminator
  
  Value is wildcard.
  
  value string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
- expire_time string(date-time)
  
  The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
- id string(nonempty) Required
  
  Exception's identifier.
  
  Minimum length is 1.
- item_id string(nonempty) Required
  
  Human readable string identifier, e.g. trusted-linux-processes
  
  Minimum length is 1.
- list_id string(nonempty) Required
  
  Exception list's human readable string identifier, e.g. trusted-linux-processes.
  
  Minimum length is 1.
- meta object
  
  Additional properties are allowed.
- name string(nonempty) Required
  
  Exception list name.
  
  Minimum length is 1.
- namespace_type string Required
  
  Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
  
  single: Only available in the Kibana space in which it is created.
  
  agnostic: Available in all Kibana spaces.
  
  Values are agnostic or single. Default value is single.
- os_types array[string]
  
  Use this field to specify the operating system.
  
  Values are linux, macos, or windows. Default value is [] (empty).
- tags array[string(nonempty)]
  
  String array containing words and phrases to help categorize exception items.
  
  Minimum length of each is 1. Default value is [] (empty).
- tie_breaker_id string Required
  
  Field used in search to ensure all containers are sorted and returned correctly.
- type string Required
  
  Value is simple.
- updated_at string(date-time) Required
  
  Autogenerated date of last object update.
- updated_by string Required
  
  Autogenerated value - user that last updated object.
400 application/json; Elastic-Api-Version=2023-10-31

Invalid input data response
One of:
Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
Hide attributes Show attributes

error string Required

message string Required

statusCode integer Required
Hide attributes Show attributes

message string Required

status_code integer Required
401 application/json; Elastic-Api-Version=2023-10-31

Unsuccessful authentication response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
403 application/json; Elastic-Api-Version=2023-10-31

Not enough privileges response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
500 application/json; Elastic-Api-Version=2023-10-31

Internal server error response
Hide response attributes Show response attributes object
- message string Required
- status_code integer Required

POST /api/detection_engine/rules/{id}/exceptions

curl \
 --request POST 'http://localhost:5622/api/detection_engine/rules/330bdd28-eedf-40e1-bed0-f10176c7f9e0/exceptions' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request example

{
  "items": [
    {
      "name": "Sample Exception List Item",
      "tags": [
        "malware"
      ],
      "type": "simple",
      "entries": [
        {
          "type": "exists",
          "field": "actingProcess.file.signer",
          "operator": "excluded"
        },
        {
          "type": "match_any",
          "field": "host.name",
          "value": [
            "saturn",
            "jupiter"
          ],
          "operator": "included"
        }
      ],
      "item_id": "simple_list_item",
      "list_id": "simple_list",
      "os_types": [
        "linux"
      ],
      "description": "This is a sample detection type exception item.",
      "namespace_type": "single"
    }
  ]
}

Response examples (200)

[
  {
    "id": "71a9f4b2-c85c-49b4-866f-c71eb9e67da2",
    "name": "Sample Exception List Item",
    "tags": [
      "malware"
    ],
    "type": "simple",
    "entries": [
      {
        "type": "exists",
        "field": "actingProcess.file.signer",
        "operator": "excluded"
      },
      {
        "type": "match_any",
        "field": "host.name",
        "value": [
          "saturn",
          "jupiter"
        ],
        "operator": "included"
      }
    ],
    "item_id": "simple_list_item",
    "list_id": "simple_list",
    "_version": "WzQsMV0=",
    "comments": [],
    "os_types": [
      "linux"
    ],
    "created_at": "2025-01-07T20:07:33.119Z",
    "created_by": "elastic",
    "updated_at": "2025-01-07T20:07:33.119Z",
    "updated_by": "elastic",
    "description": "This is a sample detection type exception item.",
    "namespace_type": "single",
    "tie_breaker_id": "09434836-9db9-4942-a234-5a9268e0b34c"
  }
]

Response examples (400)

{
  "error": "Bad Request",
  "message": "Invalid request payload JSON format",
  "statusCode": 400
}

{
  "error": "Bad Request",
  "message": "[request params]: id: Invalid uuid",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "message": "Unable to create exception-list",
  "status_code": 403
}

Response examples (500)

{
  "message": "Internal Server Error",
  "status_code": 500
}

POST /s/{spaceId}/api/observability/slos/{sloId}/_reset

Api key auth Basic auth

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

spaceId string Required

An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
sloId string Required

An identifier for the slo.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

Successful request
Hide response attributes Show response attributes object
- budgetingMethod string Required
  
  The budgeting method to use when computing the rollup data.
  
  Values are occurrences or timeslices.
- createdAt string Required
  
  The creation date
- description string Required
  
  The description of the SLO.
- enabled boolean Required
  
  Indicate if the SLO is enabled
- groupBy string | array[string] Required
  
  optional group by field or fields to use to generate an SLO per distinct value
  
  One of:
  string-1 string array-2 array[string]
- id string Required
  
  The identifier of the SLO.
- indicator object Required
  
  One of:
  SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object
  
  Defines properties for a custom query indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string | object
  
  Defines properties for a filter
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  good string | object Required
  
  The KQL query used to define the good events.
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total string | object Required
  
  The KQL query used to define all events.
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.kql.custom.
  
  Defines properties for the APM availability indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  environment string Required
  
  The APM service environment or "*"
  
  filter string
  
  KQL query used for filtering the data
  
  index string Required
  
  The index used by APM metrics
  
  service string Required
  
  The APM service name
  
  transactionName string Required
  
  The APM transaction name or "*"
  
  transactionType string Required
  
  The APM transaction type or "*"
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.apm.transactionErrorRate.
  
  Defines properties for the APM latency indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  environment string Required
  
  The APM service environment or "*"
  
  filter string
  
  KQL query used for filtering the data
  
  index string Required
  
  The index used by APM metrics
  
  service string Required
  
  The APM service name
  
  threshold number Required
  
  The latency threshold in milliseconds
  
  transactionName string Required
  
  The APM transaction name or "*"
  
  transactionType string Required
  
  The APM transaction type or "*"
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.apm.transactionDuration.
  
  Defines properties for a custom metric indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  good object Required
  
  An object defining the "good" metrics and equation
  
  Hide good attributes Show good attributes object
  
  equation string Required
  
  The equation to calculate the "good" metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  Hide metrics attributes Show metrics attributes object
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "sum"
  
  Value is sum.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total object Required
  
  An object defining the "total" metrics and equation
  
  Hide total attributes Show total attributes object
  
  equation string Required
  
  The equation to calculate the "total" metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  Hide metrics attributes Show metrics attributes object
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "sum"
  
  Value is sum.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.metric.custom.
  
  Defines properties for a histogram indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  good object Required
  
  An object defining the "good" events
  
  Hide good attributes Show good attributes object
  
  aggregation string Required
  
  The type of aggregation to use.
  
  Values are value_count or range.
  
  field string Required
  
  The field use to aggregate the good events.
  
  filter string
  
  The filter for good events.
  
  from number
  
  The starting value of the range. Only required for "range" aggregations.
  
  to number
  
  The ending value of the range. Only required for "range" aggregations.
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total object Required
  
  An object defining the "total" events
  
  Hide total attributes Show total attributes object
  
  aggregation string Required
  
  The type of aggregation to use.
  
  Values are value_count or range.
  
  field string Required
  
  The field use to aggregate the good events.
  
  filter string
  
  The filter for total events.
  
  from number
  
  The starting value of the range. Only required for "range" aggregations.
  
  to number
  
  The ending value of the range. Only required for "range" aggregations.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.histogram.custom.
  
  Defines properties for a timeslice metric indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  index string Required
  
  The index or index pattern to use
  
  metric object Required
  
  An object defining the metrics, equation, and threshold to determine if it's a good slice or not
  
  Hide metric attributes Show metric attributes object
  
  comparator string Required
  
  The comparator to use to compare the equation to the threshold.
  
  Values are GT, GTE, LT, or LTE.
  
  equation string Required
  
  The equation to calculate the metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  Any of:
  SLOs_timeslice_metric_basic_metric_with_field object SLOs_timeslice_metric_percentile_metric object SLOs_timeslice_metric_doc_count_metric object
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Values are sum, avg, min, max, std_deviation, last_value, or cardinality.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "percentile"
  
  Value is percentile.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  percentile number Required
  
  The percentile value.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "doc_count"
  
  Value is doc_count.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  threshold number Required
  
  The threshold used to determine if the metric is a good slice or not.
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.metric.timeslice.
- name string Required
  
  The name of the SLO.
- objective object Required
  
  Defines properties for the SLO objective
  
  Hide objective attributes Show objective attributes object
  
  target number Required
  
  the target objective between 0 and 1 excluded
  
  Minimum value is 0, maximum value is 100.
  
  timesliceTarget number
  
  the target objective for each slice when using a timeslices budgeting method
  
  Minimum value is 0, maximum value is 100.
  
  timesliceWindow string
  
  the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
- revision number Required
  
  The SLO revision
- settings object Required
  
  Defines properties for SLO settings.
  
  Hide settings attributes Show settings attributes object
  
  frequency string
  
  Configure how often the transform runs, default 1m
  
  Default value is 1m.
  
  preventInitialBackfill boolean
  
  Prevents the transform from backfilling data when it starts.
  
  Default value is false.
  
  syncDelay string
  
  The synch delay to apply to the transform. Default 1m
  
  Default value is 1m.
- tags array[string] Required
  
  List of tags
- timeWindow object Required
  
  Defines properties for the SLO time window
  
  Hide timeWindow attributes Show timeWindow attributes object
  
  duration string Required
  
  the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)
  
  type string Required
  
  Indicates weither the time window is a rolling or a calendar aligned time window.
  
  Values are rolling or calendarAligned.
- updatedAt string Required
  
  The last update date
- version number Required
  
  The internal SLO version
400 application/json; Elastic-Api-Version=2023-10-31

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
401 application/json; Elastic-Api-Version=2023-10-31

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
403 application/json; Elastic-Api-Version=2023-10-31

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
404 application/json; Elastic-Api-Version=2023-10-31

Not found response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /s/{spaceId}/api/observability/slos/{sloId}/_reset

curl \
 --request POST 'http://localhost:5622/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414/_reset' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Response examples (200)

{
  "budgetingMethod": "occurrences",
  "createdAt": "2023-01-12T10:03:19.000Z",
  "description": "My SLO description",
  "enabled": true,
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "id": "8853df00-ae2e-11ed-90af-09bb6422b258",
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "My Service SLO",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "revision": 2,
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  },
  "updatedAt": "2023-01-12T10:03:19.000Z",
  "version": 2
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}

Response examples (404)

{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}

params object

Body Required

type string

Body Required

groupBy string | array[string] Required

indicator object Required

filter string | object

good string | object Required

total string | object Required