Api key auth (http_api_key)
These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: Authorization: ApiKey base64AccessApiKey
Kibana APIs
1.0.2
Base URL
http://localhost:5622
http://localhost:5622The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation.
To interact with Kibana APIs, use the following operations:
- GET: Fetches the information.
- PATCH: Applies partial modifications to the existing information.
- POST: Adds new information.
- PUT: Updates the existing information.
- DELETE: Removes the information.
You can prepend any Kibana API endpoint with kbn: and run the request in Dev Tools → Console.
For example:
GET kbn:/api/data_views
For more information about the console, refer to Run API requests.
NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
Documentation source and versions
This documentation is derived from the 9.0 branch of the kibana repository.
It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This documentation contains work-in-progress information for future Elastic Stack releases.
This is version 1.0.2 of this API documentation.
Last update on Mar 26, 2025.
Servers
| Base URL | Description |
|---|---|
| http://localhost:5622 | |
| https://localhost:5601 | |
| https://localhost:5601 |
Authentication
The API accepts 2 different authentication methods:
Basic auth (http)
Basic auth tokens are constructed with the Basic keyword, followed by a space, followed by a base64-encoded string of your username:password
(separated by a : colon).
Example: send a Authorization: Basic aGVsbG86aGVsbG8=
HTTP header with your requests to authenticate with the API.
Alerting
Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
Get the rule types
If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.
GET
/api/alerting/rule_types
curl \
--request GET 'http://localhost:5622/api/alerting/rule_types' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "xpack.ml.anomaly_detection_alert",
"name": "Anomaly detection alert",
"alerts": {
"context": "ml.anomaly-detection",
"mappings": {
"fieldMap": {
"kibana.alert.job_id": {
"type": "keyword",
"array": false,
"required": true
},
"kibana.alert.is_interim": {
"type": "boolean",
"array": false,
"required": false
},
"kibana.alert.top_records": {
"type": "object",
"array": true,
"dynamic": false,
"required": false,
"properties": {
"actual": {
"type": "double"
},
"job_id": {
"type": "keyword"
},
"typical": {
"type": "double"
},
"function": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"field_name": {
"type": "keyword"
},
"is_interim": {
"type": "boolean"
},
"record_score": {
"type": "double"
},
"by_field_name": {
"type": "keyword"
},
"by_field_value": {
"type": "keyword"
},
"detector_index": {
"type": "integer"
},
"over_field_name": {
"type": "keyword"
},
"over_field_value": {
"type": "keyword"
},
"initial_record_score": {
"type": "double"
},
"partition_field_name": {
"type": "keyword"
},
"partition_field_value": {
"type": "keyword"
}
}
},
"kibana.alert.anomaly_score": {
"type": "double",
"array": false,
"required": false
},
"kibana.alert.top_influencers": {
"type": "object",
"array": true,
"dynamic": false,
"required": false,
"properties": {
"job_id": {
"type": "keyword"
},
"timestamp": {
"type": "date"
},
"is_interim": {
"type": "boolean"
},
"influencer_score": {
"type": "double"
},
"influencer_field_name": {
"type": "keyword"
},
"influencer_field_value": {
"type": "keyword"
},
"initial_influencer_score": {
"type": "double"
}
}
},
"kibana.alert.anomaly_timestamp": {
"type": "date",
"array": false,
"required": false
}
}
},
"shouldWrite": true
},
"category": "management",
"producer": "ml",
"action_groups": [
{
"id": "anomaly_score_match",
"name": "Anomaly score matched the condition"
},
{
"id": "recovered",
"name": "Recovered"
}
],
"is_exportable": true,
"action_variables": {
"state": [],
"params": [],
"context": [
{
"name": "timestamp",
"description": "The bucket timestamp of the anomaly"
},
{
"name": "timestampIso8601",
"description": "The bucket time of the anomaly in ISO8601 format"
},
{
"name": "jobIds",
"description": "List of job IDs that triggered the alert"
},
{
"name": "message",
"description": "Alert info message"
},
{
"name": "isInterim",
"description": "Indicate if top hits contain interim results"
},
{
"name": "score",
"description": "Anomaly score at the time of the notification action"
},
{
"name": "topRecords",
"description": "Top records"
},
{
"name": "topInfluencers",
"description": "Top influencers"
},
{
"name": "anomalyExplorerUrl",
"description": "URL to open in the Anomaly Explorer",
"useWithTripleBracesInTemplates": true
}
]
},
"rule_task_timeout": "5m",
"enabled_in_license": true,
"has_alerts_mappings": true,
"authorized_consumers": {
"ml": {
"all": true,
"read": true
},
"apm": {
"all": true,
"read": true
},
"slo": {
"all": true,
"read": true
},
"logs": {
"all": true,
"read": true
},
"siem": {
"all": true,
"read": true
},
"alerts": {
"all": true,
"read": true
},
"uptime": {
"all": true,
"read": true
},
"discover": {
"all": true,
"read": true
},
"monitoring": {
"all": true,
"read": true
},
"stackAlerts": {
"all": true,
"read": true
},
"infrastructure": {
"all": true,
"read": true
}
},
"has_fields_for_a_a_d": false,
"recovery_action_group": {
"id": "recovered",
"name": "Recovered"
},
"default_action_group_id": "anomaly_score_match",
"minimum_license_required": "platinum",
"does_set_recovery_context": true
},
{
"id": "xpack.ml.anomaly_detection_jobs_health",
"name": "Anomaly detection jobs health",
"category": "management",
"producer": "ml",
"action_groups": [
{
"id": "anomaly_detection_realtime_issue",
"name": "Issue detected"
},
{
"id": "recovered",
"name": "Recovered"
}
],
"is_exportable": true,
"action_variables": {
"state": [],
"params": [],
"context": [
{
"name": "results",
"description": "Results of the rule execution"
},
{
"name": "message",
"description": "Alert info message"
}
]
},
"rule_task_timeout": "5m",
"enabled_in_license": true,
"has_alerts_mappings": false,
"authorized_consumers": {
"ml": {
"all": true,
"read": true
},
"apm": {
"all": true,
"read": true
},
"slo": {
"all": true,
"read": true
},
"logs": {
"all": true,
"read": true
},
"siem": {
"all": true,
"read": true
},
"alerts": {
"all": true,
"read": true
},
"uptime": {
"all": true,
"read": true
},
"discover": {
"all": true,
"read": true
},
"monitoring": {
"all": true,
"read": true
},
"stackAlerts": {
"all": true,
"read": true
},
"infrastructure": {
"all": true,
"read": true
}
},
"has_fields_for_a_a_d": false,
"recovery_action_group": {
"id": "recovered",
"name": "Recovered"
},
"default_action_group_id": "anomaly_detection_realtime_issue",
"minimum_license_required": "platinum",
"does_set_recovery_context": true
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Path parameters
-
id
string Required The identifier for the rule.
GET
/api/alerting/rule/{id}
curl \
--request GET 'http://localhost:5622/api/alerting/rule/{id}' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"actions": [
{
"alerts_filter": {
"query": {
"dsl": "string",
"filters": [
{
"$state": {
"store": "appState"
},
"meta": {},
"query": {}
}
],
"kql": "string"
},
"timeframe": {
"days": [
1
],
"hours": {
"end": "string",
"start": "string"
},
"timezone": "string"
}
},
"connector_type_id": "string",
"frequency": {
"notify_when": "onActionGroupChange",
"summary": true,
"throttle": "string"
},
"group": "string",
"id": "string",
"params": {},
"use_alert_data_for_template": true,
"uuid": "string"
}
],
"active_snoozes": [
"string"
],
"alert_delay": {
"active": 42.0
},
"api_key_created_by_user": true,
"api_key_owner": "string",
"consumer": "string",
"created_at": "string",
"created_by": "string",
"enabled": true,
"execution_status": {
"error": {
"message": "string",
"reason": "read"
},
"last_duration": 42.0,
"last_execution_date": "string",
"status": "ok",
"warning": {
"message": "string",
"reason": "maxExecutableActions"
}
},
"flapping": {
"look_back_window": 42.0,
"status_change_threshold": 42.0
},
"id": "string",
"is_snoozed_until": "string",
"last_run": {
"alerts_count": {
"active": 42.0,
"ignored": 42.0,
"new": 42.0,
"recovered": 42.0
},
"outcome": "succeeded",
"outcome_msg": [
"string"
],
"outcome_order": 42.0,
"warning": "read"
},
"mapped_params": {},
"monitoring": {
"run": {
"calculated_metrics": {
"p50": 42.0,
"p95": 42.0,
"p99": 42.0,
"success_ratio": 42.0
},
"history": [
{
"duration": 42.0,
"outcome": "succeeded",
"success": true,
"timestamp": 42.0
}
],
"last_run": {
"metrics": {
"duration": 42.0,
"gap_duration_s": 42.0,
"gap_range": {
"gte": "string",
"lte": "string"
},
"total_alerts_created": 42.0,
"total_alerts_detected": 42.0,
"total_indexing_duration_ms": 42.0,
"total_search_duration_ms": 42.0
},
"timestamp": "string"
}
}
},
"mute_all": true,
"muted_alert_ids": [
"string"
],
"name": "string",
"next_run": "string",
"notify_when": "onActionGroupChange",
"params": {},
"revision": 42.0,
"rule_type_id": "string",
"running": true,
"schedule": {
"interval": "string"
},
"scheduled_task_id": "string",
"snooze_schedule": [
{
"duration": 42.0,
"id": "string",
"rRule": {
"byhour": [
42.0
],
"byminute": [
42.0
],
"bymonth": [
42.0
],
"bymonthday": [
42.0
],
"bysecond": [
42.0
],
"bysetpos": [
42.0
],
"byweekday": [
"string"
],
"byweekno": [
42.0
],
"byyearday": [
42.0
],
"count": 42.0,
"dtstart": "string",
"freq": 0,
"interval": 42.0,
"tzid": "string",
"until": "string",
"wkst": "MO"
},
"skipRecurrences": [
"string"
]
}
],
"tags": [
"string"
],
"throttle": "string",
"updated_at": "string",
"updated_by": "string",
"view_in_app_relative_url": "string"
}Path parameters
-
id
string Required The identifier for the rule. If it is omitted, an ID is randomly generated.
Body
-
actions
array[object] An action that runs under defined conditions.
Default value is
[](empty). -
alert_delay
object Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
Additional properties are NOT allowed.
-
consumer
string Required The name of the application or feature that owns the rule. For example:
alerts,apm,discover,infrastructure,logs,metrics,ml,monitoring,securitySolution,siem,stackAlerts, oruptime. -
enabled
boolean Indicates whether you want to run the rule on an interval basis after it is created.
Default value is
true. -
flapping
object | null When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
Additional properties are NOT allowed.
-
name
string Required The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
-
notify_when
string | null Indicates how often alerts generate actions. Valid values include:
onActionGroupChange: Actions run when the alert status changes;onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met;onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specifynotify_whenat both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.Values are
onActionGroupChange,onActiveAlert, oronThrottleInterval. -
rule_type_id
string Required The rule type identifier.
-
schedule
object Required The check interval, which specifies how frequently the rule conditions are checked.
Additional properties are NOT allowed.
-
throttle
string | null Use the
throttleproperty in the actionfrequencyobject instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values. params
object The parameters for the rule.
Any of: params_property_apm_anomalyobject params_property_apm_error_countobject params_property_apm_transaction_durationobject params_property_apm_transaction_error_rateobject params_es_query_dsl_ruleobject params_es_query_esql_ruleobject params_es_query_kql_ruleobject params_index_threshold_ruleobject params_property_infra_inventoryobject Countobject Ratioobject params_property_infra_metric_thresholdobject params_property_slo_burn_rateobject params_property_synthetics_uptime_tlsobject params_property_synthetics_monitor_statusobject
POST
/api/alerting/rule/{id}
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{id}' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"name":"my Elasticsearch query ESQL rule","params":{"size":0,"esqlQuery":{"esql":"FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes \u003e 5000 | SORT sumbytes desc | LIMIT 10"},"threshold":[0],"timeField":"@timestamp","searchType":"esqlQuery","timeWindowSize":1,"timeWindowUnit":"d","thresholdComparator":"\u003e"},"actions":[{"id":"d0db1fe0-78d6-11ee-9177-f7d404c8c945","group":"query matched","params":{"level":"info","message":"Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"},"frequency":{"summary":false,"notify_when":"onActiveAlert"}}],"consumer":"stackAlerts","schedule":{"interval":"1d"},"rule_type_id":".es-query"}'
Request examples
Elasticsearch query rule (ES|QL)
Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
{
"name": "my Elasticsearch query ESQL rule",
"params": {
"size": 0,
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != \"GB\" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"notify_when": "onActiveAlert"
}
}
],
"consumer": "stackAlerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
{
"name": "my Elasticsearch query rule",
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"threshold": [
100
],
"timeField": "@timestamp",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">"
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
}
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1d"
},
"rule_type_id": ".es-query"
}
Create an Elasticsearch query rule that uses Kibana query language (KQL).
{
"name": "my Elasticsearch query KQL rule",
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"rule_type_id": ".es-query"
}
Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
{
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "48de3460-f401-11ed-9f8e-399c75a2deeb",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"notify_when": "onActionGroupChange"
}
}
],
"consumer": "alerts",
"schedule": {
"interval": "1m"
},
"alert_delay": {
"active": 3
},
"rule_type_id": ".index-threshold"
}
Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
{
"name": "my tracking rule",
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField\"": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"consumer": "alerts",
"schedule": {
"interval": "1h"
},
"rule_type_id": ".geo-containment"
}
Response examples (200)
Elasticsearch query rule (ES|QL)
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
{
"id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"name": "my Elasticsearch query ESQL rule",
"tags": [],
"params": {
"size": 0,
"aggType": "count",
"groupBy": "all",
"esqlQuery": {
"esql": "FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != \"GB\" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10"
},
"threshold": [
0
],
"timeField": "@timestamp",
"searchType": "esqlQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun\"": "true,"
},
"actions": [
{
"id": "d0db1fe0-78d6-11ee-9177-f7d404c8c945",
"uuid": "bfe370a3-531b-4855-bbe6-ad739f578844",
"group": "query matched",
"params": {
"level": "info",
"message": "Elasticsearch query rule '{{rule.name}}' is active:\n- Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActiveAlert"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "stackAlerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-11-01T19:00:10.453Z",
"created_by": "elastic",
"updated_at": "2023-11-01T19:00:10.453Z",
"updated_by": "elastic\",",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-11-01T19:00:10.453Z"
},
"scheduled_task_id": "e0d62360-78e8-11ee-9177-f7d404c8c945",
"api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
{
"id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"name": "my Elasticsearch query rule",
"tags": [],
"params": {
"size": 100,
"index": [
"kibana_sample_data_logs"
],
"aggType": "count",
"esQuery": "\"\"\"{\"query\":{\"match_all\" : {}}}\"\"\"",
"groupBy": "all",
"threshold": [
100
],
"timeField": "@timestamp",
"searchType": "esQuery",
"timeWindowSize": 1,
"timeWindowUnit": "d",
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "53f3c2a3-e5d0-4cfa-af3b-6f0881385e78",
"group": "query matched",
"params": {
"level": "info",
"message": "The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts."
},
"frequency": {
"summary": true,
"throttle": "1d",
"notify_when": "onThrottleInterval"
},
"connector_type_id": ".server-log"
},
{
"id": "fdbece50-406c-11ee-850e-c71febc4ca7f",
"uuid": "2324e45b-c0df-45c7-9d70-4993e30be758",
"group": "recovered",
"params": {
"level": "info",
"message": "Recovered"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1d"
},
"throttle": null,
"created_at": "2023-08-22T00:03:38.263Z",
"created_by": "elastic",
"updated_at": "2023-08-22T00:03:38.263Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-08-22T00:03:38.263Z"
},
"scheduled_task_id": "58148c70-407f-11ee-850e-c71febc4ca7f",
"api_key_created_by_user": false
}
The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
{
"id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"name": "my Elasticsearch query KQL rule\"",
"tags": [],
"params": {
"size": 100,
"aggType": "count",
"groupBy": "all",
"threshold": [
1000
],
"searchType": "searchSource",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"searchConfiguration": {
"index": "90943e30-9a47-11e8-b64d-95841ca0b247",
"query": {
"query": "\"\"geo.src : \"US\" \"\"",
"language": "kuery"
}
},
"thresholdComparator": ">",
"excludeHitsFromPreviousRun": true
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-07-14T20:24:50.729Z",
"created_by": "elastic",
"updated_at": "2023-07-14T20:24:50.729Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".es-query",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2023-07-14T20:24:50.729Z"
},
"scheduled_task_id": "7bd506d0-2284-11ee-8fad-6101956ced88",
"api_key_created_by_user": false
}
The response for successfully creating an index threshold rule.
{
"id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
"name": "my rule",
"tags": [
"cpu"
],
"params": {
"index": [
".test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group} :\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
},
"connector_type_id": ".server-log"
}
],
"enabled": true,
"running": false,
"consumer": "alerts",
"mute_all": false,
"revision": 0,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-06-08T17:20:31.632Z",
"created_by": "elastic",
"updated_at": "2022-06-08T17:20:31.632Z",
"updated_by": "elastic",
"alert_delay": {
"active": 3
},
"notify_when": null,
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "pending",
"last_execution_date": "2022-06-08T17:20:31.632Z"
},
"scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
"api_key_created_by_user": false
}
The response for successfully creating a tracking containment rule.
{
"id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"name": "my tracking rule",
"tags": [],
"params": {
"index": "kibana_sample_data_logs",
"entity": "agent.keyword",
"indexId": "90943e30-9a47-11e8-b64d-95841ca0b247",
"geoField": "geo.coordinates",
"dateField": "@timestamp",
"boundaryType": "entireIndex",
"boundaryIndexId": "0cd90abf-abe7-44c7-909a-f621bbbcfefc",
"boundaryGeoField": "location",
"boundaryNameField": "name",
"boundaryIndexTitle": "boundary*"
},
"actions": [],
"enabled": true,
"running": false,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2024-02-15T03:26:38.033Z",
"revision": 1,
"schedule": {
"interval": "1h"
},
"throttle": null,
"created_at": "2024-02-14T19:52:55.920Z",
"created_by": "elastic",
"updated_at": "2024-02-15T03:24:32.574Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": ".geo-containment",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 74,
"last_execution_date": "2024-02-15T03:25:38.125Z"
},
"scheduled_task_id": "b6883f9d-5f70-4758-a66e-369d7c26012f",
"api_key_created_by_user": false
}Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_disable
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{id}/_disable' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"untrack":true}'
Request examples
# Headers
kbn-xsrf: true
# Payload
{
"untrack": true
}Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_mute_all
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{id}/_mute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Path parameters
-
id
string Required The identifier for the rule.
POST
/api/alerting/rule/{id}/_update_api_key
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{id}/_update_api_key' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"
POST
/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
curl \
--request POST 'http://localhost:5622/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Query parameters
-
per_page
number The number of rules to return per page.
Minimum value is
0. Default value is10. -
page
number The page number to return.
Minimum value is
1. Default value is1. -
search
string An Elasticsearch simple_query_string query that filters the objects in the response.
-
default_search_operator
string The default operator to use for the simple_query_string.
Values are
ORorAND. Default value isOR. -
search_fields
array[string] | string The fields to perform the simple_query_string parsed query against.
-
sort_field
string Determines which field is used to sort the results. The field must exist in the
attributeskey of the response. -
sort_order
string Determines the sort order.
Values are
ascordesc. -
has_reference
object | null Filters the rules that have a relation with the reference objects with a specific type and identifier.
Additional properties are NOT allowed.
-
fields
array[string] The fields to return in the
attributeskey of the response. -
filter
string A KQL string that you filter with an attribute from your saved object. It should look like
savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such asupdatedAt, you must define your filter, for example,savedObjectType.updatedAt > 2018-12-22. -
filter_consumers
array[string] List of consumers to filter.
GET
/api/alerting/rules/_find
curl \
--request GET 'http://localhost:5622/api/alerting/rules/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
Index threshold rule
A response that contains information about an index threshold rule.
{
"data": [
{
"id": "3583a470-74f6-11ed-9801-35303b735aef",
"name": "my alert",
"tags": [
"cpu"
],
"params": {
"index": [
"test-index"
],
"aggType": "avg",
"groupBy": "top",
"aggField": "sheet.version",
"termSize": 6,
"termField": "name.keyword",
"threshold": [
1000
],
"timeField": "@timestamp",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">"
},
"actions": [
{
"id": "9dca3e00-74f5-11ed-9801-35303b735aef",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
"connector_type_id": ".server-log"
},
"frequency": {
"summary": false,
"throttle": null,
"notify_when": "onActionGroupChange"
}
}
],
"enabled": true,
"consumer": "alerts",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": null,
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
}
},
"mute_all": false,
"next_run": "2022-12-06T01:45:23.912Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2022-12-05T23:40:33.132Z",
"created_by": "elastic",
"updated_at": "2022-12-05T23:40:33.132Z",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 48,
"last_execution_date": "2022-12-06T01:44:23.983Z"
},
"scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}
A response that contains information about a security rule that has conditional actions.
{
"data": [
{
"id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"name": "security_rule",
"tags": [],
"params": {
"to": "now",
"from": "now-3660s",
"meta": {
"from": "1h",
"kibana_siem_app_url": "https://localhost:5601/app/security"
},
"type": "threshold",
"index": [
"kibana_sample_data_logs"
],
"query": "*",
"author": [],
"ruleId": "an_internal_rule_id",
"threat": [],
"filters": [],
"license": "",
"version": 1,
"language": "kuery",
"severity": "low",
"immutable": false,
"riskScore": 21,
"threshold": {
"field": [
"bytes"
],
"value": 1,
"cardinality": []
},
"maxSignals": 100,
"references": [],
"description": "A security threshold rule.",
"outputIndex": "",
"exceptionsList": [],
"falsePositives": [],
"severityMapping": [],
"riskScoreMapping": []
},
"actions": [
{
"id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
"uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
"group": "default",
"params": {
"documents": [
{
"rule_id": {
"[object Object]": null
},
"alert_id": {
"[object Object]": null
},
"rule_name": {
"[object Object]": null
},
"context_message": {
"[object Object]": null
}
}
]
},
"frequency": {
"summary": true,
"throttle": null,
"notify_when": "onActiveAlert"
},
"alerts_filter": {
"query": {
"kql": "",
"filters": [
{
"meta": {
"key": "client.geo.region_iso_code",
"alias": null,
"field": "client.geo.region_iso_code",
"index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
"negate": false,
"params": {
"type": "phrase",
"query": "CA-QC"
},
"disabled": false
},
"query": {
"match_phrase": {
"client.geo.region_iso_code": "CA-QC"
}
},
"$state": {
"store": "appState"
}
}
]
},
"timeframe": {
"days": [
7
],
"hours": {
"end": "17:00",
"start": "08:00"
},
"timezone": "UTC"
}
},
"connector_type_id": ".index"
}
],
"enabled": true,
"running": false,
"consumer": "siem",
"last_run": {
"outcome": "succeeded",
"warning": null,
"outcome_msg": [
"Rule execution completed successfully"
],
"alerts_count": {
"new": 0,
"active": 0,
"ignored": 0,
"recovered": 0
},
"outcome_order": 0
},
"mute_all": false,
"next_run": "2023-05-16T20:27:49.507Z",
"revision": 1,
"schedule": {
"interval": "1m"
},
"throttle": null,
"created_at": "2023-05-16T15:50:28.358Z",
"created_by": "elastic",
"updated_at": "2023-05-16T20:25:42.559Z",
"updated_by": "elastic",
"notify_when": null,
"rule_type_id": "siem.thresholdRule",
"api_key_owner": "elastic",
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_duration": 166,
"last_execution_date": "2023-05-16T20:26:49.590Z"
},
"scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
"api_key_created_by_user": false
}
],
"page": 1,
"total": 1,
"per_page": 10
}APM agent configuration
Adjust APM agent configuration without need to redeploy your application.
Get a list of agent configurations
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
GET
/api/apm/settings/agent-configuration
curl \
--request GET 'http://localhost:5622/api/apm/settings/agent-configuration' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"configurations": [
{
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Create or update agent configuration
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Query parameters
-
overwrite
boolean If the config exists ?overwrite=true is required
Body
Required
-
agent_name
string Agent name
-
service
object Required Service
-
settings
object Required Agent configuration settings
PUT
/api/apm/settings/agent-configuration
curl \
--request PUT 'http://localhost:5622/api/apm/settings/agent-configuration' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"agent_name":"string","service":{"environment":"prod","name":"node"},"settings":{"additionalProperty1":"string","additionalProperty2":"string"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"agent_name": "string",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
Response examples (200)
{}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Lookup single agent configuration
This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
etag
string If etags match then
applied_by_agentfield will be set totrue -
mark_as_applied_by_agent
boolean markAsAppliedByAgent=truemeans "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags -
service
object Required Service
POST
/api/apm/settings/agent-configuration/search
curl \
--request POST 'http://localhost:5622/api/apm/settings/agent-configuration/search' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"etag":"0bc3b5ebf18fba8163fe4c96f491e3767a358f85","mark_as_applied_by_agent":true,"service":{"environment":"prod","name":"node"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"mark_as_applied_by_agent": true,
"service": {
"environment": "prod",
"name": "node"
}
}
Response examples (200)
{
"_id": "string",
"_index": "string",
"_score": 42.0,
"_source": {
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Get single agent configuration
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
Query parameters
-
name
string Service name
-
environment
string Service environment
GET
/api/apm/settings/agent-configuration/view
curl \
--request GET 'http://localhost:5622/api/apm/settings/agent-configuration/view' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"id": "string",
"@timestamp": 1730194190636,
"agent_name": "string",
"applied_by_agent": true,
"etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
"service": {
"environment": "prod",
"name": "node"
},
"settings": {
"additionalProperty1": "string",
"additionalProperty2": "string"
}
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}APM agent keys
Configure APM agent keys to authorize requests from APM agents to the APM Server.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
name
string Required Agent name
-
privileges
array[string] Required Privileges configuration
Values are
event:writeorconfig_agent:read.
POST
/api/apm/agent_keys
curl \
--request POST 'http://localhost:5622/api/apm/agent_keys' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"name":"string","privileges":["event:write"]}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"name": "string",
"privileges": [
"event:write"
]
}
Response examples (200)
{
"agentKey": {
"api_key": "string",
"encoded": "string",
"expiration": 42,
"id": "string",
"name": "string"
}
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}APM annotations
Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
Create a service annotation
Create a new annotation for a specific service.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Path parameters
-
serviceName
string Required The name of the service
Body
Required
-
@timestamp
string Required Timestamp
-
message
string Message
-
service
object Required Service
POST
/api/apm/services/{serviceName}/annotation
curl \
--request POST 'http://localhost:5622/api/apm/services/{serviceName}/annotation' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"@timestamp":"string","message":"string","service":{"environment":"string","version":"string"},"tags":["string"]}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"@timestamp": "string",
"message": "string",
"service": {
"environment": "string",
"version": "string"
},
"tags": [
"string"
]
}
Response examples (200)
{
"_id": "string",
"_index": "string",
"_source": {
"@timestamp": "string",
"annotation": {
"title": "string",
"type": "string"
},
"event": {
"created": "string"
},
"message": "string",
"service": {
"environment": "string",
"name": "string",
"version": "string"
},
"tags": [
"string"
]
}
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Search for annotations
Search for annotations related to a specific service.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31.
Path parameters
-
serviceName
string Required The name of the service
Query parameters
-
environment
string The environment to filter annotations by
-
start
string The start date for the search
-
end
string The end date for the search
GET
/api/apm/services/{serviceName}/annotation/search
curl \
--request GET 'http://localhost:5622/api/apm/services/{serviceName}/annotation/search' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"
Response examples (200)
{
"annotations": [
{
"@timestamp": 42.0,
"id": "string",
"text": "string",
"type": "version"
}
]
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}APM server schema
Create APM fleet server schema.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
POST
/api/apm/fleet/apm_server_schema
curl \
--request POST 'http://localhost:5622/api/apm/fleet/apm_server_schema' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '{"schema":{"foo":"bar"}}'
Request examples
# Headers
elastic-api-version: 2023-10-31
kbn-xsrf: true
# Payload
{
"schema": {
"foo": "bar"
}
}
Response examples (200)
{}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (404)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}APM sourcemaps
Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.
Upload a source map
Upload a source map for a specific service and version. You must have all Kibana privileges for the APM and User Experience feature.
The maximum payload size is 1mb. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the server.maxPayload variable.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Body
Required
-
bundle_filepath
string Required The absolute path of the final bundle as used in the web application.
-
service_name
string Required The name of the service that the service map should apply to.
-
service_version
string Required The version of the service that the service map should apply to.
-
sourcemap
string(binary) Required The source map. It can be a string or file upload. It must follow the source map format specification.
POST
/api/apm/sourcemaps
curl -X POST "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: multipart/form-data' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}' \
-F 'service_name="foo"' \
-F 'service_version="1.0.0"' \
-F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \
-F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"'
Response examples (200)
A successful response from `POST /api/apm/sourcemaps`.
{
"id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"body": "eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI",
"type": "sourcemap",
"created": "2021-07-09T20:47:44.812Z",
"identifier": "foo-1.0.0",
"decodedSize": 441,
"encodedSize": 237,
"packageName": "apm",
"relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
"encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
"encryptionAlgorithm": "none",
"compressionAlgorithm": "zlib"
}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Response examples (501)
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}Delete source map
Delete a previously uploaded source map. You must have all Kibana privileges for the APM and User Experience feature.
Headers
-
elastic-api-version
string Required The version of the API to use
Value is
2023-10-31. Default value is2023-10-31. -
kbn-xsrf
string Required A required header to protect against CSRF attacks
Path parameters
-
id
string Required Source map identifier
Responses
-
200 application/json
Successful response
Additional properties are NOT allowed.
-
400 application/json
Bad Request response
-
401 application/json
Unauthorized response
-
403 application/json
Forbidden response
-
500 application/json
Internal Server Error response
-
501 application/json
Not Implemented response
DELETE
/api/apm/sourcemaps/{id}
curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}'
Response examples (200)
{}
Response examples (400)
{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Response examples (403)
{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}
Response examples (500)
{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}
Response examples (501)
{
"error": "Not Implemented",
"message": "Not Implemented",
"statusCode": 501
}Create a case
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating.
Body
Required
-
assignees
array[object] | null An array containing users that are assigned to the case.
Not more than
10elements. -
category
string A word or phrase that categorizes the case.
Maximum length is
50. connector
object Required One of: Cases_connector_properties_noneobject Cases_connector_properties_cases_webhookobject Cases_connector_properties_jiraobject Cases_connector_properties_resilientobject Cases_connector_properties_servicenowobject Cases_connector_properties_servicenow_sirobject Cases_connector_properties_swimlaneobject Defines properties for connectors when type is
.none.-
customFields
array[object] Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
At least
0but not more than10elements. -
description
string Required The description for the case.
Maximum length is
30000. -
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases,observability, orsecuritySolution. -
settings
object Required An object that contains the case settings.
-
severity
string The severity of the case.
Values are
critical,high,low, ormedium. Default value islow. -
title
string Required A title for the case.
Maximum length is
160.
POST
/api/cases
curl \
--request POST 'http://localhost:5622/api/cases' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"tags":["tag-1"],"owner":"cases","title":"Case title 1","settings":{"syncAlerts":true},"connector":{"id":"131d4448-abe0-4789-939d-8ef60680b498","name":"My connector","type":".jira","fields":{"parent":null,"priority":"High","issueType":"10006"}},"description":"A case description.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"My field value"}]}'
Request example
{
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title 1",
"settings": {
"syncAlerts": true
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"description": "A case description.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
}
]
}
Response examples (200)
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzUzMiwxXQ==",
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"parent": null,
"priority": "High",
"issueType": "10006"
}
},
"created_at": "2022-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 0,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Delete cases
You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
Query parameters
-
ids
array[string] Required The cases that you want to removed. All non-ASCII characters must be URL encoded.
DELETE
/api/cases
curl \
--request DELETE 'http://localhost:5622/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Search cases
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Query parameters
-
assignees
string | array[string] Filters the returned cases by assignees. Valid values are
noneor unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. -
category
string | array[string] Filters the returned cases by category.
-
defaultSearchOperator
string he default operator to use for the simple_query_string.
Default value is
OR. -
from
string Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
-
page
integer The page number to return.
Default value is
1. -
perPage
integer The number of items to return. Limited to 100 items.
Maximum value is
100. Default value is20. -
reporters
string | array[string] Filters the returned cases by the user name of the reporter.
-
search
string An Elasticsearch simple_query_string query that filters the objects in the response.
-
searchFields
string | array[string] The fields to perform the simple_query_string parsed query against.
-
severity
string The severity of the case.
Values are
critical,high,low, ormedium. -
sortField
string Determines which field is used to sort the results.
Values are
createdAt,updatedAt,closedAt,title,category,status, orseverity. Default value iscreatedAt. -
sortOrder
string Determines the sort order.
Values are
ascordesc. Default value isdesc. -
status
string Filters the returned cases by state.
Values are
closed,in-progress, oropen. -
to
string Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
GET
/api/cases/_find
curl \
--request GET 'http://localhost:5622/api/cases/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"page": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"tags": [
"tag-1"
],
"owner": "cases",
"title": "Case title",
"status": "open",
"version": "WzExMCwxXQ==",
"category": null,
"comments": [],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-12T00:16:36.371Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-12T00:27:58.162Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "Case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}
],
"total": 1,
"per_page": 5,
"count_open_cases": 1,
"count_closed_cases": 0,
"count_in_progress_cases": 0
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case information
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
GET
/api/cases/{caseId}
curl \
--request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414' \
--header "Authorization: $API_KEY"
Response examples (200)
Retrieves information about a case including its comments.
{
"id": "31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzM2LDFd",
"category": null,
"comments": [
{
"id": "2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzM3LDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-13T15:40:32.335Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": true
},
"severity": "low",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-10-13T15:33:50.604Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2023-10-13T15:40:32.335Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "My field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": null
}
],
"totalComment": 1,
"external_service": null
}{
"id": "c3ff7550-def1-4e90-b6bc-c9969a4a09b1",
"tags": [
"observability",
"tag 1"
],
"owner": "observability",
"title": "Observability case title 1",
"status": "in-progress",
"version": "WzI0NywyXQ==",
"category": null,
"comments": [
{
"id": "59d438d0-79a9-4864-8d4b-e63adacebf6e",
"rule": {
"id": "03e4eb87-62ca-4e5d-9570-3d7625e9669d",
"name": "Observability rule"
},
"type": "alert",
"index": [
".internal.alerts-observability.logs.alerts-default-000001"
],
"owner": "observability",
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"version": "WzY3LDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
},
{
"id": "d99342d3-3aa3-4b80-90ec-a702607604f5",
"type": "user",
"owner": "observability",
"comment": "The first comment.",
"version": "WzcyLDJd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-11-06T19:29:57.812Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2023-11-06T19:29:04.086Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": "2023-11-06T19:47:55.662Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "An Observability case description.",
"totalAlerts": 1,
"customFields": [],
"totalComment": 1,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Add a case comment or alert
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
Body
object
Required
The add comment to case API request body varies depending on whether you are adding an alert or a comment.
Defines properties for case comment requests when type is alert.
alertId
string | array[string] Required The alert identifiers. It is required only when
typeisalert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule;indexmust also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.index
string | array[string] Required The alert indices. It is required only when
typeisalert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in thealertIdarray. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.-
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases,observability, orsecuritySolution. -
rule
object Required Technical preview The rule that is associated with the alerts. It is required only when
typeisalert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. -
type
string Required Discriminator The type of comment.
Value is
alert.
POST
/api/cases/{caseId}/comments
curl \
--request POST 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"type":"user","owner":"cases","comment":"A new comment."}'
Request example
{
"type": "user",
"owner": "cases",
"comment": "A new comment."
}
Response examples (200)
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Find case comments and alerts
Retrieves a paginated list of comments for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
GET
/api/cases/{caseId}/comments/_find
curl \
--request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"assignees": [
{
"uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
],
"category": "string",
"closed_at": "2025-05-04T09:42:00Z",
"closed_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"comments": [
{
"alertId": [
"a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
],
"created_at": "2023-11-06T19:29:38.424Z",
"created_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"id": "73362370-ab1a-11ec-985f-97e55adae8b9",
"index": [
".internal.alerts-security.alerts-default-000001"
],
"owner": "cases",
"pushed_at": "2025-05-04T09:42:00Z",
"pushed_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"rule": {
"id": "94d80550-aaf4-11ec-985f-97e55adae8b9",
"name": "security_rule"
},
"type": "alert",
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"version": "WzMwNDgsMV0="
}
],
"connector": {
"fields": "string",
"id": "none",
"name": "none",
"type": ".none"
},
"created_at": "2022-05-13T09:16:17.416Z",
"created_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"customFields": [
{
"key": "string",
"type": "text",
"value": "string"
}
],
"description": "A case description.",
"duration": 120,
"external_service": {
"connector_id": "string",
"connector_name": "string",
"external_id": "string",
"external_title": "string",
"external_url": "string",
"pushed_at": "2025-05-04T09:42:00Z",
"pushed_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
}
},
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"owner": "cases",
"settings": {
"syncAlerts": true
},
"severity": "low",
"status": "closed",
"tags": [
"tag-1"
],
"title": "Case title 1",
"totalAlerts": 0,
"totalComment": 0,
"updated_at": "2025-05-04T09:42:00Z",
"updated_by": {
"email": "string",
"full_name": "string",
"profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
"username": "elastic"
},
"version": "WzUzMiwxXQ=="
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get a case comment or alert
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.
GET
/api/cases/{caseId}/comments/{commentId}
curl \
--request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"id": "8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
"type": "user",
"owner": "cases",
"comment": "A new comment",
"version": "WzIzLDFd",
"pushed_at": null,
"pushed_by": null,
"created_at": "2023-10-07T19:32:13.104Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Delete a case comment or alert
You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.
DELETE
/api/cases/{caseId}/comments/{commentId}
curl \
--request DELETE 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: string"
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Attach a file to a case
Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:
- The
Content-Type: multipart/form-dataHTTP header. - The location of the file that is being uploaded.
Path parameters
-
caseId
string Required The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
POST
/api/cases/{caseId}/files
curl \
--request POST 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \
--header "Authorization: $API_KEY" \
--header "Content-Type: multipart/form-data" \
--header "kbn-xsrf: string" \
--form "file=@file" \
--form "filename=string"
Response examples (200)
{
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"tags": [
"tag 1"
],
"owner": "cases",
"title": "Case title 1",
"status": "open",
"version": "WzIzMzgsMV0=",
"category": null,
"comments": [
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"version": "WzIwNDMxLDFd",
"created_at": "2022-10-02T00:49:47.716Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
}
}
],
"duration": null,
"settings": {
"syncAlerts": false
},
"severity": "low",
"assignees": [],
"closed_at": null,
"closed_by": null,
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": "2022-06-03T00:49:47.716Z",
"updated_by": {
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"description": "A case description.",
"totalAlerts": 0,
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Field value"
},
{
"key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
"type": "toggle",
"value": true
}
],
"totalComment": 1,
"external_service": null
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}
Get cases for an alert
Technical preview
You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
Path parameters
-
alertId
string Required An identifier for the alert.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/alerts/{alertId}
curl \
--request GET 'http://localhost:5622/api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
"title": "security_case"
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case settings
Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where the cases were created.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/configure
curl \
--request GET 'http://localhost:5622/api/cases/configure' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "856ee650-6c82-11ee-a20a-6164169afa58",
"error": null,
"owner": "cases",
"version": "WzEyLDNd",
"mappings": [],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"settings": {
"syncAlerts": false
},
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "Default text field value."
}
]
},
"description": "A description of the template."
}
],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": null,
"username": "elastic",
"full_name": null
},
"updated_at": null,
"updated_by": null,
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "Custom text field value."
}
]
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Add case settings
Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on where you are creating cases.
Body
-
closure_type
string Required Indicates whether a case is automatically closed when it is pushed to external systems (
close-by-pushing) or not automatically closed (close-by-user).Values are
close-by-pushingorclose-by-user. -
connector
object Required An object that contains the connector configuration.
-
customFields
array[object] Custom fields case configuration.
At least
0but not more than10elements. -
owner
string Required The application that owns the cases: Stack Management, Observability, or Elastic Security.
Values are
cases,observability, orsecuritySolution. -
templates
array[object] Technical preview
POST
/api/cases/configure
curl \
--request POST 'http://localhost:5622/api/cases/configure' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"owner":"cases","connector":{"id":"5e656730-e1ca-11ec-be9b-9b1838238ee6","name":"my-jira-connector","type":".jira","fields":null},"templates":[{"key":"505932fe-ee3a-4960-a661-c781b5acdb05","name":"template-1","tags":["Template tag 1"],"caseFields":{"tags":["Default case tag"],"title":"Default case title","category":"Default-category","assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],"description":"A default description for cases.","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","value":"A text field value for the template."}]},"description":"A description of the template."}],"closure_type":"close-by-user","customFields":[{"key":"d312efda-ec2b-42ec-9e2c-84981795c581","type":"text","label":"my-text-field","required":false,"defaultValue":"My custom field default value."}]}'
Request example
{
"owner": "cases",
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "A text field value for the template."
}
]
},
"description": "A description of the template."
}
],
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "My custom field default value."
}
]
}
Response examples (200)
{
"id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6",
"error": null,
"owner": "cases",
"version": "WzIwNzMsMV0=",
"mappings": [
{
"source": "title",
"target": "summary",
"action_type": "overwrite"
},
{
"source": "description",
"target": "description",
"action_type": "overwrite"
},
{
"source": "comments",
"target": "comments",
"action_type": "append"
},
{
"source": "tags",
"target": "labels",
"action_type": "overwrite"
}
],
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"templates": [
{
"key": "505932fe-ee3a-4960-a661-c781b5acdb05",
"name": "template-1",
"tags": [
"Template tag 1"
],
"caseFields": {
"tags": [
"Default case tag"
],
"title": "Default case title",
"category": "Default-category",
"assignees": [
{
"uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
}
],
"description": "A default description for cases.",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"value": "A text field value for the template."
}
]
},
"description": "A description of the template."
}
],
"created_at": "2024-07-01T17:07:17.767Z",
"created_by": {
"email": "null,",
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
"updated_at": null,
"updated_by": null,
"closure_type": "close-by-user",
"customFields": [
{
"key": "d312efda-ec2b-42ec-9e2c-84981795c581",
"type": "text",
"label": "my-text-field",
"required": false,
"defaultValue": "My custom field default value."
}
]
}
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case connectors
Get information about connectors that are supported for use in cases. You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.
GET
/api/cases/configure/connectors/_find
curl \
--request GET 'http://localhost:5622/api/cases/configure/connectors/_find' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "61787f53-4eee-4741-8df6-8fe84fa616f7",
"name": "my-Jira",
"config": {
"apiUrl": "https://elastic.atlassian.net/",
"projectKey": "ES"
},
"actionTypeId": ".jira",
"isDeprecated": false,
"isPreconfigured": false,
"isMissingSecrets": false,
"referencedByCount": 0
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case creators
Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.
Query parameters
-
owner
string | array[string] A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
GET
/api/cases/reporters
curl \
--request GET 'http://localhost:5622/api/cases/reporters' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"email": null,
"username": "elastic",
"full_name": null,
"profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
},
{
"email": "jdoe@example.com",
"username": "jdoe",
"full_name": "Jane Doe",
"profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
}
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Get case tags
Aggregates and returns a list of case tags. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're seeking.
GET
/api/cases/tags
curl \
--request GET 'http://localhost:5622/api/cases/tags' \
--header "Authorization: $API_KEY"
Response examples (200)
[
"observability",
"security",
"tag 1",
"tag 2"
]
Response examples (401)
{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}Connectors
Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
Get connector types
You do not need any Kibana feature privileges to run this API.
Query parameters
-
feature_id
string A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
GET
/api/actions/connector_types
curl \
--request GET 'http://localhost:5622/api/actions/connector_types' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": ".gen-ai",
"name": "OpenAI",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".bedrock",
"name": "AWS Bedrock",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity",
"generativeAIForObservability",
"generativeAIForSearchPlayground"
],
"minimum_license_required": "enterprise"
},
{
"id": ".gemini",
"name": "Google Gemini",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"is_system_action_type": false,
"supported_feature_ids": [
"generativeAIForSecurity"
],
"minimum_license_required": "enterprise"
}
]Delete a connector
WARNING: When you delete a connector, it cannot be recovered.
Path parameters
-
id
string Required An identifier for the connector.
DELETE
/api/actions/connector/{id}
curl \
--request DELETE 'http://localhost:5622/api/actions/connector/{id}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"Run a connector
You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
Path parameters
-
id
string Required An identifier for the connector.
Body
params
object Required One of: run_acknowledge_resolve_pagerdutyobject run_documentsobject run_message_emailobject run_message_serverlogobject run_message_slackobject run_trigger_pagerdutyobject run_addeventobject run_closealertobject run_closeincidentobject run_createalertobject run_fieldsbyissuetypeobject run_getchoicesobject run_getfieldsobject run_getincidentobject run_issueobject run_issuesobject run_issuetypesobject run_postmessageobject run_pushtoserviceobject run_validchannelidobject Test an action that acknowledges or resolves a PagerDuty alert.
POST
/api/actions/connector/{id}/_execute
curl \
--request POST 'http://localhost:5622/api/actions/connector/{id}/_execute' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"params":{"documents":[{"id":"my_doc_id","name":"my_doc_name","message":"hello, world"}]}}'
Request examples
Run an index connector.
{
"params": {
"documents": [
{
"id": "my_doc_id",
"name": "my_doc_name",
"message": "hello, world"
}
]
}
}{
"params": {
"subAction": "issueTypes"
}
}{
"params": {
"subAction": "getChoices",
"subActionParams": {
"fields": [
"severity",
"urgency"
]
}
}
}{
"params": {
"subAction": "postMessage",
"subActionParams": {
"text": "A test message.",
"channelIds": [
"C123ABC456"
]
}
}
}{
"params": {
"subAction": "pushToService",
"subActionParams": {
"comments": [
{
"comment": "A comment about the incident.",
"commentId": 1
}
],
"incident": {
"caseId": "1000",
"caseName": "Case name",
"description": "Description of the incident."
}
}
}
}
Response examples (200)
Response from running an index connector.
{
"data": {
"took": 135,
"items": [
{
"create": {
"_id": "4JtvwYUBrcyxt2NnfW3y",
"_index": "my-index",
"result": "created",
"status": 201,
"_seq_no": 0,
"_shards": {
"total": 2,
"failed": 0,
"successful": 1
},
"_version": 1,
"_primary_term": 1
}
}
],
"errors": false
},
"status": "ok",
"connector_id": "fd38c600-96a5-11ed-bb79-353b74189cba"
}{
"data": [
{
"id": 10024,
"name": "Improvement"
},
{
"id": 10006,
"name": "Task"
},
{
"id": 10007,
"name": "Sub-task"
},
{
"id": 10025,
"name": "New Feature"
},
{
"id": 10023,
"name": "Bug"
},
{
"id": 10000,
"name": "Epic"
}
],
"status": "ok",
"connector_id": "b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}{
"status": "ok",
"connector_id": "7fc7b9a0-ecc9-11ec-8736-e7d63118c907"
}{
"data": [
{
"label": "Critical",
"value": 1,
"element": "severity",
"dependent_value": ""
},
{
"label": "Major",
"value": 2,
"element": "severity",
"dependent_value": ""
},
{
"label": "Minor",
"value": 3,
"element": "severity",
"dependent_value": ""
},
{
"label": "Warning",
"value": 4,
"element": "severity",
"dependent_value": ""
},
{
"label": "OK",
"value": 5,
"element": "severity",
"dependent_value": ""
},
{
"label": "Clear",
"value": 0,
"element": "severity",
"dependent_value": ""
},
{
"label": "1 - High",
"value": 1,
"element": "urgency",
"dependent_value": ""
},
{
"label": "2 - Medium",
"value": 2,
"element": "urgency",
"dependent_value": ""
},
{
"label": "3 - Low",
"value": 3,
"element": "urgency",
"dependent_value": ""
}
],
"status": "ok",
"connector_id": "9d9be270-2fd2-11ed-b0e0-87533c532698"
}{
"data": {
"ok": true,
"ts": "1234567890.123456",
"channel": "C123ABC456",
"message": {
"ts": "1234567890.123456",
"team": "T01ABCDE2F",
"text": "A test message",
"type": "message",
"user": "U12A345BC6D",
"app_id": "A01BC2D34EF",
"blocks": [
{
"type": "rich_text",
"block_id": "/NXe",
"elements": [
{
"type": "rich_text_section",
"elements": [
{
"text": "A test message.",
"type": "text"
}
]
}
]
}
],
"bot_id": "B12BCDEFGHI",
"bot_profile": {
"id": "B12BCDEFGHI",
"name": "test",
"icons": {
"image_36": "https://a.slack-edge.com/80588/img/plugins/app/bot_36.png"
},
"app_id": "A01BC2D34EF",
"deleted": false,
"team_id": "T01ABCDE2F",
"updated": 1672169705
}
}
},
"status": "ok",
"connector_id": ".slack_api"
}{
"data": {
"id": "aKPmBHWzmdRQtx6Mx",
"url": "https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx",
"title": "TEST-457",
"comments": [
{
"commentId": 1,
"pushedDate": "2022-09-08T16:52:27.865Z"
}
],
"pushedDate": "2022-09-08T16:52:27.866Z"
},
"status": "ok",
"connector_id": "a4746470-2f94-11ed-b0e0-87533c532698"
}
GET
/api/actions/connectors
curl \
--request GET 'http://localhost:5622/api/actions/connectors' \
--header "Authorization: $API_KEY"
Response examples (200)
[
{
"id": "preconfigured-email-connector",
"name": "my-preconfigured-email-notification",
"is_deprecated": false,
"is_preconfigured": true,
"is_system_action": false,
"connector_type_id": ".email",
"referenced_by_count": 0
},
{
"id": "e07d0c80-8b8b-11ed-a780-3b746c987a81",
"name": "my-index-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_deprecated": false,
"is_preconfigured": false,
"is_system_action": false,
"connector_type_id": ".index",
"is_missing_secrets": false,
"referenced_by_count": 2
}
]
Get a list of dashboards
Technical Preview
This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
GET
/api/dashboards/dashboard
curl \
--request GET 'http://localhost:5622/api/dashboards/dashboard' \
--header "Authorization: $API_KEY"
Response examples (200)
{
"items": [
{
"attributes": {
"description": "",
"timeRestore": false,
"title": "string"
},
"createdAt": "string",
"createdBy": "string",
"error": {
"error": "string",
"message": "string",
"metadata": {},
"statusCode": 42.0
},
"id": "string",
"managed": true,
"namespaces": [
"string"
],
"originId": "string",
"references": [
{
"id": "string",
"name": "string",
"type": "string"
}
],
"type": "string",
"updatedAt": "string",
"updatedBy": "string",
"version": "string"
}
],
"total": 42.0
}