Get the alerting framework health

GET /api/alerting/_health
Api key auth Basic auth

You must have read privileges for the Management > Stack Rules feature or for at least one of the Analytics > Discover, Analytics > Machine Learning, Observability, or Security features.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • alerting_framework_health object

      Three substates identify the health of the alerting framework: decryption_health, execution_health, and read_health.

      Hide alerting_framework_health attributes Show alerting_framework_health attributes object
      • decryption_health object

        The timestamp and status of the rule decryption.

        Hide decryption_health attributes Show decryption_health attributes object
      • execution_health object

        The timestamp and status of the rule run.

        Hide execution_health attributes Show execution_health attributes object
      • read_health object

        The timestamp and status of the rule reading events.

        Hide read_health attributes Show read_health attributes object
    • has_permanent_encryption_key boolean

      If false, the encrypted saved object plugin does not have a permanent encryption key.

    • is_sufficiently_secure boolean

      If false, security is enabled but TLS is not.
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/_health 
curl \
 --request GET 'http://localhost:5622/api/alerting/_health' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "is_sufficiently_secure": true,
  "alerting_framework_health": {
    "read_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "execution_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    },
    "decryption_health": {
      "status": "ok",
      "timestamp": "2023-01-13T01:28:00.280Z"
    }
  },
  "has_permanent_encryption_key": true
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get the rule types

GET /api/alerting/rule_types
Api key auth Basic auth

If you have read privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability features, and Security features. To get rule types associated with the Stack Monitoring feature, use the monitoring_user built-in role.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action_groups array[object]

      An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid.

      Hide action_groups attributes Show action_groups attributes object
    • action_variables object

      A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors.

      Hide action_variables attributes Show action_variables attributes object
    • alerts object

      Details for writing alerts as data documents for this rule type.

      Hide alerts attributes Show alerts attributes object
      • context string

        The namespace for this rule type.

        Values are ml.anomaly-detection, observability.apm, observability.logs, observability.metrics, observability.slo, observability.threshold, observability.uptime, security, or stack.

      • dynamic string

        Indicates whether new fields are added dynamically.

        Values are false, runtime, strict, or true.

      • isSpaceAware boolean

        Indicates whether the alerts are space-aware. If true, space-specific alert indices are used.

      • mappings object
        Hide mappings attribute Show mappings attribute object
        • fieldMap object

          Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation.

          Hide fieldMap attribute Show fieldMap attribute object
          • * object Additional properties
            Hide * attributes Show * attributes object
            • array boolean

              Indicates whether the field is an array.

            • dynamic boolean

              Indicates whether it is a dynamic field mapping.

            • format string

              Indicates the format of the field. For example, if the type is date_range, the format can be epoch_millis||strict_date_optional_time.

            • ignore_above integer

              Specifies the maximum length of a string field. Longer strings are not indexed or stored.

            • index boolean

              Indicates whether field values are indexed.

            • path string

              TBD

            • properties object

              Details about the object properties. This property is applicable when type is object.

              Hide properties attribute Show properties attribute object
              • * object Additional properties
                Hide * attribute Show * attribute object
                • type string

                  The data type for each object property.

            • required boolean

              Indicates whether the field is required.

            • scaling_factor integer

              The scaling factor to use when encoding values. This property is applicable when type is scaled_float. Values will be multiplied by this factor at index time and rounded to the closest long value.

            • type string

              Specifies the data type for the field.

      • secondaryAlias string

        A secondary alias. It is typically used to support the signals alias for detection rules.

      • shouldWrite boolean

        Indicates whether the rule should write out alerts as data.

      • useEcs boolean

        Indicates whether to include the ECS component template for the alerts.

      • useLegacyAlerts boolean

        Indicates whether to include the legacy component template for the alerts.

        Default value is false.

    • authorized_consumers object

      The list of the plugins IDs that have access to the rule type.

      Hide authorized_consumers attributes Show authorized_consumers attributes object
    • category string

      The rule category, which is used by features such as category-specific maintenance windows.

      Values are management, observability, or securitySolution.

    • default_action_group_id string

      The default identifier for the rule type group.

    • does_set_recovery_context boolean

      Indicates whether the rule passes context variables to its recovery action.

    • enabled_in_license boolean

      Indicates whether the rule type is enabled or disabled based on the subscription.

    • has_alerts_mappings boolean

      Indicates whether the rule type has custom mappings for the alert data.

    • has_fields_for_a_a_d boolean
    • id string

      The unique identifier for the rule type.

    • is_exportable boolean

      Indicates whether the rule type is exportable in Stack Management > Saved Objects.

    • minimum_license_required string

      The subscriptions required to use the rule type.

    • name string

      The descriptive name of the rule type.

    • producer string

      An identifier for the application that produces this rule type.

    • recovery_action_group object

      An action group to use when an alert goes from an active state to an inactive one.

      Hide recovery_action_group attributes Show recovery_action_group attributes object
    • rule_task_timeout string
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/alerting/rule_types 
curl \
 --request GET 'http://localhost:5622/api/alerting/rule_types' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "id": "xpack.ml.anomaly_detection_alert",
    "name": "Anomaly detection alert",
    "alerts": {
      "context": "ml.anomaly-detection",
      "mappings": {
        "fieldMap": {
          "kibana.alert.job_id": {
            "type": "keyword",
            "array": false,
            "required": true
          },
          "kibana.alert.is_interim": {
            "type": "boolean",
            "array": false,
            "required": false
          },
          "kibana.alert.top_records": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "actual": {
                "type": "double"
              },
              "job_id": {
                "type": "keyword"
              },
              "typical": {
                "type": "double"
              },
              "function": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "field_name": {
                "type": "keyword"
              },
              "is_interim": {
                "type": "boolean"
              },
              "record_score": {
                "type": "double"
              },
              "by_field_name": {
                "type": "keyword"
              },
              "by_field_value": {
                "type": "keyword"
              },
              "detector_index": {
                "type": "integer"
              },
              "over_field_name": {
                "type": "keyword"
              },
              "over_field_value": {
                "type": "keyword"
              },
              "initial_record_score": {
                "type": "double"
              },
              "partition_field_name": {
                "type": "keyword"
              },
              "partition_field_value": {
                "type": "keyword"
              }
            }
          },
          "kibana.alert.anomaly_score": {
            "type": "double",
            "array": false,
            "required": false
          },
          "kibana.alert.top_influencers": {
            "type": "object",
            "array": true,
            "dynamic": false,
            "required": false,
            "properties": {
              "job_id": {
                "type": "keyword"
              },
              "timestamp": {
                "type": "date"
              },
              "is_interim": {
                "type": "boolean"
              },
              "influencer_score": {
                "type": "double"
              },
              "influencer_field_name": {
                "type": "keyword"
              },
              "influencer_field_value": {
                "type": "keyword"
              },
              "initial_influencer_score": {
                "type": "double"
              }
            }
          },
          "kibana.alert.anomaly_timestamp": {
            "type": "date",
            "array": false,
            "required": false
          }
        }
      },
      "shouldWrite": true
    },
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_score_match",
        "name": "Anomaly score matched the condition"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "timestamp",
          "description": "The bucket timestamp of the anomaly"
        },
        {
          "name": "timestampIso8601",
          "description": "The bucket time of the anomaly in ISO8601 format"
        },
        {
          "name": "jobIds",
          "description": "List of job IDs that triggered the alert"
        },
        {
          "name": "message",
          "description": "Alert info message"
        },
        {
          "name": "isInterim",
          "description": "Indicate if top hits contain interim results"
        },
        {
          "name": "score",
          "description": "Anomaly score at the time of the notification action"
        },
        {
          "name": "topRecords",
          "description": "Top records"
        },
        {
          "name": "topInfluencers",
          "description": "Top influencers"
        },
        {
          "name": "anomalyExplorerUrl",
          "description": "URL to open in the Anomaly Explorer",
          "useWithTripleBracesInTemplates": true
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": true,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_score_match",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  },
  {
    "id": "xpack.ml.anomaly_detection_jobs_health",
    "name": "Anomaly detection jobs health",
    "category": "management",
    "producer": "ml",
    "action_groups": [
      {
        "id": "anomaly_detection_realtime_issue",
        "name": "Issue detected"
      },
      {
        "id": "recovered",
        "name": "Recovered"
      }
    ],
    "is_exportable": true,
    "action_variables": {
      "state": [],
      "params": [],
      "context": [
        {
          "name": "results",
          "description": "Results of the rule execution"
        },
        {
          "name": "message",
          "description": "Alert info message"
        }
      ]
    },
    "rule_task_timeout": "5m",
    "enabled_in_license": true,
    "has_alerts_mappings": false,
    "authorized_consumers": {
      "ml": {
        "all": true,
        "read": true
      },
      "apm": {
        "all": true,
        "read": true
      },
      "slo": {
        "all": true,
        "read": true
      },
      "logs": {
        "all": true,
        "read": true
      },
      "siem": {
        "all": true,
        "read": true
      },
      "alerts": {
        "all": true,
        "read": true
      },
      "uptime": {
        "all": true,
        "read": true
      },
      "discover": {
        "all": true,
        "read": true
      },
      "monitoring": {
        "all": true,
        "read": true
      },
      "stackAlerts": {
        "all": true,
        "read": true
      },
      "infrastructure": {
        "all": true,
        "read": true
      }
    },
    "has_fields_for_a_a_d": false,
    "recovery_action_group": {
      "id": "recovered",
      "name": "Recovered"
    },
    "default_action_group_id": "anomaly_detection_realtime_issue",
    "minimum_license_required": "platinum",
    "does_set_recovery_context": true
  }
]
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get rule details

GET /api/alerting/rule/{id}
Api key auth Basic auth

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

GET /api/alerting/rule/{id} 
curl \
 --request GET 'http://localhost:5622/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "actions": [
    {
      "alerts_filter": {
        "query": {
          "dsl": "string",
          "filters": [
            {
              "$state": {
                "store": "appState"
              },
              "meta": {},
              "query": {}
            }
          ],
          "kql": "string"
        },
        "timeframe": {
          "days": [
            1
          ],
          "hours": {
            "end": "string",
            "start": "string"
          },
          "timezone": "string"
        }
      },
      "connector_type_id": "string",
      "frequency": {
        "notify_when": "onActionGroupChange",
        "summary": true,
        "throttle": "string"
      },
      "group": "string",
      "id": "string",
      "params": {},
      "use_alert_data_for_template": true,
      "uuid": "string"
    }
  ],
  "active_snoozes": [
    "string"
  ],
  "alert_delay": {
    "active": 42.0
  },
  "api_key_created_by_user": true,
  "api_key_owner": "string",
  "consumer": "string",
  "created_at": "string",
  "created_by": "string",
  "enabled": true,
  "execution_status": {
    "error": {
      "message": "string",
      "reason": "read"
    },
    "last_duration": 42.0,
    "last_execution_date": "string",
    "status": "ok",
    "warning": {
      "message": "string",
      "reason": "maxExecutableActions"
    }
  },
  "flapping": {
    "look_back_window": 42.0,
    "status_change_threshold": 42.0
  },
  "id": "string",
  "is_snoozed_until": "string",
  "last_run": {
    "alerts_count": {
      "active": 42.0,
      "ignored": 42.0,
      "new": 42.0,
      "recovered": 42.0
    },
    "outcome": "succeeded",
    "outcome_msg": [
      "string"
    ],
    "outcome_order": 42.0,
    "warning": "read"
  },
  "mapped_params": {},
  "monitoring": {
    "run": {
      "calculated_metrics": {
        "p50": 42.0,
        "p95": 42.0,
        "p99": 42.0,
        "success_ratio": 42.0
      },
      "history": [
        {
          "duration": 42.0,
          "outcome": "succeeded",
          "success": true,
          "timestamp": 42.0
        }
      ],
      "last_run": {
        "metrics": {
          "duration": 42.0,
          "gap_duration_s": 42.0,
          "gap_range": {
            "gte": "string",
            "lte": "string"
          },
          "total_alerts_created": 42.0,
          "total_alerts_detected": 42.0,
          "total_indexing_duration_ms": 42.0,
          "total_search_duration_ms": 42.0
        },
        "timestamp": "string"
      }
    }
  },
  "mute_all": true,
  "muted_alert_ids": [
    "string"
  ],
  "name": "string",
  "next_run": "string",
  "notify_when": "onActionGroupChange",
  "params": {},
  "revision": 42.0,
  "rule_type_id": "string",
  "running": true,
  "schedule": {
    "interval": "string"
  },
  "scheduled_task_id": "string",
  "snooze_schedule": [
    {
      "duration": 42.0,
      "id": "string",
      "rRule": {
        "byhour": [
          42.0
        ],
        "byminute": [
          42.0
        ],
        "bymonth": [
          42.0
        ],
        "bymonthday": [
          42.0
        ],
        "bysecond": [
          42.0
        ],
        "bysetpos": [
          42.0
        ],
        "byweekday": [
          "string"
        ],
        "byweekno": [
          42.0
        ],
        "byyearday": [
          42.0
        ],
        "count": 42.0,
        "dtstart": "string",
        "freq": 0,
        "interval": 42.0,
        "tzid": "string",
        "until": "string",
        "wkst": "MO"
      },
      "skipRecurrences": [
        "string"
      ]
    }
  ],
  "tags": [
    "string"
  ],
  "throttle": "string",
  "updated_at": "string",
  "updated_by": "string",
  "view_in_app_relative_url": "string"
}

Mute all alerts

POST /api/alerting/rule/{id}/_mute_all
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_mute_all 
curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{id}/_mute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all 
curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{id}/_unmute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute 
curl \
 --request POST 'http://localhost:5622/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get information about rules

GET /api/alerting/rules/_find
Api key auth Basic auth

Query parameters

  • per_page number

    The number of rules to return per page.

    Minimum value is 0. Default value is 10.

  • page number

    The page number to return.

    Minimum value is 1. Default value is 1.

  • default_search_operator string

    The default operator to use for the simple_query_string.

    Values are OR or AND. Default value is OR.

  • search_fields array[string] | string

    The fields to perform the simple_query_string parsed query against.

  • sort_field string

    Determines which field is used to sort the results. The field must exist in the attributes key of the response.

  • sort_order string

    Determines the sort order.

    Values are asc or desc.

  • has_reference object | null

    Filters the rules that have a relation with the reference objects with a specific type and identifier.

    Additional properties are NOT allowed.

    Hide has_reference attributes Show has_reference attributes object | null
  • fields array[string]

    The fields to return in the attributes key of the response.

  • filter string

    A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.

  • filter_consumers array[string]

    List of consumers to filter.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • actions array[object] Required
      Hide actions attributes Show actions attributes object
      • alerts_filter object

        Defines a period that limits whether the action runs.

        Additional properties are NOT allowed.

        Hide alerts_filter attributes Show alerts_filter attributes object
        • query object

          Additional properties are NOT allowed.

          Hide query attributes Show query attributes object
          • dsl string

            A filter written in Elasticsearch Query Domain Specific Language (DSL).

          • filters array[object] Required

            A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.

            Hide filters attributes Show filters attributes object
            • $state object

              Additional properties are NOT allowed.

              Hide $state attribute Show $state attribute object
              • store string Required

                A filter can be either specific to an application context or applied globally.

                Values are appState or globalState.

            • meta object Required

              Additional properties are allowed.

            • query object

              Additional properties are allowed.

          • kql string Required

            A filter written in Kibana Query Language (KQL).

        • timeframe object

          Additional properties are NOT allowed.

          Hide timeframe attributes Show timeframe attributes object
          • days array[integer] Required

            Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.

            Values are 1, 2, 3, 4, 5, 6, or 7.

          • hours object Required

            Additional properties are NOT allowed.

            Hide hours attributes Show hours attributes object
            • end string Required

              The end of the time frame in 24-hour notation (hh:mm).

            • start string Required

              The start of the time frame in 24-hour notation (hh:mm).

          • timezone string Required

            The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.

      • connector_type_id string Required

        The type of connector. This property appears in responses but cannot be set in requests.

      • frequency object

        Additional properties are NOT allowed.

        Hide frequency attributes Show frequency attributes object
        • notify_when string Required

          Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

          Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

        • summary boolean Required

          Indicates whether the action is a summary.

        • throttle string | null Required

          The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      • group string

        The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.

      • id string Required

        The identifier for the connector saved object.

      • params object Required

        The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.

        Additional properties are allowed.

      • use_alert_data_for_template boolean

        Indicates whether to use alert data as a template.

      • uuid string

        A universally unique identifier (UUID) for the action.

    • active_snoozes array[string]

      List of active snoozes for the rule.

    • alert_delay object

      Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

      Additional properties are NOT allowed.

      Hide alert_delay attribute Show alert_delay attribute object
      • active number Required

        The number of consecutive runs that must meet the rule conditions.

    • api_key_created_by_user boolean | null

      Indicates whether the API key that is associated with the rule was created by the user.

    • api_key_owner string | null Required

      The owner of the API key that is associated with the rule and used to run background tasks.

    • consumer string Required

      The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.

    • created_at string Required

      The date and time that the rule was created.

    • created_by string | null Required

      The identifier for the user that created the rule.

    • enabled boolean Required

      Indicates whether you want to run the rule on an interval basis after it is created.

    • execution_status object Required

      Additional properties are NOT allowed.

      Hide execution_status attributes Show execution_status attributes object
      • error object

        Additional properties are NOT allowed.

        Hide error attributes Show error attributes object
        • message string Required

          Error message.

        • reason string Required

          Reason for error.

          Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.

      • last_duration number

        Duration of last execution of the rule.

      • last_execution_date string Required

        The date and time when rule was executed last.

      • status string Required

        Status of rule execution.

        Values are ok, active, error, warning, pending, or unknown.

      • warning object

        Additional properties are NOT allowed.

        Hide warning attributes Show warning attributes object
        • message string Required

          Warning message.

        • reason string Required

          Reason for warning.

          Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • flapping object | null

      When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

      Additional properties are NOT allowed.

      Hide flapping attributes Show flapping attributes object | null
      • look_back_window number Required

        The minimum number of runs in which the threshold must be met.

        Minimum value is 2, maximum value is 20.

      • status_change_threshold number Required

        The minimum number of times an alert must switch states in the look back window.

        Minimum value is 2, maximum value is 20.

    • id string Required

      The identifier for the rule.

    • is_snoozed_until string | null

      The date when the rule will no longer be snoozed.

    • last_run object | null

      Additional properties are NOT allowed.

      Hide last_run attributes Show last_run attributes object | null
      • alerts_count object Required

        Additional properties are NOT allowed.

        Hide alerts_count attributes Show alerts_count attributes object
        • active number | null

          Number of active alerts during last run.

        • ignored number | null

          Number of ignored alerts during last run.

        • new number | null

          Number of new alerts during last run.

        • recovered number | null

          Number of recovered alerts during last run.

      • outcome string Required

        Outcome of last run of the rule. Value could be succeeded, warning or failed.

        Values are succeeded, warning, or failed.

      • outcome_msg array[string] | null

        Outcome message generated during last rule run.

      • outcome_order number

        Order of the outcome.

      • warning string | null

        Warning of last rule execution.

        Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.

    • mapped_params object

      Additional properties are allowed.

    • monitoring object

      Monitoring details of the rule.

      Additional properties are NOT allowed.

      Hide monitoring attribute Show monitoring attribute object
      • run object Required

        Rule run details.

        Additional properties are NOT allowed.

        Hide run attributes Show run attributes object
        • calculated_metrics object Required

          Calculation of different percentiles and success ratio.

          Additional properties are NOT allowed.

          Hide calculated_metrics attributes Show calculated_metrics attributes object
        • history array[object] Required

          History of the rule run.

          Hide history attributes Show history attributes object
          • duration number

            Duration of the rule run.

          • outcome string

            Outcome of last run of the rule. Value could be succeeded, warning or failed.

            Values are succeeded, warning, or failed.

          • success boolean Required

            Indicates whether the rule run was successful.

          • timestamp number Required

            Time of rule run.

        • last_run object Required

          Additional properties are NOT allowed.

          Hide last_run attributes Show last_run attributes object
          • metrics object Required

            Additional properties are NOT allowed.

            Hide metrics attributes Show metrics attributes object
            • duration number

              Duration of most recent rule run.

            • gap_duration_s number | null

              Duration in seconds of rule run gap.

            • gap_range object | null

              Additional properties are NOT allowed.

              Hide gap_range attributes Show gap_range attributes object | null
              • gte string Required

                End of the gap range.

              • lte string Required

                Start of the gap range.

            • total_alerts_created number | null

              Total number of alerts created during last rule run.

            • total_alerts_detected number | null

              Total number of alerts detected during last rule run.

            • total_indexing_duration_ms number | null

              Total time spent indexing documents during last rule run in milliseconds.

            • total_search_duration_ms number | null

              Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.

          • timestamp string Required

            Time of the most recent rule run.

    • mute_all boolean Required

      Indicates whether all alerts are muted.

    • muted_alert_ids array[string] Required

      List of identifiers of muted alerts.

    • name string Required

      The name of the rule.

    • next_run string | null

      Date and time of the next run of the rule.

    • notify_when string | null

      Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

      Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.

    • params object Required

      The parameters for the rule.

      Additional properties are allowed.

    • revision number Required

      The rule revision number.

    • rule_type_id string Required

      The rule type identifier.

    • running boolean | null

      Indicates whether the rule is running.

    • schedule object Required

      Additional properties are NOT allowed.

      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The interval is specified in seconds, minutes, hours, or days.

    • scheduled_task_id string

      Identifier of the scheduled task.

    • snooze_schedule array[object]
      Hide snooze_schedule attributes Show snooze_schedule attributes object
      • duration number Required

        Duration of the rule snooze schedule.

      • id string

        Identifier of the rule snooze schedule.

      • rRule object Required

        Additional properties are NOT allowed.

        Hide rRule attributes Show rRule attributes object
        • byhour array[number] | null

          Indicates hours of the day to recur.

        • byminute array[number] | null

          Indicates minutes of the hour to recur.

        • bymonth array[number] | null

          Indicates months of the year that this rule should recur.

        • bymonthday array[number] | null

          Indicates the days of the month to recur.

        • bysecond array[number] | null

          Indicates seconds of the day to recur.

        • bysetpos array[number] | null

          A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.

        • byweekday array[string | number] | null

          Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.

        • byweekno array[number] | null

          Indicates number of the week hours to recur.

        • byyearday array[number] | null

          Indicates the days of the year that this rule should recur.

        • count number

          Number of times the rule should recur until it stops.

        • dtstart string Required

          Rule start date in Coordinated Universal Time (UTC).

        • freq integer

          Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.

          Values are 0, 1, 2, 3, 4, 5, or 6.

        • interval number

          Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.

        • tzid string Required

          Indicates timezone abbreviation.

        • until string

          Recur the rule until this date.

        • wkst string

          Indicates the start of week, defaults to Monday.

          Values are MO, TU, WE, TH, FR, SA, or SU.

      • skipRecurrences array[string]

        Skips recurrence of rule on this date.

    • tags array[string] Required

      The tags for the rule.

    • throttle string | null Deprecated

      Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

    • updated_at string Required

      The date and time that the rule was updated most recently.

    • updated_by string | null Required

      The identifier for the user that updated this rule most recently.

    • view_in_app_relative_url string | null

      Relative URL to view rule in the app.
  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

GET /api/alerting/rules/_find 
curl \
 --request GET 'http://localhost:5622/api/alerting/rules/_find' \
 --header "Authorization: $API_KEY"
Response examples (200)
A response that contains information about an index threshold rule. 
{
  "data": [
    {
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "name": "my alert",
      "tags": [
        "cpu"
      ],
      "params": {
        "index": [
          "test-index"
        ],
        "aggType": "avg",
        "groupBy": "top",
        "aggField": "sheet.version",
        "termSize": 6,
        "termField": "name.keyword",
        "threshold": [
          1000
        ],
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m",
        "thresholdComparator": ">"
      },
      "actions": [
        {
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "threshold met",
          "params": {
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
            "connector_type_id": ".server-log"
          },
          "frequency": {
            "summary": false,
            "throttle": null,
            "notify_when": "onActionGroupChange"
          }
        }
      ],
      "enabled": true,
      "consumer": "alerts",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": null,
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        }
      },
      "mute_all": false,
      "next_run": "2022-12-06T01:45:23.912Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic",
      "rule_type_id": ".index-threshold",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}
A response that contains information about a security rule that has conditional actions. 
{
  "data": [
    {
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "name": "security_rule",
      "tags": [],
      "params": {
        "to": "now",
        "from": "now-3660s",
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "type": "threshold",
        "index": [
          "kibana_sample_data_logs"
        ],
        "query": "*",
        "author": [],
        "ruleId": "an_internal_rule_id",
        "threat": [],
        "filters": [],
        "license": "",
        "version": 1,
        "language": "kuery",
        "severity": "low",
        "immutable": false,
        "riskScore": 21,
        "threshold": {
          "field": [
            "bytes"
          ],
          "value": 1,
          "cardinality": []
        },
        "maxSignals": 100,
        "references": [],
        "description": "A security threshold rule.",
        "outputIndex": "",
        "exceptionsList": [],
        "falsePositives": [],
        "severityMapping": [],
        "riskScoreMapping": []
      },
      "actions": [
        {
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "default",
          "params": {
            "documents": [
              {
                "rule_id": {
                  "[object Object]": null
                },
                "alert_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                }
              }
            ]
          },
          "frequency": {
            "summary": true,
            "throttle": null,
            "notify_when": "onActiveAlert"
          },
          "alerts_filter": {
            "query": {
              "kql": "",
              "filters": [
                {
                  "meta": {
                    "key": "client.geo.region_iso_code",
                    "alias": null,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "negate": false,
                    "params": {
                      "type": "phrase",
                      "query": "CA-QC"
                    },
                    "disabled": false
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  },
                  "$state": {
                    "store": "appState"
                  }
                }
              ]
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index"
        }
      ],
      "enabled": true,
      "running": false,
      "consumer": "siem",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        },
        "outcome_order": 0
      },
      "mute_all": false,
      "next_run": "2023-05-16T20:27:49.507Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic",
      "notify_when": null,
      "rule_type_id": "siem.thresholdRule",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

Get a list of agent configurations

GET /api/apm/settings/agent-configuration
Api key auth Basic auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Agent configuration

      Hide configurations attributes Show configurations attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration 
curl \
 --request GET 'http://localhost:5622/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200) 
{
  "configurations": [
    {
      "@timestamp": 1730194190636,
      "agent_name": "string",
      "applied_by_agent": true,
      "etag": "0bc3b5ebf18fba8163fe4c96f491e3767a358f85",
      "service": {
        "environment": "prod",
        "name": "node"
      },
      "settings": {
        "additionalProperty1": "string",
        "additionalProperty2": "string"
      }
    }
  ]
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Get agent name for service

GET /api/apm/settings/agent-configuration/agent_name
Api key auth Basic auth

Retrieve agentName for a service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/agent_name 
curl \
 --request GET 'http://localhost:5622/api/apm/settings/agent-configuration/agent_name?serviceName=node' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200) 
{
  "agentName": "nodejs"
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 404
}

Upload a source map

POST /api/apm/sourcemaps
Api key auth Basic auth

Upload a source map for a specific service and version. You must have all Kibana privileges for the APM and User Experience feature. The maximum payload size is 1mb. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the server.maxPayload variable.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

multipart/form-data

Body Required

Responses

POST /api/apm/sourcemaps 
curl -X POST "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: multipart/form-data' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}' \
-F 'service_name="foo"' \
-F 'service_version="1.0.0"' \
-F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \
-F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"'
Response examples (200)
A successful response from `POST /api/apm/sourcemaps`. 
{
  "id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "body": "eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI",
  "type": "sourcemap",
  "created": "2021-07-09T20:47:44.812Z",
  "identifier": "foo-1.0.0",
  "decodedSize": 441,
  "encodedSize": 237,
  "packageName": "apm",
  "relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
  "encryptionAlgorithm": "none",
  "compressionAlgorithm": "zlib"
}
Response examples (400) 
{
  "error": "Not Found",
  "message": "Not Found",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "string",
  "statusCode": 403
}
Response examples (500) 
{
  "error": "Internal Server Error",
  "message": "string",
  "statusCode": 500
}
Response examples (501) 
{
  "error": "Not Implemented",
  "message": "Not Implemented",
  "statusCode": 501
}

Delete cases

DELETE /api/cases
Api key auth Basic auth

You must have read or all privileges and the delete sub-feature privilege for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases you're deleting.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Query parameters

  • ids array[string] Required

    The cases that you want to removed. All non-ASCII characters must be URL encoded.

Responses

  • 204

    Indicates a successful call.

  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
DELETE /api/cases 
curl \
 --request DELETE 'http://localhost:5622/api/cases?ids=d4e7abb0-b462-11ec-9a8d-698504725a43' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Update a case comment or alert

PATCH /api/cases/{caseId}/comments
Api key auth Basic auth

You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

application/json

Body object Required

The update case comment API request body varies depending on whether you are updating an alert or a comment.

One of:
Cases_update_alert_comment_request_properties object Cases_update_user_comment_request_properties object

Defines properties for case comment requests when type is alert.

  • alertId string | array[string] Required

    The alert identifiers. It is required only when type is alert. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; index must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    One of:
    string-1 string array-2 array[string]
  • id string Required

    The identifier for the comment. To retrieve comment IDs, use the get comments API.

  • index string | array[string] Required

    The alert indices. It is required only when type is alert. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the alertId array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    One of:
    string-1 string array-2 array[string]
  • owner string Required

    The application that owns the cases: Stack Management, Observability, or Elastic Security.

    Values are cases, observability, or securitySolution.

  • rule object Required Technical preview

    The rule that is associated with the alerts. It is required only when type is alert. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

    Hide rule attributes Show rule attributes object
    • id string

      The rule identifier.

    • name string

      The rule name.

  • type string Required Discriminator

    The type of comment.

    Value is alert.

  • version string Required

    The current comment version. To retrieve version values, use the get comments API.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
PATCH /api/cases/{caseId}/comments 
curl \
 --request PATCH 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"id":"8af6ac20-74f6-11ea-b83a-553aecdb28b6","type":"user","owner":"cases","comment":"An updated comment.","version":"Wzk1LDFd"}'
Request example 
{
  "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
  "type": "user",
  "owner": "cases",
  "comment": "An updated comment.",
  "version": "Wzk1LDFd"
}
Response examples (200) 
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIwNjM2LDFd",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "An updated comment.",
      "version": "WzIwNjM3LDFd",
      "pushed_at": null,
      "pushed_by": null,
      "created_at": "2023-10-24T00:37:10.832Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      },
      "updated_at": "2023-10-24T01:27:06.210Z",
      "updated_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2023-10-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2023-10-24T01:27:06.210Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "My new field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": false
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Find case comments and alerts

GET /api/cases/{caseId}/comments/_find
Api key auth Basic auth

Retrieves a paginated list of comments for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • sortOrder string

    Determines the sort order.

    Values are asc or desc. Default value is desc.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/comments/_find 
curl \
 --request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/comments/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "assignees": [
    {
      "uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
    }
  ],
  "category": "string",
  "closed_at": "2025-05-04T09:42:00Z",
  "closed_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "comments": [
    {
      "alertId": [
        "a6e12ac4-7bce-457b-84f6-d7ce8deb8446"
      ],
      "created_at": "2023-11-06T19:29:38.424Z",
      "created_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "id": "73362370-ab1a-11ec-985f-97e55adae8b9",
      "index": [
        ".internal.alerts-security.alerts-default-000001"
      ],
      "owner": "cases",
      "pushed_at": "2025-05-04T09:42:00Z",
      "pushed_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "rule": {
        "id": "94d80550-aaf4-11ec-985f-97e55adae8b9",
        "name": "security_rule"
      },
      "type": "alert",
      "updated_at": "2025-05-04T09:42:00Z",
      "updated_by": {
        "email": "string",
        "full_name": "string",
        "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
        "username": "elastic"
      },
      "version": "WzMwNDgsMV0="
    }
  ],
  "connector": {
    "fields": "string",
    "id": "none",
    "name": "none",
    "type": ".none"
  },
  "created_at": "2022-05-13T09:16:17.416Z",
  "created_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "customFields": [
    {
      "key": "string",
      "type": "text",
      "value": "string"
    }
  ],
  "description": "A case description.",
  "duration": 120,
  "external_service": {
    "connector_id": "string",
    "connector_name": "string",
    "external_id": "string",
    "external_title": "string",
    "external_url": "string",
    "pushed_at": "2025-05-04T09:42:00Z",
    "pushed_by": {
      "email": "string",
      "full_name": "string",
      "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
      "username": "elastic"
    }
  },
  "id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
  "owner": "cases",
  "settings": {
    "syncAlerts": true
  },
  "severity": "low",
  "status": "closed",
  "tags": [
    "tag-1"
  ],
  "title": "Case title 1",
  "totalAlerts": 0,
  "totalComment": 0,
  "updated_at": "2025-05-04T09:42:00Z",
  "updated_by": {
    "email": "string",
    "full_name": "string",
    "profile_uid": "u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0",
    "username": "elastic"
  },
  "version": "WzUzMiwxXQ=="
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Attach a file to a case

POST /api/cases/{caseId}/files
Api key auth Basic auth

Attach a file to a case. You must have all privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • The location of the file that is being uploaded.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

multipart/form-data

Body Required

  • file string(binary) Required

    The file being attached to the case.

  • filename string

    The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. This should not include the file extension.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • assignees array[object] | null

      An array containing users that are assigned to the case.

      Not more than 10 elements.

      Hide assignees attribute Show assignees attribute object
      • uid string Required

        A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.

    • category string | null

      The case category.

    • closed_at string(date-time) | null Required
    • closed_by object | null Required
      Hide closed_by attributes Show closed_by attributes object | null
    • comments array[object] Required

      An array of comment objects for the case.

      Not more than 10000 elements.

      One of:
      Cases_alert_comment_response_properties object Cases_user_comment_response_properties object
      Hide attributes Show attributes

    • connector object Required

      One of:
      Cases_connector_properties_none object Cases_connector_properties_cases_webhook object Cases_connector_properties_jira object Cases_connector_properties_resilient object Cases_connector_properties_servicenow object Cases_connector_properties_servicenow_sir object Cases_connector_properties_swimlane object

      Defines properties for connectors when type is .none.

      Hide attributes Show attributes
      • fields string | null Required

        An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.

      • id string Required

        The identifier for the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • name string Required

        The name of the connector. To create a case without a connector, use none. To update a case to remove the connector, specify none.

      • type string Required Discriminator

        The type of connector. To create a case without a connector, use .none. To update a case to remove the connector, specify .none.

        Value is .none.

    • created_at string(date-time) Required
    • created_by object Required
      Hide created_by attributes Show created_by attributes object
    • customFields array[object]

      Custom field values for the case.

      Hide customFields attributes Show customFields attributes object
      • key string

        The unique identifier for the custom field. The key value must exist in the case configuration settings.

      • type string

        The custom field type. It must match the type specified in the case configuration settings.

        Values are text or toggle.

      • value string | null | boolean

        The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is undefined. The value returned in the API and user interface in this case is null.

        One of:
        string-1 string | null boolean-2 boolean

        Minimum length is 1, maximum length is 160.

    • description string Required
    • duration integer | null Required

      The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.

    • external_service object | null Required
      Hide external_service attributes Show external_service attributes object | null
    • id string Required
    • owner string Required

      The application that owns the cases: Stack Management, Observability, or Elastic Security.

      Values are cases, observability, or securitySolution.

    • settings object Required

      An object that contains the case settings.

      Hide settings attribute Show settings attribute object
      • syncAlerts boolean Required

        Turns alert syncing on or off.

    • severity string Required

      The severity of the case.

      Values are critical, high, low, or medium. Default value is low.

    • status string Required

      The status of the case.

      Values are closed, in-progress, or open.

    • tags array[string] Required
    • title string Required
    • totalAlerts integer Required
    • totalComment integer Required
    • updated_at string(date-time) | null Required
    • updated_by object | null Required
      Hide updated_by attributes Show updated_by attributes object | null
    • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
POST /api/cases/{caseId}/files 
curl \
 --request POST 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/files' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --header "kbn-xsrf: string" \
 --form "file=@file" \
 --form "filename=string"
Response examples (200) 
{
  "id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
  "tags": [
    "tag 1"
  ],
  "owner": "cases",
  "title": "Case title 1",
  "status": "open",
  "version": "WzIzMzgsMV0=",
  "category": null,
  "comments": [
    {
      "id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
      "type": "user",
      "owner": "cases",
      "comment": "A new comment.",
      "version": "WzIwNDMxLDFd",
      "created_at": "2022-10-02T00:49:47.716Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null
      }
    }
  ],
  "duration": null,
  "settings": {
    "syncAlerts": false
  },
  "severity": "low",
  "assignees": [],
  "closed_at": null,
  "closed_by": null,
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "created_at": "2022-03-24T00:37:03.906Z",
  "created_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "updated_at": "2022-06-03T00:49:47.716Z",
  "updated_by": {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  "description": "A case description.",
  "totalAlerts": 0,
  "customFields": [
    {
      "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
      "type": "text",
      "value": "Field value"
    },
    {
      "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
      "type": "toggle",
      "value": true
    }
  ],
  "totalComment": 1,
  "external_service": null
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Find case activity

GET /api/cases/{caseId}/user_actions/_find
Api key auth Basic auth

Retrives a paginated list of user activity for a case. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the case you're seeking.

Path parameters

  • caseId string Required

    The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.

Query parameters

  • page integer

    The page number to return.

    Default value is 1.

  • perPage integer

    The number of items to return. Limited to 100 items.

    Maximum value is 100. Default value is 20.

  • sortOrder string

    Determines the sort order.

    Values are asc or desc. Default value is desc.

  • types array[string]

    Determines the types of user actions to return.

    Values are action, alert, assignees, attachment, comment, connector, create_case, description, pushed, settings, severity, status, tags, title, or user.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • page integer
    • perPage integer
    • total integer
    • userActions array[object]

      Not more than 10000 elements.

      Hide userActions attributes Show userActions attributes object
      • action string Required

        Values are add, create, delete, push_to_service, or update.

      • comment_id string | null Required
      • created_at string(date-time) Required
      • created_by object Required
        Hide created_by attributes Show created_by attributes object
      • id string Required
      • owner string Required

        The application that owns the cases: Stack Management, Observability, or Elastic Security.

        Values are cases, observability, or securitySolution.

      • payload object | null Required

        One of:
        Cases_payload_alert_comment object Cases_payload_assignees object Cases_payload_connector object Cases_payload_create_case object Cases_payload_delete object | null Cases_payload_description object Cases_payload_pushed object Cases_payload_settings object Cases_payload_severity object Cases_payload_status object Cases_payload_tags object Cases_payload_title object Cases_payload_user_comment object
        Hide attribute Show attribute
      • type string Required

        The type of action.

        Values are assignees, create_case, comment, connector, description, pushed, tags, title, status, settings, or severity.

      • version string Required
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/{caseId}/user_actions/_find 
curl \
 --request GET 'http://localhost:5622/api/cases/9c235210-6834-11ea-a78c-6ffb38a34414/user_actions/_find' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "page": 1,
  "total": 3,
  "perPage": 20,
  "userActions": [
    {
      "id": "b4cd0770-07c9-11ed-a5fd-47154cb8767e",
      "type": "create_case",
      "owner": "cases",
      "action": "create",
      "payload": {
        "tags": [
          "tag 1"
        ],
        "owner": "cases",
        "title": "Case title 1",
        "status": "open",
        "category": null,
        "settings": {
          "syncAlerts": false
        },
        "severity": "low",
        "assignees": [],
        "connector": {
          "id": "none",
          "name": "none",
          "type": ".none",
          "fields": null
        },
        "description": "A case description.",
        "customFields": [
          {
            "key": "d312efda-ec2b-42ec-9e2c-84981795c581",
            "type": "text",
            "value": "My field value"
          },
          {
            "key": "fcc6840d-eb14-42df-8aaf-232201a705ec",
            "type": "toggle",
            "value": null
          }
        ]
      },
      "version": "WzM1ODg4LDFd",
      "comment_id": null,
      "created_at": "2023-10-20T01:17:22.150Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "57af14a0-03b1-11ed-920c-974bfa104448",
      "type": "comment",
      "owner": "cases",
      "action": "create",
      "payload": {
        "type": "user",
        "owner": "cases",
        "comment": "A new comment"
      },
      "version": "WzM1ODg4LDFa",
      "comment_id": "578608d0-03b1-11ed-920c-974bfa104448",
      "created_at": "2023-10-14T20:12:53.354Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    },
    {
      "id": "573c6980-6123-11ed-aa41-81a0a61fe447",
      "type": "assignees",
      "owner": "cases",
      "action": "add",
      "payload": {
        "assignees": {
          "uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
        }
      },
      "version": "WzM1ODg4LDFb",
      "comment_id": null,
      "created_at": "2023-10-20T01:10:28.238Z",
      "created_by": {
        "email": null,
        "username": "elastic",
        "full_name": null,
        "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
      }
    }
  ]
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get case creators

GET /api/cases/reporters
Api key auth Basic auth

Returns information about the users who opened cases. You must have read privileges for the Cases feature in the Management, Observability, or Security section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged.

Query parameters

  • owner string | array[string]

    A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 401 application/json

    Authorization information is missing or invalid.

    Hide response attributes Show response attributes object
GET /api/cases/reporters 
curl \
 --request GET 'http://localhost:5622/api/cases/reporters' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "email": null,
    "username": "elastic",
    "full_name": null,
    "profile_uid": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
  },
  {
    "email": "jdoe@example.com",
    "username": "jdoe",
    "full_name": "Jane Doe",
    "profile_uid": "u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0"
  }
]
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "string",
  "statusCode": 401
}

Get connector types

GET /api/actions/connector_types
Api key auth Basic auth

You do not need any Kibana feature privileges to run this API.

Query parameters

  • feature_id string

    A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/actions/connector_types 
curl \
 --request GET 'http://localhost:5622/api/actions/connector_types' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "id": ".gen-ai",
    "name": "OpenAI",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".bedrock",
    "name": "AWS Bedrock",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".gemini",
    "name": "Google Gemini",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity"
    ],
    "minimum_license_required": "enterprise"
  }
]

Update a connector

PUT /api/actions/connector/{id}
Api key auth Basic auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    An identifier for the connector.

application/json

Body

  • name string Required

    The display name for the connector.

  • config object

    The connector configuration details.

    One of:
    bedrock_config object crowdstrike_config object d3security_config object email_config object gemini_config object resilient_config object index_config object jira_config object genai_azure_config object genai_openai_config object opsgenie_config object pagerduty_config object sentinelone_config object servicenow_config object servicenow_itom_config object slack_api_config object swimlane_config object thehive_config object tines_config object torq_config object webhook_config object cases_webhook_config object xmatters_config object

    Defines properties for connectors when type is .bedrock.

    Hide attributes Show attributes
    • apiUrl string Required

      The Amazon Bedrock request URL.

    • defaultModel string

      The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.

      Default value is anthropic.claude-3-5-sonnet-20240620-v1:0.

  • secrets object

    One of:
    bedrock_secrets object crowdstrike_secrets object d3security_secrets object email_secrets object gemini_secrets object resilient_secrets object jira_secrets object teams_secrets object genai_secrets object opsgenie_secrets object pagerduty_secrets object sentinelone_secrets object servicenow_secrets object slack_api_secrets object swimlane_secrets object thehive_secrets object tines_secrets object torq_secrets object webhook_secrets object cases_webhook_secrets object xmatters_secrets object

    Defines secrets for connectors when type is .bedrock.

    Hide attributes Show attributes
    • accessKey string Required

      The AWS access key for authentication.

    • secret string Required

      The AWS secret for authentication.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • config object

      Additional properties are allowed.

    • connector_type_id string Required

      The connector type identifier.

    • id string Required

      The identifier for the connector.

    • is_deprecated boolean Required

      Indicates whether the connector is deprecated.

    • is_missing_secrets boolean

      Indicates whether the connector is missing secrets.

    • is_preconfigured boolean Required

      Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.

    • is_system_action boolean Required

      Indicates whether the connector is used for system actions.

    • name string Required

      The name of the rule.
PUT /api/actions/connector/{id} 
curl \
 --request PUT 'http://localhost:5622/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"updated-connector","config":{"index":"updated-index"}}'
Request example 
{
  "name": "updated-connector",
  "config": {
    "index": "updated-index"
  }
}
Response examples (200) 
{
  "config": {},
  "connector_type_id": "string",
  "id": "string",
  "is_deprecated": true,
  "is_missing_secrets": true,
  "is_preconfigured": true,
  "is_system_action": true,
  "name": "string"
}

Dashboards

Data streams

Get data streams

GET /api/fleet/data_streams
Api key auth Basic auth

[Required authorization] Route required privileges: ALL of [fleet-agents-all, fleet-agent-policies-all, fleet-settings-all].

Responses

GET /api/fleet/data_streams 
curl \
 --request GET 'http://localhost:5622/api/fleet/data_streams' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data_streams": [
    {
      "dashboards": [
        {
          "id": "string",
          "title": "string"
        }
      ],
      "dataset": "string",
      "index": "string",
      "last_activity_ms": 42.0,
      "namespace": "string",
      "package": "string",
      "package_version": "string",
      "serviceDetails": {
        "environment": "string",
        "serviceName": "string"
      },
      "size_in_bytes": 42.0,
      "size_in_bytes_formatted": 42.0,
      "type": "string"
    }
  ]
}
Response examples (400) 
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Update data view fields metadata

POST /api/data_views/data_view/{viewId}/fields
Api key auth Basic auth

Update fields presentation metadata such as count, customLabel, customDescription, and format.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • fields object Required

    The field object.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/fields 
curl \
 --request POST 'http://localhost:5622/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/fields' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"fields":{"field1":{"count":123,"customLabel":"Field 1 label"},"field2":{"customLabel":"Field 2 label","customDescription":"Field 2 description"}}}'
Request example 
{
  "fields": {
    "field1": {
      "count": 123,
      "customLabel": "Field 1 label"
    },
    "field2": {
      "customLabel": "Field 2 label",
      "customDescription": "Field 2 description"
    }
  }
}
Response examples (200) 
{
  "acknowledged": true
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Get a runtime field

GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Api key auth Basic auth

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 404 application/json

    Object is not found.

    Hide response attributes Show response attributes object
GET /api/data_views/data_view/{viewId}/runtime_field/{fieldName} 
curl \
 --request GET 'http://localhost:5622/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "fields": [
    {
      "name": "hour_of_day",
      "type": "number",
      "count": 0,
      "esTypes": [
        "long"
      ],
      "scripted": false,
      "searchable": true,
      "aggregatable": true,
      "runtimeField": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      },
      "shortDotsEnable": false,
      "readFromDocValues": false
    }
  ],
  "data_view": {
    "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
    "name": "Kibana Sample Data Flights",
    "title": "kibana_sample_data_flights",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Dest": {
        "name": "Dest",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "Origin": {
        "name": "Origin",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Carrier": {
        "name": "Carrier",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "Cancelled": {
        "name": "Cancelled",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightNum": {
        "name": "FlightNum",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "dayOfWeek": {
        "name": "dayOfWeek",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "timestamp": {
        "name": "timestamp",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestRegion": {
        "name": "DestRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestCountry": {
        "name": "DestCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestWeather": {
        "name": "DestWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelay": {
        "name": "FlightDelay",
        "type": "boolean",
        "count": 0,
        "format": {
          "id": "boolean"
        },
        "esTypes": [
          "boolean"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "hour_of_day": {
        "name": "hour_of_day",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "00"
          }
        },
        "esTypes": [
          "long"
        ],
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "runtimeField": {
          "type": "long",
          "script": {
            "source": "emit(doc['timestamp'].value.getHour());"
          }
        },
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "DestCityName": {
        "name": "DestCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestLocation": {
        "name": "DestLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginRegion": {
        "name": "OriginRegion",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DestAirportID": {
        "name": "DestAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceMiles": {
        "name": "DistanceMiles",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeMin": {
        "name": "FlightTimeMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCountry": {
        "name": "OriginCountry",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginWeather": {
        "name": "OriginWeather",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "AvgTicketPrice": {
        "name": "AvgTicketPrice",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayMin": {
        "name": "FlightDelayMin",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightTimeHour": {
        "name": "FlightTimeHour",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginCityName": {
        "name": "OriginCityName",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginLocation": {
        "name": "OriginLocation",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "FlightDelayType": {
        "name": "FlightDelayType",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "OriginAirportID": {
        "name": "OriginAirportID",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "DistanceKilometers": {
        "name": "DistanceKilometers",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzM2LDJd",
    "fieldAttrs": {},
    "allowNoIndex": false,
    "fieldFormats": {
      "hour_of_day": {
        "id": "number",
        "params": {
          "pattern": "00"
        }
      },
      "AvgTicketPrice": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "timestamp",
    "runtimeFieldMap": {
      "hour_of_day": {
        "type": "long",
        "script": {
          "source": "emit(doc['timestamp'].value.getHour());"
        }
      }
    }
  }
}
Response examples (404) 
{
  "error": "Not Found",
  "message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
  "statusCode": 404
}

Update a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName}
Api key auth Basic auth

Path parameters

  • fieldName string Required

    The name of the runtime field.

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • runtimeField object Required

    The runtime field definition object.

    You can update following fields:

    • type
    • script

Responses

  • 200

    Indicates a successful call.

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/data_view/{viewId}/runtime_field/{fieldName} 
curl \
 --request POST 'http://localhost:5622/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"runtimeField":{"script":{"source":"emit(doc[\"bar\"].value)"}}}'
Request example 
{
  "runtimeField": {
    "script": {
      "source": "emit(doc[\"bar\"].value)"
    }
  }
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}

Get the default data view

GET /api/data_views/default
Api key auth Basic auth

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views/default 
curl \
 --request GET 'http://localhost:5622/api/data_views/default' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "string",
  "statusCode": 400
}