Get Timelines or Timeline templates

GET /api/timelines
Api key auth Basic auth

Get a list of all saved Timelines or Timeline templates.

Query parameters

  • only_user_favorite string | null

    If true, only timelines that are marked as favorites by the user are returned.

    Values are true or false.

  • timeline_type string | null

    The type of Timeline.

    Values are default or template.

  • sort_field string

    The field to sort the timelines by.

    Values are title, description, updated, or created.

  • sort_order string

    Whether to sort the results ascending or descending

    Values are asc or desc.

  • page_size string | null

    How many results should returned at once

  • page_index string | null

    How many pages should be skipped

  • status string | null

    The status of the Timeline.

    Values are active, draft, or immutable.

Responses

  • 200 application/json

    Indicates that the (template) Timelines were found and returned.

    Hide response attributes Show response attributes object
    • customTemplateTimelineCount number

      The amount of custom Timeline templates in the results

    • defaultTimelineCount number

      The amount of default type Timelines in the results

    • elasticTemplateTimelineCount number

      The amount of Elastic's Timeline templates in the results

    • favoriteCount number

      The amount of favorited Timelines

    • templateTimelineCount number

      The amount of Timeline templates in the results

    • timeline array[object] Required
      Hide timeline attributes Show timeline attributes object
      • columns array[object] | null

        The Timeline's columns

        Hide columns attributes Show columns attributes object
      • created number | null

        The time the Timeline was created, using a 13-digit Epoch timestamp.

      • createdBy string | null

        The user who created the Timeline.

      • dataProviders array[object] | null

        Object containing query clauses

        Hide dataProviders attributes Show dataProviders attributes object
      • dataViewId string | null

        ID of the Timeline's Data View

      • dateRange object | null

        The Timeline's search period.

        Hide dateRange attributes Show dateRange attributes object | null
      • description string | null

        The Timeline's description

      • eqlOptions object | null

        EQL query that is used in the correlation tab

        Hide eqlOptions attributes Show eqlOptions attributes object | null
      • eventType string | null Deprecated

        Event types displayed in the Timeline

      • excludedRowRendererIds array[string] | null

        A list of row renderers that should not be used when in Event renderers mode

        Values are alert, alerts, auditd, auditd_file, library, netflow, plain, registry, suricata, system, system_dns, system_endgame_process, system_file, system_fim, system_security_event, system_socket, threat_match, or zeek.

      • favorite array[object] | null

        Indicates when and who marked a Timeline as a favorite.

        Hide favorite attributes Show favorite attributes object
      • filters array[object] | null

        A list of filters that should be applied to the query

        Hide filters attributes Show filters attributes object
      • indexNames array[string] | null

        A list of index names to use in the query (e.g. when the default data view has been modified)

      • kqlMode string | null

        Indicates whether the KQL bar filters the query results or searches for additional results, where:

        • filter: filters query results
        • search: displays additional search results
      • kqlQuery object | null

        KQL bar query.

        Hide kqlQuery attribute Show kqlQuery attribute object | null
      • savedQueryId string | null

        The ID of the saved query that might be used in the Query tab

      • savedSearchId string | null

        The ID of the saved search that is used in the ES|QL tab

      • sort object | null

        Object indicating how rows are sorted in the Timeline's grid

        Hide sort attributes Show sort attributes object | null
      • status string | null

        The status of the Timeline.

        Values are active, draft, or immutable.

      • templateTimelineId string | null

        A unique ID (UUID) for Timeline templates. For Timelines, the value is null.

      • templateTimelineVersion number | null

        Timeline template version number. For Timelines, the value is null.

      • timelineType string | null

        The type of Timeline.

        Values are default or template.

      • title string | null

        The Timeline's title.

      • updated number | null

        The last time the Timeline was updated, using a 13-digit Epoch timestamp

      • updatedBy string | null

        The user who last updated the Timeline

      • savedObjectId string Required

        The savedObjectId of the Timeline or Timeline template

      • version string Required

        The version of the Timeline or Timeline template

      • eventIdToNoteIds array[object] | null

        A list of all the notes that are associated to this Timeline.

        Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
        • created number | null

          The time the note was created, using a 13-digit Epoch timestamp.

        • createdBy string | null

          The user who created the note.

        • updated number | null

          The last time the note was updated, using a 13-digit Epoch timestamp

        • updatedBy string | null

          The user who last updated the note

        • eventId string | null

          The _id of the associated event for this note.

        • note string | null

          The text of the note

        • timelineId string Required

          The savedObjectId of the Timeline that this note is associated with

        • noteId string Required

          The savedObjectId of the note

        • version string Required

          The version of the note

      • noteIds array[string] | null

        A list of all the ids of notes that are associated to this Timeline.

      • notes array[object] | null

        A list of all the notes that are associated to this Timeline.

        Hide notes attributes Show notes attributes object
        • created number | null

          The time the note was created, using a 13-digit Epoch timestamp.

        • createdBy string | null

          The user who created the note.

        • updated number | null

          The last time the note was updated, using a 13-digit Epoch timestamp

        • updatedBy string | null

          The user who last updated the note

        • eventId string | null

          The _id of the associated event for this note.

        • note string | null

          The text of the note

        • timelineId string Required

          The savedObjectId of the Timeline that this note is associated with

        • noteId string Required

          The savedObjectId of the note

        • version string Required

          The version of the note

      • pinnedEventIds array[string] | null

        A list of all the ids of pinned events that are associated to this Timeline.

      • pinnedEventsSaveObject array[object] | null

        A list of all the pinned events that are associated to this Timeline.

        Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
        • created number | null

          The time the pinned event was created, using a 13-digit Epoch timestamp.

        • createdBy string | null

          The user who created the pinned event.

        • updated number | null

          The last time the pinned event was updated, using a 13-digit Epoch timestamp

        • updatedBy string | null

          The user who last updated the pinned event

        • eventId string Required

          The _id of the associated event for this pinned event.

        • timelineId string Required

          The savedObjectId of the timeline that this pinned event is associated with

        • pinnedEventId string Required

          The savedObjectId of this pinned event

        • version string Required

          The version of this pinned event

    • totalCount number Required

      The total amount of results
  • 400 application:json

    Bad request. The user supplied invalid data.

    Hide response attributes Show response attributes object
GET /api/timelines 
curl \
 --request GET 'https://localhost:5601/api/timelines' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "customTemplateTimelineCount": 2,
  "defaultTimelineCount": 90,
  "elasticTemplateTimelineCount": 8,
  "favoriteCount": 5,
  "templateTimelineCount": 10,
  "timeline": [
    {
      "columns": [
        {
          "id": "@timestamp",
          "columnHeaderType": "not-filtered"
        },
        {
          "id": "event.category",
          "columnHeaderType": "not-filtered"
        }
      ],
      "created": 1587468588922,
      "createdBy": "casetester",
      "dataProviders": [
        {
          "id": "id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
          "name": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b",
          "enabled": true,
          "excluded": false,
          "queryMatch": {
            "field": "_id,",
            "value": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,",
            "operator": ":"
          }
        }
      ],
      "dataViewId": "security-solution-default",
      "dateRange": {
        "end": 1587456479201,
        "start": 1587370079200
      },
      "description": "Investigating exposure of CVE XYZ",
      "eqlOptions": {
        "size": 100,
        "query": "sequence\\n[process where process.name == \"sudo\"]\\n[any where true]",
        "timestampField": "@timestamp",
        "eventCategoryField": "event.category"
      },
      "eventType": "all",
      "excludedRowRendererIds": [
        "alert"
      ],
      "favorite": [
        {
          "userName": "elastic",
          "favoriteDate": 1741337636741
        }
      ],
      "filters": [
        {
          "meta": {
            "key": "@timestamp",
            "type": "exists",
            "alias": "Custom filter name",
            "index": ".alerts-security.alerts-default,logs-*",
            "value": "exists",
            "negate": "false,",
            "disabled": false
          },
          "query": "{\"exists\":{\"field\":\"@timestamp\"}}"
        }
      ],
      "indexNames": [
        ".logs*"
      ],
      "kqlMode": "search",
      "kqlQuery": {
        "kuery": {
          "kind": "kuery",
          "expression": "_id : *"
        },
        "filterQuery": null,
        "serializedQuery": "{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"
      },
      "savedQueryId": "c7b16904-02d7-4f32-b8f2-cc20f9625d6e",
      "savedSearchId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
      "sort": {
        "columnId": "@timestamp",
        "sortDirection": "desc"
      },
      "status": "active",
      "templateTimelineId": "6ce1b592-84e3-4b4a-9552-f189d4b82075",
      "templateTimelineVersion": 12,
      "timelineType": "default",
      "title": "CVE XYZ investigation",
      "updated": 1741344876825,
      "updatedBy": "casetester",
      "savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
      "version": "WzE0LDFd",
      "eventIdToNoteIds": [
        {
          "created": 1587468588922,
          "createdBy": "casetester",
          "updated": 1741344876825,
          "updatedBy": "casetester",
          "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
          "note": "This is an example text",
          "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
          "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
          "version": "WzQ2LDFd"
        }
      ],
      "noteIds": [
        "709f99c6-89b6-4953-9160-35945c8e174e"
      ],
      "notes": [
        {
          "created": 1587468588922,
          "createdBy": "casetester",
          "updated": 1741344876825,
          "updatedBy": "casetester",
          "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
          "note": "This is an example text",
          "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
          "noteId": "709f99c6-89b6-4953-9160-35945c8e174e",
          "version": "WzQ2LDFd"
        }
      ],
      "pinnedEventIds": [
        "983f99c6-89b6-4953-9160-35945c8a194f"
      ],
      "pinnedEventsSaveObject": [
        {
          "created": 1587468588922,
          "createdBy": "casetester",
          "updated": 1741344876825,
          "updatedBy": "casetester",
          "eventId": "d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc",
          "timelineId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
          "pinnedEventId": "10r1929b-0af7-42bd-85a8-56e234f98h2f3",
          "version": "WzQ2LDFe"
        }
      ]
    }
  ],
  "totalCount": 100
}
Response examples (400) 
{
  "body": "get timeline error",
  "statusCode": 405
}