Disable an SLO

Create an agent binary download source

POST /api/fleet/agent_download_sources

Api key auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

host string(uri) Required
id string
is_default boolean

Default value is false.
name string Required
proxy_id string | null

The ID of the proxy to use for this download source. See the proxies API for more information.
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
ssl object

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object
- certificate string
- certificate_authorities array[string]
- key string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host string(uri) Required
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  The ID of the proxy to use for this download source. See the proxies API for more information.
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agent_download_sources

curl \
 --request POST 'http://localhost:5622/api/fleet/agent_download_sources' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string"}}'

Request examples

# Headers
kbn-xsrf: true

# Payload
{
  "host": "https://example.com",
  "id": "string",
  "is_default": false,
  "name": "string",
  "proxy_id": "string",
  "secrets": {
    "ssl": {
      "key": {
        "id": "string"
      }
    }
  },
  "ssl": {
    "certificate": "string",
    "certificate_authorities": [
      "string"
    ],
    "key": "string"
  }
}

Response examples (200)

{
  "item": {
    "host": "https://example.com",
    "id": "string",
    "is_default": false,
    "name": "string",
    "proxy_id": "string",
    "secrets": {
      "ssl": {
        "key": {
          "id": "string"
        }
      }
    },
    "ssl": {
      "certificate": "string",
      "certificate_authorities": [
        "string"
      ],
      "key": "string"
    }
  }
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get outputs

GET /api/fleet/outputs

Api key auth

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string(uri)] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  kibana_api_key string | null
  
  kibana_url string | null
  
  name string Required
  
  preset string
  
  Values are balanced, custom, throughput, scale, or latency.
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  service_token object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  service_token string | null
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  sync_integrations boolean
  
  sync_uninstalled_integrations boolean
  
  type string Required
  
  Value is remote_elasticsearch.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  config_yaml string | null
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  type string Required
  
  Value is logstash.
  
  Hide attributes Show attributes
  
  allow_edit array[string]
  
  auth_type string Required
  
  Values are none, user_pass, ssl, or kerberos.
  
  broker_timeout number
  
  ca_sha256 string | null
  
  ca_trusted_fingerprint string | null
  
  client_id string
  
  compression string
  
  Values are gzip, snappy, lz4, or none.
  
  compression_level array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  config_yaml string | null
  
  connection_type array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  hash object
  
  Additional properties are allowed.
  
  Hide hash attributes Show hash attributes object
  
  hash string
  
  random boolean
  
  headers array[object]
  
  Hide headers attributes Show headers attributes object
  
  key string Required
  
  value string Required
  
  hosts array[string] Required
  
  At least 1 element.
  
  id string
  
  is_default boolean
  
  Default value is false.
  
  is_default_monitoring boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  key string
  
  name string Required
  
  partition string
  
  Values are random, round_robin, or hash.
  
  password array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  proxy_id string | null
  
  random object
  
  Additional properties are allowed.
  
  Hide random attribute Show random attribute object
  
  group_events number
  
  required_acks integer
  
  Values are 1, 0, or -1.
  
  round_robin object
  
  Additional properties are allowed.
  
  Hide round_robin attribute Show round_robin attribute object
  
  group_events number
  
  sasl object | null
  
  Additional properties are allowed.
  
  Hide sasl attribute Show sasl attribute object | null
  
  mechanism string
  
  Values are PLAIN, SCRAM-SHA-256, or SCRAM-SHA-512.
  
  secrets object
  
  Additional properties are allowed.
  
  Hide secrets attributes Show secrets attributes object
  
  password object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string Required
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  shipper object | null
  
  Additional properties are allowed.
  
  Hide shipper attributes Show shipper attributes object | null
  
  compression_level number | null Required
  
  disk_queue_compression_enabled boolean | null Required
  
  disk_queue_enabled boolean | null
  
  Default value is false.
  
  disk_queue_encryption_enabled boolean | null Required
  
  disk_queue_max_size number | null Required
  
  disk_queue_path string | null Required
  
  loadbalance boolean | null Required
  
  max_batch_bytes number | null Required
  
  mem_queue_events number | null Required
  
  queue_flush_timeout number | null Required
  
  ssl object | null
  
  Additional properties are allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  verification_mode string
  
  Values are full, none, certificate, or strict.
  
  timeout number
  
  topic string
  
  type string Required
  
  Value is kafka.
  
  username array | null | boolean | number | object | string Required
  
  Any of:
  array-1 array | null boolean-2 boolean | null number-3 number | null object-4 object | null string-5 string | null
  
  version string
- page number Required
- perPage number Required
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/outputs

curl \
 --request GET 'http://localhost:5622/api/fleet/outputs' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "items": [
    {
      "allow_edit": [
        "string"
      ],
      "ca_sha256": "string",
      "ca_trusted_fingerprint": "string",
      "config_yaml": "string",
      "hosts": [
        "https://example.com"
      ],
      "id": "string",
      "is_default": false,
      "is_default_monitoring": false,
      "is_internal": true,
      "is_preconfigured": true,
      "name": "string",
      "preset": "balanced",
      "proxy_id": "string",
      "secrets": {
        "ssl": {
          "key": {
            "id": "string"
          }
        }
      },
      "shipper": {
        "compression_level": 42.0,
        "disk_queue_compression_enabled": true,
        "disk_queue_enabled": false,
        "disk_queue_encryption_enabled": true,
        "disk_queue_max_size": 42.0,
        "disk_queue_path": "string",
        "loadbalance": true,
        "max_batch_bytes": 42.0,
        "mem_queue_events": 42.0,
        "queue_flush_timeout": 42.0
      },
      "ssl": {
        "certificate": "string",
        "certificate_authorities": [
          "string"
        ],
        "key": "string",
        "verification_mode": "full"
      },
      "type": "elasticsearch"
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get Fleet Server hosts

GET /api/fleet/fleet_server_hosts

Api key auth

[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  host_urls array[string] Required
  
  At least 1 element.
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  es_key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object | null
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  client_auth string
  
  Values are optional, required, or none.
  
  es_certificate string
  
  es_certificate_authorities array[string]
  
  es_key string
  
  key string
- page number Required
- perPage number Required
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/fleet_server_hosts

curl \
 --request GET 'http://localhost:5622/api/fleet/fleet_server_hosts' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "items": [
    {
      "host_urls": [
        "string"
      ],
      "id": "string",
      "is_default": false,
      "is_internal": true,
      "is_preconfigured": false,
      "name": "string",
      "proxy_id": "string",
      "secrets": {
        "ssl": {
          "es_key": {
            "id": "string"
          },
          "key": {
            "id": "string"
          }
        }
      },
      "ssl": {
        "certificate": "string",
        "certificate_authorities": [
          "string"
        ],
        "client_auth": "optional",
        "es_certificate": "string",
        "es_certificate_authorities": [
          "string"
        ],
        "es_key": "string",
        "key": "string"
      }
    }
  ],
  "page": 42.0,
  "perPage": 42.0,
  "total": 42.0
}

Response examples (400)

{
  "error": "string",
  "errorType": "string",
  "message": "string",
  "statusCode": 42.0
}

Get anonymization fields

GET /api/security_ai_assistant/anonymization_fields/_find

Api key auth

Get a list of all anonymization fields.

Query parameters

fields array[string]
filter string

Search query
sort_field string

Field to sort by

Values are created_at, anonymized, allowed, field, or updated_at.
sort_order string

Sort order

Values are asc or desc.
page integer

Page number

Minimum value is 1. Default value is 1.
per_page integer

AnonymizationFields per page

Minimum value is 0. Default value is 20.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- data array[object] Required
  
  Hide data attributes Show data attributes object
  
  allowed boolean
  
  anonymized boolean
  
  createdAt string
  
  createdBy string
  
  field string Required
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace string
  
  Kibana space
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
- page integer Required
- perPage integer Required
- total integer Required
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

GET /api/security_ai_assistant/anonymization_fields/_find

curl \
 --request GET 'http://localhost:5622/api/security_ai_assistant/anonymization_fields/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": [
    {
      "allowed": true,
      "anonymized": true,
      "createdAt": "string",
      "createdBy": "string",
      "field": "string",
      "id": "string",
      "namespace": "string",
      "timestamp": "string",
      "updatedAt": "string",
      "updatedBy": "string"
    }
  ],
  "page": 42,
  "perPage": 42,
  "total": 42
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Create a Knowledge Base Entry

POST /api/security_ai_assistant/knowledge_base/entries

Api key auth

Create a Knowledge Base Entry

application/json

Body object Required

global boolean

Whether this Knowledge Base Entry is global, defaults to false
name string Required

Name of the Knowledge Base Entry
namespace string

Kibana Space, defaults to 'default' space
users array[object]

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID
Hide users attributes Show users attributes object
- id string
  
  User id
- name string
  
  User name
kbResource string Required

Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

Values are security_labs or user.
source string Required

Source document name or filepath
text string Required

Knowledge Base Entry content
type string Required Discriminator

Entry type

Value is document.
required boolean

Whether this resource should always be included, defaults to false
vector object

Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings
Hide vector attributes Show vector attributes object
- modelId string Required
  
  ID of the model used to create the embeddings
- tokens object Required
  
  Tokens with their corresponding values
  Hide tokens attribute Show tokens attribute object
  
  * number Additional properties

global boolean

Whether this Knowledge Base Entry is global, defaults to false
name string Required

Name of the Knowledge Base Entry
namespace string

Kibana Space, defaults to 'default' space
users array[object]

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID
Hide users attributes Show users attributes object
- id string
  
  User id
- name string
  
  User name
description string Required

Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description
field string Required

Field to query for Knowledge Base content
index string Required

Index or Data Stream to query for Knowledge Base content
queryDescription string Required

Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema
type string Required Discriminator

Entry type

Value is index.
inputSchema array[object]

Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval
Hide inputSchema attributes Show inputSchema attributes object
- description string Required
  
  Description of the field
- fieldName string Required
  
  Name of the field
- fieldType string Required
  
  Type of the field
outputFields array[string]

Fields to extract from the query result, defaults to all fields if not provided or empty

Responses

200 application/json

Successful request returning Knowledge Base Entries
Any of:
Security_AI_Assistant_API_DocumentEntryResponseFields object Security_AI_Assistant_API_IndexEntryResponseFields object
Hide attributes Show attributes

global boolean Required

Whether this Knowledge Base Entry is global, defaults to false

name string Required

Name of the Knowledge Base Entry

namespace string Required

Kibana Space, defaults to 'default' space

users array[object] Required

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID

Hide users attributes Show users attributes object

id string

User id

name string

User name

createdAt string Required

Time the Knowledge Base Entry was created

createdBy string Required

User who created the Knowledge Base Entry

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

updatedAt string Required

Time the Knowledge Base Entry was last updated

updatedBy string Required

User who last updated the Knowledge Base Entry

kbResource string Required

Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

Values are security_labs or user.

source string Required

Source document name or filepath

text string Required

Knowledge Base Entry content

type string Required Discriminator

Entry type

Value is document.

required boolean

Whether this resource should always be included, defaults to false

vector object

Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

Hide vector attributes Show vector attributes object

modelId string Required

ID of the model used to create the embeddings

tokens object Required

Tokens with their corresponding values

Hide tokens attribute Show tokens attribute object

* number Additional properties
Hide attributes Show attributes

global boolean Required

Whether this Knowledge Base Entry is global, defaults to false

name string Required

Name of the Knowledge Base Entry

namespace string Required

Kibana Space, defaults to 'default' space

users array[object] Required

Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.

Could be any string, not necessarily a UUID

Hide users attributes Show users attributes object

id string

User id

name string

User name

createdAt string Required

Time the Knowledge Base Entry was created

createdBy string Required

User who created the Knowledge Base Entry

id string(nonempty) Required

A string that does not contain only whitespace characters

Minimum length is 1.

updatedAt string Required

Time the Knowledge Base Entry was last updated

updatedBy string Required

User who last updated the Knowledge Base Entry

description string Required

Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description

field string Required

Field to query for Knowledge Base content

index string Required

Index or Data Stream to query for Knowledge Base content

queryDescription string Required

Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema

type string Required Discriminator

Entry type

Value is index.

inputSchema array[object]

Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval

Hide inputSchema attributes Show inputSchema attributes object

description string Required

Description of the field

fieldName string Required

Name of the field

fieldType string Required

Type of the field

outputFields array[string]

Fields to extract from the query result, defaults to all fields if not provided or empty
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/security_ai_assistant/knowledge_base/entries

curl \
 --request POST 'http://localhost:5622/api/security_ai_assistant/knowledge_base/entries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"global":true,"name":"string","namespace":"string","users":[{"id":"string","name":"string"}],"kbResource":"security_labs","source":"string","text":"string","type":"document","required":true,"vector":{"modelId":"string","tokens":{"additionalProperty1":42.0,"additionalProperty2":42.0}}}'

Request examples

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}

Response examples (200)

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}

{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Deletes a single Knowledge Base Entry using the `id` field

DELETE /api/security_ai_assistant/knowledge_base/entries/{id}

Api key auth

Deletes a single Knowledge Base Entry using the id field

Path parameters

id string(nonempty) Required

The Knowledge Base Entry's id value

Minimum length is 1.

Responses

200 application/json

Successful request returning the deleted Knowledge Base Entry's ID
Hide response attribute Show response attribute object
- id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

DELETE /api/security_ai_assistant/knowledge_base/entries/{id}

curl \
 --request DELETE 'http://localhost:5622/api/security_ai_assistant/knowledge_base/entries/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "string"
}

Response examples (400)

{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}

Get the status of the Entity Store

GET /api/entity_store/status

Api key auth

Query parameters

include_components boolean

If true returns a detailed status of the engine including all it's components

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- engines array[object] Required
  
  Hide engines attributes Show engines attributes object
  
  delay string
  
  Format should match the following pattern: [smdh]$. Default value is 1m.
  
  docsPerSecond integer
  
  error object
  
  Hide error attributes Show error attributes object
  
  action string Required
  
  Value is init.
  
  message string Required
  
  fieldHistoryLength integer Required
  
  filter string
  
  frequency string
  
  Format should match the following pattern: [smdh]$. Default value is 1m.
  
  indexPattern string Required
  
  lookbackPeriod string
  
  Format should match the following pattern: [smdh]$. Default value is 24h.
  
  status string Required
  
  Values are installing, started, stopped, updating, or error.
  
  timeout string
  
  Format should match the following pattern: [smdh]$. Default value is 180s.
  
  timestampField string
  
  type string Required
  
  Values are user, host, service, or generic.
  
  components array[object]
  
  Hide components attributes Show components attributes object
  
  errors array[object]
  
  Hide errors attributes Show errors attributes object
  
  message string
  
  title string
  
  health string
  
  Values are green, yellow, red, or unknown.
  
  id string Required
  
  installed boolean Required
  
  metadata object
  
  Hide metadata attributes Show metadata attributes object
  
  delete_time_in_ms integer
  
  documents_deleted integer
  
  documents_indexed integer Required
  
  documents_processed integer Required
  
  exponential_avg_checkpoint_duration_ms integer Required
  
  exponential_avg_documents_indexed integer Required
  
  exponential_avg_documents_processed integer Required
  
  index_failures integer Required
  
  index_time_in_ms integer Required
  
  index_total integer Required
  
  pages_processed integer Required
  
  processing_time_in_ms integer Required
  
  processing_total integer Required
  
  search_failures integer Required
  
  search_time_in_ms integer Required
  
  search_total integer Required
  
  trigger_count integer Required
  
  resource string Required
  
  Values are entity_engine, entity_definition, index, component_template, index_template, ingest_pipeline, enrich_policy, task, or transform.
- status string Required
  
  Values are not_installed, installing, running, stopped, or error.

GET /api/entity_store/status

curl \
 --request GET 'http://localhost:5622/api/entity_store/status' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "engines": [
    {
      "delay": "1m",
      "docsPerSecond": 42,
      "error": {
        "action": "init",
        "message": "string"
      },
      "fieldHistoryLength": 42,
      "filter": "string",
      "frequency": "1m",
      "indexPattern": "string",
      "lookbackPeriod": "24h",
      "status": "installing",
      "timeout": "180s",
      "timestampField": "string",
      "type": "user",
      "components": [
        {
          "errors": [
            {
              "message": "string",
              "title": "string"
            }
          ],
          "health": "green",
          "id": "string",
          "installed": true,
          "metadata": {
            "delete_time_in_ms": 42,
            "documents_deleted": 42,
            "documents_indexed": 42,
            "documents_processed": 42,
            "exponential_avg_checkpoint_duration_ms": 42,
            "exponential_avg_documents_indexed": 42,
            "exponential_avg_documents_processed": 42,
            "index_failures": 42,
            "index_time_in_ms": 42,
            "index_total": 42,
            "pages_processed": 42,
            "processing_time_in_ms": 42,
            "processing_total": 42,
            "search_failures": 42,
            "search_time_in_ms": 42,
            "search_total": 42,
            "trigger_count": 42
          },
          "resource": "entity_engine"
        }
      ]
    }
  ],
  "status": "not_installed"
}

Update an SLO

PUT /s/{spaceId}/api/observability/slos/{sloId}

Api key auth

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

spaceId string Required

An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
sloId string Required

An identifier for the slo.

application/json

Body Required

budgetingMethod string

The budgeting method to use when computing the rollup data.

Values are occurrences or timeslices.
description string

A description for the SLO.
groupBy string | array[string]

optional group by field or fields to use to generate an SLO per distinct value

One of:
string-1 string array-2 array[string]
indicator object
One of:
SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object
Defines properties for a custom query indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string | object

Defines properties for a filter

One of:
string-1 string object-2 object

the KQL query to filter the documents with.

Hide attributes Show attributes

filters array[object]

Defines properties for a filter

Hide filters attributes Show filters attributes object

meta object

Defines properties for a filter

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

kqlQuery string

good string | object Required

The KQL query used to define the good events.

One of:
string-1 string object-2 object

the KQL query to filter the documents with.

Hide attributes Show attributes

filters array[object]

Defines properties for a filter

Hide filters attributes Show filters attributes object

meta object

Defines properties for a filter

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

kqlQuery string

index string Required

The index or index pattern to use

timestampField string Required

The timestamp field used in the source indice.

total string | object Required

The KQL query used to define all events.

One of:
string-1 string object-2 object

the KQL query to filter the documents with.

Hide attributes Show attributes

filters array[object]

Defines properties for a filter

Hide filters attributes Show filters attributes object

meta object

Defines properties for a filter

Hide meta attributes Show meta attributes object

alias string | null

controlledBy string

disabled boolean

field string

group string

index string

isMultiIndex boolean

key string

negate boolean

params object

type string

value string

query object

kqlQuery string

type string Required

The type of indicator.
Defines properties for the APM availability indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

environment string Required

The APM service environment or "*"

filter string

KQL query used for filtering the data

index string Required

The index used by APM metrics

service string Required

The APM service name

transactionName string Required

The APM transaction name or "*"

transactionType string Required

The APM transaction type or "*"

type string Required

The type of indicator.
Defines properties for the APM latency indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

environment string Required

The APM service environment or "*"

filter string

KQL query used for filtering the data

index string Required

The index used by APM metrics

service string Required

The APM service name

threshold number Required

The latency threshold in milliseconds

transactionName string Required

The APM transaction name or "*"

transactionType string Required

The APM transaction type or "*"

type string Required

The type of indicator.
Defines properties for a custom metric indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string

the KQL query to filter the documents with.

good object Required

An object defining the "good" metrics and equation

Hide good attributes Show good attributes object

equation string Required

The equation to calculate the "good" metric.

metrics array[object] Required

List of metrics with their name, aggregation type, and field.

One of:
object-1 object object-2 object

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is sum.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is doc_count.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

index string Required

The index or index pattern to use

timestampField string Required

The timestamp field used in the source indice.

total object Required

An object defining the "total" metrics and equation

Hide total attributes Show total attributes object

equation string Required

The equation to calculate the "total" metric.

metrics array[object] Required

List of metrics with their name, aggregation type, and field.

One of:
object-1 object object-2 object

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is sum.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Value is doc_count.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

type string Required

The type of indicator.
Defines properties for a histogram indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string

the KQL query to filter the documents with.

good object Required

An object defining the "good" events

Hide good attributes Show good attributes object

aggregation string Required

The type of aggregation to use.

Values are value_count or range.

field string Required

The field use to aggregate the good events.

filter string

The filter for good events.

from number

The starting value of the range. Only required for "range" aggregations.

to number

The ending value of the range. Only required for "range" aggregations.

index string Required

The index or index pattern to use

timestampField string Required

The timestamp field used in the source indice.

total object Required

An object defining the "total" events

Hide total attributes Show total attributes object

aggregation string Required

The type of aggregation to use.

Values are value_count or range.

field string Required

The field use to aggregate the good events.

filter string

The filter for total events.

from number

The starting value of the range. Only required for "range" aggregations.

to number

The ending value of the range. Only required for "range" aggregations.

type string Required

The type of indicator.
Defines properties for a timeslice metric indicator type
Hide attributes Show attributes

params object Required

An object containing the indicator parameters.

Hide params attributes Show params attributes object

dataViewId string

The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.

filter string

the KQL query to filter the documents with.

index string Required

The index or index pattern to use

metric object Required

An object defining the metrics, equation, and threshold to determine if it's a good slice or not

Hide metric attributes Show metric attributes object

comparator string Required

The comparator to use to compare the equation to the threshold.

Values are GT, GTE, LT, or LTE.

equation string Required

The equation to calculate the metric.

metrics array[object] Required

List of metrics with their name, aggregation type, and field.

Any of:
SLOs_timeslice_metric_basic_metric_with_field object SLOs_timeslice_metric_percentile_metric object SLOs_timeslice_metric_doc_count_metric object

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric.

Values are sum, avg, min, max, std_deviation, last_value, or cardinality.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric. Only valid option is "percentile"

Value is percentile.

field string Required

The field of the metric.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

percentile number Required

The percentile value.

Hide attributes Show attributes

aggregation string Required

The aggregation type of the metric. Only valid option is "doc_count"

Value is doc_count.

filter string

The filter to apply to the metric.

name string Required

The name of the metric. Only valid options are A-Z

Format should match the following pattern: ^[A-Z]$.

threshold number Required

The threshold used to determine if the metric is a good slice or not.

timestampField string Required

The timestamp field used in the source indice.

type string Required

The type of indicator.
name string

A name for the SLO.
objective object

Defines properties for the SLO objective
Hide objective attributes Show objective attributes object
- target number Required
  
  the target objective between 0 and 1 excluded
  
  Minimum value is 0, maximum value is 100.
- timesliceTarget number
  
  the target objective for each slice when using a timeslices budgeting method
  
  Minimum value is 0, maximum value is 100.
- timesliceWindow string
  
  the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
settings object

Defines properties for SLO settings.
Hide settings attributes Show settings attributes object
- frequency string
  
  The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
  
  Default value is 1m.
- preventInitialBackfill boolean
  
  Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
  
  Default value is false.
- syncDelay string
  
  The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
  
  Default value is 1m.
- syncField string
  
  The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
tags array[string]

List of tags
timeWindow object

Defines properties for the SLO time window
Hide timeWindow attributes Show timeWindow attributes object
- duration string Required
  
  the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)
- type string Required
  
  Indicates weither the time window is a rolling or a calendar aligned time window.
  
  Values are rolling or calendarAligned.

Responses

200 application/json

Successful request
Hide response attributes Show response attributes object
- budgetingMethod string Required
  
  The budgeting method to use when computing the rollup data.
  
  Values are occurrences or timeslices.
- createdAt string Required
  
  The creation date
- description string Required
  
  The description of the SLO.
- enabled boolean Required
  
  Indicate if the SLO is enabled
- groupBy string | array[string] Required
  
  optional group by field or fields to use to generate an SLO per distinct value
  
  One of:
  string-1 string array-2 array[string]
- id string Required
  
  The identifier of the SLO.
- indicator object Required
  
  One of:
  SLOs_indicator_properties_custom_kql object SLOs_indicator_properties_apm_availability object SLOs_indicator_properties_apm_latency object SLOs_indicator_properties_custom_metric object SLOs_indicator_properties_histogram object SLOs_indicator_properties_timeslice_metric object
  
  Defines properties for a custom query indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string | object
  
  Defines properties for a filter
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  good string | object Required
  
  The KQL query used to define the good events.
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total string | object Required
  
  The KQL query used to define all events.
  
  One of:
  string-1 string object-2 object
  
  the KQL query to filter the documents with.
  
  Hide attributes Show attributes
  
  filters array[object]
  
  Defines properties for a filter
  
  Hide filters attributes Show filters attributes object
  
  meta object
  
  Defines properties for a filter
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  params object
  
  type string
  
  value string
  
  query object
  
  kqlQuery string
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.kql.custom.
  
  Defines properties for the APM availability indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  environment string Required
  
  The APM service environment or "*"
  
  filter string
  
  KQL query used for filtering the data
  
  index string Required
  
  The index used by APM metrics
  
  service string Required
  
  The APM service name
  
  transactionName string Required
  
  The APM transaction name or "*"
  
  transactionType string Required
  
  The APM transaction type or "*"
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.apm.transactionErrorRate.
  
  Defines properties for the APM latency indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  environment string Required
  
  The APM service environment or "*"
  
  filter string
  
  KQL query used for filtering the data
  
  index string Required
  
  The index used by APM metrics
  
  service string Required
  
  The APM service name
  
  threshold number Required
  
  The latency threshold in milliseconds
  
  transactionName string Required
  
  The APM transaction name or "*"
  
  transactionType string Required
  
  The APM transaction type or "*"
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.apm.transactionDuration.
  
  Defines properties for a custom metric indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  good object Required
  
  An object defining the "good" metrics and equation
  
  Hide good attributes Show good attributes object
  
  equation string Required
  
  The equation to calculate the "good" metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  One of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is sum.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is doc_count.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total object Required
  
  An object defining the "total" metrics and equation
  
  Hide total attributes Show total attributes object
  
  equation string Required
  
  The equation to calculate the "total" metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  One of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is sum.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Value is doc_count.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.metric.custom.
  
  Defines properties for a histogram indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  good object Required
  
  An object defining the "good" events
  
  Hide good attributes Show good attributes object
  
  aggregation string Required
  
  The type of aggregation to use.
  
  Values are value_count or range.
  
  field string Required
  
  The field use to aggregate the good events.
  
  filter string
  
  The filter for good events.
  
  from number
  
  The starting value of the range. Only required for "range" aggregations.
  
  to number
  
  The ending value of the range. Only required for "range" aggregations.
  
  index string Required
  
  The index or index pattern to use
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  total object Required
  
  An object defining the "total" events
  
  Hide total attributes Show total attributes object
  
  aggregation string Required
  
  The type of aggregation to use.
  
  Values are value_count or range.
  
  field string Required
  
  The field use to aggregate the good events.
  
  filter string
  
  The filter for total events.
  
  from number
  
  The starting value of the range. Only required for "range" aggregations.
  
  to number
  
  The ending value of the range. Only required for "range" aggregations.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.histogram.custom.
  
  Defines properties for a timeslice metric indicator type
  
  Hide attributes Show attributes
  
  params object Required
  
  An object containing the indicator parameters.
  
  Hide params attributes Show params attributes object
  
  dataViewId string
  
  The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
  
  filter string
  
  the KQL query to filter the documents with.
  
  index string Required
  
  The index or index pattern to use
  
  metric object Required
  
  An object defining the metrics, equation, and threshold to determine if it's a good slice or not
  
  Hide metric attributes Show metric attributes object
  
  comparator string Required
  
  The comparator to use to compare the equation to the threshold.
  
  Values are GT, GTE, LT, or LTE.
  
  equation string Required
  
  The equation to calculate the metric.
  
  metrics array[object] Required
  
  List of metrics with their name, aggregation type, and field.
  
  Any of:
  SLOs_timeslice_metric_basic_metric_with_field object SLOs_timeslice_metric_percentile_metric object SLOs_timeslice_metric_doc_count_metric object
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric.
  
  Values are sum, avg, min, max, std_deviation, last_value, or cardinality.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "percentile"
  
  Value is percentile.
  
  field string Required
  
  The field of the metric.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  percentile number Required
  
  The percentile value.
  
  Hide attributes Show attributes
  
  aggregation string Required
  
  The aggregation type of the metric. Only valid option is "doc_count"
  
  Value is doc_count.
  
  filter string
  
  The filter to apply to the metric.
  
  name string Required
  
  The name of the metric. Only valid options are A-Z
  
  Format should match the following pattern: ^[A-Z]$.
  
  threshold number Required
  
  The threshold used to determine if the metric is a good slice or not.
  
  timestampField string Required
  
  The timestamp field used in the source indice.
  
  type string Required Discriminator
  
  The type of indicator.
  
  Value is sli.metric.timeslice.
- name string Required
  
  The name of the SLO.
- objective object Required
  
  Defines properties for the SLO objective
  
  Hide objective attributes Show objective attributes object
  
  target number Required
  
  the target objective between 0 and 1 excluded
  
  Minimum value is 0, maximum value is 100.
  
  timesliceTarget number
  
  the target objective for each slice when using a timeslices budgeting method
  
  Minimum value is 0, maximum value is 100.
  
  timesliceWindow string
  
  the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
- revision number Required
  
  The SLO revision
- settings object Required
  
  Defines properties for SLO settings.
  
  Hide settings attributes Show settings attributes object
  
  frequency string
  
  The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
  
  Default value is 1m.
  
  preventInitialBackfill boolean
  
  Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
  
  Default value is false.
  
  syncDelay string
  
  The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
  
  Default value is 1m.
  
  syncField string
  
  The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
- tags array[string] Required
  
  List of tags
- timeWindow object Required
  
  Defines properties for the SLO time window
  
  Hide timeWindow attributes Show timeWindow attributes object
  
  duration string Required
  
  the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)
  
  type string Required
  
  Indicates weither the time window is a rolling or a calendar aligned time window.
  
  Values are rolling or calendarAligned.
- updatedAt string Required
  
  The last update date
- version number Required
  
  The internal SLO version
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
403 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

PUT /s/{spaceId}/api/observability/slos/{sloId}

curl \
 --request PUT 'http://localhost:5622/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"budgetingMethod":"occurrences","description":"string","groupBy":[["service.name"],"service.name",["service.name","service.environment"]],"indicator":{"params":{"dataViewId":"03b80ab3-003d-498b-881c-3beedbaf1162","filter":"field.environment : \"production\" and service.name : \"my-service\"","good":"request.latency \u003c= 150 and request.status_code : \"2xx\"","index":"my-service-*","timestampField":"timestamp","total":"field.environment : \"production\" and service.name : \"my-service\""},"type":"sli.kql.custom"},"name":"string","objective":{"target":0.99,"timesliceTarget":0.995,"timesliceWindow":"5m"},"settings":{"frequency":"5m","preventInitialBackfill":true,"syncDelay":"5m","syncField":"event.ingested"},"tags":["string"],"timeWindow":{"duration":"30d","type":"rolling"}}'

Request examples

# Headers
kbn-xsrf: string

# Payload
{
  "budgetingMethod": "occurrences",
  "description": "string",
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "string",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  }
}

Response examples (200)

{
  "budgetingMethod": "occurrences",
  "createdAt": "2023-01-12T10:03:19.000Z",
  "description": "My SLO description",
  "enabled": true,
  "groupBy": [
    [
      "service.name"
    ],
    "service.name",
    [
      "service.name",
      "service.environment"
    ]
  ],
  "id": "8853df00-ae2e-11ed-90af-09bb6422b258",
  "indicator": {
    "params": {
      "dataViewId": "03b80ab3-003d-498b-881c-3beedbaf1162",
      "filter": "field.environment : \"production\" and service.name : \"my-service\"",
      "good": "request.latency <= 150 and request.status_code : \"2xx\"",
      "index": "my-service-*",
      "timestampField": "timestamp",
      "total": "field.environment : \"production\" and service.name : \"my-service\""
    },
    "type": "sli.kql.custom"
  },
  "name": "My Service SLO",
  "objective": {
    "target": 0.99,
    "timesliceTarget": 0.995,
    "timesliceWindow": "5m"
  },
  "revision": 2,
  "settings": {
    "frequency": "5m",
    "preventInitialBackfill": true,
    "syncDelay": "5m",
    "syncField": "event.ingested"
  },
  "tags": [
    "string"
  ],
  "timeWindow": {
    "duration": "30d",
    "type": "rolling"
  },
  "updatedAt": "2023-01-12T10:03:19.000Z",
  "version": 2
}

Response examples (400)

{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}

Response examples (404)

{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}

POST /s/{spaceId}/api/observability/slos/{sloId}/disable

Api key auth

You must have the write privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

spaceId string Required

An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.
sloId string Required

An identifier for the slo.

Responses

204

Successful request
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
403 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /s/{spaceId}/api/observability/slos/{sloId}/disable

curl \
 --request POST 'http://localhost:5622/s/default/api/observability/slos/9c235211-6834-11ea-a78c-6feb38a34414/disable' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: string"

Response examples (400)

{
  "error": "Bad Request",
  "message": "Invalid value 'foo' supplied to: [...]",
  "statusCode": 400
}

Response examples (401)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 401
}

Response examples (403)

{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]",
  "statusCode": 403
}

Response examples (404)

{
  "error": "Not Found",
  "message": "SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found",
  "statusCode": 404
}

key object | string

key object | string

key object | string

key object | string

key object | string

key object | string Required

es_key object | string

key object | string

Body object Required

Body Required

groupBy string | array[string]

indicator object

filter string | object

good string | object Required

total string | object Required

groupBy string | array[string] Required

indicator object Required

filter string | object

good string | object Required

total string | object Required