Create a saved query

POST /api/osquery/saved_queries

Api key auth Basic auth

Create and run a saved query.

application/json; Elastic-Api-Version=2023-10-31

Body Required

description string | null

The saved query description.
ecs_mapping object | null

Map osquery results columns or static values to Elastic Common Schema (ECS) fields
Hide ecs_mapping attribute Show ecs_mapping attribute object | null
- * object Additional properties
  
  Additional properties are allowed.
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
id string | null

The ID of a saved query.
interval string

An interval, in seconds, on which to run the query.
platform string | null

Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
query string

The SQL query you want to run.
removed boolean | null

Indicates whether the query is removed.
snapshot boolean | null

Indicates whether the query is a snapshot.
version string | null

Uses the Osquery versions greater than or equal to the specified version string.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

OK

Additional properties are allowed.

POST /api/osquery/saved_queries

curl \
 --request POST https://localhost:5601/api/osquery/saved_queries \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request example

{
  "id": "saved_query_id",
  "query": "select * from uptime;",
  "timeout": 120,
  "version": "2.8.0",
  "interval": "60",
  "platform": "linux,darwin",
  "description": "Saved query description",
  "ecs_mapping": {
    "host.uptime": {
      "field": "total_seconds"
    }
  }
}

Response examples (200)

{
  "data": {}
}

Create a saved query

Body Required

value string | array[string]

Responses