Create a model response

Base URL	Description
http://localhost:5622
http://api.example.com
https://<KIBANA_URL>

Update a rule

PUT /api/alerting/rule/{id}

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

application/json

Body

actions array[object]

An action that runs under defined conditions.

Default value is [] (empty).
Hide actions attributes Show actions attributes object
- alerts_filter object
  
  Additional properties are NOT allowed.
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Defines the range of time in a day that the action can run. If the start value is 00:00 and the end value is 24:00, actions be generated all day.
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
- frequency object
  
  Additional properties are NOT allowed.
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if notify_when is set to onThrottleInterval. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
- id string Required
  
  The identifier for the connector saved object.
- params object
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Default value is {} (empty). Additional properties are allowed.
- use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
- uuid string
  
  A universally unique identifier (UUID) for the action.
alert_delay object

Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.

Additional properties are NOT allowed.
Hide alert_delay attribute Show alert_delay attribute object
- active number Required
  
  The number of consecutive runs that must meet the rule conditions.
flapping object | null

When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.

Additional properties are NOT allowed.
Hide flapping attributes Show flapping attributes object | null
- look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
- status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
name string Required

The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
notify_when string | null

Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
params object

The parameters for the rule.

Default value is {} (empty). Additional properties are allowed.
schedule object Required

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
tags array[string]

The tags for the rule.

Default value is [] (empty).
throttle string | null

Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.
409

Indicates that the rule has already been updated by another user.

PUT /api/alerting/rule/{id}

curl \
 --request PUT 'http://api.example.com/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"name":"new name","tags":[],"params":{"index":[".updated-index"],"aggType":"avg","groupBy":"top","aggField":"sheet.version","termSize":6,"termField":"name.keyword","threshold":[1000],"timeField":"@timestamp","timeWindowSize":5,"timeWindowUnit":"m","thresholdComparator":"\u003e"},"actions":[{"id":"96b668d0-a1b6-11ed-afdf-d39a49596974","group":"threshold met","params":{"level":"info","message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"},"frequency":{"summary":false,"notify_when":"onActionGroupChange"}}],"schedule":{"interval":"1m"}}'

Request example

Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.

{
  "name": "new name",
  "tags": [],
  "params": {
    "index": [
      ".updated-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
      },
      "frequency": {
        "summary": false,
        "notify_when": "onActionGroupChange"
      }
    }
  ],
  "schedule": {
    "interval": "1m"
  }
}

Response examples (200)

The response for successfully updating an index threshold rule.

{
  "id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
  "name": "new name",
  "tags": [],
  "params": {
    "index": [
      ".updated-index"
    ],
    "aggType": "avg",
    "groupBy": "top",
    "aggField": "sheet.version",
    "termSize": 6,
    "termField": "name.keyword",
    "threshold": [
      1000
    ],
    "timeField": "@timestamp",
    "timeWindowSize": 5,
    "timeWindowUnit": "m",
    "thresholdComparator": ">"
  },
  "actions": [
    {
      "id": "96b668d0-a1b6-11ed-afdf-d39a49596974",
      "uuid": "07aef2a0-9eed-4ef9-94ec-39ba58eb609d",
      "group": "threshold met",
      "params": {
        "level": "info",
        "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}"
      },
      "frequency": {
        "summary": false,
        "throttle": null,
        "notify_when": "onActionGroupChange"
      },
      "connector_type_id": ".server-log"
    }
  ],
  "enabled": true,
  "running": false,
  "consumer": "alerts",
  "last_run": {
    "outcome": "succeeded",
    "warning": null,
    "outcome_msg": null,
    "alerts_count": {
      "new": 0,
      "active": 0,
      "ignored": 0,
      "recovered": 0
    }
  },
  "mute_all": false,
  "next_run": "2024-03-26T23:23:51.316Z",
  "revision": 1,
  "schedule": {
    "interval": "1m"
  },
  "throttle": null,
  "created_at": "2024-03-26T23:13:20.985Z",
  "created_by": "elastic",
  "updated_at": "2024-03-26T23:22:59.949Z",
  "updated_by": "elastic",
  "rule_type_id": ".index-threshold",
  "api_key_owner": "elastic",
  "muted_alert_ids": [],
  "execution_status": {
    "status": "ok",
    "last_duration": 52,
    "last_execution_date": "2024-03-26T23:22:51.390Z"
  },
  "scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
  "api_key_created_by_user": false
}

Delete a rule

DELETE /api/alerting/rule/{id}

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id}

curl \
 --request DELETE 'http://api.example.com/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Disable a rule

POST /api/alerting/rule/{id}/_disable

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

application/json

Body

untrack boolean

Defines whether this rule's alerts should be untracked.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_disable

curl \
 --request POST 'http://api.example.com/api/alerting/rule/{id}/_disable' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"untrack":true}'

Mute all alerts

POST /api/alerting/rule/{id}/_mute_all

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_mute_all

curl \
 --request POST 'http://api.example.com/api/alerting/rule/{id}/_mute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all

curl \
 --request POST 'http://api.example.com/api/alerting/rule/{id}/_unmute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Update the API key for a rule

POST /api/alerting/rule/{id}/_update_api_key

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

The identifier for the rule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given ID does not exist.
409

Indicates that the rule has already been updated by another user.

POST /api/alerting/rule/{id}/_update_api_key

curl \
 --request POST 'http://api.example.com/api/alerting/rule/{id}/_update_api_key' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Schedule a snooze for the rule

POST /api/alerting/rule/{id}/snooze_schedule

Api key auth

When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

id string Required

Identifier of the rule.

application/json

Body

schedule object Required

Additional properties are NOT allowed.
Hide schedule attribute Show schedule attribute object
- custom object
  
  Additional properties are NOT allowed.
  Hide custom attributes Show custom attributes object
  
  duration string Required
  
  The duration of the schedule. It allows values in <integer><unit> format. <unit> is one of d, h, m, or s for hours, minutes, seconds. For example: 1d, 5h, 30m, 5000s.
  
  recurring object
  
  Additional properties are NOT allowed.
  
  Hide recurring attributes Show recurring attributes object
  
  end string
  
  The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-04-01T00:00:00.000Z.
  
  every string
  
  The interval and frequency of a recurring schedule. It allows values in <integer><unit> format. <unit> is one of d, w, M, or y for days, weeks, months, years. For example: 15d, 2w, 3m, 1y.
  
  occurrences number
  
  The total number of recurrences of the schedule.
  
  Minimum value is 1.
  
  onMonth array[number]
  
  The specific months for a recurring schedule. Valid values are 1-12.
  
  At least 1 element. Minimum value of each is 1, maximum value of each is 12.
  
  onMonthDay array[number]
  
  The specific days of the month for a recurring schedule. Valid values are 1-31.
  
  At least 1 element. Minimum value of each is 1, maximum value of each is 31.
  
  onWeekDay array[string]
  
  The specific days of the week ([MO,TU,WE,TH,FR,SA,SU]) or nth day of month ([+1MO, -3FR, +2WE, -4SA, -5SU]) for a recurring schedule.
  
  At least 1 element.
  
  start string Required
  
  The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-03-12T12:00:00.000Z.
  
  timezone string
  
  The timezone of the schedule. The default timezone is UTC.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- body object Required
  
  Additional properties are NOT allowed.
  
  Hide body attribute Show body attribute object
  
  schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attributes Show schedule attributes object
  
  custom object
  
  Additional properties are NOT allowed.
  
  Hide custom attributes Show custom attributes object
  
  duration string Required
  
  The duration of the schedule. It allows values in <integer><unit> format. <unit> is one of d, h, m, or s for hours, minutes, seconds. For example: 1d, 5h, 30m, 5000s.
  
  recurring object
  
  Additional properties are NOT allowed.
  
  Hide recurring attributes Show recurring attributes object
  
  end string
  
  The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-04-01T00:00:00.000Z.
  
  every string
  
  The interval and frequency of a recurring schedule. It allows values in <integer><unit> format. <unit> is one of d, w, M, or y for days, weeks, months, years. For example: 15d, 2w, 3m, 1y.
  
  occurrences number
  
  The total number of recurrences of the schedule.
  
  Minimum value is 1.
  
  onMonth array[number]
  
  The specific months for a recurring schedule. Valid values are 1-12.
  
  At least 1 element. Minimum value of each is 1, maximum value of each is 12.
  
  onMonthDay array[number]
  
  The specific days of the month for a recurring schedule. Valid values are 1-31.
  
  At least 1 element. Minimum value of each is 1, maximum value of each is 31.
  
  onWeekDay array[string]
  
  The specific days of the week ([MO,TU,WE,TH,FR,SA,SU]) or nth day of month ([+1MO, -3FR, +2WE, -4SA, -5SU]) for a recurring schedule.
  
  At least 1 element.
  
  start string Required
  
  The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: 2025-03-12T12:00:00.000Z.
  
  timezone string
  
  The timezone of the schedule. The default timezone is UTC.
  
  id string Required
  
  Identifier of the snooze schedule.
400

Indicates an invalid schema.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given id does not exist.

POST /api/alerting/rule/{id}/snooze_schedule

curl \
 --request POST 'http://api.example.com/api/alerting/rule/{id}/snooze_schedule' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"schedule":{"custom":{"duration":"string","recurring":{"end":"string","every":"string","occurrences":42.0,"onMonth":[42.0],"onMonthDay":[42.0],"onWeekDay":["string"]},"start":"string","timezone":"string"}}}'

Mute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

rule_id string Required

The identifier for the rule.
alert_id string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute

curl \
 --request POST 'http://api.example.com/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

rule_id string Required

The identifier for the rule.
alert_id string Required

The identifier for the alert.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.
404

Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute

curl \
 --request POST 'http://api.example.com/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Delete a snooze schedule for a rule

DELETE /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

ruleId string Required

The identifier for the rule.
scheduleId string Required

The identifier for the snooze schedule.

Responses

204

Indicates a successful call.
400

Indicates an invalid schema.
403

Indicates that this call is forbidden.
404

Indicates a rule with the given id does not exist.

DELETE /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}

curl \
 --request DELETE 'http://api.example.com/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get information about rules

GET /api/alerting/rules/_find

Api key auth

Query parameters

per_page number

The number of rules to return per page.

Minimum value is 0. Default value is 10.
page number

The page number to return.

Minimum value is 1. Default value is 1.
search string

An Elasticsearch simple_query_string query that filters the objects in the response.
default_search_operator string

The default operator to use for the simple_query_string.

Values are OR or AND. Default value is OR.
search_fields array[string] | string

The fields to perform the simple_query_string parsed query against.
sort_field string

Determines which field is used to sort the results. The field must exist in the attributes key of the response.
sort_order string

Determines the sort order.

Values are asc or desc.
has_reference object | null

Filters the rules that have a relation with the reference objects with a specific type and identifier.

Additional properties are NOT allowed.
Hide has_reference attributes Show has_reference attributes object | null
- id string Required
- type string Required
fields array[string]

The fields to return in the attributes key of the response.
filter string

A KQL string that you filter with an attribute from your saved object. It should look like savedObjectType.attributes.title: "myTitle". However, if you used a direct attribute of a saved object, such as updatedAt, you must define your filter, for example, savedObjectType.updatedAt > 2018-12-22.
filter_consumers array[string]

List of consumers to filter.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- actions array[object] Required
  
  Hide actions attributes Show actions attributes object
  
  alerts_filter object
  
  Defines a period that limits whether the action runs.
  
  Additional properties are NOT allowed.
  
  Hide alerts_filter attributes Show alerts_filter attributes object
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  dsl string
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL).
  
  filters array[object] Required
  
  A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the kbn-es-query package.
  
  Hide filters attributes Show filters attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  A filter can be either specific to an application context or applied globally.
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are allowed.
  
  kql string Required
  
  A filter written in Kibana Query Language (KQL).
  
  timeframe object
  
  Additional properties are NOT allowed.
  
  Hide timeframe attributes Show timeframe attributes object
  
  days array[integer] Required
  
  Defines the days of the week that the action can run, represented as an array of numbers. For example, 1 represents Monday. An empty array is equivalent to specifying all the days of the week.
  
  Values are 1, 2, 3, 4, 5, 6, or 7.
  
  hours object Required
  
  Additional properties are NOT allowed.
  
  Hide hours attributes Show hours attributes object
  
  end string Required
  
  The end of the time frame in 24-hour notation (hh:mm).
  
  start string Required
  
  The start of the time frame in 24-hour notation (hh:mm).
  
  timezone string Required
  
  The ISO time zone for the hours values. Values such as UTC and UTC+1 also work but lack built-in daylight savings time support and are not recommended.
  
  connector_type_id string Required
  
  The type of connector. This property appears in responses but cannot be set in requests.
  
  frequency object
  
  Additional properties are NOT allowed.
  
  Hide frequency attributes Show frequency attributes object
  
  notify_when string Required
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
  
  summary boolean Required
  
  Indicates whether the action is a summary.
  
  throttle string | null Required
  
  The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  group string
  
  The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to default.
  
  id string Required
  
  The identifier for the connector saved object.
  
  params object Required
  
  The parameters for the action, which are sent to the connector. The params are handled as Mustache templates and passed a default set of context.
  
  Additional properties are allowed.
  
  use_alert_data_for_template boolean
  
  Indicates whether to use alert data as a template.
  
  uuid string
  
  A universally unique identifier (UUID) for the action.
- active_snoozes array[string]
  
  List of active snoozes for the rule.
- alert_delay object
  
  Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
  
  Additional properties are NOT allowed.
  
  Hide alert_delay attribute Show alert_delay attribute object
  
  active number Required
  
  The number of consecutive runs that must meet the rule conditions.
- api_key_created_by_user boolean | null
  
  Indicates whether the API key that is associated with the rule was created by the user.
- api_key_owner string | null Required
  
  The owner of the API key that is associated with the rule and used to run background tasks.
- consumer string Required
  
  The name of the application or feature that owns the rule. For example: alerts, apm, discover, infrastructure, logs, metrics, ml, monitoring, securitySolution, siem, stackAlerts, or uptime.
- created_at string Required
  
  The date and time that the rule was created.
- created_by string | null Required
  
  The identifier for the user that created the rule.
- enabled boolean Required
  
  Indicates whether you want to run the rule on an interval basis after it is created.
- execution_status object Required
  
  Additional properties are NOT allowed.
  
  Hide execution_status attributes Show execution_status attributes object
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  Error message.
  
  reason string Required
  
  Reason for error.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, or validate.
  
  last_duration number
  
  Duration of last execution of the rule.
  
  last_execution_date string Required
  
  The date and time when rule was executed last.
  
  status string Required
  
  Status of rule execution.
  
  Values are ok, active, error, warning, pending, or unknown.
  
  warning object
  
  Additional properties are NOT allowed.
  
  Hide warning attributes Show warning attributes object
  
  message string Required
  
  Warning message.
  
  reason string Required
  
  Reason for warning.
  
  Values are maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- flapping object | null
  
  When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
  
  Additional properties are NOT allowed.
  
  Hide flapping attributes Show flapping attributes object | null
  
  look_back_window number Required
  
  The minimum number of runs in which the threshold must be met.
  
  Minimum value is 2, maximum value is 20.
  
  status_change_threshold number Required
  
  The minimum number of times an alert must switch states in the look back window.
  
  Minimum value is 2, maximum value is 20.
- id string Required
  
  The identifier for the rule.
- is_snoozed_until string | null
  
  The date when the rule will no longer be snoozed.
- last_run object | null
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object | null
  
  alerts_count object Required
  
  Additional properties are NOT allowed.
  
  Hide alerts_count attributes Show alerts_count attributes object
  
  active number | null
  
  Number of active alerts during last run.
  
  ignored number | null
  
  Number of ignored alerts during last run.
  
  new number | null
  
  Number of new alerts during last run.
  
  recovered number | null
  
  Number of recovered alerts during last run.
  
  outcome string Required
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  outcome_msg array[string] | null
  
  Outcome message generated during last rule run.
  
  outcome_order number
  
  Order of the outcome.
  
  warning string | null
  
  Warning of last rule execution.
  
  Values are read, decrypt, execute, unknown, license, timeout, disabled, validate, maxExecutableActions, maxAlerts, maxQueuedActions, or ruleExecution.
- mapped_params object
  
  Additional properties are allowed.
- monitoring object
  
  Monitoring details of the rule.
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  run object Required
  
  Rule run details.
  
  Additional properties are NOT allowed.
  
  Hide run attributes Show run attributes object
  
  calculated_metrics object Required
  
  Calculation of different percentiles and success ratio.
  
  Additional properties are NOT allowed.
  
  Hide calculated_metrics attributes Show calculated_metrics attributes object
  
  p50 number
  
  p95 number
  
  p99 number
  
  success_ratio number Required
  
  history array[object] Required
  
  History of the rule run.
  
  Hide history attributes Show history attributes object
  
  duration number
  
  Duration of the rule run.
  
  outcome string
  
  Outcome of last run of the rule. Value could be succeeded, warning or failed.
  
  Values are succeeded, warning, or failed.
  
  success boolean Required
  
  Indicates whether the rule run was successful.
  
  timestamp number Required
  
  Time of rule run.
  
  last_run object Required
  
  Additional properties are NOT allowed.
  
  Hide last_run attributes Show last_run attributes object
  
  metrics object Required
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  duration number
  
  Duration of most recent rule run.
  
  gap_duration_s number | null
  
  Duration in seconds of rule run gap.
  
  gap_range object | null
  
  Additional properties are NOT allowed.
  
  Hide gap_range attributes Show gap_range attributes object | null
  
  gte string Required
  
  End of the gap range.
  
  lte string Required
  
  Start of the gap range.
  
  total_alerts_created number | null
  
  Total number of alerts created during last rule run.
  
  total_alerts_detected number | null
  
  Total number of alerts detected during last rule run.
  
  total_indexing_duration_ms number | null
  
  Total time spent indexing documents during last rule run in milliseconds.
  
  total_search_duration_ms number | null
  
  Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
  
  timestamp string Required
  
  Time of the most recent rule run.
- mute_all boolean Required
  
  Indicates whether all alerts are muted.
- muted_alert_ids array[string] Required
  
  List of identifiers of muted alerts.
- name string Required
  
  The name of the rule.
- next_run string | null
  
  Date and time of the next run of the rule.
- notify_when string | null
  
  Indicates how often alerts generate actions. Valid values include: onActionGroupChange: Actions run when the alert status changes; onActiveAlert: Actions run when the alert becomes active and at each check interval while the rule conditions are met; onThrottleInterval: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify notify_when at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
  
  Values are onActionGroupChange, onActiveAlert, or onThrottleInterval.
- params object Required
  
  The parameters for the rule.
  
  Additional properties are allowed.
- revision number Required
  
  The rule revision number.
- rule_type_id string Required
  
  The rule type identifier.
- running boolean | null
  
  Indicates whether the rule is running.
- schedule object Required
  
  Additional properties are NOT allowed.
  
  Hide schedule attribute Show schedule attribute object
  
  interval string Required
  
  The interval is specified in seconds, minutes, hours, or days.
- scheduled_task_id string
  
  Identifier of the scheduled task.
- snooze_schedule array[object]
  
  Hide snooze_schedule attributes Show snooze_schedule attributes object
  
  duration number Required
  
  Duration of the rule snooze schedule.
  
  id string
  
  Identifier of the rule snooze schedule.
  
  rRule object Required
  
  Additional properties are NOT allowed.
  
  Hide rRule attributes Show rRule attributes object
  
  byhour array[number] | null
  
  Indicates hours of the day to recur.
  
  byminute array[number] | null
  
  Indicates minutes of the hour to recur.
  
  bymonth array[number] | null
  
  Indicates months of the year that this rule should recur.
  
  bymonthday array[number] | null
  
  Indicates the days of the month to recur.
  
  bysecond array[number] | null
  
  Indicates seconds of the day to recur.
  
  bysetpos array[number] | null
  
  A positive or negative integer affecting the nth day of the month. For example, -2 combined with byweekday of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use byweekday.
  
  byweekday array[string | number] | null
  
  Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a byweekday/bysetpos combination.
  
  byweekno array[number] | null
  
  Indicates number of the week hours to recur.
  
  byyearday array[number] | null
  
  Indicates the days of the year that this rule should recur.
  
  count number
  
  Number of times the rule should recur until it stops.
  
  dtstart string Required
  
  Rule start date in Coordinated Universal Time (UTC).
  
  freq integer
  
  Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
  
  Values are 0, 1, 2, 3, 4, 5, or 6.
  
  interval number
  
  Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
  
  tzid string Required
  
  Indicates timezone abbreviation.
  
  until string
  
  Recur the rule until this date.
  
  wkst string
  
  Indicates the start of week, defaults to Monday.
  
  Values are MO, TU, WE, TH, FR, SA, or SU.
  
  skipRecurrences array[string]
  
  Skips recurrence of rule on this date.
- tags array[string] Required
  
  The tags for the rule.
- throttle string | null Deprecated
  
  Deprecated in 8.13.0. Use the throttle property in the action frequency object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.
- updated_at string Required
  
  The date and time that the rule was updated most recently.
- updated_by string | null Required
  
  The identifier for the user that updated this rule most recently.
- view_in_app_relative_url string | null
  
  Relative URL to view rule in the app.
400

Indicates an invalid schema or parameters.
403

Indicates that this call is forbidden.

GET /api/alerting/rules/_find

curl \
 --request GET 'http://api.example.com/api/alerting/rules/_find' \
 --header "Authorization: $API_KEY"

Response examples (200)

A response that contains information about an index threshold rule.

{
  "data": [
    {
      "id": "3583a470-74f6-11ed-9801-35303b735aef",
      "name": "my alert",
      "tags": [
        "cpu"
      ],
      "params": {
        "index": [
          "test-index"
        ],
        "aggType": "avg",
        "groupBy": "top",
        "aggField": "sheet.version",
        "termSize": 6,
        "termField": "name.keyword",
        "threshold": [
          1000
        ],
        "timeField": "@timestamp",
        "timeWindowSize": 5,
        "timeWindowUnit": "m",
        "thresholdComparator": ">"
      },
      "actions": [
        {
          "id": "9dca3e00-74f5-11ed-9801-35303b735aef",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "threshold met",
          "params": {
            "level": "info",
            "message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}",
            "connector_type_id": ".server-log"
          },
          "frequency": {
            "summary": false,
            "throttle": null,
            "notify_when": "onActionGroupChange"
          }
        }
      ],
      "enabled": true,
      "consumer": "alerts",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": null,
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        }
      },
      "mute_all": false,
      "next_run": "2022-12-06T01:45:23.912Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2022-12-05T23:40:33.132Z",
      "created_by": "elastic",
      "updated_at": "2022-12-05T23:40:33.132Z",
      "updated_by": "elastic",
      "rule_type_id": ".index-threshold",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 48,
        "last_execution_date": "2022-12-06T01:44:23.983Z"
      },
      "scheduled_task_id": "3583a470-74f6-11ed-9801-35303b735aef",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

A response that contains information about a security rule that has conditional actions.

{
  "data": [
    {
      "id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "name": "security_rule",
      "tags": [],
      "params": {
        "to": "now",
        "from": "now-3660s",
        "meta": {
          "from": "1h",
          "kibana_siem_app_url": "https://localhost:5601/app/security"
        },
        "type": "threshold",
        "index": [
          "kibana_sample_data_logs"
        ],
        "query": "*",
        "author": [],
        "ruleId": "an_internal_rule_id",
        "threat": [],
        "filters": [],
        "license": "",
        "version": 1,
        "language": "kuery",
        "severity": "low",
        "immutable": false,
        "riskScore": 21,
        "threshold": {
          "field": [
            "bytes"
          ],
          "value": 1,
          "cardinality": []
        },
        "maxSignals": 100,
        "references": [],
        "description": "A security threshold rule.",
        "outputIndex": "",
        "exceptionsList": [],
        "falsePositives": [],
        "severityMapping": [],
        "riskScoreMapping": []
      },
      "actions": [
        {
          "id": "49eae970-f401-11ed-9f8e-399c75a2deeb",
          "uuid": "1c7a1280-f28c-4e06-96b2-e4e5f05d1d61",
          "group": "default",
          "params": {
            "documents": [
              {
                "rule_id": {
                  "[object Object]": null
                },
                "alert_id": {
                  "[object Object]": null
                },
                "rule_name": {
                  "[object Object]": null
                },
                "context_message": {
                  "[object Object]": null
                }
              }
            ]
          },
          "frequency": {
            "summary": true,
            "throttle": null,
            "notify_when": "onActiveAlert"
          },
          "alerts_filter": {
            "query": {
              "kql": "",
              "filters": [
                {
                  "meta": {
                    "key": "client.geo.region_iso_code",
                    "alias": null,
                    "field": "client.geo.region_iso_code",
                    "index": "c4bdca79-e69e-4d80-82a1-e5192c621bea",
                    "negate": false,
                    "params": {
                      "type": "phrase",
                      "query": "CA-QC"
                    },
                    "disabled": false
                  },
                  "query": {
                    "match_phrase": {
                      "client.geo.region_iso_code": "CA-QC"
                    }
                  },
                  "$state": {
                    "store": "appState"
                  }
                }
              ]
            },
            "timeframe": {
              "days": [
                7
              ],
              "hours": {
                "end": "17:00",
                "start": "08:00"
              },
              "timezone": "UTC"
            }
          },
          "connector_type_id": ".index"
        }
      ],
      "enabled": true,
      "running": false,
      "consumer": "siem",
      "last_run": {
        "outcome": "succeeded",
        "warning": null,
        "outcome_msg": [
          "Rule execution completed successfully"
        ],
        "alerts_count": {
          "new": 0,
          "active": 0,
          "ignored": 0,
          "recovered": 0
        },
        "outcome_order": 0
      },
      "mute_all": false,
      "next_run": "2023-05-16T20:27:49.507Z",
      "revision": 1,
      "schedule": {
        "interval": "1m"
      },
      "throttle": null,
      "created_at": "2023-05-16T15:50:28.358Z",
      "created_by": "elastic",
      "updated_at": "2023-05-16T20:25:42.559Z",
      "updated_by": "elastic",
      "notify_when": null,
      "rule_type_id": "siem.thresholdRule",
      "api_key_owner": "elastic",
      "muted_alert_ids": [],
      "execution_status": {
        "status": "ok",
        "last_duration": 166,
        "last_execution_date": "2023-05-16T20:26:49.590Z"
      },
      "scheduled_task_id": "6107a8f0-f401-11ed-9f8e-399c75a2deeb",
      "api_key_created_by_user": false
    }
  ],
  "page": 1,
  "total": 1,
  "per_page": 10
}

Get a list of agent configurations

GET /api/apm/settings/agent-configuration

Api key auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- configurations array[object]
  
  Agent configuration
  
  Agent configuration
  
  Hide configurations attributes Show configurations attributes object
  
  @timestamp number Required
  
  Timestamp
  
  agent_name string
  
  Agent name
  
  applied_by_agent boolean
  
  Applied by agent
  
  etag string Required
  
  etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.
  
  service object Required
  
  Service
  
  Hide service attributes Show service attributes object
  
  environment string
  
  The environment of the service.
  
  name string
  
  The name of the service.
  
  settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration

curl \
 --request GET 'http://api.example.com/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Response examples (200)

An example of a successful response from `GET /api/apm/settings/agent-configuration`.

[
  {
      "agent_name": "go",
      "service": {
      "name": "opbeans-go",
      "environment": "production"
      },
      "settings": {
      "transaction_sample_rate": "1",
      "capture_body": "off",
      "transaction_max_spans": "200"
      },
      "@timestamp": 1581934104843,
      "applied_by_agent": false,
      "etag": "1e58c178efeebae15c25c539da740d21dee422fc"
  },
  {
      "agent_name": "go",
      "service": {
      "name": "opbeans-go"
      },
      "settings": {
      "transaction_sample_rate": "1",
      "capture_body": "off",
      "transaction_max_spans": "300"
      },
      "@timestamp": 1581934111727,
      "applied_by_agent": false,
      "etag": "3eed916d3db434d9fb7f039daa681c7a04539a64"
  },
  {
      "agent_name": "nodejs",
      "service": {
      "name": "frontend"
      },
      "settings": {
      "transaction_sample_rate": "1",
      },
      "@timestamp": 1582031336265,
      "applied_by_agent": false,
      "etag": "5080ed25785b7b19f32713681e79f46996801a5b"
  }
]

Create or update agent configuration

PUT /api/apm/settings/agent-configuration

Api key auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

overwrite boolean

If the config exists ?overwrite=true is required

application/json

Body Required

agent_name string

The agent name is used by the UI to determine which settings to display.
service object Required

Service
Hide service attributes Show service attributes object
- environment string
  
  The environment of the service.
- name string
  
  The name of the service.
settings object Required

Agent configuration settings
Hide settings attribute Show settings attribute object
- * string Additional properties

Responses

200 application/json

Successful response

Additional properties are NOT allowed.
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

PUT /api/apm/settings/agent-configuration

curl \
 --request PUT 'http://api.example.com/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '"{\n    \"service\": {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    },\n    \"settings\": {\n        \"transaction_sample_rate\": \"0.4\",\n        \"capture_body\": \"off\",\n        \"transaction_max_spans\": \"500\"\n    },\n    \"agent_name\": \"nodejs\"\n}\n"'

Request example

Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details.

{
    "service": {
        "name": "frontend",
        "environment": "production"
    },
    "settings": {
        "transaction_sample_rate": "0.4",
        "capture_body": "off",
        "transaction_max_spans": "500"
    },
    "agent_name": "nodejs"
}

Delete agent configuration

DELETE /api/apm/settings/agent-configuration

Api key auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

environment string

The environment of the service.
name string

The name of the service.

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- result string
  
  Result
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

DELETE /api/apm/settings/agent-configuration

curl \
 --request DELETE 'http://api.example.com/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '"{\n    \"service\" : {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    }\n}\n"'

Request example

Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration.

{
    "service" : {
        "name": "frontend",
        "environment": "production"
    }
}

Get environments for service

GET /api/apm/settings/agent-configuration/environments

Api key auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

serviceName string

The name of the service

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- environments array[object]
  
  Service environment list
  
  Hide environments attributes Show environments attributes object
  
  alreadyConfigured boolean
  
  Already configured
  
  name string
  
  Service environment name
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/environments

curl \
 --request GET 'http://api.example.com/api/apm/settings/agent-configuration/environments' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Lookup single agent configuration

POST /api/apm/settings/agent-configuration/search

Api key auth

This endpoint enables you to search for a single agent configuration and update the 'applied_by_agent' field.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body Required

etag string

If etags match then applied_by_agent field will be set to true
mark_as_applied_by_agent boolean

markAsAppliedByAgent=true means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags
service object Required

Service
Hide service attributes Show service attributes object
- environment string
  
  The environment of the service.
- name string
  
  The name of the service.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- _id string
  
  Identifier
- _index string
  
  Index
- _score number
  
  Score
- _source object
  
  Agent configuration
  
  Hide _source attributes Show _source attributes object
  
  @timestamp number Required
  
  Timestamp
  
  agent_name string
  
  Agent name
  
  applied_by_agent boolean
  
  Applied by agent
  
  etag string Required
  
  etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.
  
  service object Required
  
  Service
  
  Hide service attributes Show service attributes object
  
  environment string
  
  The environment of the service.
  
  name string
  
  The name of the service.
  
  settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/settings/agent-configuration/search

curl \
 --request POST 'http://api.example.com/api/apm/settings/agent-configuration/search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '"{\n    \"etag\": \"1e58c178efeebae15c25c539da740d21dee422fc\",\n    \"service\" : {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    }\n}\n"'

Request example

Run `POST /api/apm/settings/agent-configuration/search` to search configuration details.

{
    "etag": "1e58c178efeebae15c25c539da740d21dee422fc",
    "service" : {
        "name": "frontend",
        "environment": "production"
    }
}

Response examples (200)

An example of a successful response from `POST /api/apm/settings/agent-configuration/search`.

{
  "_index": ".apm-agent-configuration",
  "_id": "CIaqXXABmQCdPphWj8EJ",
  "_score": 2,
  "_source": {
    "agent_name": "nodejs",
    "service": {
      "name": "frontend"
    },
    "settings": {
      "transaction_sample_rate": "1",
    },
    "@timestamp": 1582031336265,
    "applied_by_agent": false,
    "etag": "5080ed25785b7b19f32713681e79f46996801a5b"
  }
}

Get single agent configuration

GET /api/apm/settings/agent-configuration/view

Api key auth

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

name string

Service name
environment string

Service environment

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- id string Required
- @timestamp number Required
  
  Timestamp
- agent_name string
  
  Agent name
- applied_by_agent boolean
  
  Applied by agent
- etag string Required
  
  etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.
- service object Required
  
  Service
  
  Hide service attributes Show service attributes object
  
  environment string
  
  The environment of the service.
  
  name string
  
  The name of the service.
- settings object Required
  
  Agent configuration settings
  
  Hide settings attribute Show settings attribute object
  
  * string Additional properties
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
404 application/json

Not found response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/settings/agent-configuration/view

curl \
 --request GET 'http://api.example.com/api/apm/settings/agent-configuration/view' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Search for annotations

GET /api/apm/services/{serviceName}/annotation/search

Api key auth

Search for annotations related to a specific service.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.

Path parameters

serviceName string Required

The name of the service

Query parameters

environment string

The environment to filter annotations by
start string

The start date for the search
end string

The end date for the search

Responses

200 application/json

Successful response
Hide response attribute Show response attribute object
- annotations array[object]
  
  Annotations
  
  Hide annotations attributes Show annotations attributes object
  
  @timestamp number
  
  id string
  
  text string
  
  type string
  
  Value is version.
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

GET /api/apm/services/{serviceName}/annotation/search

curl \
 --request GET 'http://api.example.com/api/apm/services/{serviceName}/annotation/search' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Upload a source map for a specific service and version. You must have all Kibana privileges for the APM and User Experience feature. The maximum payload size is 1mb. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the server.maxPayload variable.

Headers

elastic-api-version string Required

The version of the API to use

Value is 2023-10-31. Default value is 2023-10-31.
kbn-xsrf string Required

A required header to protect against CSRF attacks

multipart/form-data

Body Required

bundle_filepath string Required

The absolute path of the final bundle as used in the web application.
service_name string Required

The name of the service that the service map should apply to.
service_version string Required

The version of the service that the service map should apply to.
sourcemap string(binary) Required

The source map. It can be a string or file upload. It must follow the source map format specification.

Responses

200 application/json

Successful response
Hide response attributes Show response attributes object
- body string
- compressionAlgorithm string
  
  Compression Algorithm
- created string
  
  Created date
- decodedSha256 string
  
  Decoded SHA-256
- decodedSize number
  
  Decoded size
- encodedSha256 string
  
  Encoded SHA-256
- encodedSize number
  
  Encoded size
- encryptionAlgorithm string
  
  Encryption Algorithm
- id string
  
  Identifier
- identifier string
  
  Identifier
- packageName string
  
  Package name
- relative_url string
  
  Relative URL
- type string
  
  Type
400 application/json

Bad Request response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
401 application/json

Unauthorized response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
403 application/json

Forbidden response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
500 application/json

Internal Server Error response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code
501 application/json

Not Implemented response
Hide response attributes Show response attributes object
- error string
  
  Error type
- message string
  
  Error message
- statusCode number
  
  Error status code

POST /api/apm/sourcemaps

curl -X POST "http://localhost:5601/api/apm/sourcemaps" \
-H 'Content-Type: multipart/form-data' \
-H 'kbn-xsrf: true' \
-H 'Authorization: ApiKey ${YOUR_API_KEY}' \
-F 'service_name="foo"' \
-F 'service_version="1.0.0"' \
-F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \
-F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"'

Response examples (200)

A successful response from `POST /api/apm/sourcemaps`.

{
  "id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "body": "eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI",
  "type": "sourcemap",
  "created": "2021-07-09T20:47:44.812Z",
  "identifier": "foo-1.0.0",
  "decodedSize": 441,
  "encodedSize": 237,
  "packageName": "apm",
  "relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456",
  "encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24",
  "encryptionAlgorithm": "none",
  "compressionAlgorithm": "zlib"
}

Get CCR Remote synced integrations status by outputId

GET /api/fleet/remote_synced_integrations/{outputId}/remote_status

Api key auth

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.

Path parameters

outputId string Required

Responses

200 application/json
Hide response attributes Show response attributes object
- custom_assets object
  
  Hide custom_assets attribute Show custom_assets attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  name string Required
  
  package_name string Required
  
  package_version string Required
  
  sync_status string Required
  
  Values are completed, synchronizing, or failed.
  
  type string Required
- error string
- integrations array[object] Required
  
  Hide integrations attributes Show integrations attributes object
  
  error string
  
  id string
  
  package_name string
  
  package_version string
  
  sync_status string Required
  
  Values are completed, synchronizing, or failed.
  
  updated_at string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/remote_synced_integrations/{outputId}/remote_status

curl \
 --request GET 'http://api.example.com/api/fleet/remote_synced_integrations/{outputId}/remote_status' \
 --header "Authorization: $API_KEY"

Get connector information

GET /api/actions/connector/{id}

Api key auth

Path parameters

id string Required

An identifier for the connector.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- config object
  
  Additional properties are allowed.
- connector_type_id string Required
  
  The connector type identifier.
- id string Required
  
  The identifier for the connector.
- is_deprecated boolean Required
  
  Indicates whether the connector is deprecated.
- is_missing_secrets boolean
  
  Indicates whether the connector is missing secrets.
- is_preconfigured boolean Required
  
  Indicates whether the connector is preconfigured. If true, the config and is_missing_secrets properties are omitted from the response.
- is_system_action boolean Required
  
  Indicates whether the connector is used for system actions.
- name string Required
  
  The name of the rule.

GET /api/actions/connector/{id}

curl \
 --request GET 'http://api.example.com/api/actions/connector/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "id": "df770e30-8b8b-11ed-a780-3b746c987a81",
  "name": "my_server_log_connector",
  "config": {},
  "is_deprecated": false,
  "is_preconfigured": false,
  "is_system_action": false,
  "connector_type_id": ".server-log",
  "is_missing_secrets": false
}

Get a list of dashboards Technical Preview

GET /api/dashboards/dashboard

Api key auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Query parameters

page number

The page number to return. Default is "1".

Minimum value is 1. Default value is 1.
perPage number

The number of dashboards to display on each page (max 1000). Default is "20".

Minimum value is 1, maximum value is 1000.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  description string
  
  A short description.
  
  Default value is empty.
  
  tags array[string]
  
  An array of tags applied to this dashboard
  
  timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
  
  title string Required
  
  A human-readable title for the dashboard
  
  createdAt string
  
  createdBy string
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  error string Required
  
  message string Required
  
  metadata object
  
  Additional properties are allowed.
  
  statusCode number Required
  
  id string Required
  
  managed boolean
  
  namespaces array[string]
  
  originId string
  
  references array[object] Required
  
  Hide references attributes Show references attributes object
  
  id string Required
  
  name string Required
  
  type string Required
  
  type string Required
  
  updatedAt string
  
  updatedBy string
  
  version string
- total number Required

GET /api/dashboards/dashboard

curl \
 --request GET 'http://api.example.com/api/dashboards/dashboard' \
 --header "Authorization: $API_KEY"

Get a dashboard Technical Preview

GET /api/dashboards/dashboard/{id}

Api key auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Path parameters

id string Required

A unique identifier for the dashboard.

Responses

200 application/json
Hide response attributes Show response attributes object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  controlGroupInput object
  
  Additional properties are NOT allowed.
  
  Hide controlGroupInput attributes Show controlGroupInput attributes object
  
  autoApplySelections boolean
  
  Show apply selections button in controls.
  
  Default value is true.
  
  chainingSystem string
  
  The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE".
  
  Values are NONE or HIERARCHICAL. Default value is HIERARCHICAL.
  
  controls array[object]
  
  An array of control panels and their state in the control group.
  
  Default value is [] (empty).
  
  Hide controls attributes Show controls attributes object
  
  controlConfig object
  
  Additional properties are allowed.
  
  grow boolean
  
  Expand width of the control panel to fit available space.
  
  Default value is false.
  
  id string
  
  The unique ID of the control.
  
  order number Required
  
  The order of the control panel in the control group.
  
  type string Required
  
  The type of the control panel.
  
  width string
  
  Minimum width of the control panel in the control group.
  
  Values are small, medium, or large. Default value is medium.
  
  enhancements object
  
  Additional properties are allowed.
  
  ignoreParentSettings object Required
  
  Additional properties are NOT allowed.
  
  Hide ignoreParentSettings attributes Show ignoreParentSettings attributes object
  
  ignoreFilters boolean
  
  Ignore global filters in controls.
  
  Default value is false.
  
  ignoreQuery boolean
  
  Ignore the global query bar in controls.
  
  Default value is false.
  
  ignoreTimerange boolean
  
  Ignore the global time range in controls.
  
  Default value is false.
  
  ignoreValidations boolean
  
  Ignore validations in controls.
  
  Default value is false.
  
  labelPosition string
  
  Position of the labels for controls. For example, "oneLine", "twoLine".
  
  Values are oneLine or twoLine. Default value is oneLine.
  
  description string
  
  A short description.
  
  Default value is empty.
  
  kibanaSavedObjectMeta object
  
  A container for various metadata
  
  Default value is {} (empty). Additional properties are NOT allowed.
  
  Hide kibanaSavedObjectMeta attribute Show kibanaSavedObjectMeta attribute object
  
  searchSource object
  
  Additional properties are allowed.
  
  Hide searchSource attributes Show searchSource attributes object
  
  filter array[object]
  
  A filter for the search source.
  
  Hide filter attributes Show filter attributes object
  
  $state object
  
  Additional properties are NOT allowed.
  
  Hide $state attribute Show $state attribute object
  
  store string Required
  
  Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState').
  
  Values are appState or globalState.
  
  meta object Required
  
  Additional properties are allowed.
  
  Hide meta attributes Show meta attributes object
  
  alias string | null
  
  controlledBy string
  
  disabled boolean
  
  field string
  
  group string
  
  index string
  
  isMultiIndex boolean
  
  key string
  
  negate boolean
  
  type string
  
  value string
  
  query object
  
  Additional properties are allowed.
  
  query object
  
  Additional properties are NOT allowed.
  
  Hide query attributes Show query attributes object
  
  language string Required
  
  The query language such as KQL or Lucene.
  
  query string | object Required
  
  Any of:
  string-1 string object-2 object
  
  A text-based query such as Kibana Query Language (KQL) or Lucene query language.
  
  sort array[object]
  
  type string
  
  options object Required
  
  Additional properties are NOT allowed.
  
  Hide options attributes Show options attributes object
  
  hidePanelTitles boolean
  
  Hide the panel titles in the dashboard.
  
  Default value is false.
  
  syncColors boolean
  
  Synchronize colors between related panels in the dashboard.
  
  Default value is true.
  
  syncCursor boolean
  
  Synchronize cursor position between related panels in the dashboard.
  
  Default value is true.
  
  syncTooltips boolean
  
  Synchronize tooltips between related panels in the dashboard.
  
  Default value is true.
  
  useMargins boolean
  
  Show margins between panels in the dashboard layout.
  
  Default value is true.
  
  panels array[object]
  
  Default value is [] (empty).
  
  Hide panels attributes Show panels attributes object
  
  gridData object Required
  
  Additional properties are NOT allowed.
  
  Hide gridData attributes Show gridData attributes object
  
  h number
  
  The height of the panel in grid units
  
  Minimum value is 1. Default value is 15.
  
  i string Required
  
  w number
  
  The width of the panel in grid units
  
  Minimum value is 1, maximum value is 48. Default value is 24.
  
  x number Required
  
  The x coordinate of the panel in grid units
  
  y number Required
  
  The y coordinate of the panel in grid units
  
  id string
  
  The saved object id for by reference panels
  
  panelConfig object Required
  
  Additional properties are allowed.
  
  Hide panelConfig attributes Show panelConfig attributes object
  
  description string
  
  The description of the panel
  
  enhancements object
  
  Additional properties are allowed.
  
  hidePanelTitles boolean
  
  Set to true to hide the panel title in its container.
  
  savedObjectId string
  
  The unique id of the library item to construct the embeddable.
  
  title string
  
  The title of the panel
  
  version string
  
  The version of the embeddable in the panel.
  
  panelIndex string Required
  
  panelRefName string
  
  title string
  
  The title of the panel
  
  type string Required
  
  The embeddable type
  
  version string Deprecated
  
  The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type).
  
  refreshInterval object
  
  A container for various refresh interval settings
  
  Additional properties are NOT allowed.
  
  Hide refreshInterval attributes Show refreshInterval attributes object
  
  display string Deprecated
  
  A human-readable string indicating the refresh frequency. No longer used.
  
  pause boolean Required
  
  Whether the refresh interval is set to be paused while viewing the dashboard.
  
  section number Deprecated
  
  No longer used.
  
  value number Required
  
  A numeric value indicating refresh frequency in milliseconds.
  
  tags array[string]
  
  An array of tags applied to this dashboard
  
  timeFrom string
  
  An ISO string indicating when to restore time from
  
  timeRestore boolean
  
  Whether to restore time upon viewing this dashboard
  
  Default value is false.
  
  timeTo string
  
  An ISO string indicating when to restore time from
  
  title string Required
  
  A human-readable title for the dashboard
  
  version number Deprecated
  
  createdAt string
  
  createdBy string
  
  error object
  
  Additional properties are NOT allowed.
  
  Hide error attributes Show error attributes object
  
  error string Required
  
  message string Required
  
  metadata object
  
  Additional properties are allowed.
  
  statusCode number Required
  
  id string Required
  
  managed boolean
  
  namespaces array[string]
  
  originId string
  
  references array[object] Required
  
  Hide references attributes Show references attributes object
  
  id string Required
  
  name string Required
  
  type string Required
  
  type string Required
  
  updatedAt string
  
  updatedBy string
  
  version string
- meta object Required
  
  Additional properties are NOT allowed.
  
  Hide meta attributes Show meta attributes object
  
  aliasPurpose string
  
  Values are savedObjectConversion or savedObjectImport.
  
  aliasTargetId string
  
  outcome string Required
  
  Values are exactMatch, aliasMatch, or conflict.

GET /api/dashboards/dashboard/{id}

curl \
 --request GET 'http://api.example.com/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY"

Get data streams

GET /api/fleet/data_streams

Api key auth

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.

Responses

200 application/json
Hide response attribute Show response attribute object
- data_streams array[object] Required
  
  Hide data_streams attributes Show data_streams attributes object
  
  dashboards array[object] Required
  
  Hide dashboards attributes Show dashboards attributes object
  
  id string Required
  
  title string Required
  
  dataset string Required
  
  index string Required
  
  last_activity_ms number Required
  
  namespace string Required
  
  package string Required
  
  package_version string Required
  
  serviceDetails object | null Required
  
  Additional properties are NOT allowed.
  
  Hide serviceDetails attributes Show serviceDetails attributes object | null
  
  environment string Required
  
  serviceName string Required
  
  size_in_bytes number Required
  
  size_in_bytes_formatted number | string Required
  
  Any of:
  number-1 number string-2 string
  
  type string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/data_streams

curl \
 --request GET 'http://api.example.com/api/fleet/data_streams' \
 --header "Authorization: $API_KEY"

Get data streams

GET /api/fleet/epm/data_streams

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Query parameters

type string

Values are logs, metrics, traces, synthetics, or profiling.
datasetQuery string
sortOrder string

Values are asc or desc. Default value is asc.
uncategorisedOnly boolean

Default value is false.

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attribute Show items attribute object
  
  name string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/data_streams

curl \
 --request GET 'http://api.example.com/api/fleet/epm/data_streams' \
 --header "Authorization: $API_KEY"

Get all data views

GET /api/data_views

Api key auth

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view array[object]
  
  Hide data_view attributes Show data_view attributes object
  
  id string
  
  name string
  
  namespaces array[string]
  
  title string
  
  typeMeta object
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

GET /api/data_views

curl \
 --request GET 'http://api.example.com/api/data_views' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data_view": [
    {
      "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
      "name": "Kibana Sample Data eCommerce",
      "title": "kibana_sample_data_ecommerce",
      "typeMeta": {},
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
      "name": "Kibana Sample Data Flights",
      "title": "kibana_sample_data_flights",
      "namespaces": [
        "default"
      ]
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "Kibana Sample Data Logs",
      "title": "kibana_sample_data_logs",
      "namespaces": [
        "default"
      ]
    }
  ]
}

Create a data view

POST /api/data_views/data_view

Api key auth

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body Required

data_view object Required

The data view object.
Hide data_view attributes Show data_view attributes object
- allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
- fieldAttrs object
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
- fieldFormats object
  
  A map of field formats by field name.
- fields object
- id string
- name string
  
  The data view name.
- namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
- runtimeFieldMap object
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
- sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
- timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
- title string Required
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
- type string
  
  When set to rollup, identifies the rollup data views.
- typeMeta object
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  Hide typeMeta attributes Show typeMeta attributes object
  
  aggs object Required
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object Required
  
  Properties for retrieving rollup fields.
- version string
override boolean

Override an existing data view if a data view with the provided title already exists.

Default value is false.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view object
  
  Hide data_view attributes Show data_view attributes object
  
  allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
  
  fieldAttrs object
  
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
  
  fieldFormats object
  
  A map of field formats by field name.
  
  fields object
  
  id string
  
  name string
  
  The data view name.
  
  namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
  
  runtimeFieldMap object
  
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
  
  sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
  
  timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
  
  title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
  
  typeMeta object | null
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  
  Hide typeMeta attributes Show typeMeta attributes object | null
  
  aggs object
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object
  
  Properties for retrieving rollup fields.
  
  version string
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/data_views/data_view

curl \
 --request POST 'http://api.example.com/api/data_views/data_view' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"My Logstash data view","title":"logstash-*","runtimeFieldMap":{"runtime_shape_name":{"type":"keyword","script":{"source":"emit(doc['shape_name'].value)"}}}}}'

Request example

{
  "data_view": {
    "name": "My Logstash data view",
    "title": "logstash-*",
    "runtimeFieldMap": {
      "runtime_shape_name": {
        "type": "keyword",
        "script": {
          "source": "emit(doc['shape_name'].value)"
        }
      }
    }
  }
}

Get a data view

GET /api/data_views/data_view/{viewId}

Api key auth

Path parameters

viewId string Required

An identifier for the data view.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view object
  
  Hide data_view attributes Show data_view attributes object
  
  allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
  
  fieldAttrs object
  
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
  
  fieldFormats object
  
  A map of field formats by field name.
  
  fields object
  
  id string
  
  name string
  
  The data view name.
  
  namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
  
  runtimeFieldMap object
  
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
  
  sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
  
  timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
  
  title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
  
  typeMeta object | null
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  
  Hide typeMeta attributes Show typeMeta attributes object | null
  
  aggs object
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object
  
  Properties for retrieving rollup fields.
  
  version string
404 application/json

Object is not found.
Hide response attributes Show response attributes object
- error string
  
  Value is Not Found.
- message string
- statusCode integer
  
  Value is 404.

GET /api/data_views/data_view/{viewId}

curl \
 --request GET 'http://api.example.com/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data_view": {
    "id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f",
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "fields": {
      "_id": {
        "name": "_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_id"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "sku": {
        "name": "sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "type": {
        "name": "type",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "user": {
        "name": "user",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "email": {
        "name": "email",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "_index": {
        "name": "_index",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "_index"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_score": {
        "name": "_score",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "_source": {
        "name": "_source",
        "type": "_source",
        "count": 0,
        "format": {
          "id": "_source"
        },
        "esTypes": [
          "_source"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": false,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "category": {
        "name": "category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "currency": {
        "name": "currency",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_id": {
        "name": "order_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "order_date": {
        "name": "order_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_id": {
        "name": "customer_id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week": {
        "name": "day_of_week",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer": {
        "name": "manufacturer",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products._id": {
        "name": "products._id",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.sku": {
        "name": "products.sku",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "day_of_week_i": {
        "name": "day_of_week_i",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "event.dataset": {
        "name": "event.dataset",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_phone": {
        "name": "customer_phone",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.location": {
        "name": "geoip.location",
        "type": "geo_point",
        "count": 0,
        "format": {
          "id": "geo_point",
          "params": {
            "transform": "wkt"
          }
        },
        "esTypes": [
          "geo_point"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.price": {
        "name": "products.price",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_quantity": {
        "name": "total_quantity",
        "type": "number",
        "count": 1,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_gender": {
        "name": "customer_gender",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.city_name": {
        "name": "geoip.city_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "category.keyword": {
        "name": "category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.region_name": {
        "name": "geoip.region_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category": {
        "name": "products.category",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.quantity": {
        "name": "products.quantity",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name": {
        "name": "customer_full_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "customer_last_name": {
        "name": "customer_last_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.min_price": {
        "name": "products.min_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxful_total_price": {
        "name": "taxful_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.[00]"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_birth_date": {
        "name": "customer_birth_date",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name": {
        "name": "customer_first_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.base_price": {
        "name": "products.base_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.created_on": {
        "name": "products.created_on",
        "type": "date",
        "count": 0,
        "format": {
          "id": "date"
        },
        "esTypes": [
          "date"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_id": {
        "name": "products.product_id",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "long"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.tax_amount": {
        "name": "products.tax_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "taxless_total_price": {
        "name": "taxless_total_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.continent_name": {
        "name": "geoip.continent_name",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "manufacturer.keyword": {
        "name": "manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products._id.keyword": {
        "name": "products._id.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products._id"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer": {
        "name": "products.manufacturer",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.product_name": {
        "name": "products.product_name",
        "type": "string",
        "count": 1,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "text"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": false,
        "shortDotsEnable": false,
        "readFromDocValues": false
      },
      "products.taxful_price": {
        "name": "products.taxful_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "total_unique_products": {
        "name": "total_unique_products",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "integer"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "geoip.country_iso_code": {
        "name": "geoip.country_iso_code",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.taxless_price": {
        "name": "products.taxless_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.base_unit_price": {
        "name": "products.base_unit_price",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number",
          "params": {
            "pattern": "$0,0.00"
          }
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_amount": {
        "name": "products.discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.category.keyword": {
        "name": "products.category.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.category"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_full_name.keyword": {
        "name": "customer_full_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_full_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_last_name.keyword": {
        "name": "customer_last_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_last_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "customer_first_name.keyword": {
        "name": "customer_first_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "customer_first_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.discount_percentage": {
        "name": "products.discount_percentage",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.manufacturer.keyword": {
        "name": "products.manufacturer.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.manufacturer"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.product_name.keyword": {
        "name": "products.product_name.keyword",
        "type": "string",
        "count": 0,
        "format": {
          "id": "string"
        },
        "esTypes": [
          "keyword"
        ],
        "subType": {
          "multi": {
            "parent": "products.product_name"
          }
        },
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      },
      "products.unit_discount_amount": {
        "name": "products.unit_discount_amount",
        "type": "number",
        "count": 0,
        "format": {
          "id": "number"
        },
        "esTypes": [
          "half_float"
        ],
        "isMapped": true,
        "scripted": false,
        "searchable": true,
        "aggregatable": true,
        "shortDotsEnable": false,
        "readFromDocValues": true
      }
    },
    "version": "WzUsMV0=",
    "typeMeta": {},
    "fieldAttrs": {
      "products.price": {
        "count": 1
      },
      "total_quantity": {
        "count": 1
      },
      "products.manufacturer": {
        "count": 1
      },
      "products.product_name": {
        "count": 1
      }
    },
    "namespaces": [
      "default"
    ],
    "allowNoIndex": false,
    "fieldFormats": {
      "products.price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.min_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxful_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.[00]"
        }
      },
      "products.base_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "taxless_total_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxful_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.taxless_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      },
      "products.base_unit_price": {
        "id": "number",
        "params": {
          "pattern": "$0,0.00"
        }
      }
    },
    "sourceFilters": [],
    "timeFieldName": "order_date",
    "runtimeFieldMap": {}
  }
}

Update a data view

POST /api/data_views/data_view/{viewId}

Api key auth

Headers

kbn-xsrf string Required

Cross-site request forgery protection

Path parameters

viewId string Required

An identifier for the data view.

application/json

Body Required

data_view object Required

The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.
Hide data_view attributes Show data_view attributes object
- allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
- fieldFormats object
  
  A map of field formats by field name.
- fields object
- name string
- runtimeFieldMap object
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
- sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
- timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
- title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
- type string
  
  When set to rollup, identifies the rollup data views.
- typeMeta object
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  Hide typeMeta attributes Show typeMeta attributes object
  
  aggs object Required
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object Required
  
  Properties for retrieving rollup fields.
refresh_fields boolean

Reloads the data view fields after the data view is updated.

Default value is false.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view object
  
  Hide data_view attributes Show data_view attributes object
  
  allowNoIndex boolean
  
  Allows the data view saved object to exist before the data is available.
  
  fieldAttrs object
  
  Hide fieldAttrs attribute Show fieldAttrs attribute object
  
  * object Additional properties
  
  A map of field attributes by field name.
  
  Hide * attributes Show * attributes object
  
  count integer
  
  Popularity count for the field.
  
  customDescription string
  
  Custom description for the field.
  
  Maximum length is 300.
  
  customLabel string
  
  Custom label for the field.
  
  fieldFormats object
  
  A map of field formats by field name.
  
  fields object
  
  id string
  
  name string
  
  The data view name.
  
  namespaces array[string]
  
  An array of space identifiers for sharing the data view between multiple spaces.
  
  Default value is default.
  
  runtimeFieldMap object
  
  Hide runtimeFieldMap attribute Show runtimeFieldMap attribute object
  
  * object Additional properties
  
  A map of runtime field definitions by field name.
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attribute Show script attribute object
  
  source string
  
  Script for the runtime field.
  
  type string Required
  
  Mapping type of the runtime field.
  
  sourceFilters array[object]
  
  The array of field names you want to filter out in Discover.
  
  Hide sourceFilters attribute Show sourceFilters attribute object
  
  value string Required
  
  timeFieldName string
  
  The timestamp field name, which you use for time-based data views.
  
  title string
  
  Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (*).
  
  typeMeta object | null
  
  When you use rollup indices, contains the field list for the rollup data view API endpoints.
  
  Hide typeMeta attributes Show typeMeta attributes object | null
  
  aggs object
  
  A map of rollup restrictions by aggregation type and field name.
  
  params object
  
  Properties for retrieving rollup fields.
  
  version string
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/data_views/data_view/{viewId}

curl \
 --request POST 'http://api.example.com/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"data_view":{"name":"Kibana Sample Data eCommerce","title":"kibana_sample_data_ecommerce","allowNoIndex":false,"timeFieldName":"order_date"},"refresh_fields":true}'

Request example

{
  "data_view": {
    "name": "Kibana Sample Data eCommerce",
    "title": "kibana_sample_data_ecommerce",
    "allowNoIndex": false,
    "timeFieldName": "order_date"
  },
  "refresh_fields": true
}

Get the default data view

GET /api/data_views/default

Api key auth

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- data_view_id string
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

GET /api/data_views/default

curl \
 --request GET 'http://api.example.com/api/data_views/default' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}

Set the default data view

POST /api/data_views/default

Api key auth

Headers

kbn-xsrf string Required

Cross-site request forgery protection

application/json

Body Required

data_view_id string | null Required

The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use null to unset the default data view.
force boolean

Update an existing default data view identifier.

Default value is false.

Responses

200 application/json

Indicates a successful call.
Hide response attribute Show response attribute object
- acknowledged boolean
400 application/json

Bad request
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode number Required

POST /api/data_views/default

curl \
 --request POST 'http://api.example.com/api/data_views/default' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"force":true,"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}'

Request example

{
  "force": true,
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}

Unenroll an agent

POST /api/fleet/agents/{agentId}/unenroll

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

agentId string Required

application/json

Body

force boolean
revoke boolean

POST /api/fleet/agents/{agentId}/unenroll

curl \
 --request POST 'http://api.example.com/api/fleet/agents/{agentId}/unenroll' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"revoke":true}'

Cancel an agent action

POST /api/fleet/agents/actions/{actionId}/cancel

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

actionId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  agents array[string]
  
  created_at string Required
  
  expiration string
  
  id string Required
  
  minimum_execution_duration number
  
  namespaces array[string]
  
  rollout_duration_seconds number
  
  sent_at string
  
  source_uri string
  
  start_time string
  
  total number
  
  type string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agents/actions/{actionId}/cancel

curl \
 --request POST 'http://api.example.com/api/fleet/agents/actions/{actionId}/cancel' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Bulk reassign agents

POST /api/fleet/agents/bulk_reassign

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

agents array[string] | string Required

Any of:
array-1 array[string] string-2 string
batchSize number
includeInactive boolean

Default value is false.
policy_id string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- actionId string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agents/bulk_reassign

curl \
 --request POST 'http://api.example.com/api/fleet/agents/bulk_reassign' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'

Bulk request diagnostics from agents

POST /api/fleet/agents/bulk_request_diagnostics

Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

additional_metrics array[string]

Value is CPU.
agents array[string] | string Required

Any of:
array-1 array[string] string-2 string
batchSize number

Responses

200 application/json
Hide response attribute Show response attribute object
- actionId string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agents/bulk_request_diagnostics

curl \
 --request POST 'http://api.example.com/api/fleet/agents/bulk_request_diagnostics' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"additional_metrics":["CPU"],"agents":["string"],"batchSize":42.0}'

Bulk unenroll agents

POST /api/fleet/agents/bulk_unenroll

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

agents array[string] | string Required

Any of:
array-1 array[string] string-2 string

KQL query string, leave empty to action all agents
batchSize number
force boolean

Unenrolls hosted agents too
includeInactive boolean

When passing agents by KQL query, unenrolls inactive agents too
revoke boolean

Revokes API keys of agents

Responses

200 application/json
Hide response attribute Show response attribute object
- actionId string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agents/bulk_unenroll

curl \
 --request POST 'http://api.example.com/api/fleet/agents/bulk_unenroll' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"force":true,"includeInactive":true,"revoke":true}'

Create an agent binary download source

POST /api/fleet/agent_download_sources

Api key auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

host string(uri) Required
id string
is_default boolean

Default value is false.
name string Required
proxy_id string | null

The ID of the proxy to use for this download source. See the proxies API for more information.
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
ssl object

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object
- certificate string
- certificate_authorities array[string]
- key string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host string(uri) Required
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  The ID of the proxy to use for this download source. See the proxies API for more information.
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agent_download_sources

curl \
 --request POST 'http://api.example.com/api/fleet/agent_download_sources' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string"}}'

Get an agent binary download source

GET /api/fleet/agent_download_sources/{sourceId}

Api key auth

Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.

Path parameters

sourceId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host string(uri) Required
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  The ID of the proxy to use for this download source. See the proxies API for more information.
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_download_sources/{sourceId}

curl \
 --request GET 'http://api.example.com/api/fleet/agent_download_sources/{sourceId}' \
 --header "Authorization: $API_KEY"

Update an agent binary download source

PUT /api/fleet/agent_download_sources/{sourceId}

Api key auth

Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

sourceId string Required

application/json

Body

host string(uri) Required
id string
is_default boolean

Default value is false.
name string Required
proxy_id string | null

The ID of the proxy to use for this download source. See the proxies API for more information.
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
ssl object

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object
- certificate string
- certificate_authorities array[string]
- key string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host string(uri) Required
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  The ID of the proxy to use for this download source. See the proxies API for more information.
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/agent_download_sources/{sourceId}

curl \
 --request PUT 'http://api.example.com/api/fleet/agent_download_sources/{sourceId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host":"https://example.com","id":"string","is_default":false,"name":"string","proxy_id":"string","secrets":{"ssl":{"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"key":"string"}}'

Delete an agent binary download source

DELETE /api/fleet/agent_download_sources/{sourceId}

Api key auth

Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

sourceId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/agent_download_sources/{sourceId}

curl \
 --request DELETE 'http://api.example.com/api/fleet/agent_download_sources/{sourceId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get agent policies

GET /api/fleet/agent_policies

Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.

Query parameters

page number
perPage number
sortField string
sortOrder string

Values are desc or asc.
showUpgradeable boolean
kuery string
noAgentCount boolean Deprecated

use withAgentCount instead
withAgentCount boolean

get policies with agent count
full boolean

get full policies with package policies populated
format string

Values are simplified or legacy.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  advanced_settings object
  
  Additional properties are NOT allowed.
  
  Hide advanced_settings attributes Show advanced_settings attributes object
  
  agent_download_target_directory
  
  agent_download_timeout
  
  agent_limits_go_max_procs
  
  agent_logging_files_interval
  
  agent_logging_files_keepfiles
  
  agent_logging_files_rotateeverybytes
  
  agent_logging_level
  
  agent_logging_metrics_period
  
  agent_logging_to_files
  
  agent_features array[object]
  
  Hide agent_features attributes Show agent_features attributes object
  
  enabled boolean Required
  
  name string Required
  
  agentless object
  
  Additional properties are NOT allowed.
  
  Hide agentless attribute Show agentless attribute object
  
  resources object
  
  Additional properties are NOT allowed.
  
  Hide resources attribute Show resources attribute object
  
  requests object
  
  Additional properties are NOT allowed.
  
  Hide requests attributes Show requests attributes object
  
  cpu string
  
  memory string
  
  agents number
  
  data_output_id string | null
  
  description string
  
  download_source_id string | null
  
  fleet_server_host_id string | null
  
  global_data_tags array[object]
  
  User defined data tags that are added to all of the inputs. The values can be strings or numbers.
  
  Hide global_data_tags attributes Show global_data_tags attributes object
  
  name string Required
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  has_fleet_server boolean
  
  id string Required
  
  inactivity_timeout number
  
  Minimum value is 0. Default value is 1209600.
  
  is_default boolean
  
  is_default_fleet_server boolean
  
  is_managed boolean Required
  
  is_preconfigured boolean
  
  is_protected boolean Required
  
  Indicates whether the agent policy has tamper protection enabled. Default false.
  
  keep_monitoring_alive boolean | null
  
  When set to true, monitoring will be enabled but logs/metrics collection will be disabled
  
  Default value is false.
  
  monitoring_diagnostics object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_diagnostics attributes Show monitoring_diagnostics attributes object
  
  limit object
  
  Additional properties are NOT allowed.
  
  Hide limit attributes Show limit attributes object
  
  burst number
  
  interval string
  
  uploader object
  
  Additional properties are NOT allowed.
  
  Hide uploader attributes Show uploader attributes object
  
  init_dur string
  
  max_dur string
  
  max_retries number
  
  monitoring_enabled array[string]
  
  Values are logs, metrics, or traces.
  
  monitoring_http object
  
  Additional properties are NOT allowed.
  
  Hide monitoring_http attributes Show monitoring_http attributes object
  
  buffer object
  
  Additional properties are NOT allowed.
  
  Hide buffer attribute Show buffer attribute object
  
  enabled boolean
  
  Default value is false.
  
  enabled boolean
  
  host string
  
  port number
  
  Minimum value is 0, maximum value is 65353.
  
  monitoring_output_id string | null
  
  monitoring_pprof_enabled boolean
  
  name string Required
  
  Minimum length is 1.
  
  namespace string Required
  
  Minimum length is 1.
  
  overrides object | null
  
  Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are allowed.
  
  package_policies array[string] | array[object]
  
  Any of:
  array-1 array[string] array-2 array[object]
  
  This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
  
  Hide attributes Show attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
  
  required_versions array[object] | null
  
  Hide required_versions attributes Show required_versions attributes object
  
  percentage number Required
  
  Target percentage of agents to auto upgrade
  
  Minimum value is 0, maximum value is 100.
  
  version string Required
  
  Target version for automatic agent upgrade
  
  revision number Required
  
  schema_version string
  
  space_ids array[string]
  
  status string Required
  
  Values are active or inactive.
  
  supports_agentless boolean | null
  
  Indicates whether the agent policy supports agentless integrations.
  
  Default value is false.
  
  unenroll_timeout number
  
  Minimum value is 0.
  
  unprivileged_agents number
  
  updated_at string Required
  
  updated_by string Required
  
  version string
- page number Required
- perPage number Required
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_policies

curl \
 --request GET 'http://api.example.com/api/fleet/agent_policies' \
 --header "Authorization: $API_KEY"

Download an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/download

Api key auth

Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.

Path parameters

agentPolicyId string Required

Query parameters

download boolean
standalone boolean
kubernetes boolean

Responses

200 application/json
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
404 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_policies/{agentPolicyId}/download

curl \
 --request GET 'http://api.example.com/api/fleet/agent_policies/{agentPolicyId}/download' \
 --header "Authorization: $API_KEY"

Get a full agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/full

Api key auth

Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read.

Path parameters

agentPolicyId string Required

Query parameters

download boolean
standalone boolean
kubernetes boolean

Responses

200 application/json
Hide response attribute Show response attribute object
- item string | object Required
  
  Any of:
  string-1 string object-2 object
  
  Hide attributes Show attributes
  
  agent object
  
  Additional properties are NOT allowed.
  
  Hide agent attributes Show agent attributes object
  
  download object Required
  
  Additional properties are NOT allowed.
  
  Hide download attributes Show download attributes object
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object Required
  
  Additional properties are NOT allowed.
  
  Hide key attribute Show key attribute object
  
  id string
  
  sourceURI string Required
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  renegotiation string
  
  verification_mode string
  
  features object Required
  
  Hide features attribute Show features attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attribute Show * attribute object
  
  enabled boolean Required
  
  limits object
  
  Additional properties are NOT allowed.
  
  Hide limits attribute Show limits attribute object
  
  go_max_procs number
  
  logging object
  
  Additional properties are NOT allowed.
  
  Hide logging attributes Show logging attributes object
  
  files object
  
  Additional properties are NOT allowed.
  
  Hide files attributes Show files attributes object
  
  interval string
  
  keepfiles number
  
  rotateeverybytes number
  
  level string
  
  to_files boolean
  
  monitoring object Required
  
  Additional properties are NOT allowed.
  
  Hide monitoring attributes Show monitoring attributes object
  
  enabled boolean Required
  
  logs boolean Required
  
  metrics boolean Required
  
  namespace string
  
  traces boolean Required
  
  use_output string
  
  protection object
  
  Additional properties are NOT allowed.
  
  Hide protection attributes Show protection attributes object
  
  enabled boolean Required
  
  signing_key string Required
  
  uninstall_token_hash string Required
  
  fleet object
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  hosts array[string] Required
  
  proxy_url string
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attribute Show ssl attribute object
  
  key object Required
  
  Additional properties are NOT allowed.
  
  Hide key attribute Show key attribute object
  
  id string
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  certificate string
  
  certificate_authorities array[string]
  
  key string
  
  renegotiation string
  
  verification_mode string
  
  Hide attribute Show attribute
  
  kibana object Required
  
  Additional properties are NOT allowed.
  
  Hide kibana attributes Show kibana attributes object
  
  hosts array[string] Required
  
  path string
  
  protocol string Required
  
  id string Required
  
  inputs array[object] Required
  
  Hide inputs attributes Show inputs attributes object
  
  data_stream object Required
  
  Additional properties are allowed.
  
  Hide data_stream attribute Show data_stream attribute object
  
  namespace string Required
  
  id string Required
  
  meta object
  
  Additional properties are allowed.
  
  Hide meta attribute Show meta attribute object
  
  package object
  
  Additional properties are allowed.
  
  Hide package attributes Show package attributes object
  
  name string Required
  
  version string Required
  
  name string Required
  
  package_policy_id string Required
  
  processors array[object]
  
  Hide processors attribute Show processors attribute object
  
  add_fields object Required
  
  Additional properties are allowed.
  
  Hide add_fields attributes Show add_fields attributes object
  
  fields object Required
  
  target string Required
  
  revision number Required
  
  streams array[object]
  
  Hide streams attributes Show streams attributes object
  
  data_stream object Required
  
  Additional properties are allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  type string
  
  id string Required
  
  type string Required
  
  use_output string Required
  
  namespaces array[string]
  
  output_permissions object
  
  Hide output_permissions attribute Show output_permissions attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  outputs object Required
  
  Hide outputs attribute Show outputs attribute object
  
  * object Additional properties
  
  Additional properties are allowed.
  
  Hide * attributes Show * attributes object
  
  ca_sha256 string | null
  
  hosts array[string]
  
  proxy_url string
  
  type string Required
  
  revision number
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  signed object
  
  Additional properties are NOT allowed.
  
  Hide signed attributes Show signed attributes object
  
  data string Required
  
  signature string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_policies/{agentPolicyId}/full

curl \
 --request GET 'http://api.example.com/api/fleet/agent_policies/{agentPolicyId}/full' \
 --header "Authorization: $API_KEY"

Delete an agent policy

POST /api/fleet/agent_policies/delete

Api key auth

Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

agentPolicyId string Required
force boolean

bypass validation checks that can prevent agent policy deletion

Responses

200 application/json
Hide response attributes Show response attributes object
- id string Required
- name string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agent_policies/delete

curl \
 --request POST 'http://api.example.com/api/fleet/agent_policies/delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agentPolicyId":"string","force":true}'

Get outputs for agent policies

POST /api/fleet/agent_policies/outputs

Api key auth

Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

ids array[string] Required

list of package policy ids

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  agentPolicyId string
  
  data object Required
  
  Additional properties are NOT allowed.
  
  Hide data attributes Show data attributes object
  
  integrations array[object]
  
  Hide integrations attributes Show integrations attributes object
  
  id string
  
  integrationPolicyName string
  
  name string
  
  pkgName string
  
  output object Required
  
  Additional properties are NOT allowed.
  
  Hide output attributes Show output attributes object
  
  id string Required
  
  name string Required
  
  monitoring object Required
  
  Additional properties are NOT allowed.
  
  Hide monitoring attribute Show monitoring attribute object
  
  output object Required
  
  Additional properties are NOT allowed.
  
  Hide output attributes Show output attributes object
  
  id string Required
  
  name string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agent_policies/outputs

curl \
 --request POST 'http://api.example.com/api/fleet/agent_policies/outputs' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"]}'

Get an agent status summary

GET /api/fleet/agent_status

Api key auth

Query parameters

policyId string
policyIds array[string] | string
kuery string

Responses

200 application/json
Hide response attribute Show response attribute object
- results object Required
  
  Additional properties are NOT allowed.
  
  Hide results attributes Show results attributes object
  
  active number Required
  
  all number Required
  
  error number Required
  
  events number Required
  
  inactive number Required
  
  offline number Required
  
  online number Required
  
  orphaned number
  
  other number Required
  
  unenrolled number Required
  
  uninstalled number
  
  updating number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agent_status

curl \
 --request GET 'http://api.example.com/api/fleet/agent_status' \
 --header "Authorization: $API_KEY"

Get agents

GET /api/fleet/agents

Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

page number
perPage number

Default value is 20.
kuery string
showInactive boolean

Default value is false.
withMetrics boolean

Default value is false.
showUpgradeable boolean

Default value is false.
getStatusSummary boolean

Default value is false.
sortField string
sortOrder string

Values are asc or desc.
searchAfter string
openPit boolean
pitId string
pitKeepAlive string

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  access_api_key string
  
  access_api_key_id string
  
  active boolean Required
  
  agent object
  
  Additional properties are allowed.
  
  Hide agent attributes Show agent attributes object
  
  id string Required
  
  version string Required
  
  audit_unenrolled_reason string
  
  components array[object]
  
  Hide components attributes Show components attributes object
  
  id string Required
  
  message string Required
  
  status string Required
  
  Values are STARTING, CONFIGURING, HEALTHY, DEGRADED, FAILED, STOPPING, or STOPPED.
  
  type string Required
  
  units array[object]
  
  Hide units attributes Show units attributes object
  
  id string Required
  
  message string Required
  
  payload object
  
  Additional properties are allowed.
  
  status string Required
  
  Values are STARTING, CONFIGURING, HEALTHY, DEGRADED, FAILED, STOPPING, or STOPPED.
  
  type string Required
  
  Values are input or output.
  
  default_api_key string
  
  default_api_key_history array[object]
  
  Hide default_api_key_history attributes Show default_api_key_history attributes object Deprecated
  
  id string Required
  
  retired_at string Required
  
  default_api_key_id string
  
  enrolled_at string Required
  
  id string Required
  
  last_checkin string
  
  last_checkin_message string
  
  last_checkin_status string
  
  Values are error, online, degraded, updating, or starting.
  
  local_metadata object Required
  
  Additional properties are allowed.
  
  metrics object
  
  Additional properties are NOT allowed.
  
  Hide metrics attributes Show metrics attributes object
  
  cpu_avg number
  
  memory_size_byte_avg number
  
  namespaces array[string]
  
  outputs object
  
  Hide outputs attribute Show outputs attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  api_key_id string Required
  
  to_retire_api_key_ids array[object]
  
  Hide to_retire_api_key_ids attributes Show to_retire_api_key_ids attributes object
  
  id string Required
  
  retired_at string Required
  
  type string Required
  
  packages array[string] Required
  
  policy_id string
  
  policy_revision number | null
  
  sort array
  
  status string
  
  Values are offline, error, online, inactive, enrolling, unenrolling, unenrolled, updating, degraded, uninstalled, or orphaned.
  
  tags array[string]
  
  type string Required
  
  Values are PERMANENT, EPHEMERAL, or TEMPORARY.
  
  unenrolled_at string
  
  unenrollment_started_at string
  
  unhealthy_reason array[string] | null
  
  Values are input, output, or other.
  
  upgrade_attempts array[string] | null
  
  upgrade_details object | null
  
  Additional properties are NOT allowed.
  
  Hide upgrade_details attributes Show upgrade_details attributes object | null
  
  action_id string Required
  
  metadata object
  
  Additional properties are NOT allowed.
  
  Hide metadata attributes Show metadata attributes object
  
  download_percent number
  
  download_rate number
  
  error_msg string
  
  failed_state string
  
  Values are UPG_REQUESTED, UPG_SCHEDULED, UPG_DOWNLOADING, UPG_EXTRACTING, UPG_REPLACING, UPG_RESTARTING, UPG_FAILED, UPG_WATCHING, or UPG_ROLLBACK.
  
  retry_error_msg string
  
  retry_until string
  
  scheduled_at string
  
  state string Required
  
  Values are UPG_REQUESTED, UPG_SCHEDULED, UPG_DOWNLOADING, UPG_EXTRACTING, UPG_REPLACING, UPG_RESTARTING, UPG_FAILED, UPG_WATCHING, or UPG_ROLLBACK.
  
  target_version string Required
  
  upgrade_started_at string | null
  
  upgraded_at string | null
  
  user_provided_metadata object
  
  Additional properties are allowed.
- nextSearchAfter string
- page number Required
- perPage number Required
- pit string
- statusSummary object
  
  Hide statusSummary attribute Show statusSummary attribute object
  
  * number Additional properties
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agents

curl \
 --request GET 'http://api.example.com/api/fleet/agents' \
 --header "Authorization: $API_KEY"

Get agents by action ids

POST /api/fleet/agents

Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

actionIds array[string] Required

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[string] Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/agents

curl \
 --request POST 'http://api.example.com/api/fleet/agents' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"actionIds":["string"]}'

Delete an agent

DELETE /api/fleet/agents/{agentId}

Api key auth

Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

agentId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- action string Required
  
  Value is deleted.
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/agents/{agentId}

curl \
 --request DELETE 'http://api.example.com/api/fleet/agents/{agentId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get agent tags

GET /api/fleet/agents/tags

Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

kuery string
showInactive boolean

Default value is false.

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[string] Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/agents/tags

curl \
 --request GET 'http://api.example.com/api/fleet/agents/tags' \
 --header "Authorization: $API_KEY"

Bulk get assets

POST /api/fleet/epm/bulk_assets

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

assetIds array[object] Required
Hide assetIds attributes Show assetIds attributes object
- id string Required
- type string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  appLink string
  
  attributes object Required
  
  Additional properties are NOT allowed.
  
  Hide attributes attributes Show attributes attributes object
  
  description string
  
  service string
  
  title string
  
  id string Required
  
  type string Required
  
  updatedAt string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/bulk_assets

curl \
 --request POST 'http://api.example.com/api/fleet/epm/bulk_assets' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"assetIds":[{"id":"string","type":"string"}]}'

Create a custom integration

POST /api/fleet/epm/custom_integrations

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

datasets array[object] Required
Hide datasets attributes Show datasets attributes object
- name string Required
- type string Required
  
  Values are logs, metrics, traces, synthetics, or profiling.
force boolean
integrationName string Required

Responses

200 application/json
Hide response attributes Show response attributes object
- _meta object Required
  
  Additional properties are NOT allowed.
  
  Hide _meta attribute Show _meta attribute object
  
  install_source string Required
- items array[object] Required
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  Hide attributes Show attributes
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/custom_integrations

curl \
 --request POST 'http://api.example.com/api/fleet/epm/custom_integrations' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"datasets":[{"name":"string","type":"logs"}],"force":true,"integrationName":"string"}'

Bulk install packages

POST /api/fleet/epm/packages/_bulk

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

prerelease boolean

application/json

Body

force boolean

Default value is false.
packages array[string | object] Required

At least 1 element.
Any of:
string-1 string object-2 object
Hide attributes Show attributes

name string Required

prerelease boolean

version string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  name string Required
  
  result object Required
  
  Additional properties are NOT allowed.
  
  Hide result attributes Show result attributes object
  
  assets array[object]
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  Hide attributes Show attributes
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
  
  installSource string
  
  installType string Required
  
  status string
  
  Values are installed or already_installed.
  
  version string Required
  
  Hide attributes Show attributes
  
  error string Required
  
  Any of:
  string-1 string 2
  
  name string Required
  
  statusCode number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/packages/_bulk

curl \
 --request POST 'http://api.example.com/api/fleet/epm/packages/_bulk' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":false,"packages":["string"]}'

Get a package

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Api key auth

Path parameters

pkgName string Required
pkgVersion string

Query parameters

ignoreUnverified boolean
prerelease boolean
full boolean
withMetadata boolean

Default value is false.

Responses

200 application/json
Hide response attributes Show response attributes object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  agent object
  
  Additional properties are NOT allowed.
  
  Hide agent attribute Show agent attribute object
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  root boolean
  
  asset_tags array[object]
  
  Hide asset_tags attributes Show asset_tags attributes object
  
  asset_ids array[string]
  
  asset_types array[string]
  
  text string Required
  
  assets object Required
  
  Additional properties are allowed.
  
  categories array[string]
  
  conditions object
  
  Additional properties are allowed.
  
  Hide conditions attributes Show conditions attributes object
  
  elastic object
  
  Additional properties are allowed.
  
  Hide elastic attributes Show elastic attributes object
  
  capabilities array[string]
  
  subscription string
  
  kibana object
  
  Additional properties are allowed.
  
  Hide kibana attribute Show kibana attribute object
  
  version string
  
  data_streams array[object]
  
  Additional properties are allowed.
  
  description string
  
  discovery object
  
  Additional properties are allowed.
  
  Hide discovery attribute Show discovery attribute object
  
  fields array[object]
  
  Hide fields attribute Show fields attribute object
  
  name string Required
  
  download string
  
  elasticsearch object
  
  Additional properties are allowed.
  
  format_version string
  
  icons array[object]
  
  Hide icons attributes Show icons attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  installationInfo object
  
  Additional properties are allowed.
  
  Hide installationInfo attributes Show installationInfo attributes object
  
  additional_spaces_installed_kibana object
  
  Hide additional_spaces_installed_kibana attribute Show additional_spaces_installed_kibana attribute object
  
  * array[object] Additional properties
  
  Hide * attributes Show * attributes object
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  created_at string
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  install_format_schema_version string
  
  install_source string Required
  
  Values are registry, upload, bundled, or custom.
  
  install_status string Required
  
  Values are installed, installing, or install_failed.
  
  installed_es array[object] Required
  
  Hide installed_es attributes Show installed_es attributes object
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
  
  installed_kibana array[object] Required
  
  Hide installed_kibana attributes Show installed_kibana attributes object
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  installed_kibana_space_id string
  
  latest_executed_state object
  
  Additional properties are allowed.
  
  Hide latest_executed_state attributes Show latest_executed_state attributes object
  
  error string
  
  name string
  
  started_at string
  
  latest_install_failed_attempts array[object]
  
  Hide latest_install_failed_attempts attributes Show latest_install_failed_attempts attributes object
  
  created_at string Required
  
  error object Required
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  name string Required
  
  stack string
  
  target_version string Required
  
  name string Required
  
  namespaces array[string]
  
  type string Required
  
  updated_at string
  
  verification_key_id string | null
  
  verification_status string Required
  
  Values are unverified, verified, or unknown.
  
  version string Required
  
  internal boolean
  
  keepPoliciesUpToDate boolean
  
  latestVersion string
  
  license string
  
  licensePath string
  
  name string Required
  
  notice string
  
  owner object
  
  Additional properties are allowed.
  
  Hide owner attributes Show owner attributes object
  
  github string
  
  type string
  
  Values are elastic, partner, or community.
  
  path string
  
  policy_templates array[object]
  
  Additional properties are allowed.
  
  readme string
  
  release string
  
  Values are ga, beta, or experimental.
  
  screenshots array[object]
  
  Hide screenshots attributes Show screenshots attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  signature_path string
  
  source object
  
  Additional properties are allowed.
  
  Hide source attribute Show source attribute object
  
  license string Required
  
  status string
  
  title string Required
  
  type string
  
  Any of:
  string-1 string string-2 string string-3 string string-4 string
  
  Value is integration.
  
  vars array[object]
  
  Additional properties are allowed.
  
  version string Required
- metadata object
  
  Additional properties are NOT allowed.
  
  Hide metadata attribute Show metadata attribute object
  
  has_policies boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}

curl \
 --request GET 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY"

Update package settings

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string

application/json

Body

keepPoliciesUpToDate boolean Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are allowed.
  
  Hide item attributes Show item attributes object
  
  agent object
  
  Additional properties are NOT allowed.
  
  Hide agent attribute Show agent attribute object
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  root boolean
  
  asset_tags array[object]
  
  Hide asset_tags attributes Show asset_tags attributes object
  
  asset_ids array[string]
  
  asset_types array[string]
  
  text string Required
  
  assets object Required
  
  Additional properties are allowed.
  
  categories array[string]
  
  conditions object
  
  Additional properties are allowed.
  
  Hide conditions attributes Show conditions attributes object
  
  elastic object
  
  Additional properties are allowed.
  
  Hide elastic attributes Show elastic attributes object
  
  capabilities array[string]
  
  subscription string
  
  kibana object
  
  Additional properties are allowed.
  
  Hide kibana attribute Show kibana attribute object
  
  version string
  
  data_streams array[object]
  
  Additional properties are allowed.
  
  description string
  
  discovery object
  
  Additional properties are allowed.
  
  Hide discovery attribute Show discovery attribute object
  
  fields array[object]
  
  Hide fields attribute Show fields attribute object
  
  name string Required
  
  download string
  
  elasticsearch object
  
  Additional properties are allowed.
  
  format_version string
  
  icons array[object]
  
  Hide icons attributes Show icons attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  installationInfo object
  
  Additional properties are allowed.
  
  Hide installationInfo attributes Show installationInfo attributes object
  
  additional_spaces_installed_kibana object
  
  Hide additional_spaces_installed_kibana attribute Show additional_spaces_installed_kibana attribute object
  
  * array[object] Additional properties
  
  Hide * attributes Show * attributes object
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  created_at string
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  install_format_schema_version string
  
  install_source string Required
  
  Values are registry, upload, bundled, or custom.
  
  install_status string Required
  
  Values are installed, installing, or install_failed.
  
  installed_es array[object] Required
  
  Hide installed_es attributes Show installed_es attributes object
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
  
  installed_kibana array[object] Required
  
  Hide installed_kibana attributes Show installed_kibana attributes object
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  installed_kibana_space_id string
  
  latest_executed_state object
  
  Additional properties are allowed.
  
  Hide latest_executed_state attributes Show latest_executed_state attributes object
  
  error string
  
  name string
  
  started_at string
  
  latest_install_failed_attempts array[object]
  
  Hide latest_install_failed_attempts attributes Show latest_install_failed_attempts attributes object
  
  created_at string Required
  
  error object Required
  
  Additional properties are allowed.
  
  Hide error attributes Show error attributes object
  
  message string Required
  
  name string Required
  
  stack string
  
  target_version string Required
  
  name string Required
  
  namespaces array[string]
  
  type string Required
  
  updated_at string
  
  verification_key_id string | null
  
  verification_status string Required
  
  Values are unverified, verified, or unknown.
  
  version string Required
  
  internal boolean
  
  keepPoliciesUpToDate boolean
  
  latestVersion string
  
  license string
  
  licensePath string
  
  name string Required
  
  notice string
  
  owner object
  
  Additional properties are allowed.
  
  Hide owner attributes Show owner attributes object
  
  github string
  
  type string
  
  Values are elastic, partner, or community.
  
  path string
  
  policy_templates array[object]
  
  Additional properties are allowed.
  
  readme string
  
  release string
  
  Values are ga, beta, or experimental.
  
  screenshots array[object]
  
  Hide screenshots attributes Show screenshots attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  signature_path string
  
  source object
  
  Additional properties are allowed.
  
  Hide source attribute Show source attribute object
  
  license string Required
  
  status string
  
  title string Required
  
  type string
  
  Any of:
  string-1 string string-2 string string-3 string string-4 string
  
  Value is integration.
  
  vars array[object]
  
  Additional properties are allowed.
  
  version string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}

curl \
 --request PUT 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"keepPoliciesUpToDate":true}'

Install a package from the registry

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string

Query parameters

prerelease boolean
ignoreMappingUpdateErrors boolean

Default value is false.
skipDataStreamRollover boolean

Default value is false.

application/json

Body

force boolean

Default value is false.
ignore_constraints boolean

Default value is false.

Responses

200 application/json
Hide response attributes Show response attributes object
- _meta object Required
  
  Additional properties are NOT allowed.
  
  Hide _meta attribute Show _meta attribute object
  
  install_source string Required
- items array[object] Required
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  Hide attributes Show attributes
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}

curl \
 --request POST 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":false,"ignore_constraints":false}'

Delete a package

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string

Query parameters

force boolean

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Any of:
  object-1 object object-2 object
  
  Hide attributes Show attributes
  
  id string Required
  
  originId string
  
  type string Required
  
  Any of:
  string-1 string string-2 string
  
  Values are dashboard, lens, visualization, search, index-pattern, map, ml-module, security-rule, csp-rule-template, osquery-pack-asset, osquery-saved-query, or tag.
  
  Hide attributes Show attributes
  
  deferred boolean
  
  id string Required
  
  type string Required
  
  Values are index, index_template, component_template, ingest_pipeline, ilm_policy, data_stream_ilm_policy, transform, or ml_model.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}

curl \
 --request DELETE 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get a package file

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Path parameters

pkgName string Required
pkgVersion string Required
filePath string Required

Responses

200 application/json
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}

curl \
 --request GET 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}' \
 --header "Authorization: $API_KEY"

Install Kibana assets for a package

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string Required

application/json

Body

force boolean
space_ids array[string]

When provided install assets in the specified spaces instead of the current space.

At least 1 element.

Responses

200 application/json
Hide response attribute Show response attribute object
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets

curl \
 --request POST 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"space_ids":["string"]}'

Authorize transforms

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

pkgName string Required
pkgVersion string Required

Query parameters

prerelease boolean

application/json

Body

transforms array[object] Required
Hide transforms attribute Show transforms attribute object
- transformId string Required

Responses

200 application/json
Hide response attributes Show response attributes object
- error Required
- success boolean Required
- transformId string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize

curl \
 --request POST 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"transforms":[{"transformId":"string"}]}'

Get package stats

GET /api/fleet/epm/packages/{pkgName}/stats

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Path parameters

pkgName string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- response object Required
  
  Additional properties are NOT allowed.
  
  Hide response attribute Show response attribute object
  
  agent_policy_count number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/{pkgName}/stats

curl \
 --request GET 'http://api.example.com/api/fleet/epm/packages/{pkgName}/stats' \
 --header "Authorization: $API_KEY"

Get installed packages

GET /api/fleet/epm/packages/installed

Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Query parameters

dataStreamType string

Values are logs, metrics, traces, synthetics, or profiling.
showOnlyActiveDataStreams boolean
nameQuery string
searchAfter array[string | number]
perPage number

Default value is 15.
sortOrder string

Values are asc or desc. Default value is asc.

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  dataStreams array[object] Required
  
  Hide dataStreams attributes Show dataStreams attributes object
  
  name string Required
  
  title string Required
  
  description string
  
  icons array[object]
  
  Hide icons attributes Show icons attributes object
  
  dark_mode boolean
  
  path string
  
  size string
  
  src string Required
  
  title string
  
  type string
  
  name string Required
  
  status string Required
  
  title string
  
  version string Required
- searchAfter array[string | number | boolean]
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/epm/packages/installed

curl \
 --request GET 'http://api.example.com/api/fleet/epm/packages/installed' \
 --header "Authorization: $API_KEY"

Create an enrollment API key

POST /api/fleet/enrollment_api_keys

Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

expiration string
name string
policy_id string Required

Responses

200 application/json
Hide response attributes Show response attributes object
- action string Required
  
  Value is created.
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  active boolean Required
  
  When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
  
  api_key string Required
  
  The enrollment API key (token) used for enrolling Elastic Agents.
  
  api_key_id string Required
  
  The ID of the API key in the Security API.
  
  created_at string Required
  
  id string Required
  
  name string
  
  The name of the enrollment API key.
  
  policy_id string
  
  The ID of the agent policy the Elastic Agent will be enrolled in.
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/enrollment_api_keys

curl \
 --request POST 'http://api.example.com/api/fleet/enrollment_api_keys' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"expiration":"string","name":"string","policy_id":"string"}'

Revoke an enrollment API key

DELETE /api/fleet/enrollment_api_keys/{keyId}

Api key auth

Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

keyId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- action string Required
  
  Value is deleted.
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/enrollment_api_keys/{keyId}

curl \
 --request DELETE 'http://api.example.com/api/fleet/enrollment_api_keys/{keyId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Check permissions

GET /api/fleet/check-permissions

Api key auth

Query parameters

fleetServerSetup boolean

Responses

200 application/json
Hide response attributes Show response attributes object
- error string
  
  Values are MISSING_SECURITY, MISSING_PRIVILEGES, or MISSING_FLEET_SERVER_SETUP_PRIVILEGES.
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/check-permissions

curl \
 --request GET 'http://api.example.com/api/fleet/check-permissions' \
 --header "Authorization: $API_KEY"

Get settings

GET /api/fleet/settings

Api key auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  delete_unenrolled_agents object
  
  Additional properties are NOT allowed.
  
  Hide delete_unenrolled_agents attributes Show delete_unenrolled_agents attributes object
  
  enabled boolean Required
  
  is_preconfigured boolean Required
  
  has_seen_add_data_notice boolean
  
  id string Required
  
  output_secret_storage_requirements_met boolean
  
  preconfigured_fields array[string]
  
  Value is fleet_server_hosts.
  
  prerelease_integrations_enabled boolean
  
  secret_storage_requirements_met boolean
  
  use_space_awareness_migration_started_at string | null
  
  use_space_awareness_migration_status string
  
  Values are pending, success, or error.
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
404 application/json
Hide response attribute Show response attribute object
- message string Required

GET /api/fleet/settings

curl \
 --request GET 'http://api.example.com/api/fleet/settings' \
 --header "Authorization: $API_KEY"

Initiate Fleet setup

POST /api/fleet/setup

Api key auth

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Responses

200 application/json
Hide response attributes Show response attributes object
- isInitialized boolean Required
- nonFatalErrors array[object] Required
  
  Hide nonFatalErrors attributes Show nonFatalErrors attributes object
  
  message string Required
  
  name string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
500 application/json
Hide response attribute Show response attribute object
- message string Required

POST /api/fleet/setup

curl \
 --request POST 'http://api.example.com/api/fleet/setup' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get package policies

GET /api/fleet/package_policies

Api key auth

Query parameters

page number
perPage number
sortField string
sortOrder string

Values are desc or asc.
showUpgradeable boolean
kuery string
format string

Values are simplified or legacy.
withAgentCount boolean

Responses

200 application/json
Hide response attributes Show response attributes object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
- page number Required
- perPage number Required
- total number Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/package_policies

curl \
 --request GET 'http://api.example.com/api/fleet/package_policies' \
 --header "Authorization: $API_KEY"

Bulk get package policies

POST /api/fleet/package_policies/_bulk_get

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Query parameters

format string

Values are simplified or legacy.

application/json

Body

ids array[string] Required

list of package policy ids
ignoreMissing boolean

Responses

200 application/json
Hide response attribute Show response attribute object
- items array[object] Required
  
  Hide items attributes Show items attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
404 application/json
Hide response attribute Show response attribute object
- message string Required

POST /api/fleet/package_policies/_bulk_get

curl \
 --request POST 'http://api.example.com/api/fleet/package_policies/_bulk_get' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"],"ignoreMissing":true}'

Get a package policy

GET /api/fleet/package_policies/{packagePolicyId}

Api key auth

Get a package policy by ID.

Path parameters

packagePolicyId string Required

Query parameters

format string

Values are simplified or legacy.

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  additional_datastreams_permissions array[string] | null
  
  Additional datastream permissions, that will be added to the agent policy.
  
  agents number
  
  created_at string Required
  
  created_by string Required
  
  description string
  
  Package policy description
  
  elasticsearch object
  
  Additional properties are allowed.
  
  Hide elasticsearch attribute Show elasticsearch attribute object
  
  privileges object
  
  Additional properties are allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  cluster array[string]
  
  enabled boolean Required
  
  id string Required
  
  inputs array[object] | object Required
  
  Any of:
  array-1 array[object] object-2 object
  
  Hide attributes Show attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  policy_template string
  
  streams array[object] Required
  
  Hide streams attributes Show streams attributes object
  
  config object
  
  Package variable (see integration documentation for more information)
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  data_stream object Required
  
  Additional properties are NOT allowed.
  
  Hide data_stream attributes Show data_stream attributes object
  
  dataset string Required
  
  elasticsearch object
  
  Additional properties are NOT allowed.
  
  Hide elasticsearch attributes Show elasticsearch attributes object
  
  dynamic_dataset boolean
  
  dynamic_namespace boolean
  
  privileges object
  
  Additional properties are NOT allowed.
  
  Hide privileges attribute Show privileges attribute object
  
  indices array[string]
  
  type string Required
  
  enabled boolean Required
  
  id string
  
  keep_enabled boolean
  
  release string
  
  Values are ga, beta, or experimental.
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  type string Required
  
  vars object
  
  Package variable (see integration documentation for more information)
  
  Hide vars attribute Show vars attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  Package policy inputs (see integration documentation to know what inputs are available)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that input, (default to true)
  
  streams object
  
  Input streams (see integration documentation to know what streams are available)
  
  Hide streams attribute Show streams attribute object
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  enabled boolean
  
  enable or disable that stream, (default to true)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  vars object
  
  Input/stream level variable (see integration documentation for more information)
  
  is_managed boolean
  
  name string Required
  
  Package policy name (should be unique)
  
  namespace string
  
  The package policy namespace. Leave blank to inherit the agent policy's namespace.
  
  output_id string | null
  
  overrides object | null
  
  Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
  
  Additional properties are NOT allowed.
  
  Hide overrides attribute Show overrides attribute object | null
  
  inputs object
  
  Additional properties are allowed.
  
  package object
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
  
  policy_id string | null Deprecated
  
  Agent policy ID where that package policy will be added
  
  policy_ids array[string]
  
  Agent policy IDs where that package policy will be added
  
  revision number Required
  
  secret_references array[object]
  
  Hide secret_references attribute Show secret_references attribute object
  
  id string Required
  
  spaceIds array[string]
  
  supports_agentless boolean | null
  
  Indicates whether the package policy belongs to an agentless agent policy.
  
  Default value is false.
  
  updated_at string Required
  
  updated_by string Required
  
  vars object
  
  Any of:
  object-1 object object-2 object
  
  Package variable (see integration documentation for more information)
  
  Hide attribute Show attribute
  
  * object Additional properties
  
  Additional properties are NOT allowed.
  
  Hide * attributes Show * attributes object
  
  frozen boolean
  
  type string
  
  version string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number
404 application/json
Hide response attribute Show response attribute object
- message string Required

GET /api/fleet/package_policies/{packagePolicyId}

curl \
 --request GET 'http://api.example.com/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY"

Delete a package policy

DELETE /api/fleet/package_policies/{packagePolicyId}

Api key auth

Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

packagePolicyId string Required

Query parameters

force boolean

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/package_policies/{packagePolicyId}

curl \
 --request DELETE 'http://api.example.com/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Bulk delete package policies

POST /api/fleet/package_policies/delete

Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

force boolean
packagePolicyIds array[string] Required

Responses

200 application/json
Hide response attributes Show response attributes object
- body object
  
  Additional properties are NOT allowed.
  
  Hide body attribute Show body attribute object
  
  message string Required
- id string Required
- name string
- output_id string | null
- package object Required
  
  Additional properties are NOT allowed.
  
  Hide package attributes Show package attributes object
  
  experimental_data_stream_features array[object]
  
  Hide experimental_data_stream_features attributes Show experimental_data_stream_features attributes object
  
  data_stream string Required
  
  features object Required
  
  Additional properties are NOT allowed.
  
  Hide features attributes Show features attributes object
  
  doc_value_only_numeric boolean
  
  doc_value_only_other boolean
  
  synthetic_source boolean
  
  tsdb boolean
  
  name string Required
  
  Package name
  
  requires_root boolean
  
  title string
  
  version string Required
  
  Package version
- policy_id string | null Deprecated
  
  Use policy_ids instead
- policy_ids array[string] Required
- statusCode number
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/package_policies/delete

curl \
 --request POST 'http://api.example.com/api/fleet/package_policies/delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"packagePolicyIds":["string"]}'

Upgrade a package policy

POST /api/fleet/package_policies/upgrade

Api key auth

Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

packagePolicyIds array[string] Required

Responses

200 application/json
Hide response attributes Show response attributes object
- body object
  
  Additional properties are NOT allowed.
  
  Hide body attribute Show body attribute object
  
  message string Required
- id string Required
- name string
- statusCode number
- success boolean Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/package_policies/upgrade

curl \
 --request POST 'http://api.example.com/api/fleet/package_policies/upgrade' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"packagePolicyIds":["string"]}'

Create a proxy

POST /api/fleet/proxies

Api key auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

certificate string | null
certificate_authorities string | null
certificate_key string | null
id string
is_preconfigured boolean

Default value is false.
name string Required
proxy_headers object | null
url string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  certificate string | null
  
  certificate_authorities string | null
  
  certificate_key string | null
  
  id string Required
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_headers object | null
  
  url string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

POST /api/fleet/proxies

curl \
 --request POST 'http://api.example.com/api/fleet/proxies' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","id":"string","is_preconfigured":false,"name":"string","proxy_headers":{},"url":"string"}'

Get a proxy

GET /api/fleet/proxies/{itemId}

Api key auth

Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.

Path parameters

itemId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  certificate string | null
  
  certificate_authorities string | null
  
  certificate_key string | null
  
  id string Required
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_headers object | null
  
  url string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/proxies/{itemId}

curl \
 --request GET 'http://api.example.com/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY"

Update a proxy

PUT /api/fleet/proxies/{itemId}

Api key auth

Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

itemId string Required

application/json

Body

certificate string | null Required
certificate_authorities string | null Required
certificate_key string | null Required
name string
proxy_headers object | null Required
url string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  certificate string | null
  
  certificate_authorities string | null
  
  certificate_key string | null
  
  id string Required
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_headers object | null
  
  url string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/proxies/{itemId}

curl \
 --request PUT 'http://api.example.com/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","name":"string","proxy_headers":{},"url":"string"}'

Delete a proxy

DELETE /api/fleet/proxies/{itemId}

Api key auth

Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

itemId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

DELETE /api/fleet/proxies/{itemId}

curl \
 --request DELETE 'http://api.example.com/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Update a Fleet Server host

PUT /api/fleet/fleet_server_hosts/{itemId}

Api key auth

Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

itemId string Required

application/json

Body

host_urls array[string]

At least 1 element.
is_default boolean
is_internal boolean
name string
proxy_id string | null Required
secrets object

Additional properties are NOT allowed.
Hide secrets attribute Show secrets attribute object
- ssl object
  
  Additional properties are NOT allowed.
  Hide ssl attributes Show ssl attributes object
  
  es_key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
ssl object | null

Additional properties are NOT allowed.
Hide ssl attributes Show ssl attributes object | null
- certificate string
- certificate_authorities array[string]
- client_auth string
  
  Values are optional, required, or none.
- es_certificate string
- es_certificate_authorities array[string]
- es_key string
- key string

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  host_urls array[string] Required
  
  At least 1 element.
  
  id string Required
  
  is_default boolean
  
  Default value is false.
  
  is_internal boolean
  
  is_preconfigured boolean
  
  Default value is false.
  
  name string Required
  
  proxy_id string | null
  
  secrets object
  
  Additional properties are NOT allowed.
  
  Hide secrets attribute Show secrets attribute object
  
  ssl object
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object
  
  es_key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  key object | string
  
  Any of:
  object-1 object string-2 string
  
  Hide attribute Show attribute
  
  id string Required
  
  ssl object | null
  
  Additional properties are NOT allowed.
  
  Hide ssl attributes Show ssl attributes object | null
  
  certificate string
  
  certificate_authorities array[string]
  
  client_auth string
  
  Values are optional, required, or none.
  
  es_certificate string
  
  es_certificate_authorities array[string]
  
  es_key string
  
  key string
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

PUT /api/fleet/fleet_server_hosts/{itemId}

curl \
 --request PUT 'http://api.example.com/api/fleet/fleet_server_hosts/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host_urls":["string"],"is_default":true,"is_internal":true,"name":"string","proxy_id":"string","secrets":{"ssl":{"es_key":{"id":"string"},"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"client_auth":"optional","es_certificate":"string","es_certificate_authorities":["string"],"es_key":"string","key":"string"}}'

Get a decrypted uninstall token

GET /api/fleet/uninstall_tokens/{uninstallTokenId}

Api key auth

Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.

Path parameters

uninstallTokenId string Required

Responses

200 application/json
Hide response attribute Show response attribute object
- item object Required
  
  Additional properties are NOT allowed.
  
  Hide item attributes Show item attributes object
  
  created_at string Required
  
  id string Required
  
  namespaces array[string]
  
  policy_id string Required
  
  policy_name string | null
  
  token string Required
400 application/json
Hide response attributes Show response attributes object
- error string
- errorType string
- message string Required
- statusCode number

GET /api/fleet/uninstall_tokens/{uninstallTokenId}

curl \
 --request GET 'http://api.example.com/api/fleet/uninstall_tokens/{uninstallTokenId}' \
 --header "Authorization: $API_KEY"

Get a role

GET /api/security/role/{name}

Api key auth

Path parameters

name string Required

The role name.

Minimum length is 1.

Query parameters

replaceDeprecatedPrivileges boolean

If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.

Responses

200

Indicates a successful call.

GET /api/security/role/{name}

curl \
 --request GET 'http://api.example.com/api/security/role/{name}' \
 --header "Authorization: $API_KEY"

Delete a role

DELETE /api/security/role/{name}

Api key auth

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required

Minimum length is 1.

Responses

204

Indicates a successful call.

DELETE /api/security/role/{name}

curl \
 --request DELETE 'http://api.example.com/api/security/role/{name}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Export saved objects

POST /api/saved_objects/_export

Api key auth

Retrieve sets of saved objects that you want to import into Kibana. You must include type or objects in the request body.

Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.

NOTE: The savedObjects.maxImportExportSize configuration setting limits the number of saved objects which may be exported.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

application/json

Body

excludeExportDetails boolean

Do not add export details entry at the end of the stream.

Default value is false.
hasReference object | array[object]
Any of:
object-1 object array-2 array[object]
Hide attributes Show attributes

id string Required

type string Required
Hide attributes Show attributes object

id string Required

type string Required
includeReferencesDeep boolean

Includes all of the referenced objects in the exported objects.

Default value is false.
objects array[object]

A list of objects to export. NOTE: this optiona cannot be combined with types option

Not more than 10000 elements.
Hide objects attributes Show objects attributes object
- id string Required
- type string Required
search string

Search for documents to export using the Elasticsearch Simple Query String syntax.
type string | array[string]

The saved object types to include in the export. Use * to export all the types.

Any of:
string-1 string array-2 array[string]

Responses

200 application/x-ndjson

Indicates a successfull call.
400 application/json

Bad request.
Hide response attributes Show response attributes object
- error string Required
- message string Required
- statusCode integer Required
  
  Value is 400.

POST /api/saved_objects/_export

curl \
 --request POST 'http://api.example.com/api/saved_objects/_export' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"objects":[{"id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","type":"map"}],"excludeExportDetails":true,"includeReferencesDeep":false}'

Request example

{
  "objects": [
    {
      "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
      "type": "map"
    }
  ],
  "excludeExportDetails": true,
  "includeReferencesDeep": false
}

Response examples (200)

{
  "id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
  "type": "map",
  "managed": false,
  "version": "WzEzLDFd",
  "attributes": {
    "title": "[Logs] Total Requests and Bytes",
    "description": "",
    "uiStateJSON": "{\"isDarkMode\":false}",
    "mapStateJSON": "{\"zoom\":3.64,\"center\":{\"lon\":-88.92107,\"lat\":42.16337},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"settings\":{\"autoFitToDataBounds\":false}}",
    "layerListJSON": "[{\"id\":\"0hmz5\",\"alpha\":1,\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"visible\":true,\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"minZoom\":0,\"maxZoom\":24},{\"id\":\"edh66\",\"label\":\"Total Requests by Destination\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.5,\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\",\"iso2\"]},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e\",\"origin\":\"join\"},\"color\":\"Greys\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":10}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\",\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"673ff994-fc75-4c67-909b-69fcb0e1060e\",\"indexPatternTitle\":\"kibana_sample_data_logs\",\"term\":\"geo.dest\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"}],\"applyGlobalQuery\":true}}]},{\"id\":\"gaxya\",\"label\":\"Actual Requests\",\"minZoom\":9,\"maxZoom\":24,\"alpha\":1,\"sourceDescriptor\":{\"id\":\"b7486535-171b-4d3b-bb2e-33c1a0a2854c\",\"type\":\"ES_SEARCH\",\"geoField\":\"geo.coordinates\",\"limit\":2048,\"filterByMapBounds\":true,\"tooltipProperties\":[\"clientip\",\"timestamp\",\"host\",\"request\",\"response\",\"machine.os\",\"agent\",\"bytes\"],\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#2200ff\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"bytes\",\"origin\":\"source\"},\"minSize\":1,\"maxSize\":23,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"},{\"id\":\"tfi3f\",\"label\":\"Total Requests and Bytes\",\"minZoom\":0,\"maxZoom\":9,\"alpha\":1,\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"resolution\":\"COARSE\",\"id\":\"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b\",\"geoField\":\"geo.coordinates\",\"requestType\":\"point\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"},{\"type\":\"sum\",\"field\":\"bytes\"}],\"indexPatternRefName\":\"layer_3_source_index_pattern\",\"applyGlobalQuery\":true},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#cccccc\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"sum_of_bytes\",\"origin\":\"source\"},\"minSize\":7,\"maxSize\":25,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":12,\"maxSize\":24,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"}]"
  },
  "created_at": "2023-08-23T20:03:32.204Z",
  "references": [
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_1_join_0_index_pattern",
      "type": "index-pattern"
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_2_source_index_pattern",
      "type": "index-pattern"
    },
    {
      "id": "90943e30-9a47-11e8-b64d-95841ca0b247",
      "name": "layer_3_source_index_pattern",
      "type": "index-pattern"
    }
  ],
  "updated_at": "2023-08-23T20:03:32.204Z",
  "coreMigrationVersion": "8.8.0",
  "typeMigrationVersion": "8.4.0"
}

Apply a bulk action to anonymization fields

POST /api/security_ai_assistant/anonymization_fields/_bulk_action

Api key auth

Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.

application/json

Body

create array[object]
Hide create attributes Show create attributes object
- allowed boolean
- anonymized boolean
- field string Required
delete object
Hide delete attributes Show delete attributes object
- ids array[string]
  
  Array of anonymization fields IDs
  
  At least 1 element.
- query string
  
  Query to filter anonymization fields
update array[object]
Hide update attributes Show update attributes object
- allowed boolean
- anonymized boolean
- id string Required

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- anonymization_fields_count integer
- attributes object Required
  
  Hide attributes attributes Show attributes attributes object
  
  errors array[object]
  
  Hide errors attributes Show errors attributes object
  
  anonymization_fields array[object] Required
  
  Hide anonymization_fields attributes Show anonymization_fields attributes object
  
  id string Required
  
  name string
  
  err_code string
  
  message string Required
  
  status_code integer Required
  
  results object Required
  
  Hide results attributes Show results attributes object
  
  created array[object] Required
  
  Hide created attributes Show created attributes object
  
  allowed boolean
  
  anonymized boolean
  
  createdAt string
  
  createdBy string
  
  field string Required
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace string
  
  Kibana space
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
  
  deleted array[string] Required
  
  skipped array[object] Required
  
  Hide skipped attributes Show skipped attributes object
  
  id string Required
  
  name string
  
  skip_reason string Required
  
  Value is ANONYMIZATION_FIELD_NOT_MODIFIED.
  
  updated array[object] Required
  
  Hide updated attributes Show updated attributes object
  
  allowed boolean
  
  anonymized boolean
  
  createdAt string
  
  createdBy string
  
  field string Required
  
  id string(nonempty) Required
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  namespace string
  
  Kibana space
  
  timestamp string(nonempty)
  
  A string that does not contain only whitespace characters
  
  Minimum length is 1.
  
  updatedAt string
  
  updatedBy string
  
  summary object Required
  
  Hide summary attributes Show summary attributes object
  
  failed integer Required
  
  skipped integer Required
  
  succeeded integer Required
  
  total integer Required
- message string
- status_code integer
- success boolean
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/security_ai_assistant/anonymization_fields/_bulk_action

curl \
 --request POST 'http://api.example.com/api/security_ai_assistant/anonymization_fields/_bulk_action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"create":[{"allowed":true,"anonymized":true,"field":"string"}],"delete":{"ids":["string"],"query":"string"},"update":[{"allowed":true,"anonymized":true,"id":"string"}]}'

POST /api/security_ai_assistant/chat/complete

Api key auth

Create a model response for the given chat conversation.

Query parameters

content_references_disabled boolean

If true, the response will not include content references.

Default value is false.

application/json

Body Required

connectorId string Required
conversationId string(nonempty)

A string that does not contain only whitespace characters

Minimum length is 1.
isStream boolean
langSmithApiKey string
langSmithProject string
messages array[object] Required

AI assistant message.
Hide messages attributes Show messages attributes object
- content string
  
  Message content.
- data object
  
  ECS object to attach to the context of the message.
  
  Additional properties are allowed.
- fields_to_anonymize array[string]
- role string Required
  
  Message role.
  
  Values are system, user, or assistant.
model string
persist boolean Required
promptId string
responseLanguage string

Responses

200 application/octet-stream

Indicates a successful call.
400 application/json

Generic Error
Hide response attributes Show response attributes object
- error string
- message string
- statusCode number

POST /api/security_ai_assistant/chat/complete

curl \
 --request POST 'http://api.example.com/api/security_ai_assistant/chat/complete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"connectorId":"string","conversationId":"string","isStream":true,"langSmithApiKey":"string","langSmithProject":"string","messages":[{"content":"string","data":{},"fields_to_anonymize":["string"],"role":"system"}],"model":"string","persist":true,"promptId":"string","responseLanguage":"string"}'

Body Required

Body Required

Body Required

Body Required

Get a list of dashboards Technical Preview

Get a dashboard Technical Preview

query string | object Required

size_in_bytes_formatted number | string Required

Body Required

Body Required

Body Required

agents array[string] | string Required

agents array[string] | string Required