Find users with a query Generally available; Added in 8.14.0

GET /_security/_query/user

Get information for users in a paginated manner. You can optionally filter the results with a query.

NOTE: As opposed to the get user API, built-in users are excluded from the result. This API is only for native users.

Required authorization

  • Cluster privileges: read_security

Query parameters

  • with_profile_uid boolean

    Determines whether to retrieve the user profile UID, if it exists, for the users.

application/json

Body

  • query object

    A query to filter which users to return. If the query parameter is missing, it is equivalent to a match_all query. The query supports a subset of query types, including match_all, bool, term, terms, match, ids, prefix, wildcard, exists, range, and simple_query_string. You can query the following information associated with user: username, roles, enabled, full_name, and email.

    Hide query attributes Show query attributes object
    • ids object

      Returns users based on their IDs. This query uses the user document IDs stored in the _id field.

      Hide ids attributes Show ids attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

        Default value is 1.0.

      • _name string
      • values
    • bool object

      matches users matching boolean combinations of other queries.

      Hide bool attributes Show bool attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

        Default value is 1.0.

      • _name string

      • filter object | array[object]

        The clause (query) must appear in matching documents. However, unlike must, the score of the query will be ignored.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

      • minimum_should_match

      • must object | array[object]

        The clause (query) must appear in matching documents and will contribute to the score.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

      • must_not object | array[object]

        The clause (query) must not appear in the matching documents. Because scoring is ignored, a score of 0 is returned for all documents.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

      • should object | array[object]

        The clause (query) should appear in the matching document.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

    • exists object

      Returns users that contain an indexed value for a field.

      Hide exists attributes Show exists attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

        Default value is 1.0.

      • _name string
      • field string Required

        Name of the field you wish to search.

    • match object

      Returns users that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

    • match_all object

      Matches all users, giving them all a _score of 1.0.

      Hide match_all attributes Show match_all attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

        Default value is 1.0.

      • _name string
    • prefix object

      Returns users that contain a specific prefix in a provided field.

    • range object

      Returns users that contain terms within a provided range.

    • simple_query_string object

      Returns users based on a provided query string, using a parser with a limited but fault-tolerant syntax.

      Hide simple_query_string attributes Show simple_query_string attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

        Default value is 1.0.

      • _name string
      • analyzer string

        Analyzer used to convert text in the query string into tokens.

      • analyze_wildcard boolean

        If true, the query attempts to analyze wildcard terms in the query string.

        Default value is false.

      • auto_generate_synonyms_phrase_query boolean

        If true, the parser creates a match_phrase query for each multi-position token.

        Default value is true.

      • default_operator string

        Default boolean logic used to interpret text in the query string if no operators are specified.

        Values are and, AND, or, or OR.

      • fields array[string]

        Array of fields you wish to search. Accepts wildcard expressions. You also can boost relevance scores for matches to particular fields using a caret (^) notation. Defaults to the index.query.default_field index setting, which has a default value of *.

      • fuzzy_max_expansions number

        Maximum number of terms to which the query expands for fuzzy matching.

        Default value is 50.0.

      • fuzzy_prefix_length number

        Number of beginning characters left unchanged for fuzzy matching.

        Default value is 0.0.

      • fuzzy_transpositions boolean

        If true, edits for fuzzy matching include transpositions of two adjacent characters (for example, ab to ba).

      • lenient boolean

        If true, format-based errors, such as providing a text value for a numeric field, are ignored.

        Default value is false.

      • minimum_should_match
      • query string Required

        Query string in the simple query string syntax you wish to parse and use for search.

      • quote_field_suffix string

        Suffix appended to quoted text in the query string.

    • term object

      Returns users that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

    • terms object

      Returns users that contain one or more exact terms in a provided field. To return a document, one or more terms must exactly match a field value, including whitespace and capitalization.

      Hide terms attributes Show terms attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

        Default value is 1.0.

      • _name string
    • wildcard object

      Returns users that contain terms matching a wildcard pattern.

  • from number

    The starting document offset. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

    Default value is 0.0.

  • sort string | object | array[string | object]

    The sort definition. Fields eligible for sorting are: username, roles, enabled. In addition, sort can also be applied to the _doc field to sort by index order.

    External documentation
    One of:
    Field string SortOptions object array-2 array[string | object]

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    External documentation
    External documentation
  • size number

    The number of hits to return. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

    Default value is 10.0.

  • search_after array[number | string | boolean | null]

    The search after definition

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • total number Required

      The total number of users found.

    • count number Required

      The number of users returned in the response.

    • users array[object] Required

      A list of users that match the query.

      Hide users attributes Show users attributes object
GET /_security/_query/user 
curl \
 --request GET 'http://api.example.com/_security/_query/user' \
 --header "Content-Type: application/json" \
 --data '"{\n    \"query\": {\n        \"prefix\": {\n            \"roles\": \"other\"\n        }\n    }\n}"'
Request examples
Run `POST /_security/_query/user?with_profile_uid=true` to get users that have roles that are prefixed with `other`. It will also include the user `profile_uid` in the response. 
{
    "query": {
        "prefix": {
            "roles": "other"
        }
    }
}
Run `POST /_security/_query/user`. Use a `bool` query to issue complex logical conditions: The `email` must end with `example.com`. The user must be enabled. The result will be filtered to only contain users with at least one role that contains the substring `other`. The offset to begin the search result is the second (zero-based index) user. The page size of the response is two users. The result is sorted by `username` in descending order. 
{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "email": "*example.com" 
          }
        },
        {
          "term": {
            "enabled": true 
          }
        }
      ],
      "filter": [
        {
          "wildcard": {
            "roles": "*other*" 
          }
        }
      ]
    }
  },
  "from": 1, 
  "size": 2, 
  "sort": [
    { "username": { "order": "desc"} } 
  ]
}
Response examples (200)
A successful response from `POST /_security/_query/user?with_profile_uid=true` that contains users that have roles that are prefixed with `other`. It also includes the user `profile_uid` in the response. 
{
    "total": 1,
    "count": 1,
    "users": [
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "profile_uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0"
        }
    ]
}
A successful response from `POST /_security/_query/user` that uses a `bool` query to issue complex logical conditions and uses `from`, `size`, and `sort` to help paginate the result. The sort value is `username`. 
{
    "total": 5,
    "count": 2,
    "users": [
        {
            "username": "ray",
            "roles": [
                "other_role3"
            ],
            "full_name": "Ray Nicholson",
            "email": "rayn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "ray" 
            ]
        },
        {
            "username": "lorraine",
            "roles": [
                "other_role3"
            ],
            "full_name": "Lorraine Nicholson",
            "email": "lorraine@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "lorraine"
            ]
        }
    ]
}
A successful response from `GET /_security/_query/user`, which lists all users. It returns a JSON structure that contains the information retrieved from one or more users. 
{
    "total": 2,
    "count": 2,
    "users": [ 
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        },
        {
            "username": "sandrakn",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Sandra Knight",
            "email": "sandrakn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        }
    ]
}