Path parameters

• id string Required

  Identifier for the search.

Query parameters

• keep_alive string

  Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.

  Values are -1 or 0.

• wait_for_completion_timeout string

  Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.

  Values are -1 or 0.

Responses

• 200 application/json
  Hide response attributes Show response attributes object

  • id string
  • is_partial boolean

    If true, the response does not contain complete search results.

  • is_running boolean

    If true, the search request is still executing.

  • took number

    Time unit for milliseconds

  • timed_out boolean

    If true, the request timed out before completion.

  • hits object Required
    Hide hits attributes Show hits attributes object

    • total object
      Hide total attributes Show total attributes object

      • relation string Required

        Values are eq or gte.

      • value number Required
    • events array[object]

      Contains events matching the query. Each object represents a matching event.

      Hide events attributes Show events attributes object

      • _index string Required
      • _id string Required
      • _source object Required

        Original JSON body passed for the event at index time.

      • missing boolean

        Set to true for events in a timespan-constrained sequence that do not meet a given condition.

      • fields object
        Hide fields attribute Show fields attribute object

        • * array[object] Additional properties
    • sequences array[object]

      Contains event sequences matching the query. Each object represents a matching sequence. This parameter is only returned for EQL queries containing a sequence.

      Hide sequences attributes Show sequences attributes object

      • events array[object] Required

        Contains events matching the query. Each object represents a matching event.

        Hide events attributes Show events attributes object

        • _index string Required
        • _id string Required
        • _source object Required

          Original JSON body passed for the event at index time.

        • missing boolean

          Set to true for events in a timespan-constrained sequence that do not meet a given condition.

        • fields object
      • join_keys array[object]

        Shared field values used to constrain matches in the sequence. These are defined using the by keyword in the EQL query syntax.
  • shard_failures array[object]

    Contains information about shard failures (if any), in case allow_partial_search_results=true

    Hide shard_failures attributes Show shard_failures attributes object

    • index string
    • node string
    • reason object Required
      Hide reason attributes Show reason attributes object

      • type string Required

        The type of error

      • reason string | null

        A human-readable explanation of the error, in English.

        One of:

        string-1 string string-2 string | null
      • stack_trace string

        The server stack trace. Present only if the error_trace=true parameter was sent with the request.

      • caused_by object
      • root_cause array[object]
      • suppressed array[object]
    • shard number Required
    • status string