Find users with a query Generally available; Added in 8.14.0

POST /_security/_query/user

Get information for users in a paginated manner. You can optionally filter the results with a query.

NOTE: As opposed to the get user API, built-in users are excluded from the result. This API is only for native users. ##Required authorization

  • Cluster privileges: read_security

Query parameters

  • with_profile_uid boolean

    Determines whether to retrieve the user profile UID, if it exists, for the users.

application/json

Body

  • query object
    Hide query attributes Show query attributes object
    • ids object
      Hide ids attributes Show ids attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string

      • values string | array[string]

        One of:
        Id string Ids array[string]
    • bool object
      Hide bool attributes Show bool attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string

      • filter object | array[object]

        The clause (query) must appear in matching documents. However, unlike must, the score of the query will be ignored.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type

      • minimum_should_match number | string

        The minimum number of terms that should match as integer, percentage or range

        One of:
        MinimumShouldMatch number MinimumShouldMatch string

      • must object | array[object]

        The clause (query) must appear in matching documents and will contribute to the score.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type

      • must_not object | array[object]

        The clause (query) must not appear in the matching documents. Because scoring is ignored, a score of 0 is returned for all documents.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type

      • should object | array[object]

        The clause (query) should appear in the matching document.

        One of:
        QueryContainer object array-2 array[object]

        An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

        Hide attributes Show attributes object
        External documentation
        • bool
        • boosting
        • common object Deprecated
        • combined_fields
        • constant_score
        • dis_max
        • distance_feature
        • exists
        • function_score
        • fuzzy object

          Returns documents that contain terms similar to the search term, as measured by a Levenshtein edit distance.

        • geo_bounding_box
        • geo_distance
        • geo_grid object

          Matches geo_point and geo_shape values that intersect a grid cell from a GeoGrid aggregation.

        • geo_polygon
        • geo_shape
        • has_child
        • has_parent
        • ids
        • intervals object

          Returns documents based on the order and proximity of matching terms.

        • knn
        • match object

          Returns documents that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

        • match_all
        • match_bool_prefix object

          Analyzes its input and constructs a bool query from the terms. Each term except the last is used in a term query. The last term is used in a prefix query.

        • match_none
        • match_phrase object

          Analyzes the text and creates a phrase query out of the analyzed text.

        • match_phrase_prefix object

          Returns documents that contain the words of a provided text, in the same order as provided. The last term of the provided text is treated as a prefix, matching any words that begin with that term.

        • more_like_this
        • multi_match
        • nested
        • parent_id
        • percolate
        • pinned
        • prefix object

          Returns documents that contain a specific prefix in a provided field.

        • query_string
        • range object

          Returns documents that contain terms within a provided range.

        • rank_feature
        • regexp object

          Returns documents that contain terms matching a regular expression.

        • rule
        • script
        • script_score
        • semantic
        • shape
        • simple_query_string
        • span_containing
        • span_field_masking
        • span_first
        • span_multi
        • span_near
        • span_not
        • span_or
        • span_term object

          Matches spans containing a term.

        • span_within
        • sparse_vector
        • term object

          Returns documents that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

        • terms
        • terms_set object

          Returns documents that contain a minimum number of exact terms in a provided field. To return a document, a required number of terms must exactly match the field values, including whitespace and capitalization.

        • text_expansion object Deprecated Generally available; Added in 8.8.0

          Uses a natural language processing model to convert the query text into a list of token-weight pairs which are then used in a query against a sparse vector or rank features field.

        • weighted_tokens object Deprecated Generally available; Added in 8.13.0

          Supports returning text_expansion query results by sending in precomputed tokens with the query.

        • wildcard object

          Returns documents that contain terms matching a wildcard pattern.

        • wrapper
        • type
    • exists object
      Hide exists attributes Show exists attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • field string Required

        Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    • match object

      Returns users that match a provided text, number, date or boolean value. The provided text is analyzed before matching.

    • match_all object
      Hide match_all attributes Show match_all attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
    • prefix object

      Returns users that contain a specific prefix in a provided field.

    • range object

      Returns users that contain terms within a provided range.

    • simple_query_string object
      Hide simple_query_string attributes Show simple_query_string attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
      • analyzer string

        Analyzer used to convert text in the query string into tokens.

      • analyze_wildcard boolean

        If true, the query attempts to analyze wildcard terms in the query string.

      • auto_generate_synonyms_phrase_query boolean

        If true, the parser creates a match_phrase query for each multi-position token.

      • default_operator string

        Values are and, AND, or, or OR.

      • fields array[string]

        Array of fields you wish to search. Accepts wildcard expressions. You also can boost relevance scores for matches to particular fields using a caret (^) notation. Defaults to the index.query.default_field index setting, which has a default value of *.

      • flags string

        Query flags can be either a single flag or a combination of flags, e.g. OR|AND|PREFIX

        One of:
        SimpleQueryStringFlag string PipeSeparatedFlagsSimpleQueryStringFlag string

        Query flags can be either a single flag or a combination of flags, e.g. OR|AND|PREFIX

        Values are NONE, AND, NOT, OR, PREFIX, PHRASE, PRECEDENCE, ESCAPE, WHITESPACE, FUZZY, NEAR, SLOP, or ALL.

        Query flags can be either a single flag or a combination of flags, e.g. OR|AND|PREFIX

      • fuzzy_max_expansions number

        Maximum number of terms to which the query expands for fuzzy matching.

      • fuzzy_prefix_length number

        Number of beginning characters left unchanged for fuzzy matching.

      • fuzzy_transpositions boolean

        If true, edits for fuzzy matching include transpositions of two adjacent characters (for example, ab to ba).

      • lenient boolean

        If true, format-based errors, such as providing a text value for a numeric field, are ignored.

      • minimum_should_match number | string

        The minimum number of terms that should match as integer, percentage or range

        One of:
        MinimumShouldMatch number MinimumShouldMatch string
      • query string Required

        Query string in the simple query string syntax you wish to parse and use for search.

      • quote_field_suffix string

        Suffix appended to quoted text in the query string.

    • term object

      Returns users that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.

    • terms object
      Hide terms attributes Show terms attributes object
      • boost number

        Floating point number used to decrease or increase the relevance scores of the query. Boost values are relative to the default value of 1.0. A boost value between 0 and 1.0 decreases the relevance score. A value greater than 1.0 increases the relevance score.

      • _name string
    • wildcard object

      Returns users that contain terms matching a wildcard pattern.

  • from number

    The starting document offset. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

  • sort string | object | array[string | object]

    One of:
    Field string SortOptions object Sort array[string | object]

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

    One of:
    Field string SortOptions object

    Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

  • size number

    The number of hits to return. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

  • search_after array[number | string | boolean | null]

    A field value.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • total number Required

      The total number of users found.

    • count number Required

      The number of users returned in the response.

    • users array[object] Required

      A list of users that match the query.

      Hide users attributes Show users attributes object
POST /_security/_query/user 
GET /_security/_query/user

curl \
 --request POST 'http://api.example.com/_security/_query/user' \
 --header "Content-Type: application/json" \
 --data '"{\n    \"query\": {\n        \"prefix\": {\n            \"roles\": \"other\"\n        }\n    }\n}"'
Request examples
Run `POST /_security/_query/user?with_profile_uid=true` to get users that have roles that are prefixed with `other`. It will also include the user `profile_uid` in the response. 
{
    "query": {
        "prefix": {
            "roles": "other"
        }
    }
}
Run `POST /_security/_query/user`. Use a `bool` query to issue complex logical conditions: The `email` must end with `example.com`. The user must be enabled. The result will be filtered to only contain users with at least one role that contains the substring `other`. The offset to begin the search result is the second (zero-based index) user. The page size of the response is two users. The result is sorted by `username` in descending order. 
{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "email": "*example.com" 
          }
        },
        {
          "term": {
            "enabled": true 
          }
        }
      ],
      "filter": [
        {
          "wildcard": {
            "roles": "*other*" 
          }
        }
      ]
    }
  },
  "from": 1, 
  "size": 2, 
  "sort": [
    { "username": { "order": "desc"} } 
  ]
}
Response examples (200)
A successful response from `POST /_security/_query/user?with_profile_uid=true` that contains users that have roles that are prefixed with `other`. It also includes the user `profile_uid` in the response. 
{
    "total": 1,
    "count": 1,
    "users": [
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "profile_uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0"
        }
    ]
}
A successful response from `POST /_security/_query/user` that uses a `bool` query to issue complex logical conditions and uses `from`, `size`, and `sort` to help paginate the result. The sort value is `username`. 
{
    "total": 5,
    "count": 2,
    "users": [
        {
            "username": "ray",
            "roles": [
                "other_role3"
            ],
            "full_name": "Ray Nicholson",
            "email": "rayn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "ray" 
            ]
        },
        {
            "username": "lorraine",
            "roles": [
                "other_role3"
            ],
            "full_name": "Lorraine Nicholson",
            "email": "lorraine@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "lorraine"
            ]
        }
    ]
}
A successful response from `GET /_security/_query/user`, which lists all users. It returns a JSON structure that contains the information retrieved from one or more users. 
{
    "total": 2,
    "count": 2,
    "users": [ 
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        },
        {
            "username": "sandrakn",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Sandra Knight",
            "email": "sandrakn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        }
    ]
}

Documentation preview

This is a preview of your version @2025-06-09 which is not yet released.

View current documentation