Initiate a detection alert migration (Deprecated)

POST /api/detection_engine/signals/migration

Spaces method and path for this operation:

post /s/{space_id}/api/detection_engine/signals/migration

Refer to Spaces for more information.

DEPRECATED. Legacy API for on-demand reindexing of old .siem-signals-* alert indices. Do not build new integrations; upgrade the Elastic Stack and rely on product-managed data lifecycle instead. WARNING: Migrations can be resource intensive and should be planned during a maintenance window.

Initiate a migration of detection alerts. Migrations are initiated per index. The process is not destructive and should not remove existing data, but it can consume significant cluster resources. Plan capacity accordingly.

application/json

Body Required

Alerts migration parameters

  • index array[string(nonempty)] Required

    Array of index names to migrate.

    At least 1 element. Minimum length of each is 1.

  • requests_per_second integer

    The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.

    Minimum value is 1.

  • size integer

    Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.

    Minimum value is 1.

  • slices integer

    The number of subtasks for the migration task. Corresponds to slices on the Reindex API.

    Minimum value is 1.

Responses

POST /api/detection_engine/signals/migration
curl \
 --request POST 'https://localhost:5601/api/detection_engine/signals/migration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"index":[".siem-signals-default-000001"]}'
Request example
{
  "index": [
    ".siem-signals-default-000001"
  ]
}
Response examples (200)
{
  "indices": [
    {
      "index": ".siem-signals-default-000001",
      "migration_id": "923f7c50-505f-11eb-ae0a-3fa2e626a51d",
      "migration_index": ".siem-signals-default-000001-r000016"
    }
  ]
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "[request body].index: at least one index name is required to start a migration",
  "statusCode": 400
}
Response examples (401)
{
  "error": "Unauthorized",
  "message": "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (500)
{
  "message": "Internal Server Error",
  "status_code": 500
}
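
Added example (not part of the Kibana documentation or Elastic's code): a client-side check of the body constraints listed above, run before a resource-intensive migration is started, plus a helper that reads the 200 response. The function names, the rejection of wildcards and of names outside `.siem-signals-`, and the sample values are assumptions of this example.

```python
import json
import re
from urllib.parse import quote

LEGACY_PREFIX = ".siem-signals-"  # the page scopes this API to legacy .siem-signals-* indices


def build_migration_request(indices, space_id=None, **throttle):
    """Return (path, json_body) for the migration call, or raise ValueError."""
    if not isinstance(indices, (list, tuple)) or len(indices) < 1:
        raise ValueError("index: at least 1 element is required")
    for name in indices:
        if not isinstance(name, str) or len(name) < 1:
            raise ValueError("index: each name must be a non-empty string")
        # Assumption (stricter than the schema): one concrete legacy index per entry.
        if not name.startswith(LEGACY_PREFIX) or re.search(r"[*,\s]", name):
            raise ValueError(f"index: {name!r} is not a single {LEGACY_PREFIX}* index")
    body = {"index": list(indices)}
    for key in ("requests_per_second", "size", "slices"):
        value = throttle.pop(key, None)
        if value is None:
            continue
        # bool is an int subclass in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError(f"{key}: must be an integer >= 1")
        body[key] = value
    if throttle:
        raise ValueError(f"unknown parameters: {sorted(throttle)}")
    path = "/api/detection_engine/signals/migration"
    if space_id is not None:
        # Percent-encode so a space id cannot alter the request path.
        path = f"/s/{quote(space_id, safe='')}{path}"
    return path, json.dumps(body)


def migration_ids(response_text):
    """Map each source index in a 200 response to its migration_id."""
    return {i["index"]: i["migration_id"] for i in json.loads(response_text)["indices"]}


if __name__ == "__main__":
    # Constructed sample values, modelled on the page's request example.
    print(build_migration_request([".siem-signals-default-000001"],
                                  space_id="default", requests_per_second=500, slices=2))
```

Recording the returned `migration_id` per index gives an audit trail of which migrations were started during the maintenance window.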