POST /api/entity_store/engines/{entityType}/init
Api key auth Basic auth

Spaces method and path for this operation:

post /s/{space_id}/api/entity_store/engines/{entityType}/init

Refer to Spaces for more information.

Initialize a single entity engine for the specified entity type.

Path parameters

  • entityType string Required

    The entity type of the engine.

    Values are user, host, service, or generic.

application/json

Body Required

Schema for the engine initialization

  • delay string

    The delay before the transform will run.

    Format should match the following pattern: [smdh]$. Default value is 1m.

  • docsPerSecond integer

    The number of documents per second to process.

    Default value is -1.

  • enrichPolicyExecutionInterval string

    Interval in which enrich policy runs. For example, "1h" means the rule runs every hour. Must be less than or equal to half the duration of the lookback period,

    Format should match the following pattern: ^[1-9]\d*[smh]$.

  • fieldHistoryLength integer

    The number of historical values to keep for each field.

    Default value is 10.

  • filter string
  • frequency string

    The frequency at which the transform will run.

    Format should match the following pattern: [smdh]$. Default value is 1m.

  • indexPattern string

    An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs.

  • lookbackPeriod string

    The amount of time the transform looks back to calculate the aggregations.

    Format should match the following pattern: [smdh]$. Default value is 3h.

  • maxPageSearchSize integer

    The initial page size to use for the composite aggregation of each checkpoint.

    Default value is 500.

  • timeout string

    The timeout for initializing the aggregating transform.

    Format should match the following pattern: [smdh]$. Default value is 180s.

  • timestampField string

    The field to use as the timestamp for the entity type.

    Default value is @timestamp.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • delay string

      The delay before the transform processes new data, allowing late-arriving documents to be included.

      Format should match the following pattern: [smdh]$. Default value is 1m.

    • docsPerSecond integer

      Throttle value for the number of documents processed per second. Use -1 for no throttle.

    • error object

      Present when the engine status is error. Describes the failure.

      Hide error attributes Show error attributes object
      • action string Required

        The lifecycle action that caused the error.

        Value is init.

      • message string Required

        A human-readable error message.

    • fieldHistoryLength integer Required

      The number of historical values retained per field.

    • filter string

      An optional Kibana Query Language (KQL) filter applied to source documents before aggregation.

    • frequency string

      How often the transform runs.

      Format should match the following pattern: [smdh]$. Default value is 1m.

    • indexPattern string Required

      An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs.

    • lookbackPeriod string

      How far back the transform looks when calculating aggregations.

      Format should match the following pattern: [smdh]$. Default value is 24h.

    • status string Required

      The current operational status of an entity engine.

      Values are installing, started, stopped, updating, or error.

    • timeout string

      The timeout for initializing the aggregating transform.

      Format should match the following pattern: [smdh]$. Default value is 180s.

    • timestampField string

      The field used as the timestamp for source documents.

    • type string Required

      The type of entity.

      Values are user, host, service, or generic.
  • 400

    Invalid request

POST /api/entity_store/engines/{entityType}/init 
curl \
 --request POST 'https://localhost:5601/api/entity_store/engines/{entityType}/init' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"delay":"1m","docsPerSecond":-1,"enrichPolicyExecutionInterval":"1h","fieldHistoryLength":10,"filter":"string","frequency":"1m","indexPattern":"logs-*","lookbackPeriod":"3h","maxPageSearchSize":500,"timeout":"180s","timestampField":"@timestamp"}'
Response examples (200)
A host engine was successfully initialized and is now in the installing state. 
{
  "delay": "1m",
  "fieldHistoryLength": 10,
  "frequency": "1m",
  "indexPattern": "",
  "lookbackPeriod": "3h",
  "status": "installing",
  "timeout": "180s",
  "timestampField": "@timestamp",
  "type": "host"
}