Preview significant events (Experimental; added in 9.1.0)

POST /api/streams/{name}/significant_events/_preview

Spaces method and path for this operation:

post /s/{space_id}/api/streams/{name}/significant_events/_preview

Refer to Spaces for more information.

Preview significant event results based on a given query

Required authorization: this route requires the read_stream privilege.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • name string Required

    The name of the stream.

Query parameters

  • from string Required

    Start of the time range as an ISO 8601 date string.

  • to string Required

    End of the time range as an ISO 8601 date string.

  • bucketSize string Required

    The bucket size for aggregating events (e.g. "1m", "1h").

    Format should match the following pattern: ^(\d+)([smhd])$.

Body (application/json)

  • query object Required

    Additional properties are NOT allowed.

    • esql object Required

      Additional properties are NOT allowed.

      • query string Required

Responses

  • 200

    Significant event preview results.

POST /api/streams/{name}/significant_events/_preview
curl \
 --request POST 'https://localhost:5601/api/streams/{name}/significant_events/_preview?from=2025-01-01T00:00:00Z&to=2025-01-02T00:00:00Z&bucketSize=1h' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"query":{"esql":{"query":"FROM logs.nginx | WHERE log.level == \"error\" | STATS count = COUNT(*) BY host.name"}}}'
Request example
{
  "query": {
    "esql": {
      "query": "FROM logs.nginx | WHERE log.level == \"error\" | STATS count = COUNT(*) BY host.name"
    }
  }
}
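The following is an added example, not part of the original reference and not Kibana's own client code. It builds (without sending) a request for the endpoint described above, enforcing the documented bucketSize pattern and ISO 8601 time range, percent-encoding the stream name and optional space id, and setting the required kbn-xsrf header. The base URL, API key value and sample timestamps are constructed for illustration, and the "ApiKey <key>" authorization form is an assumption.

```python
import json
import re
from datetime import datetime
from urllib.parse import quote, urlencode

# Pattern for bucketSize as documented above.
BUCKET_SIZE_RE = re.compile(r"^(\d+)([smhd])$")


def _iso8601(ts):
    """Reject values that are not parseable ISO 8601 timestamps."""
    datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ts


def build_preview_request(base_url, stream_name, from_ts, to_ts,
                          bucket_size, esql, api_key, space_id=None):
    """Return (url, headers, body) for the preview endpoint, unsent."""
    if not BUCKET_SIZE_RE.match(bucket_size):
        raise ValueError(f"bucketSize {bucket_size!r} must match ^(\\d+)([smhd])$")
    # Optional Spaces prefix, /s/{space_id}, as documented above.
    prefix = f"/s/{quote(space_id, safe='')}" if space_id else ""
    # Stream names are percent-encoded so they cannot alter the path.
    path = (f"{prefix}/api/streams/{quote(stream_name, safe='')}"
            "/significant_events/_preview")
    query = urlencode({"from": _iso8601(from_ts), "to": _iso8601(to_ts),
                       "bucketSize": bucket_size})
    headers = {
        # Assumption: the key is presented as "ApiKey <key>".
        "Authorization": f"ApiKey {api_key}",
        "Content-Type": "application/json",
        # Required CSRF-protection header; Kibana only checks that it is present.
        "kbn-xsrf": "true",
    }
    # Body shape from the docs: {"query": {"esql": {"query": "..."}}}
    body = json.dumps({"query": {"esql": {"query": esql}}})
    return f"{base_url.rstrip('/')}{path}?{query}", headers, body


if __name__ == "__main__":
    url, hdrs, payload = build_preview_request(
        "https://localhost:5601", "logs.nginx",
        "2025-01-01T00:00:00Z", "2025-01-02T00:00:00Z", "1h",
        'FROM logs.nginx | WHERE log.level == "error" '
        '| STATS count = COUNT(*) BY host.name',
        "EXAMPLE_API_KEY", space_id="default")   # constructed sample values
    print(url, hdrs, payload, sep="\n")
```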