Spaces method and path for this operation:
Refer to Spaces for more information.
Get a list of all saved Timelines or Timeline templates.
Query parameters
-
If
true, only Timelines that the current user has marked as favorite are returned.Values are
trueorfalse. -
Restrict results to
defaultinvestigation timelines ortemplatetimeline templates.Values are
defaultortemplate. -
Field used to sort the list (
title,description,updated, orcreated).Values are
title,description,updated, orcreated. -
Whether to sort the results
ascendingordescendingValues are
ascordesc. -
How many results should returned at once
-
How many pages should be skipped
-
Allows to search for timelines by their title
-
Filter by timeline lifecycle state (
active,draft, orimmutable).Values are
active,draft, orimmutable.
Responses
-
Indicates a successful call.
Hide response attributes Show response attributes object
-
The amount of custom Timeline templates in the results
-
The amount of
defaulttype Timelines in the results -
The amount of Elastic's Timeline templates in the results
-
The amount of favorited Timelines
-
The amount of Timeline templates in the results
-
Hide timeline attributes Show timeline attributes object
-
The Timeline's columns
Hide columns attributes Show columns attributes object
-
The time the Timeline was created, using a 13-digit Epoch timestamp.
-
The user who created the Timeline.
-
Object containing query clauses
Hide dataProviders attributes Show dataProviders attributes object
-
Hide and attributes Show and attributes object
-
Hide queryMatch attributes Show queryMatch attributes object
-
The type of data provider.
Values are
defaultortemplate.
-
-
ID of the Timeline's Data View
-
The Timeline's search period.
Hide dateRange attributes Show dateRange attributes object | null
-
The Timeline's description
-
EQL query that is used in the correlation tab
Hide eqlOptions attributes Show eqlOptions attributes object | null
-
Event types displayed in the Timeline
-
A list of row renderers that should not be used when in
Event renderersmodeValues are
alert,alerts,auditd,auditd_file,library,netflow,plain,registry,suricata,system,system_dns,system_endgame_process,system_file,system_fim,system_security_event,system_socket,threat_match, orzeek. -
A list of filters that should be applied to the query
Hide filters attributes Show filters attributes object
-
A list of index names to use in the query (e.g. when the default data view has been modified)
-
Indicates whether the KQL bar filters the query results or searches for additional results, where:
filter: filters query resultssearch: displays additional search results
-
KQL bar query.
Hide kqlQuery attribute Show kqlQuery attribute object
-
The ID of the saved query that might be used in the Query tab
-
The ID of the saved search that is used in the ES|QL tab
-
The status of the Timeline.
Values are
active,draft, orimmutable. -
A unique ID (UUID) for Timeline templates. For Timelines, the value is
null. -
Timeline template version number. For Timelines, the value is
null. -
The type of Timeline.
Values are
defaultortemplate. -
The Timeline's title.
-
The last time the Timeline was updated, using a 13-digit Epoch timestamp
-
The user who last updated the Timeline
-
The
savedObjectIdof the Timeline or Timeline template -
The version of the Timeline or Timeline template
-
A list of all the notes that are associated to this Timeline.
Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
-
The time the note was created, using a 13-digit Epoch timestamp.
-
The user who created the note.
-
The last time the note was updated, using a 13-digit Epoch timestamp
-
The user who last updated the note
-
Elasticsearch document
_idfor the event or alert this note refers to. Same value as thedocumentIdsquery parameter when fetching notes via GET /api/note. -
The text of the note
-
The
savedObjectIdof the Timeline this note belongs to (not the note's own ID). -
The
savedObjectIdof the note -
The version of the note
-
-
A list of all the ids of notes that are associated to this Timeline.
-
A list of all the notes that are associated to this Timeline.
Hide notes attributes Show notes attributes object
-
The time the note was created, using a 13-digit Epoch timestamp.
-
The user who created the note.
-
The last time the note was updated, using a 13-digit Epoch timestamp
-
The user who last updated the note
-
Elasticsearch document
_idfor the event or alert this note refers to. Same value as thedocumentIdsquery parameter when fetching notes via GET /api/note. -
The text of the note
-
The
savedObjectIdof the Timeline this note belongs to (not the note's own ID). -
The
savedObjectIdof the note -
The version of the note
-
-
A list of all the ids of pinned events that are associated to this Timeline.
-
A list of all the pinned events that are associated to this Timeline.
Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
-
The time the pinned event was created, using a 13-digit Epoch timestamp.
-
The user who created the pinned event.
-
The last time the pinned event was updated, using a 13-digit Epoch timestamp
-
The user who last updated the pinned event
-
The
_idof the associated event for this pinned event. -
The
savedObjectIdof the timeline that this pinned event is associated with -
The
savedObjectIdof this pinned event -
The version of this pinned event
-
-
-
The total amount of results
-
-
Bad Request response.
curl \
--request GET 'https://<KIBANA_URL>/api/timelines' \
--header "Authorization: $API_KEY"{
"customTemplateTimelineCount": 0,
"defaultTimelineCount": 1,
"elasticTemplateTimelineCount": 0,
"favoriteCount": 0,
"templateTimelineCount": 0,
"timeline": [
{
"savedObjectId": "15c1929b-0af7-42bd-85a8-56e234cc7c4e",
"status": "active",
"timelineType": "default",
"title": "Phishing investigation",
"updated": 1741344876825,
"version": "WzE0LDFd"
}
],
"totalCount": 1
}{
"body": "get timeline error",
"statusCode": 400
}