POST /api/entity_store/enable

Spaces method and path for this operation:

POST /s/{space_id}/api/entity_store/enable

Refer to Spaces for more information.

Initialize the entire Entity Store, creating engines for all or specified entity types.

application/json

Body Required

Configuration for the entity store initialization.

  • delay string

    The delay before the transform will run.

    Format should match the following pattern: [smdh]$. Default value is 1m.

  • docsPerSecond integer

    The number of documents per second to process.

    Default value is -1.

  • enrichPolicyExecutionInterval string

    Interval at which the enrich policy runs. For example, "1h" means the rule runs every hour. Must be less than or equal to half the duration of the lookback period.

    Format should match the following pattern: ^[1-9]\d*[smh]$.

  • entityTypes array[string]

    The type of entity.

    Values are user, host, service, or generic.

  • fieldHistoryLength integer

    The number of historical values to keep for each field.

    Default value is 10.

  • filter string

  • frequency string

    The frequency at which the transform will run.

    Format should match the following pattern: [smdh]$. Default value is 1m.

  • indexPattern string

    An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs.

  • lookbackPeriod string

    The amount of time the transform looks back to calculate the aggregations.

    Format should match the following pattern: [smdh]$. Default value is 3h.

  • maxPageSearchSize integer

    The initial page size to use for the composite aggregation of each checkpoint.

    Default value is 500.

  • timeout string

    The timeout for initializing the aggregating transform.

    Format should match the following pattern: [smdh]$. Default value is 180s.

  • timestampField string

    The field to use as the timestamp.

    Default value is @timestamp.
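
The constraints in the parameter list above can be checked client-side before the request is sent. This is an added example, not part of the original documentation or of Kibana's code; the function names and sample bodies are constructed, and it assumes durations are written as an integer followed by a unit and that an omitted lookbackPeriod takes the documented request default of 3h.

```python
import re

# Patterns, enum values and defaults copied from the parameter list above.
SUFFIX_ONLY = re.compile(r"[smdh]$")  # delay, frequency, lookbackPeriod, timeout
ENRICH_INTERVAL = re.compile(r"[1-9]\d*[smh]")  # used with fullmatch, i.e. ^...$
ENTITY_TYPES = {"user", "host", "service", "generic"}
DEFAULT_LOOKBACK = "3h"
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
INTEGER_FIELDS = ("docsPerSecond", "fieldHistoryLength", "maxPageSearchSize")

def to_seconds(value):
    """Convert '<integer><unit>' to seconds; None if the value is not in that form.
    Assumption: the documented pattern only fixes the final unit character."""
    m = re.fullmatch(r"(\d+)([smhd])", value)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)] if m else None

def validate_enable_body(body):
    """Return a list of problems found in a request body (empty list means OK)."""
    problems = []
    for field in ("delay", "frequency", "lookbackPeriod", "timeout"):
        value = body.get(field)
        if value is not None and not (isinstance(value, str) and SUFFIX_ONLY.search(value)):
            problems.append(f"{field}: must be a string ending in s, m, d or h")
    for field in INTEGER_FIELDS:
        value = body.get(field)
        # bool is a subclass of int in Python, so reject it explicitly
        if value is not None and (isinstance(value, bool) or not isinstance(value, int)):
            problems.append(f"{field}: must be an integer")
    unknown = [t for t in body.get("entityTypes", []) if t not in ENTITY_TYPES]
    if unknown:
        problems.append(f"entityTypes: unsupported values {unknown}")
    interval = body.get("enrichPolicyExecutionInterval")
    if interval is not None:
        if not (isinstance(interval, str) and ENRICH_INTERVAL.fullmatch(interval)):
            problems.append("enrichPolicyExecutionInterval: must match ^[1-9]\\d*[smh]$")
        else:
            lookback = body.get("lookbackPeriod", DEFAULT_LOOKBACK)
            lookback_s = to_seconds(lookback) if isinstance(lookback, str) else None
            # Documented rule: interval <= half of the lookback period
            if lookback_s is not None and to_seconds(interval) * 2 > lookback_s:
                problems.append("enrichPolicyExecutionInterval: exceeds half of lookbackPeriod")
    return problems

# Constructed sample bodies (not taken from a real deployment).
GOOD = {"delay": "1m", "entityTypes": ["user"],
        "enrichPolicyExecutionInterval": "1h", "lookbackPeriod": "3h"}
BAD = {"delay": "soon", "entityTypes": ["user", "device"], "docsPerSecond": "-1",
       "enrichPolicyExecutionInterval": "2h", "lookbackPeriod": "3h"}
```

`validate_enable_body(GOOD)` returns an empty list; `validate_enable_body(BAD)` reports the delay, docsPerSecond, entityTypes and enrichPolicyExecutionInterval fields.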

Responses

  • 200 application/json

    Successful response

    • engines array[object]

      The engine descriptors created during initialization.

      Describes a single entity engine, including its configuration and current status.

      • delay string

        The delay before the transform processes new data, allowing late-arriving documents to be included.

        Format should match the following pattern: [smdh]$. Default value is 1m.

      • docsPerSecond integer

        Throttle value for the number of documents processed per second. Use -1 for no throttle.

      • error object

        Present when the engine status is error. Describes the failure.

        • action string Required

          The lifecycle action that caused the error.

          Value is init.

        • message string Required

          A human-readable error message.

      • fieldHistoryLength integer Required

        The number of historical values retained per field.

      • filter string

        An optional Kibana Query Language (KQL) filter applied to source documents before aggregation.

      • frequency string

        How often the transform runs.

        Format should match the following pattern: [smdh]$. Default value is 1m.

      • indexPattern string Required

        An additional Elasticsearch index pattern to include as a source for entity data. Merged with the default data view indices when the engine runs.

      • lookbackPeriod string

        How far back the transform looks when calculating aggregations.

        Format should match the following pattern: [smdh]$. Default value is 24h.

      • status string Required

        The current operational status of an entity engine.

        Values are installing, started, stopped, updating, or error.

      • timeout string

        The timeout for initializing the aggregating transform.

        Format should match the following pattern: [smdh]$. Default value is 180s.

      • timestampField string

        The field used as the timestamp for source documents.

      • type string Required

        The type of entity.

        Values are user, host, service, or generic.

    • succeeded boolean

      Whether the Entity Store was initialized successfully.

  • 400

    Invalid request

POST /api/entity_store/enable
curl \
 --request POST 'https://<KIBANA_URL>/api/entity_store/enable' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"delay":"1m","docsPerSecond":-1,"enrichPolicyExecutionInterval":"1h","entityTypes":["user"],"fieldHistoryLength":10,"filter":"string","frequency":"1m","indexPattern":"logs-*","lookbackPeriod":"3h","maxPageSearchSize":500,"timeout":"180s","timestampField":"@timestamp"}'
Response examples (200)
The Entity Store was successfully initialized, creating host and user engines in the installing state.
{
  "engines": [
    {
      "delay": "1m",
      "fieldHistoryLength": 10,
      "frequency": "1m",
      "indexPattern": "",
      "lookbackPeriod": "24h",
      "status": "installing",
      "timeout": "180s",
      "timestampField": "@timestamp",
      "type": "host"
    },
    {
      "delay": "1m",
      "fieldHistoryLength": 10,
      "frequency": "1m",
      "indexPattern": "",
      "lookbackPeriod": "24h",
      "status": "installing",
      "timeout": "180s",
      "timestampField": "@timestamp",
      "type": "user"
    }
  ],
  "succeeded": true
}