POST /api/osquery/saved_queries

Spaces method and path for this operation:

post /s/{space_id}/api/osquery/saved_queries

Refer to Spaces for more information.

Create and save a query for later use.

application/json

Body Required

  • description string

    The saved query description.

  • ecs_mapping object

    Map osquery results columns or static values to Elastic Common Schema (ECS) fields. The object is keyed by ECS field name (for example, host.uptime); each value is an object that describes the mapping. In the request example below, field names the osquery result column whose value populates the ECS field.

  • id string

    The ID of a saved query.

  • interval string

    An interval, in seconds, on which to run the query.

  • platform string

    Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

  • query string

    The osquery SQL statement to run. It is stored as written and executed on every agent the saved query is later run against, so validate it before saving.

  • removed boolean

    Indicates whether the query is removed.

  • snapshot boolean

    Indicates whether the query is a snapshot.

  • version string

    Restricts the query to osquery versions greater than or equal to the specified version string.

  • timeout integer

    The query timeout in seconds (sent in the request example below and echoed in the response).

Responses

  • 200 application/json

    Indicates a successful call.

    • data object Required

      Attributes of data:
      • created_at string(date-time)
      • created_by string | null
      • created_by_profile_uid string
      • description string

        The saved query description.

      • ecs_mapping object

        Map osquery results columns or static values to Elastic Common Schema (ECS) fields. The object is keyed by ECS field name; each value is an object that describes the mapping, as submitted in the request.

      • id string Required

        The ID of a saved query.

      • interval integer | string

        An interval, in seconds, on which to run the query. May be returned as a number or as a string, so clients should accept both.

      • platform string

        Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

      • prebuilt boolean

        Whether the saved query is prebuilt.

      • query string

        The SQL query you want to run.

      • removed boolean

        Indicates whether the query is removed.

      • saved_object_id string Required

        The saved object ID of the saved query.

      • snapshot boolean

        Indicates whether the query is a snapshot.

      • timeout integer

        The query timeout in seconds.

      • updated_at string(date-time)
      • updated_by string | null
      • updated_by_profile_uid string
      • version integer | string

        The version value stored for the saved query (the osquery version constraint supplied in the request). May be returned as a number or as a string.

POST /api/osquery/saved_queries
curl \
 --request POST 'https://<KIBANA_URL>/api/osquery/saved_queries' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"Saved query description","ecs_mapping":{"host.uptime":{"field":"total_seconds"}},"id":"my_saved_query","interval":"60","platform":"linux,darwin","query":"select * from uptime;","timeout":120}'
Request example
{
  "description": "Saved query description",
  "ecs_mapping": {
    "host.uptime": {
      "field": "total_seconds"
    }
  },
  "id": "my_saved_query",
  "interval": "60",
  "platform": "linux,darwin",
  "query": "select * from uptime;",
  "timeout": 120
}
Response examples (200)
{
  "data": {
    "created_at": "2025-02-26T13:37:30.452Z",
    "created_by": "elastic",
    "description": "Saved query description",
    "ecs_mapping": {
      "host.uptime": {
        "field": "total_seconds"
      }
    },
    "id": "my_saved_query",
    "interval": "60",
    "platform": "linux,darwin",
    "query": "select * from uptime;",
    "saved_object_id": "42ba1280-2172-11ee-8523-5765fca79a3c",
    "timeout": 120,
    "updated_at": "2025-02-26T13:37:30.452Z",
    "updated_by": "elastic"
  }
}
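The helpers below are an added example (not code from the page or from Kibana) that builds and validates the request body documented above, sends it to the space-scoped or default path, and normalises the 200 response, including the documented case where interval or version comes back as either a number or a string. Assumptions that are not stated on the page: the platform tokens linux, darwin and windows are the accepted values; a static ECS mapping uses a value key beside the documented field key; the API key is sent with the ApiKey authorization scheme and a kbn-xsrf header accompanies the POST; the saved-query id grammar is letters, digits, underscore and hyphen. The opener parameter and canned_opener helper exist only so the client can be exercised offline against the page's own response example.

```python
"""Client helpers for POST /api/osquery/saved_queries (added example)."""
import io
import json
import re
import urllib.request
from typing import Any, Callable, Dict, Optional

# Assumed, not taken from the page: accepted platform tokens, id grammar, and
# that a static ECS mapping is written with "value" instead of "field".
ALLOWED_PLATFORMS = {"linux", "darwin", "windows"}
SAVED_QUERY_ID_RE = re.compile(r"[A-Za-z0-9_\-]+")
ECS_FIELD_RE = re.compile(r"[a-z0-9_]+(\.[a-z0-9_]+)*")   # e.g. host.uptime
VERSION_RE = re.compile(r"\d+(\.\d+)*")                    # e.g. 5.8.0

Opener = Callable[[urllib.request.Request], Any]


def saved_queries_path(space_id: Optional[str] = None) -> str:
    """Endpoint path; space-scoped (/s/{space_id}/...) when a space is given."""
    base = "/api/osquery/saved_queries"
    return f"/s/{space_id}{base}" if space_id else base


def build_saved_query(query_id: str, query: str, *, description: Optional[str] = None,
                      interval: Any = None, platform: Optional[str] = None,
                      ecs_mapping: Optional[Dict[str, Any]] = None,
                      version: Optional[str] = None, timeout: Any = None,
                      snapshot: Optional[bool] = None,
                      removed: Optional[bool] = None) -> Dict[str, Any]:
    """Validate caller input and return the request body documented above."""
    if not SAVED_QUERY_ID_RE.fullmatch(query_id):
        raise ValueError("id must contain only letters, digits, '_' or '-'")
    if not query.strip():
        raise ValueError("query must not be empty")
    body: Dict[str, Any] = {"id": query_id, "query": query.strip()}
    if description is not None:
        body["description"] = description
    if interval is not None:
        if int(interval) <= 0:
            raise ValueError("interval must be a positive number of seconds")
        body["interval"] = str(int(interval))  # documented request type is string
    if platform is not None:
        tokens = [t.strip() for t in platform.split(",") if t.strip()]
        unknown = sorted(set(tokens) - ALLOWED_PLATFORMS)
        if unknown or not tokens:
            raise ValueError(f"unknown platform(s): {unknown}")
        body["platform"] = ",".join(tokens)
    if ecs_mapping is not None:
        for ecs_field, spec in ecs_mapping.items():
            if not ECS_FIELD_RE.fullmatch(ecs_field):
                raise ValueError(f"not an ECS field name: {ecs_field!r}")
            if not isinstance(spec, dict) or not any(k in spec for k in ("field", "value")):
                raise ValueError(f"mapping for {ecs_field} needs 'field' or 'value'")
        body["ecs_mapping"] = ecs_mapping
    if version is not None:
        if not VERSION_RE.fullmatch(version):
            raise ValueError("version must be dotted digits, e.g. 5.8.0")
        body["version"] = version
    if timeout is not None:
        if int(timeout) <= 0:
            raise ValueError("timeout must be a positive number of seconds")
        body["timeout"] = int(timeout)
    if snapshot is not None:
        body["snapshot"] = bool(snapshot)
    if removed is not None:
        body["removed"] = bool(removed)
    return body


def parse_saved_query_response(raw: str) -> Dict[str, Any]:
    """Normalise a 200 body: interval and version may be a number or a string."""
    data = json.loads(raw)["data"]
    result: Dict[str, Any] = {"id": data["id"], "saved_object_id": data["saved_object_id"]}
    if "interval" in data:
        result["interval"] = int(data["interval"])
    if "version" in data:
        result["version"] = str(data["version"])
    if "query" in data:
        result["query"] = data["query"]
    return result


def create_saved_query(kibana_url: str, api_key: str, body: Dict[str, Any],
                       space_id: Optional[str] = None,
                       opener: Opener = urllib.request.urlopen) -> Dict[str, Any]:
    """POST the body and return the normalised response."""
    req = urllib.request.Request(
        kibana_url.rstrip("/") + saved_queries_path(space_id),
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"ApiKey {api_key}",  # assumed: Elastic API-key scheme
            "Content-Type": "application/json",
            "kbn-xsrf": "true",                    # assumed: Kibana XSRF header on POST
        },
    )
    with opener(req) as resp:
        return parse_saved_query_response(resp.read().decode("utf-8"))


def canned_opener(response_body: bytes) -> Opener:
    """Opener that serves a fixed body instead of contacting Kibana (offline use)."""
    return lambda _req: io.BytesIO(response_body)


# Constructed from the page's 200 example above; not a live capture.
SAMPLE_RESPONSE = json.dumps({"data": {
    "created_at": "2025-02-26T13:37:30.452Z", "created_by": "elastic",
    "description": "Saved query description",
    "ecs_mapping": {"host.uptime": {"field": "total_seconds"}},
    "id": "my_saved_query", "interval": "60", "platform": "linux,darwin",
    "query": "select * from uptime;",
    "saved_object_id": "42ba1280-2172-11ee-8523-5765fca79a3c", "timeout": 120,
    "updated_at": "2025-02-26T13:37:30.452Z", "updated_by": "elastic"}}).encode()

if __name__ == "__main__":
    req_body = build_saved_query("my_saved_query", "select * from uptime;",
                                 description="Saved query description", interval="60",
                                 platform="linux,darwin",
                                 ecs_mapping={"host.uptime": {"field": "total_seconds"}},
                                 timeout=120)
    print(create_saved_query("https://kibana.example", "dummy", req_body,
                             space_id="security", opener=canned_opener(SAMPLE_RESPONSE)))
```

To run against a real deployment, drop the opener argument so urllib's default urlopen is used; the function then raises urllib.error.HTTPError on any non-2xx status, which is where a 400 from a rejected body or a 403 from an API key without osquery write privileges will surface.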