GET /api/osquery/live_queries

Spaces method and path for this operation:

get /s/{space_id}/api/osquery/live_queries

Refer to Spaces for more information.

Get a list of all live queries.

Query parameters

  • kuery string | null

    A KQL search string to filter live queries.

  • page integer | null

    The page number to return.

  • pageSize integer | null

    The number of results to return per page.

  • sort string | null

    The field to sort results by.

    Default value is createdAt.

  • sortOrder string

    The sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    Indicates a successful call.

    • data object
      • items array[object]

        An array of live query action items.

        • _source object
          • @timestamp string(date-time)
          • action_id string
          • agents array[string]
          • expiration string(date-time)
          • pack_id string
          • queries array[object]
            • action_id string
            • agents array[string]
            • ecs_mapping object

              Map osquery results columns or static values to Elastic Common Schema (ECS) fields

              • * object Additional properties
            • id string
            • query string
            • saved_query_id string
          • result_counts object

            Result count statistics (present when withResultCounts is true).

            Hide result_counts attributes Show result_counts attributes object
            • error_agents integer
            • responded_agents integer
            • successful_agents integer
            • total_rows integer
          • user_id string
      • total integer

        The total number of live queries.

GET /api/osquery/live_queries
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/live_queries' \
 --header "Authorization: $API_KEY"
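The following is an added example, not Kibana's own client code or a sample from this reference. It builds the request URL from the query parameters listed above (Spaces path form included, sortOrder validated against the documented asc/desc values, unset parameters left out so the server default sort=createdAt applies), pages through results using the documented data.total field, and flattens each items[]._source entry into an analyst summary: who launched the action, how many agents and queries it carried, whether it has expired relative to a reference time, and the result_counts when present. Assumptions, all labelled in the code: the API key string already carries its scheme prefix as in the curl example above; page numbering starts at 1; the response body below is a constructed sample, and build_live_queries_request, iter_live_queries, summarize_live_query, sample_fetch_page and summarize_all are hypothetical helper names.

```python
"""Added example (not from the Kibana reference): request building, paging and
summarising for GET /api/osquery/live_queries. The sample response is constructed."""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode

VALID_SORT_ORDERS = {"asc", "desc"}  # the documented sortOrder values


def build_live_queries_request(kibana_url: str, api_key: str, *,
                               space_id: Optional[str] = None,
                               kuery: Optional[str] = None,
                               page: Optional[int] = None,
                               page_size: Optional[int] = None,
                               sort: Optional[str] = None,
                               sort_order: Optional[str] = None) -> Dict[str, object]:
    """Return the URL and headers for one call. Only documented parameters are
    emitted; None means "not sent" so the server default (sort=createdAt) applies.
    Assumption (matches the page's curl): api_key already includes its scheme prefix."""
    if sort_order is not None and sort_order not in VALID_SORT_ORDERS:
        raise ValueError(f"sortOrder must be one of {sorted(VALID_SORT_ORDERS)}")
    path = "/api/osquery/live_queries"
    if space_id:  # Spaces form: /s/{space_id}/api/osquery/live_queries
        path = f"/s/{space_id}{path}"
    params = {"kuery": kuery, "page": page, "pageSize": page_size,
              "sort": sort, "sortOrder": sort_order}
    query = urlencode({k: v for k, v in params.items() if v is not None})
    url = kibana_url.rstrip("/") + path + ("?" + query if query else "")
    return {"url": url, "headers": {"Authorization": api_key}}


def iter_live_queries(fetch_page: Callable[[int], Dict], first_page: int = 1) -> Iterator[Dict]:
    """Yield every items[] entry across pages. fetch_page(page) returns one parsed
    response body; it is injected so the loop runs against the sample below without
    a live Kibana. Assumption: page numbering starts at 1. Stops on the documented
    data.total or on an empty page, whichever comes first."""
    page, seen = first_page, 0
    while True:
        data = fetch_page(page)["data"]
        items, total = data["items"], data["total"]
        if not items:
            return
        for item in items:
            yield item
        seen += len(items)
        if seen >= total:
            return
        page += 1


def summarize_live_query(item: Dict, now: datetime) -> Dict[str, object]:
    """Flatten one items[] entry (_source) into what an analyst wants to see."""
    src = item["_source"]
    expiration = datetime.fromisoformat(src["expiration"].replace("Z", "+00:00"))
    counts = src.get("result_counts", {})  # only present when result counts were requested
    return {
        "action_id": src["action_id"],
        "user_id": src.get("user_id"),
        "pack_id": src.get("pack_id"),
        "agent_count": len(src.get("agents", [])),
        "query_count": len(src.get("queries", [])),
        "expired": expiration <= now,
        "responded_agents": counts.get("responded_agents"),
        "error_agents": counts.get("error_agents"),
    }


SAMPLE_ITEMS = [  # constructed sample in the documented shape, not real Kibana output
    {"_source": {
        "@timestamp": "2024-05-01T10:00:00Z", "action_id": "action-0001",
        "agents": ["agent-a", "agent-b", "agent-c"], "expiration": "2024-05-01T10:05:00Z",
        "pack_id": "pack-baseline",
        "queries": [{"action_id": "action-0001", "agents": ["agent-a", "agent-b", "agent-c"],
                     "id": "processes", "query": "SELECT name, pid FROM processes;",
                     "ecs_mapping": {"process.name": {"field": "name"}}}],
        "result_counts": {"error_agents": 1, "responded_agents": 3,
                          "successful_agents": 2, "total_rows": 412},
        "user_id": "analyst"}},
    {"_source": {
        "@timestamp": "2024-05-01T11:00:00Z", "action_id": "action-0002",
        "agents": ["agent-a"], "expiration": "2099-01-01T00:00:00Z",
        "queries": [{"action_id": "action-0002", "agents": ["agent-a"],
                     "id": "listening", "query": "SELECT * FROM listening_ports;"}],
        "user_id": "analyst"}},
]


def sample_fetch_page(page: int, page_size: int = 1) -> Dict:
    """Stand-in for the HTTP call: slices SAMPLE_ITEMS the way the server pages."""
    start = (page - 1) * page_size
    return {"data": {"items": SAMPLE_ITEMS[start:start + page_size], "total": len(SAMPLE_ITEMS)}}


def summarize_all(now_iso: str, page_size: int = 1) -> List[Dict[str, object]]:
    """Page through the sample and summarise each live query against now_iso."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return [summarize_live_query(item, now)
            for item in iter_live_queries(lambda p: sample_fetch_page(p, page_size))]


if __name__ == "__main__":
    req = build_live_queries_request("https://kibana.example", "ApiKey <redacted>",
                                     space_id="security", page=1, page_size=50, sort_order="desc")
    print(req["url"])
    for row in summarize_all(datetime.now(timezone.utc).isoformat()):
        print(row)
```

To run it against a real deployment, replace sample_fetch_page with a function that issues the URL from build_live_queries_request (adding page and pageSize per call) and returns the parsed JSON; the paging and summary code need no change. Keep the API key out of the URL and out of logs: it travels only in the Authorization header, as the curl example above does.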