GET /api/osquery/live_queries

Spaces method and path for this operation:

get /s/{space_id}/api/osquery/live_queries

Refer to Spaces for more information.

Get a list of all live queries.

Query parameters

  • kuery string | null

    A KQL search string to filter live queries.

  • page integer | null

    The page number to return.

  • pageSize integer | null

    The number of results to return per page.

  • sort string | null

    The field to sort results by.

    Default value is createdAt.

  • sortOrder string

    The sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    Indicates a successful call.

    • data object
      • items array[object]

        An array of live query action items.

        • _source object
          • @timestamp string(date-time)
          • action_id string
          • agents array[string]
          • expiration string(date-time)
          • pack_id string
          • queries array[object]
            • action_id string
            • agents array[string]
            • ecs_mapping object

              Maps osquery result columns or static values to Elastic Common Schema (ECS) fields. Each key is an ECS field name; its value is an object naming the source, either an osquery result column (field, as in the response example below) or a static value.

            • id string
            • query string
            • saved_query_id string
          • result_counts object

            Result count statistics (present when withResultCounts is true).

            • error_agents integer
            • responded_agents integer
            • successful_agents integer
            • total_rows integer
          • user_id string
      • total integer

        The total number of live queries.

GET /api/osquery/live_queries
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/live_queries' \
 --header "Authorization: $API_KEY"
Response example (200)
{
  "data": {
    "items": [
      {
        "_source": {
          "@timestamp": "2023-10-31T00:00:00Z",
          "action_id": "3c42c847-eb30-4452-80e0-728584042334",
          "agents": [
            "16d7caf5-efd2-4212-9b62-73dafc91fa13"
          ],
          "expiration": "2023-10-31T00:00:00Z",
          "queries": [
            {
              "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
              "agents": [
                "16d7caf5-efd2-4212-9b62-73dafc91fa13"
              ],
              "ecs_mapping": {
                "host.uptime": {
                  "field": "total_seconds"
                }
              },
              "id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
              "query": "select * from uptime;",
              "saved_query_id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
            }
          ],
          "user_id": "elastic"
        }
      }
    ],
    "total": 1
  }
}
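Because a live query runs arbitrary osquery SQL on every targeted agent, this listing is the audit trail of who ran what, where. The following Python script is an added example, not part of this page or of Kibana's own client libraries: it walks every page of the endpoint and reduces the result to an audit summary (queries per user_id, distinct agents targeted, and any query that reads from a watchlist of tables). It assumes the page parameter is 1-based, that the Authorization header value is passed ready-made exactly as in the curl example above, and it uses a constructed two-page sample response plus a hypothetical table watchlist of its own; the network path is only taken when KIBANA_URL and API_KEY are set.

```python
"""Audit osquery live queries listed by GET /api/osquery/live_queries.

Added example, not Kibana client code. Assumes the documented response shape
(data.items[]._source, data.total), a 1-based `page` parameter, and an
Authorization value supplied ready-made as in the page's curl example.
"""
import json
import os
import re
import urllib.parse
import urllib.request
from collections import Counter

# Hypothetical watchlist for this example: ad hoc reads of these tables are
# worth a second look by whoever reviews live query activity.
WATCHLIST_TABLES = {"shell_history", "users", "file", "process_open_sockets"}

# Crude table extractor: every identifier that follows FROM in the SQL text.
TABLE_RE = re.compile(r"\bfrom\s+([A-Za-z_][A-Za-z0-9_]*)", re.IGNORECASE)


def tables_in(query):
    """Lower-cased set of table names referenced after FROM."""
    return {m.group(1).lower() for m in TABLE_RE.finditer(query)}


def kibana_fetcher(kibana_url, authorization, kuery=None, page_size=100):
    """Build fetch(page) -> parsed JSON for the endpoint (needs network)."""
    def fetch(page):
        params = {"page": page, "pageSize": page_size,
                  "sort": "createdAt", "sortOrder": "desc"}
        if kuery:
            params["kuery"] = kuery  # KQL filter, e.g. 'user_id: analyst'
        url = (kibana_url.rstrip("/") + "/api/osquery/live_queries?"
               + urllib.parse.urlencode(params))
        req = urllib.request.Request(url, headers={"Authorization": authorization})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def iter_live_queries(fetch, page_size=100):
    """Yield each item's _source across all pages.

    Stops on data.total, on an empty page, or on a short page, so a server
    reporting an inconsistent total cannot make the loop spin forever."""
    page, seen = 1, 0
    while True:
        data = fetch(page)["data"]
        items = data.get("items", [])
        if not items:
            return
        for item in items:
            seen += 1
            yield item["_source"]
        if seen >= data.get("total", 0) or len(items) < page_size:
            return
        page += 1


def audit(sources):
    """Summarise who ran what: queries per user, distinct agents, watchlist hits."""
    per_user, agents, hits = Counter(), set(), []
    for src in sources:
        per_user[src.get("user_id", "<unknown>")] += 1
        agents.update(src.get("agents", []))
        for q in src.get("queries", []):
            found = tables_in(q.get("query", "")) & WATCHLIST_TABLES
            if found:
                hits.append({"action_id": src.get("action_id"),
                             "user_id": src.get("user_id"),
                             "query": q.get("query"), "tables": sorted(found),
                             "agents": len(q.get("agents", []))})
    return {"per_user": dict(per_user), "agent_count": len(agents),
            "watchlist_hits": hits}


# Constructed sample: two pages (pageSize=2, total=3) in the documented shape.
_A1 = "16d7caf5-efd2-4212-9b62-73dafc91fa13"
_A2 = "9d1f0c2e-0000-4000-8000-000000000002"
SAMPLE_PAGES = {
    1: {"data": {"total": 3, "items": [
        {"_source": {"action_id": "act-1", "user_id": "elastic", "agents": [_A1],
                     "queries": [{"id": "q1", "agents": [_A1],
                                  "query": "select * from uptime;"}]}},
        {"_source": {"action_id": "act-2", "user_id": "analyst", "agents": [_A1, _A2],
                     "queries": [{"id": "q2", "agents": [_A1, _A2],
                                  "query": "SELECT * FROM shell_history;"}]}}]}},
    2: {"data": {"total": 3, "items": [
        {"_source": {"action_id": "act-3", "user_id": "analyst", "agents": [_A2],
                     "queries": [{"id": "q3", "agents": [_A2], "query":
                                  "select path, size from file where path like '/etc/%';"}]}}]}},
}


def run_sample():
    """Audit the constructed pages without touching the network."""
    return audit(iter_live_queries(lambda page: SAMPLE_PAGES[page], page_size=2))


if __name__ == "__main__":
    if os.environ.get("KIBANA_URL") and os.environ.get("API_KEY"):
        fetch = kibana_fetcher(os.environ["KIBANA_URL"], os.environ["API_KEY"])
        print(json.dumps(audit(iter_live_queries(fetch)), indent=2))
    else:
        print(json.dumps(run_sample(), indent=2))
```

The pagination loop deliberately treats data.total as a hint rather than a promise: it also stops on an empty or short page, which is the check you want when the index behind the listing changes between requests. The table extractor is intentionally simple (it only looks at identifiers after FROM), so treat the watchlist hits as a starting point for review, not as a complete classifier of what a query touches.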