Get saved queries

GET /api/osquery/saved_queries

Api key auth

Spaces method and path for this operation:

get /s/{space_id}/api/osquery/saved_queries

Refer to Spaces for more information.

Get a list of all saved queries.

Query parameters

page integer | null

The page number to return.
pageSize integer | null

The number of results to return per page.
sort string | null

The field to sort results by.

Default value is createdAt.
sortOrder string

The sort order.

Values are asc or desc.

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- data array[object] Required
  
  An array of saved query objects.
  
  Hide data attributes Show data attributes object
  
  created_at string(date-time)
  
  created_by string | null
  
  created_by_profile_uid string
  
  description string
  
  The saved query description.
  
  ecs_mapping object
  
  Map osquery results columns or static values to Elastic Common Schema (ECS) fields
  
  Hide ecs_mapping attribute Show ecs_mapping attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
  
  id string Required
  
  The ID of a saved query.
  
  interval integer | string
  
  One of:
  integer-1 integer string-2 string
  
  platform string
  
  Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
  
  prebuilt boolean
  
  query string
  
  The SQL query you want to run.
  
  removed boolean
  
  Indicates whether the query is removed.
  
  saved_object_id string Required
  
  snapshot boolean
  
  Indicates whether the query is a snapshot.
  
  timeout integer
  
  updated_at string(date-time)
  
  updated_by string | null
  
  updated_by_profile_uid string
  
  version integer | string
  
  One of:
  integer-1 integer string-2 string
- page integer Required
  
  The current page number.
- per_page integer Required
  
  The number of results per page.
- total integer Required
  
  The total number of saved queries.

GET /api/osquery/saved_queries

curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/saved_queries' \
 --header "Authorization: $API_KEY"

Get saved queries

Query parameters

Responses

value string | array[string]

interval integer | string

version integer | string