GET /api/osquery/live_queries/{id}/results/{actionId}
Api key auth

Spaces method and path for this operation:

get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}

Refer to Spaces for more information.

Get the results of a live query using the query action ID.

Path parameters

  • id string Required

    The ID of the live query.

  • actionId string Required

    The ID of the query action.

Query parameters

  • kuery string | null

    A KQL search string to filter results.

  • page integer | null

    The page number to return.

  • pageSize integer | null

    The number of results to return per page.

  • sort string | null

    The field to sort results by.

    Default value is createdAt.

  • sortOrder string

    The sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • data object
      Hide data attributes Show data attributes object
      • edges array[object]

        The result rows from the query execution.

        Hide edges attributes Show edges attributes object
        • _id string
        • _source object

          The Elasticsearch document source containing query results.

      • total integer

        The total number of result rows.
GET /api/osquery/live_queries/{id}/results/{actionId} 
curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/live_queries/3c42c847-eb30-4452-80e0-728584042334/results/609c4c66-ba3d-43fa-afdd-53e244577aa0' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": {
    "edges": [
      {
        "_id": "doc1",
        "_source": {
          "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
          "agent": {
            "id": "16d7caf5-efd2-4212-9b62-73dafc91fa13"
          },
          "osquery": {
            "total_seconds": "12345"
          }
        }
      },
      {
        "_id": "doc2",
        "_source": {
          "action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
          "agent": {
            "id": "16d7caf5-efd2-4212-9b62-73dafc91fa13"
          },
          "osquery": {
            "total_seconds": "67890"
          }
        }
      }
    ],
    "total": 2
  }
}