Get scheduled action results

Generally available; Added in 9.4.0

GET /api/osquery/scheduled_results/{scheduleId}/{executionCount}

Spaces method and path for this operation:

GET /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}

Refer to Spaces for more information.

Get paginated per-agent action results for a specific scheduled query execution, with success/failure aggregation and execution metadata (pack name, query name/text, timestamp).

Path parameters

  • scheduleId string Required

    The schedule ID of the scheduled query.

  • executionCount integer Required

    The execution count for this scheduled query run.

Query parameters

  • kuery string | null

    The kuery to filter the results by.

  • page integer | null

    The page number to return. The default is 1.

  • pageSize integer | null

    The number of results to return per page. The default is 20.

  • sort string | null

    The field that is used to sort the results.

    Default value is createdAt.

  • sortOrder string

    Specifies the sort order.

    Values are asc or desc.

Responses

  • 200 application/json

    Indicates a successful call.

    • aggregations object
      • failed integer

        The number of agents that returned errors.

      • pending integer

        The number of agents with pending responses.

      • successful integer

        The number of agents that completed successfully.

      • totalResponded integer

        The total number of agents that responded.

      • totalRowCount integer

        The total number of result rows across all agents.

    • currentPage integer

      The current page number (zero-based).

    • edges array[object]

      The paginated list of per-agent action results.

    • inspect object

      Debug/inspection data for the search query.

    • metadata object

      Execution metadata resolved from the pack saved object.

      • executionCount integer

        The execution count for this scheduled query run.

      • packId string

        The ID of the pack containing the query.

      • packName string

        The name of the pack containing the query.

      • queryName string

        The name of the query within the pack.

      • queryText string

        The SQL query that was executed.

      • scheduleId string

        The schedule ID for the scheduled query.

      • timestamp string

        The timestamp of the most recent response for this execution.

    • pageSize integer

      The number of results per page.

    • total integer

      The total number of action results.

    • totalPages integer

      The total number of pages.

GET /api/osquery/scheduled_results/{scheduleId}/{executionCount}

curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/scheduled_results/pack_my_pack_uptime/3' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "aggregations": {
    "failed": 1,
    "pending": 0,
    "successful": 9,
    "totalResponded": 10,
    "totalRowCount": 42
  },
  "currentPage": 0,
  "edges": [
    {
      "_id": "result-001",
      "fields": {
        "agent_id": "16d7caf5-efd2-4212-9b62-73dafc91fa13",
        "rows_count": 5,
        "status": "success"
      }
    }
  ],
  "metadata": {
    "executionCount": 3,
    "packId": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
    "packName": "My Pack",
    "queryName": "uptime",
    "queryText": "select * from uptime;",
    "scheduleId": "pack_my_pack_uptime",
    "timestamp": "2024-07-26T09:00:00.000Z"
  },
  "pageSize": 20,
  "total": 10,
  "totalPages": 1
}
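
The following Python sketch is an added example, not part of the Kibana documentation or Elastic's code. It pages through this endpoint and lists the agents whose status is not "success", which is how a gap in scheduled-query coverage shows up. The names build_path, collect and fake_fetch are hypothetical, the sample agents and the "failed" status value are constructed, and it assumes page numbering starts at the documented default of 1; in real use, fetch would perform the authenticated GET shown above and return the parsed JSON.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

def build_path(schedule_id, execution_count, page=1, page_size=20, space_id=None):
    """Request path with percent-encoded segments, so an ID cannot add path parts."""
    prefix = "/s/" + quote(space_id, safe="") if space_id else ""
    path = "{}/api/osquery/scheduled_results/{}/{}".format(
        prefix, quote(schedule_id, safe=""), int(execution_count))
    return path + "?" + urlencode({"page": page, "pageSize": page_size})

def collect(fetch, schedule_id, execution_count, page_size=20, first_page=1):
    """Walk every page via fetch(path) -> dict and summarise agent coverage."""
    edges, page = [], first_page
    while True:
        body = fetch(build_path(schedule_id, execution_count, page, page_size))
        edges.extend(body["edges"])
        page += 1
        # Stop after totalPages pages, or early if a page comes back empty.
        if page - first_page >= body["totalPages"] or not body["edges"]:
            break
    agg = body["aggregations"]
    return {
        "query": body["metadata"]["queryText"],
        "agents_seen": len(edges),
        "complete": len(edges) == body["total"],  # False means results were missed
        "failed": agg["failed"],
        "pending": agg["pending"],
        "not_ok_agents": [e["fields"]["agent_id"] for e in edges
                          if e["fields"].get("status") != "success"],
    }

# Constructed sample data (not real output): three agents served two per page.
AGENTS = [("agent-a", "success"), ("agent-b", "failed"), ("agent-c", "success")]

def fake_fetch(path):
    """Offline stand-in for the HTTP call; serves AGENTS according to ?page=."""
    page = int(parse_qs(urlsplit(path).query)["page"][0])
    chunk = AGENTS[(page - 1) * 2: page * 2]
    return {
        "aggregations": {"failed": 1, "pending": 0, "successful": 2,
                         "totalResponded": 3, "totalRowCount": 10},
        "edges": [{"_id": "r-" + a, "fields": {"agent_id": a, "status": s}}
                  for a, s in chunk],
        "metadata": {"queryText": "select * from uptime;"},
        "pageSize": 2, "total": 3, "totalPages": 2,
    }

if __name__ == "__main__":
    print(collect(fake_fetch, "pack_my_pack_uptime", 3, page_size=2))
```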