Get scheduled query results

Generally available; Added in 9.4.0

GET /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results

Spaces method and path for this operation:

GET /s/{space_id}/api/osquery/scheduled_results/{scheduleId}/{executionCount}/results

Refer to Spaces for more information.

Get paginated query result rows (the actual osquery output data) for a specific scheduled query execution.

Path parameters

  • scheduleId string Required

    The schedule ID of the scheduled query.

  • executionCount integer Required

    The execution count for this scheduled query run.

Query parameters

  • kuery string | null

    The kuery to filter the results by.

  • page integer | null

    The page number to return. The default is 1.

  • pageSize integer | null

    The number of results to return per page. The default is 20.

  • sort string | null

    The field that is used to sort the results.

    Default value is createdAt.

  • sortOrder string

    Specifies the sort order.

    Values are asc or desc.

  • startDate string

    The start date filter (ISO 8601) to narrow down results.

Responses

  • 200 application/json

    Indicates a successful call.

    • data object

      The query results data wrapper.

      • edges array[object]

        The paginated list of query result rows.

      • inspect object

        Debug/inspection data for the search query.

      • total integer

        The total number of result rows.

GET /api/osquery/scheduled_results/{scheduleId}/{executionCount}/results

curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/scheduled_results/pack_my_pack_uptime/3/results' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": {
    "edges": [
      {
        "_id": "row-001",
        "fields": {
          "host.uptime": [
            "12345"
          ]
        }
      },
      {
        "_id": "row-002",
        "fields": {
          "host.uptime": [
            "67890"
          ]
        }
      }
    ],
    "total": 2
  }
}
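
An added example, not part of the Kibana documentation: collecting every row of one execution by walking `page`/`pageSize` until `data.total` rows have been seen, and flattening each edge's `fields` arrays. The function names and the `fake_fetch` stand-in (constructed from the response example above) are hypothetical; the `Authorization` value is passed verbatim, as in the curl example.

```python
import json
import urllib.parse
import urllib.request

def results_path(schedule_id, execution_count, space_id=None):
    """Build the endpoint path; the /s/{space_id} prefix is used when a space is given."""
    prefix = f"/s/{urllib.parse.quote(space_id, safe='')}" if space_id else ""
    sid = urllib.parse.quote(schedule_id, safe="")
    return f"{prefix}/api/osquery/scheduled_results/{sid}/{int(execution_count)}/results"

def kibana_fetch(base_url, authorization):
    """Return fetch(path, params) that issues the GET and parses the JSON body."""
    def fetch(path, params):
        url = f"{base_url.rstrip('/')}{path}?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": authorization})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch

def iter_rows(fetch, schedule_id, execution_count, page_size=100, space_id=None, **filters):
    """Yield every result row, requesting pages until data.total rows are seen."""
    path = results_path(schedule_id, execution_count, space_id)
    seen, page = 0, 1  # page numbering starts at 1 (the documented default)
    while True:
        # filters may carry kuery, sort, sortOrder or startDate
        data = fetch(path, {"page": page, "pageSize": page_size, **filters})["data"]
        edges = data.get("edges", [])
        for edge in edges:
            # "fields" maps each column to a list; collapse single-value lists
            row = {k: (v[0] if isinstance(v, list) and len(v) == 1 else v)
                   for k, v in edge.get("fields", {}).items()}
            yield {"_id": edge["_id"], **row}
        seen += len(edges)
        if not edges or seen >= data.get("total", 0):
            return  # an empty page also stops the loop if total is wrong or rows vanish
        page += 1

# Constructed sample data: the two rows from the response example, served page by page.
SAMPLE = [{"_id": "row-001", "fields": {"host.uptime": ["12345"]}},
          {"_id": "row-002", "fields": {"host.uptime": ["67890"]}}]

def fake_fetch(path, params):
    start = (params["page"] - 1) * params["pageSize"]
    return {"data": {"edges": SAMPLE[start:start + params["pageSize"]], "total": len(SAMPLE)}}

if __name__ == "__main__":
    for row in iter_rows(fake_fetch, "pack_my_pack_uptime", 3, page_size=1):
        print(row)
```

Against a real deployment, replace `fake_fetch` with `kibana_fetch("https://<KIBANA_URL>", api_key_header_value)`.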