Get unified query history | Kibana Serverless API documentation

Get unified query history Generally available; Added in 9.4.0

GET /api/osquery/history

Spaces method and path for this operation:

get /s/{space_id}/api/osquery/history

Refer to Spaces for more information.

Get a unified, time-sorted history of live, rule-triggered, and scheduled osquery executions. The response uses cursor-based pagination.

Query parameters

pageSize integer

The number of results to return per page.

Minimum value is 1, maximum value is 100. Default value is 20.
nextPage string

A base64-encoded cursor for pagination. Use the value from the previous response to fetch the next page.
kuery string

A search string to filter history entries by pack name, query text, or query ID.
userIds string

Comma-separated list of user IDs to filter live query history.
sourceFilters string

Comma-separated list of source types to include. Valid values are live, rule, and scheduled.
startDate string

The start of the time range filter (ISO 8601).
endDate string

The end of the time range filter (ISO 8601).

Responses

200 application/json

Indicates a successful call.
Hide response attributes Show response attributes object
- data array[object] Required
  
  The list of unified history rows for the current page.
  
  One of:
  live object scheduled object
  
  Hide attributes Show attributes
  
  agentCount integer Required
  
  The number of agents targeted by the query.
  
  errorCount integer | null
  
  The number of agent responses with errors.
  
  id string Required
  
  Unique identifier for the history row.
  
  packId string
  
  The ID of the pack containing the query.
  
  packName string
  
  The name of the pack containing the query.
  
  queryName string
  
  The name of the query, if available.
  
  queryText string Required
  
  The SQL query that was executed.
  
  spaceId string
  
  The Kibana space ID where the query was executed.
  
  successCount integer | null
  
  The number of successful agent responses.
  
  timestamp string Required
  
  The timestamp of the query execution.
  
  totalRows integer | null
  
  The total number of result rows returned across all agents.
  
  actionId string
  
  The Fleet action ID for the live query.
  
  agentAll boolean
  
  Whether the query targeted all agents.
  
  agentIds array[string]
  
  List of targeted agent IDs.
  
  agentPlatforms array[string]
  
  List of targeted agent platforms.
  
  agentPolicyIds array[string]
  
  List of targeted agent policy IDs.
  
  ecsMapping object
  
  ECS mapping configuration used for the query.
  
  Additional properties are allowed.
  
  queriesTotal integer
  
  The total number of sub-queries in the live action.
  
  queriesWithResults integer
  
  The number of sub-queries that returned results.
  
  savedQueryId string
  
  The saved query ID, if the live query was based on a saved query.
  
  source string Required
  
  Whether this was a manually run live query or triggered by a rule.
  
  Values are Live or Rule.
  
  sourceType string Required Discriminator
  
  Identifies this as a live query history row.
  
  Value is live.
  
  timeout integer
  
  The query timeout in seconds.
  
  userId string
  
  The ID of the user who ran the query.
  
  userProfileUid string
  
  The user profile UID of the user who ran the query.
  
  Hide attributes Show attributes
  
  agentCount integer Required
  
  The number of agents targeted by the query.
  
  errorCount integer | null
  
  The number of agent responses with errors.
  
  id string Required
  
  Unique identifier for the history row.
  
  packId string
  
  The ID of the pack containing the query.
  
  packName string
  
  The name of the pack containing the query.
  
  queryName string
  
  The name of the query, if available.
  
  queryText string Required
  
  The SQL query that was executed.
  
  spaceId string
  
  The Kibana space ID where the query was executed.
  
  successCount integer | null
  
  The number of successful agent responses.
  
  timestamp string Required
  
  The timestamp of the query execution.
  
  totalRows integer | null
  
  The total number of result rows returned across all agents.
  
  executionCount integer
  
  The execution count for this scheduled query run.
  
  plannedTime string
  
  The planned execution time for the scheduled query.
  
  scheduleId string
  
  The schedule ID for the scheduled query.
  
  source string Required
  
  Indicates this is a scheduled query execution.
  
  Value is Scheduled.
  
  sourceType string Required Discriminator
  
  Identifies this as a scheduled query history row.
  
  Value is scheduled.
- hasMore boolean Required
  
  Whether there are more results beyond the current page.
- nextPage string
  
  A base64-encoded cursor to fetch the next page. Absent when there are no more results.

GET /api/osquery/history

curl \
 --request GET 'https://<KIBANA_URL>/api/osquery/history' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
  "data": [
    {
      "actionId": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
      "agentCount": 5,
      "errorCount": 0,
      "id": "3c42c847-eb30-4452-80e0-728584042334",
      "queryName": "uptime_query",
      "queryText": "select * from uptime;",
      "source": "Live",
      "sourceType": "live",
      "successCount": 5,
      "timestamp": "2024-07-26T09:59:32.220Z",
      "totalRows": 42,
      "userId": "elastic"
    },
    {
      "agentCount": 10,
      "errorCount": 1,
      "executionCount": 3,
      "id": "pack_my_pack_uptime_3",
      "packId": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d",
      "packName": "My Pack",
      "plannedTime": "2024-07-26T09:00:00.000Z",
      "queryName": "uptime",
      "queryText": "select * from uptime;",
      "scheduleId": "pack_my_pack_uptime",
      "source": "Scheduled",
      "sourceType": "scheduled",
      "successCount": 9,
      "timestamp": "2024-07-26T09:00:00.000Z",
      "totalRows": 100
    }
  ],
  "hasMore": true,
  "nextPage": "eyJhY3Rpb25TZWFyY2hBZnRlciI6WzE3..."
}