Path parameters

• idstring Required

  Identifier for the search.

Query parameters

• keep_alivestring

  Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.

  Values are -1 or 0.

• wait_for_completion_timeoutstring

  Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.

  Values are -1 or 0.

Responses

• 200 application/json
  Hide response attributes Show response attributes object

  • idstring
  • is_partialboolean

    If true, the response does not contain complete search results.

  • is_runningboolean

    If true, the search request is still executing.

  • tooknumber

    Time unit for milliseconds

  • timed_outboolean

    If true, the request timed out before completion.

  • hitsobject Required
    Hide hits attributes Show hits attributes object

    • totalobject
      Hide total attributes Show total attributes object

      • relationstring Required

        Values are eq or gte.

      • valuenumber Required
    • eventsarray[object]

      Contains events matching the query. Each object represents a matching event.

      Hide events attributes Show events attributes object

      • _indexstring Required
      • _idstring Required
      • _sourceobject Required

        Original JSON body passed for the event at index time.

      • missingboolean

        Set to true for events in a timespan-constrained sequence that do not meet a given condition.

      • fieldsobject
        Hide fields attribute Show fields attribute object

        • *array[object] Additional properties
    • sequencesarray[object]

      Contains event sequences matching the query. Each object represents a matching sequence. This parameter is only returned for EQL queries containing a sequence.

      Hide sequences attributes Show sequences attributes object

      • eventsarray[object] Required

        Contains events matching the query. Each object represents a matching event.

        Hide events attributes Show events attributes object

        • _indexstring Required
        • _idstring Required
        • _sourceobject Required

          Original JSON body passed for the event at index time.

        • missingboolean

          Set to true for events in a timespan-constrained sequence that do not meet a given condition.

        • fieldsobject
      • join_keysarray[object]

        Shared field values used to constrain matches in the sequence. These are defined using the by keyword in the EQL query syntax.
  • shard_failuresarray[object]

    Contains information about shard failures (if any), in case allow_partial_search_results=true

    Hide shard_failures attributes Show shard_failures attributes object

    • indexstring
    • nodestring
    • reasonobject Required
      Hide reason attributes Show reason attributes object

      • typestring Required

        The type of error

      • reasonstring | null

        A human-readable explanation of the error, in English.

        One of:

        string-1stringstring-2string | null
      • stack_tracestring

        The server stack trace. Present only if the error_trace=true parameter was sent with the request.

      • caused_byobject
      • root_causearray[object]
      • suppressedarray[object]
    • shardnumber Required
    • statusstring