Create Timeline or Timeline templateedit
Creates a new Timeline or Timeline template.
Use the timeline
object’s timelineType
field
to determine whether a timeline or a timeline template is created, where:
-
default
creates a new Timeline ("timelineType": "default"
) -
template
creates a new Timeline template ("timelineType": "template"
)
If you do not specify the timelineType
field, a new timeline is created.
Request URLedit
POST <kibana host>:<port>/api/timeline
Request bodyedit
A JSON object defining the Timeline or Timeline template query and time filter.
For detailed information about the Timeline object schema and its corresponding UI components, see Timeline schema.
Name | Type | Description | Required |
---|---|---|---|
|
The timeline object, which
defines the search criteria and time range. The only required field is When you are creating a Timeline template, provide these fields to so you can easily import template updates:
|
Yes |
|
|
String |
If provided, must be |
No |
|
String |
If provided, must be |
No |
Example requestsedit
Example 1
Creates a new Timeline.
POST api/timeline { "timeline": { "columns": [ { "id": "@timestamp" }, { "id": "user.name" }, { "id": "event.category" }, { "id": "event.action" }, { "id": "host.name" } ], "dataProviders": [ { "and": [ { "name": "event.category", "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d11", "queryMatch": { "field": "event.category", "value": "process", "operator": ":" } }, { "name": "user.name", "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d12", "queryMatch": { "field": "user.name", "value": "SYSTEM", "operator": ":" } } ], "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d13", "name": "host.os.platform", "queryMatch": { "field": "host.os.platform", "value": "windows", "operator": ":" } } ], "dateRange": { "end": 1594005719000, "start": 1593832919000 }, "description": "Gets Windows system processes from all hosts", "title": "Windows system processes" } }
To ensure the Timeline is displayed correctly in the UI, specify these
fields in all
|
Example 2
Creates a new Timeline template:
POST api/timeline { "timeline": { "columns": [ { "id": "@timestamp" }, { "id": "user.name" }, { "id": "event.category" }, { "id": "event.action" }, { "id": "host.name" } ], "dataProviders": [ { "and": [ { "name": "event.category", "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d21", "queryMatch": { "field": "event.category", "operator": ":", "value": "process" } }, { "name": "user.name", "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d22", "queryMatch": { "field": "user.name", "operator": ":", "value": "SYSTEM" } } ], "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d23", "name": "host.os.platform", "queryMatch": { "field": "host.os.platform", "operator": ":", "value": "windows" } } ], "dateRange": { "end": 1594005719000, "start": 1593832919000 }, "description": "Template for investigating host events", "templateTimelineId": "6acb2c90-a01c-11ea-8e47-5dc21077d10c", "templateTimelineVersion": 1, "timelineType": "template", "title": "Host event template" } }
To ensure the Timeline template is displayed correctly in the UI, specify
the |
|
Template UUID. |
|
Template version number. |
|
To create templates, the |
Example 3
Creates the Timeline template that uses the kqlQuery
object (KQL bar in the
UI) to ensure only Windows alerts are displayed when alerts are investigated in
Timeline:
POST api/timeline { "timeline": { "columns": [ { "id": "@timestamp" }, { "id": "user.name" }, { "id": "event.category" }, { "id": "event.action" }, { "id": "host.name" } ], "dataProviders": [ { "and": [ { "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d31", "name": "user.name", "queryMatch": { "field": "user.name", "operator": ":", "value": "SYSTEM" } } ], "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d32", "name": "event.category", "queryMatch": { "field": "event.category", "operator": ":", "value": "process" } } ], "dateRange": { "end": 1594005719000, "start": 1593832919000 }, "description": "Template for investigating Windows events", "kqlMode": "filter", "kqlQuery": { "filterQuery": { "kuery": { "expression": "host.os.platform : windows", "kind": "kuery" } } }, "templateTimelineId": "6f9a3480-bf4f-11ea-9fcd-ed4e5fd0dcd1", "templateTimelineVersion": 1, "timelineType": "template", "title": "Windows event template" } }
Response codeedit
-
200
- Indicates a successful call.
Response payloadedit
A JSON Timeline object with a unique savedObjectId
and its version
.
Example 1
Timeline response payload:
{ "data": { "persistTimeline": { "code": 200, "message": "success", "timeline": { "savedObjectId": "7f069820-bf57-11ea-9fcd-ed4e5fd0dcd1", "version": "WzQwMiwxXQ==", "columns": [ { "id": "@timestamp" }, { "id": "user.name" }, { "id": "event.category" }, { "id": "event.action" }, { "id": "host.name" } ], "dataProviders": [ { "and": [ { "name": "event.category", "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d41", "queryMatch": { "field": "event.category", "value": "process", "operator": ":" } }, { "name": "user.name", "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d42", "queryMatch": { "field": "user.name", "value": "SYSTEM", "operator": ":" } } ], "enabled": true, "excluded": false, "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d43", "name": "host.os.platform", "queryMatch": { "field": "host.os.platform", "value": "windows", "operator": ":" } } ], "dateRange": { "end": 1594005719000, "start": 1593832919000 }, "description": "Gets Windows system processes from all hosts", "title": "Windows system processes", "created": 1594019310069, "createdBy": "elastic", "updated": 1594019310069, "updatedBy": "elastic", "timelineType": "default", "status": "active" } } } }
Example 2
Timeline template response payload:
{ "data": { "persistTimeline": { "code": 200, "message": "success", "timeline": { "savedObjectId": "75b6cf30-bf82-11ea-9fcd-ed4e5fd0dcd1", "version": "WzQ4MiwxXQ==", "columns": [ { "id": "@timestamp" }, { "id": "user.name" }, { "id": "event.category" }, { "id": "event.action" }, { "id": "host.name" } ], "dataProviders": [ { "and": [ { "enabled": true, "excluded": false, "id": "timeline-1-43112bd4-3081-491c-b973-605cce4c5f14", "name": "user.name", "queryMatch": { "field": "user.name", "operator": ":", "value": "SYSTEM" } } ], "enabled": true, "excluded": false, "id": "timeline-1-43112bd4-3081-491c-b973-605cce4c5f15", "name": "event.category", "queryMatch": { "field": "event.category", "operator": ":", "value": "process" } } ], "dateRange": { "end": 1594005719000, "start": 1593832919000 }, "description": "Template for investigating Windows events", "kqlMode": "filter", "kqlQuery": { "filterQuery": { "kuery": { "expression": "host.os.platform : windows", "kind": "kuery" } } }, "templateTimelineId": "6f9a3480-bf4f-11ea-9fcd-ed4e5fd0dcd1", "templateTimelineVersion": 1, "timelineType": "template", "title": "Windows event template", "created": 1594037762797, "createdBy": "elastic", "updated": 1594037762797, "updatedBy": "elastic", "status": "active" } } } }