Update a saved query

PUT /api/osquery/saved_queries/{id}

Api key auth Basic auth

Update a saved query using the query ID.

You cannot update a prebuilt saved query.

Path parameters

id string | null Required

The ID of a saved query.

application/json; Elastic-Api-Version=2023-10-31

Body Required

description string | null

The saved query description.
ecs_mapping object | null

Map osquery results columns or static values to Elastic Common Schema (ECS) fields
Hide ecs_mapping attribute Show ecs_mapping attribute object | null
- * object Additional properties
  
  Additional properties are allowed.
  Hide * attributes Show * attributes object
  
  field string
  
  The ECS field to map to.
  
  value string | array[string]
  
  The value to map to the ECS field.
  
  One of:
  string-1 string array-2 array[string]
id string | null

The ID of a saved query.
interval string

An interval, in seconds, on which to run the query.
platform string | null

Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.
query string

The SQL query you want to run.
removed boolean | null

Indicates whether the query is removed.
snapshot boolean | null

Indicates whether the query is a snapshot.
version string | null

Uses the Osquery versions greater than or equal to the specified version string.

Responses

200 application/json; Elastic-Api-Version=2023-10-31

OK

Additional properties are allowed.

PUT /api/osquery/saved_queries/{id}

curl \
 --request PUT https://localhost:5601/api/osquery/saved_queries/3c42c847-eb30-4452-80e0-728584042334 \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"

Request example

{
  "id": "updated_my_saved_query_name"
}

Response examples (200)

{
  "data": {}
}

Update a saved query

Path parameters

Body Required

value string | array[string]

Responses