通过 templateTimelineId 获取时间线模板
编辑通过 templateTimelineId 获取时间线模板
编辑使用 templateTimelineId
获取单个时间线模板的详细信息。
请求 URL
编辑GET <kibana 主机>:<端口>/api/timeline?template_timeline_id=<templateTimelineId>
URL 查询参数
编辑名称 | 类型 | 描述 | 必填 |
---|---|---|---|
|
字符串 |
现有时间线模板的 |
是 |
示例请求
编辑检索 templateTimelineId
值为 300afc76-072d-4261-864d-4149714bf3f1
的时间线模板的详细信息。
GET /api/timeline?template_timeline_id=300afc76-072d-4261-864d-4149714bf3f1
响应代码
编辑-
200
- 表示调用成功。
示例响应
编辑{ "data": { "getOneTimeline": { "savedObjectId": "f9ae2a43-823d-4abe-964f-084591607930", "version": "WzQwMjQsMV0=", "columns": [ { "columnHeaderType": "not-filtered", "id": "@timestamp", "type": "number" }, { "aggregatable": false, "description": "For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.", "columnHeaderType": "not-filtered", "id": "message", "category": "base", "type": "string", "example": "Hello World" }, { "aggregatable": true, "description": "The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer.", "columnHeaderType": "not-filtered", "id": "event.action", "category": "event", "type": "string", "example": "user-password-change" }, { "aggregatable": true, "description": "In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc The field value must be normalized to lowercase for querying. See the documentation section \"Implementing ECS\".", "columnHeaderType": "not-filtered", "id": "network.type", "category": "network", "type": "string", "example": "ipv4" }, { "aggregatable": true, "description": "Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.) The field value must be normalized to lowercase for querying. See the documentation section \"Implementing ECS\".", "columnHeaderType": "not-filtered", "id": "network.transport", "category": "network", "type": "string", "example": "tcp" }, { "aggregatable": true, "description": "Direction of the network traffic. Recommended values are: * inbound * outbound * internal * external * unknown When mapping events from a host-based monitoring context, populate this field from the host's point of view. When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of your network perimeter.", "columnHeaderType": "not-filtered", "id": "network.direction", "category": "network", "type": "string", "example": "inbound" }, { "aggregatable": true, "description": "IP address of the source. Can be one or multiple IPv4 or IPv6 addresses.", "columnHeaderType": "not-filtered", "id": "source.ip", "category": "source", "type": "ip" }, { "columnHeaderType": "not-filtered", "id": "source.port" }, { "aggregatable": true, "description": "IP address of the destination. Can be one or multiple IPv4 or IPv6 addresses.", "columnHeaderType": "not-filtered", "id": "destination.ip", "category": "destination", "type": "ip" }, { "columnHeaderType": "not-filtered", "id": "destination.port" }, { "aggregatable": true, "description": "Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.", "columnHeaderType": "not-filtered", "id": "host.name", "category": "host", "type": "string" }, { "columnHeaderType": "not-filtered", "id": "user.name" } ], "dataProviders": [ { "excluded": false, "and": [], "kqlQuery": "", "name": "network", "queryMatch": { "displayValue": null, "field": "event.category", "displayField": null, "value": "network", "operator": ":" }, "id": "timeline-1-dbab0164-2150-47a1-a66f-75ebafe24d5c", "type": "default", "enabled": true }, { "excluded": false, "and": [], "kqlQuery": "", "name": "{signal.group.id}", "queryMatch": { "displayValue": null, "field": "signal.group.id", "displayField": null, "value": "{signal.group.id}", "operator": ":" }, "id": "timeline-1-15b52ead-4956-4ed0-bd12-e137eaf4467e", "type": "template", "enabled": true }, { "excluded": false, "and": [], "kqlQuery": "", "name": "{signal.original_event.id}", "queryMatch": { "field": "signal.original_event.id", "value": "{signal.original_event.id}", "operator": ":" }, "id": "timeline-1-2164774f-6409-4ac4-b73c-907914baf058", "type": "template", "enabled": true } ], "dataViewId": null, "description": "", "eqlOptions": { "tiebreakerField": "", "size": 100, "query": "", "eventCategoryField": "event.category", "timestampField": "@timestamp" }, "eventType": "all", "excludedRowRendererIds": [], "favorite": [], "filters": [], "indexNames": [], "kqlMode": "filter", "kqlQuery": { "filterQuery": null }, "title": "Comprehensive Network Timeline", "templateTimelineId": "300afc76-072d-4261-864d-4149714bf3f1", "templateTimelineVersion": 2, "dateRange": { "start": "2024-02-19T15:42:52.321Z", "end": "2024-02-20T15:42:52.322Z" }, "savedQueryId": null, "created": 1708443772322, "createdBy": "Elastic", "updated": 1708443772322, "updatedBy": "Elastic", "timelineType": "template", "status": "immutable", "sort": [ { "columnType": "number", "sortDirection": "desc", "columnId": "@timestamp" } ], "eventIdToNoteIds": [], "noteIds": [], "notes": [], "pinnedEventIds": [], "pinnedEventsSaveObject": [] } } }