Create timeline or timeline template
Creates a new timeline or timeline template.

Use the `timelineType` field of the `timeline` object to determine whether a timeline or a timeline template is created, where:

- `default` creates a new timeline (`"timelineType": "default"`)
- `template` creates a new timeline template (`"timelineType": "template"`)

If you do not specify the `timelineType` field, a new timeline is created.
Request URL
POST <kibana host>:<port>/api/timeline

Request body
A JSON object that defines the timeline or timeline template's query and time filters.

For information about the timeline object schema and its corresponding UI components, see Timeline schema.
Name | Type | Description | Required
---|---|---|---
`timeline` | timeline | The timeline object, which defines the search criteria and time range. The only required field is `columns`. When you create a timeline template, supply the following fields so that you can easily import template updates: `templateTimelineId` and `templateTimelineVersion`. | Yes
`timelineId` | String | If provided, must be `null` for new timelines or templates. | No
`version` | String | If provided, must be `null` for new timelines or templates. | No
Example requests
Example 1
Creates a new timeline.

```
POST api/timeline
{
  "timeline": {
    "columns": [
      { "id": "@timestamp" },
      { "id": "user.name" },
      { "id": "event.category" },
      { "id": "event.action" },
      { "id": "host.name" }
    ],
    "dataProviders": [
      {
        "and": [
          {
            "name": "event.category",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d11",
            "queryMatch": { "field": "event.category", "value": "process", "operator": ":" }
          },
          {
            "name": "user.name",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d12",
            "queryMatch": { "field": "user.name", "value": "SYSTEM", "operator": ":" }
          }
        ],
        "enabled": true,
        "excluded": false,
        "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d13",
        "name": "host.os.platform",
        "queryMatch": { "field": "host.os.platform", "value": "windows", "operator": ":" }
      }
    ],
    "dateRange": { "end": 1594005719000, "start": 1593832919000 },
    "description": "Gets Windows system processes from all hosts",
    "title": "Windows system processes"
  }
}
```

To ensure the timeline displays correctly in the UI, specify the `name` field in all `dataProviders` items.
Example 2
Creates a new timeline template.

```
POST api/timeline
{
  "timeline": {
    "columns": [
      { "id": "@timestamp" },
      { "id": "user.name" },
      { "id": "event.category" },
      { "id": "event.action" },
      { "id": "host.name" }
    ],
    "dataProviders": [
      {
        "and": [
          {
            "name": "event.category",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d21",
            "queryMatch": { "field": "event.category", "operator": ":", "value": "process" }
          },
          {
            "name": "user.name",
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d22",
            "queryMatch": { "field": "user.name", "operator": ":", "value": "SYSTEM" }
          }
        ],
        "enabled": true,
        "excluded": false,
        "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d23",
        "name": "host.os.platform",
        "queryMatch": { "field": "host.os.platform", "operator": ":", "value": "windows" }
      }
    ],
    "dateRange": { "end": 1594005719000, "start": 1593832919000 },
    "description": "Template for investigating host events",
    "templateTimelineId": "6acb2c90-a01c-11ea-8e47-5dc21077d10c",
    "templateTimelineVersion": 1,
    "timelineType": "template",
    "title": "Host event template"
  }
}
```

To ensure the timeline template displays correctly in the UI, even when it is replaced while investigating alerts in Timeline, specify:

- `templateTimelineId`: a template UUID.
- `templateTimelineVersion`: a template version number.

To create a template, `timelineType` must be `template`.
Example 3
Creates a timeline template that uses the `kqlQuery` object (the KQL bar in the UI) to ensure only Windows alerts are displayed when investigating alerts in Timeline.

```
POST api/timeline
{
  "timeline": {
    "columns": [
      { "id": "@timestamp" },
      { "id": "user.name" },
      { "id": "event.category" },
      { "id": "event.action" },
      { "id": "host.name" }
    ],
    "dataProviders": [
      {
        "and": [
          {
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d31",
            "name": "user.name",
            "queryMatch": { "field": "user.name", "operator": ":", "value": "SYSTEM" }
          }
        ],
        "enabled": true,
        "excluded": false,
        "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d32",
        "name": "event.category",
        "queryMatch": { "field": "event.category", "operator": ":", "value": "process" }
      }
    ],
    "dateRange": { "end": 1594005719000, "start": 1593832919000 },
    "description": "Template for investigating Windows events",
    "kqlMode": "filter",
    "kqlQuery": {
      "filterQuery": {
        "kuery": { "expression": "host.os.platform : windows", "kind": "kuery" }
      }
    },
    "templateTimelineId": "6f9a3480-bf4f-11ea-9fcd-ed4e5fd0dcd1",
    "templateTimelineVersion": 1,
    "timelineType": "template",
    "title": "Windows event template"
  }
}
```
Response code

- 200: Indicates a successful call.

Response payload
A JSON timeline object with a unique `savedObjectId` and its `version`.
Example 1
Timeline response payload

```
{
  "data": {
    "persistTimeline": {
      "code": 200,
      "message": "success",
      "timeline": {
        "savedObjectId": "7f069820-bf57-11ea-9fcd-ed4e5fd0dcd1",
        "version": "WzQwMiwxXQ==",
        "columns": [
          { "id": "@timestamp" },
          { "id": "user.name" },
          { "id": "event.category" },
          { "id": "event.action" },
          { "id": "host.name" }
        ],
        "dataProviders": [
          {
            "and": [
              {
                "name": "event.category",
                "enabled": true,
                "excluded": false,
                "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d41",
                "queryMatch": { "field": "event.category", "value": "process", "operator": ":" }
              },
              {
                "name": "user.name",
                "enabled": true,
                "excluded": false,
                "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d42",
                "queryMatch": { "field": "user.name", "value": "SYSTEM", "operator": ":" }
              }
            ],
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-914beb92-86ab-471c-a00b-25b7e20c2d43",
            "name": "host.os.platform",
            "queryMatch": { "field": "host.os.platform", "value": "windows", "operator": ":" }
          }
        ],
        "dateRange": { "end": 1594005719000, "start": 1593832919000 },
        "description": "Gets Windows system processes from all hosts",
        "title": "Windows system processes",
        "created": 1594019310069,
        "createdBy": "elastic",
        "updated": 1594019310069,
        "updatedBy": "elastic",
        "timelineType": "default",
        "status": "active"
      }
    }
  }
}
```
Example 2
Timeline template response payload

```
{
  "data": {
    "persistTimeline": {
      "code": 200,
      "message": "success",
      "timeline": {
        "savedObjectId": "75b6cf30-bf82-11ea-9fcd-ed4e5fd0dcd1",
        "version": "WzQ4MiwxXQ==",
        "columns": [
          { "id": "@timestamp" },
          { "id": "user.name" },
          { "id": "event.category" },
          { "id": "event.action" },
          { "id": "host.name" }
        ],
        "dataProviders": [
          {
            "and": [
              {
                "enabled": true,
                "excluded": false,
                "id": "timeline-1-43112bd4-3081-491c-b973-605cce4c5f14",
                "name": "user.name",
                "queryMatch": { "field": "user.name", "operator": ":", "value": "SYSTEM" }
              }
            ],
            "enabled": true,
            "excluded": false,
            "id": "timeline-1-43112bd4-3081-491c-b973-605cce4c5f15",
            "name": "event.category",
            "queryMatch": { "field": "event.category", "operator": ":", "value": "process" }
          }
        ],
        "dateRange": { "end": 1594005719000, "start": 1593832919000 },
        "description": "Template for investigating Windows events",
        "kqlMode": "filter",
        "kqlQuery": {
          "filterQuery": {
            "kuery": { "expression": "host.os.platform : windows", "kind": "kuery" }
          }
        },
        "templateTimelineId": "6f9a3480-bf4f-11ea-9fcd-ed4e5fd0dcd1",
        "templateTimelineVersion": 1,
        "timelineType": "template",
        "title": "Windows event template",
        "created": 1594037762797,
        "createdBy": "elastic",
        "updated": 1594037762797,
        "updatedBy": "elastic",
        "status": "active"
      }
    }
  }
}
```
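As an added example (not code from the Elastic documentation or from Kibana itself), the Python below builds a request body in the shape of Example 3, checks the constraints this page states (`timelineId`/`version` null, `columns` present, a `name` on every data provider, `templateTimelineId` and an integer `templateTimelineVersion` on templates) before the body is sent, and reads `savedObjectId` and `version` back out of a response payload. The sample response is constructed from the fields of the template response above; the generated provider ids are assumptions.

```python
import json
import uuid

def data_provider(field, value, and_clauses=None):
    """One dataProviders item. name is always set: the page notes the UI
    needs it on every item to render the timeline correctly."""
    return {"id": f"timeline-1-{uuid.uuid4()}", "name": field, "enabled": True,
            "excluded": False, "and": and_clauses or [],
            "queryMatch": {"field": field, "operator": ":", "value": value}}

def validate_create_request(body):
    """Check the invariants the page states before POSTing to /api/timeline."""
    if body.get("timelineId") is not None or body.get("version") is not None:
        raise ValueError("timelineId and version must be null for a new object")
    t = body["timeline"]
    if "columns" not in t:
        raise ValueError("columns is the only required timeline field")
    for p in t.get("dataProviders", []):
        if not p.get("name"):
            raise ValueError(f"dataProvider {p.get('id')} has no name")
    if t.get("timelineType", "default") == "template":
        if not t.get("templateTimelineId") or not isinstance(t.get("templateTimelineVersion"), int):
            raise ValueError("templates need templateTimelineId and templateTimelineVersion")
    return True

def build_create_request(title, description, columns, providers, start, end,
                         template_id=None, template_version=None, kql=None):
    """Return the body for a new timeline, or a template when template_id is given."""
    t = {"columns": [{"id": c} for c in columns], "dataProviders": providers,
         "dateRange": {"start": start, "end": end},
         "description": description, "title": title}
    if template_id is not None:
        t.update(timelineType="template", templateTimelineId=template_id,
                 templateTimelineVersion=template_version)
    if kql:  # the KQL bar filter, as in Example 3
        t["kqlMode"] = "filter"
        t["kqlQuery"] = {"filterQuery": {"kuery": {"expression": kql, "kind": "kuery"}}}
    body = {"timeline": t}
    validate_create_request(body)
    return body

def parse_persist_response(raw):
    """Pull the saved object id, version and type out of the response payload."""
    r = json.loads(raw)["data"]["persistTimeline"]
    if r["code"] != 200:
        raise RuntimeError(f"persistTimeline failed: {r['code']} {r.get('message')}")
    tl = r["timeline"]
    return tl["savedObjectId"], tl["version"], tl.get("timelineType", "default")

# Constructed sample response, trimmed to the fields the parser reads.
SAMPLE_RESPONSE = json.dumps({"data": {"persistTimeline": {"code": 200, "message": "success",
    "timeline": {"savedObjectId": "75b6cf30-bf82-11ea-9fcd-ed4e5fd0dcd1",
                 "version": "WzQ4MiwxXQ==", "timelineType": "template"}}}})
```

Send the returned body as JSON to `POST <kibana host>:<port>/api/timeline` with your HTTP client of choice; keep the `templateTimelineId` you generate, since later template updates are matched on it.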