Document kuery (KQL) filtering and improve Fleet API page structure#7067
Document kuery (KQL) filtering and improve Fleet API page structure#7067charlotte-hoblik wants to merge 4 commits into
Conversation
charlotte-hoblik
added
the
documentation
Elastic Docs AI PR menuCheck the box to run an AI review for this pull request.
Powered by GitHub Agentic Workflows and docs-actions. For more information, reach out to the docs team. |
🔍 Preview links for changed docs |
✅ Elastic Docs Style Checker (Vale)No issues found on modified lines! The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale. |
| You can run {{fleet}} API requests through the {{kib}} Console. | ||
|
|
||
| 1. Open the {{kib}} menu and go to **Management → Dev Tools**. | ||
| 1. From the {{kib}} menu, go to **Management → Dev Tools**. |
There was a problem hiding this comment.
I don't think this wording aligns with our guidance on referring to apps and pages.
There was a problem hiding this comment.
| The {{fleet}} list endpoints for agents, agent policies, package policies, and enrollment tokens accept a `kuery` query parameter that takes a [{{kib}} Query Language (KQL)](elasticsearch://reference/query-languages/kql.md) string to filter results. To check whether another endpoint accepts `kuery`, refer to its parameters in the [Kibana API docs]({{kib-apis}}). | ||
|
|
||
| Reference each field by the saved object type that stores it. {{fleet}} stores package policies as `ingest-package-policies` objects, so to filter package policies by integration name, query the `ingest-package-policies.package.name` field. |
There was a problem hiding this comment.
I'm pretty sure this isn't true. Agents and enrollment tokens are not saved objects. They are stored in .fleet-* system indices so they must be referenced directly with no saved object prefix.
Your example for package policies works in [redacted] test cluster (I'll share w/you on Slack).
GET kbn:/api/fleet/package_policies?kuery=ingest-package-policies.package.name:activemq
✅
{
"items": [
{
"id": "9xxxxa3-b6b2-4xxx-8f20-bb9822xxxxxe",
"version": "WxxxxxxxxxQ==",
"name": "activemq-1",
...
However, appending the saved object type to an agent call does not work:
GET kbn:/api/fleet/agents?kuery=ingest-agents.status:online
{
"statusCode": 400,
"error": "Bad Request",
"message": "[request query.kuery]: KQLSyntaxError: This key 'ingest-agents.status' does NOT exist in fleet-agents saved object index patterns"
}
Excluding the saved object type from an agent call does work:
GET kbn:/api/fleet/agents?kuery=status:online
✅
{
"items": [
{
"id": "3xxxx1-4a0a-4b00-bxxxx20xxxxx9d4",
"type": "PERMANENT",
"active": true,
...
There was a problem hiding this comment.
Ok, so actually only these two Fleet endpoints are backed by saved objects:
- Agent policies (
GET /api/fleet/agent_policies): stored as afleet-agent-policiessaved object, or, on deployments where space awareness is off, as the legacyingest-agent-policiessaved object (#1 and #2).- Use
fleet-agent-policies.<field>in the KQL prefix; the legacyingest-agent-policies.<field>also works because Fleet normalizes either prefix at runtime (#3)
- Use
- Package policies (
GET /api/fleet/package_policies): stored as afleet-package-policiessaved object, or, on deployments where space awareness is off, as the legacyingest-package-policiessaved object (#1, and #2).- Use
fleet-package-policies.<field>, but the legacyingest-package-policies.<field>also works for the same reason as above (#3).
- Use
Agents (GET /api/fleet/agents) are stored in the .fleet-agents ES system index (#1). So these should be referenced without a prefix (e.g., status:online). However, here fleet-agents.status:online also works because Fleet strips it from the kuery (#2), but ingest-agents. does not exist, and that returns an error.
Enrollment API keys (GET /api/fleet/enrollment_api_keys) are stored in the .fleet-enrollment-api-keys ES system index (#1), but here no prefix should be used as the kuery is passed straight through to the index search (e.g., policy_id:"<policy-id>").
| * [Kibana API docs]({{kib-apis}}) | ||
| * [Run API requests](/explore-analyze/query-filter/tools/console.md) | ||
| * [Roles and privileges](/reference/fleet/fleet-roles-privileges.md) | ||
| * [Fleet enrollment tokens](/reference/fleet/fleet-enrollment-tokens.md) |
There was a problem hiding this comment.
This is the same link that's right above this section. I'm not sure how useful it is to list it twice.
3 participants
Summary
Adds KQL filtering guidance to the Fleet API page and brings the page in line with the how-to content type. Closes #3401.
Connected issue: #3401
kuery / KQL filtering (the issue)
kuery, the saved-object field-prefix rule, a verifiedpackage_policiesexample, and links to the KQL reference. The API reference nameskuerybut never explains it or links out, this is the missing on-ramp.Structure and navigation (applied the Elastic docs skills)
descriptionto the frontmatter (no longer duplicated by the intro).Copy edits throughout
curlexample.Tool(s) and model(s) used:
Claude Opus 4.8
Elastic docs review skills