For the most up-to-date API details, refer to {api-es}/group/endpoint-eql[EQL APIs].
Returns the current status and available results for an async EQL search or a stored synchronous EQL search.
GET /_eql/search/FkpMRkJGS1gzVDRlM3g4ZzMyRGlLbkEaTXlJZHdNT09TU2VTZVBoNDM3cFZMUToxMDM=-
If the {es} {security-features} are enabled, only the user who first submitted the EQL search can retrieve the search using this API.
See EQL limitations.
<search_id>-
(Required, string) Identifier for the search.
A search ID is provided in the EQL search API's response for an async search. A search ID is also provided if the request’s
keep_on_completionparameter istrue.
keep_alive-
(Optional, time value) Period for which the search and its results are stored on the cluster. Defaults to the
keep_alivevalue set by the search’s EQL search API request.If specified, this parameter sets a new
keep_aliveperiod for the search, starting when the get async EQL search API request executes. This new period overwrites the one specified in the EQL search API request.When this period expires, the search and its results are deleted, even if the search is ongoing.
wait_for_completion_timeout-
(Optional, time value) Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.
If this parameter is specified and the request completes during this period, complete search results are returned.
If the request does not complete during this period, the response returns an
is_partialvalue oftrueand no search results.
The async EQL search API returns the same response body as the EQL search API. See the EQL search API’s response body parameters.