Copies timeline or timeline template
Copies and returns a timeline or timeline template.
Body
Required
-
timeline
object Required Hide timeline attributes Show timeline attributes object
-
columns
array[object] | null The Timeline's columns
Hide columns attributes Show columns attributes object
-
aggregatable
boolean | null -
category
string | null -
columnHeaderType
string | null -
description
string | null -
example
string | null -
id
string | null -
indexes
array[string] | null -
name
string | null -
placeholder
string | null -
searchable
boolean | null -
type
string | null
-
-
created
number | null The time the Timeline was created, using a 13-digit Epoch timestamp.
-
createdBy
string | null The user who created the Timeline.
-
dataProviders
array[object] | null Object containing query clauses
Hide dataProviders attributes Show dataProviders attributes object
-
and
array[object] | null Hide and attributes Show and attributes object
-
enabled
boolean | null -
excluded
boolean | null -
id
string | null -
kqlQuery
string | null -
name
string | null -
queryMatch
object | null Hide queryMatch attributes Show queryMatch attributes object | null
-
displayField
string | null -
displayValue
string | null -
field
string | null -
operator
string | null value
string | null | array[string]
-
-
type
string | null The type of data provider.
Values are
defaultortemplate.
-
-
enabled
boolean | null -
excluded
boolean | null -
id
string | null -
kqlQuery
string | null -
name
string | null -
queryMatch
object | null Hide queryMatch attributes Show queryMatch attributes object | null
-
displayField
string | null -
displayValue
string | null -
field
string | null -
operator
string | null value
string | null | array[string]
-
-
type
string | null The type of data provider.
Values are
defaultortemplate.
-
-
dataViewId
string | null ID of the Timeline's Data View
-
dateRange
object | null The Timeline's search period.
Hide dateRange attributes Show dateRange attributes object | null
-
description
string | null The Timeline's description
-
eqlOptions
object | null EQL query that is used in the correlation tab
Hide eqlOptions attributes Show eqlOptions attributes object | null
-
eventCategoryField
string | null -
query
string | null size
string | null | number -
tiebreakerField
string | null -
timestampField
string | null
-
-
eventType
string | null Deprecated Event types displayed in the Timeline
-
excludedRowRendererIds
array[string] | null A list of row renderers that should not be used when in
Event renderersmodeValues are
alert,alerts,auditd,auditd_file,library,netflow,plain,registry,suricata,system,system_dns,system_endgame_process,system_file,system_fim,system_security_event,system_socket,threat_match, orzeek. -
favorite
array[object] | null Indicates when and who marked a Timeline as a favorite.
Hide favorite attributes Show favorite attributes object
-
favoriteDate
number | null -
fullName
string | null -
userName
string | null
-
-
filters
array[object] | null A list of filters that should be applied to the query
Hide filters attributes Show filters attributes object
-
indexNames
array[string] | null A list of index names to use in the query (e.g. when the default data view has been modified)
-
kqlMode
string | null Indicates whether the KQL bar filters the query results or searches for additional results, where:
filter: filters query resultssearch: displays additional search results
-
kqlQuery
object | null KQL bar query.
Hide kqlQuery attribute Show kqlQuery attribute object | null
-
filterQuery
object | null Hide filterQuery attributes Show filterQuery attributes object | null
-
kuery
object | null Hide kuery attributes Show kuery attributes object | null
-
expression
string | null -
kind
string | null
-
-
serializedQuery
string | null
-
-
-
savedQueryId
string | null The ID of the saved query that might be used in the Query tab
-
savedSearchId
string | null The ID of the saved search that is used in the ES|QL tab
sort
object | null | array[object] One of: Object indicating how rows are sorted in the Timeline's grid
Hide attributes Show attributes
-
columnId
string | null -
columnType
string | null -
sortDirection
string | null
Object indicating how rows are sorted in the Timeline's grid
Hide attributes Show attributes object
-
columnId
string | null -
columnType
string | null -
sortDirection
string | null
-
-
status
string | null The status of the Timeline.
Values are
active,draft, orimmutable. -
templateTimelineId
string | null A unique ID (UUID) for Timeline templates. For Timelines, the value is
null. -
templateTimelineVersion
number | null Timeline template version number. For Timelines, the value is
null. -
timelineType
string | null The type of Timeline.
Values are
defaultortemplate. -
title
string | null The Timeline's title.
-
updated
number | null The last time the Timeline was updated, using a 13-digit Epoch timestamp
-
updatedBy
string | null The user who last updated the Timeline
-
-
timelineIdToCopy
string Required
Responses
-
200 application/json
Indicates that the timeline has been successfully copied.
Hide response attributes Show response attributes object
-
columns
array[object] | null The Timeline's columns
Hide columns attributes Show columns attributes object
-
aggregatable
boolean | null -
category
string | null -
columnHeaderType
string | null -
description
string | null -
example
string | null -
id
string | null -
indexes
array[string] | null -
name
string | null -
placeholder
string | null -
searchable
boolean | null -
type
string | null
-
-
created
number | null The time the Timeline was created, using a 13-digit Epoch timestamp.
-
createdBy
string | null The user who created the Timeline.
-
dataProviders
array[object] | null Object containing query clauses
Hide dataProviders attributes Show dataProviders attributes object
-
and
array[object] | null Hide and attributes Show and attributes object
-
enabled
boolean | null -
excluded
boolean | null -
id
string | null -
kqlQuery
string | null -
name
string | null -
queryMatch
object | null Hide queryMatch attributes Show queryMatch attributes object | null
-
displayField
string | null -
displayValue
string | null -
field
string | null -
operator
string | null value
string | null | array[string]
-
-
type
string | null The type of data provider.
Values are
defaultortemplate.
-
-
enabled
boolean | null -
excluded
boolean | null -
id
string | null -
kqlQuery
string | null -
name
string | null -
queryMatch
object | null Hide queryMatch attributes Show queryMatch attributes object | null
-
displayField
string | null -
displayValue
string | null -
field
string | null -
operator
string | null value
string | null | array[string]
-
-
type
string | null The type of data provider.
Values are
defaultortemplate.
-
-
dataViewId
string | null ID of the Timeline's Data View
-
dateRange
object | null The Timeline's search period.
Hide dateRange attributes Show dateRange attributes object | null
-
description
string | null The Timeline's description
-
eqlOptions
object | null EQL query that is used in the correlation tab
Hide eqlOptions attributes Show eqlOptions attributes object | null
-
eventCategoryField
string | null -
query
string | null size
string | null | number size
string | null | number -
tiebreakerField
string | null -
timestampField
string | null
-
-
eventType
string | null Deprecated Event types displayed in the Timeline
-
excludedRowRendererIds
array[string] | null A list of row renderers that should not be used when in
Event renderersmodeValues are
alert,alerts,auditd,auditd_file,library,netflow,plain,registry,suricata,system,system_dns,system_endgame_process,system_file,system_fim,system_security_event,system_socket,threat_match, orzeek. -
favorite
array[object] | null Indicates when and who marked a Timeline as a favorite.
Hide favorite attributes Show favorite attributes object
-
favoriteDate
number | null -
fullName
string | null -
userName
string | null
-
-
filters
array[object] | null A list of filters that should be applied to the query
Hide filters attributes Show filters attributes object
-
indexNames
array[string] | null A list of index names to use in the query (e.g. when the default data view has been modified)
-
kqlMode
string | null Indicates whether the KQL bar filters the query results or searches for additional results, where:
filter: filters query resultssearch: displays additional search results
-
kqlQuery
object | null KQL bar query.
Hide kqlQuery attribute Show kqlQuery attribute object | null
-
filterQuery
object | null Hide filterQuery attributes Show filterQuery attributes object | null
-
kuery
object | null Hide kuery attributes Show kuery attributes object | null
-
expression
string | null -
kind
string | null
-
-
serializedQuery
string | null
-
-
-
savedQueryId
string | null The ID of the saved query that might be used in the Query tab
-
savedSearchId
string | null The ID of the saved search that is used in the ES|QL tab
sort
object | null | array[object] One of: Object indicating how rows are sorted in the Timeline's grid
Hide attributes Show attributes
-
columnId
string | null -
columnType
string | null -
sortDirection
string | null
Object indicating how rows are sorted in the Timeline's grid
Hide attributes Show attributes object
-
columnId
string | null -
columnType
string | null -
sortDirection
string | null
-
sort
object | null | array[object] One of: Object indicating how rows are sorted in the Timeline's grid
Hide attributes Show attributes
-
columnId
string | null -
columnType
string | null -
sortDirection
string | null
Object indicating how rows are sorted in the Timeline's grid
Hide attributes Show attributes object
-
columnId
string | null -
columnType
string | null -
sortDirection
string | null
-
-
status
string | null The status of the Timeline.
Values are
active,draft, orimmutable. -
templateTimelineId
string | null A unique ID (UUID) for Timeline templates. For Timelines, the value is
null. -
templateTimelineVersion
number | null Timeline template version number. For Timelines, the value is
null. -
timelineType
string | null The type of Timeline.
Values are
defaultortemplate. -
title
string | null The Timeline's title.
-
updated
number | null The last time the Timeline was updated, using a 13-digit Epoch timestamp
-
updatedBy
string | null The user who last updated the Timeline
-
savedObjectId
string Required The
savedObjectIdof the Timeline or Timeline template -
version
string Required The version of the Timeline or Timeline template
-
eventIdToNoteIds
array[object] | null A list of all the notes that are associated to this Timeline.
Hide eventIdToNoteIds attributes Show eventIdToNoteIds attributes object
-
created
number | null The time the note was created, using a 13-digit Epoch timestamp.
-
createdBy
string | null The user who created the note.
-
updated
number | null The last time the note was updated, using a 13-digit Epoch timestamp
-
updatedBy
string | null The user who last updated the note
-
eventId
string | null The
_idof the associated event for this note. -
note
string | null The text of the note
-
timelineId
string Required The
savedObjectIdof the Timeline that this note is associated with -
noteId
string Required The
savedObjectIdof the note -
version
string Required The version of the note
-
-
noteIds
array[string] | null A list of all the ids of notes that are associated to this Timeline.
-
notes
array[object] | null A list of all the notes that are associated to this Timeline.
Hide notes attributes Show notes attributes object
-
created
number | null The time the note was created, using a 13-digit Epoch timestamp.
-
createdBy
string | null The user who created the note.
-
updated
number | null The last time the note was updated, using a 13-digit Epoch timestamp
-
updatedBy
string | null The user who last updated the note
-
eventId
string | null The
_idof the associated event for this note. -
note
string | null The text of the note
-
timelineId
string Required The
savedObjectIdof the Timeline that this note is associated with -
noteId
string Required The
savedObjectIdof the note -
version
string Required The version of the note
-
-
pinnedEventIds
array[string] | null A list of all the ids of pinned events that are associated to this Timeline.
-
pinnedEventsSaveObject
array[object] | null A list of all the pinned events that are associated to this Timeline.
Hide pinnedEventsSaveObject attributes Show pinnedEventsSaveObject attributes object
-
created
number | null The time the pinned event was created, using a 13-digit Epoch timestamp.
-
createdBy
string | null The user who created the pinned event.
-
updated
number | null The last time the pinned event was updated, using a 13-digit Epoch timestamp
-
updatedBy
string | null The user who last updated the pinned event
-
eventId
string Required The
_idof the associated event for this pinned event. -
timelineId
string Required The
savedObjectIdof the timeline that this pinned event is associated with -
pinnedEventId
string Required The
savedObjectIdof this pinned event -
version
string Required The version of this pinned event
-
-
curl \
--request GET 'https://localhost:5601/api/timeline/_copy' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"timeline":{"columns":[{"id":"@timestamp","columnHeaderType":"not-filtered"},{"id":"event.category","columnHeaderType":"not-filtered"}],"created":1587468588922,"createdBy":"casetester","dataProviders":[{"id":"id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","name":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b","enabled":true,"excluded":false,"queryMatch":{"field":"_id,","value":"d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b,","operator":":"}}],"dataViewId":"security-solution-default","dateRange":{"end":1587456479201,"start":1587370079200},"description":"Investigating exposure of CVE XYZ","eqlOptions":{"size":100,"query":"sequence\\n[process where process.name == \"sudo\"]\\n[any where true]","timestampField":"@timestamp","eventCategoryField":"event.category"},"eventType":"all","excludedRowRendererIds":["alert"],"favorite":[{"userName":"elastic","favoriteDate":1741337636741}],"filters":[{"meta":{"key":"@timestamp","type":"exists","alias":"Custom filter name","index":".alerts-security.alerts-default,logs-*","value":"exists","negate":"false,","disabled":false},"query":"{\"exists\":{\"field\":\"@timestamp\"}}"}],"indexNames":[".logs*"],"kqlMode":"search","kqlQuery":{"kuery":{"kind":"kuery","expression":"_id : *"},"filterQuery":null,"serializedQuery":"{\"bool\":{\"should\":[{\"exists\":{\"field\":\"_id\"}}],\"minimum_should_match\":1}}"},"savedQueryId":"c7b16904-02d7-4f32-b8f2-cc20f9625d6e","savedSearchId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","sort":{"columnId":"@timestamp","sortDirection":"desc"},"status":"active","templateTimelineId":"6ce1b592-84e3-4b4a-9552-f189d4b82075","templateTimelineVersion":12,"timelineType":"default","title":"CVE XYZ investigation","updated":1741344876825,"updatedBy":"casetester"},"timelineIdToCopy":"string"}'