Fleet Agent Cannot Export to CSV

I have a need to list all fleet agents with status and such for document purposes. I didn't find an export agent feature like on the Wazuh Dashboard. As a result, I tried to query Dev Tools but still didn't get the right status results. Do you have any suggestions or do I have to manually copy one by one from hundreds of total agents?

Honestly, the lack of an agent status export feature made me waste a lot of time. Until now I can't get query results with information like Status, Agent Policy, CPU, Memory.


Maybe in the .fleet-policies* index you will find the information you are looking for?

Howdy - we've added an "export CSV" feature to the agents listing table that will be available starting in 8.18.

If upgrading your stack isn't an option, you can use the Fleet API's /agents endpoint to fetch all of your agents and convert the results to a CSV using jq or another tool. See API docs here.

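The Fleet API route suggested in the reply above, sketched as an added example (not code from the thread or from Elastic): it flattens an already-fetched `/api/fleet/agents` response into CSV using dotted field paths like the ones in the SQL query further down. The `items` wrapper, the `status` and `policy_id` fields and the sample data are assumptions/constructed. Because host names are reported by the endpoints themselves, cells that start with a spreadsheet formula character are neutralised before export.

```python
import csv
import io
import json

# Columns as dotted paths into each agent document. "local_metadata.host.name"
# and "last_checkin_status" appear in the thread; the others are assumed fields.
COLUMNS = ["id", "local_metadata.host.name", "status",
           "last_checkin_status", "policy_id"]

def dig(doc, dotted):
    """Follow a dotted path through nested dicts; "" if any part is missing."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return ""
        cur = cur[key]
    return "" if cur is None else cur

def safe_cell(value):
    """Stringify a value; prefix cells a spreadsheet would treat as a formula."""
    text = json.dumps(value) if isinstance(value, (dict, list)) else str(value)
    return "'" + text if text[:1] in ("=", "+", "-", "@") else text

def agents_to_csv(response, columns=COLUMNS):
    """Convert a parsed agents-list response into CSV text, sorted by host name."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for agent in sorted(response.get("items", []),
                        key=lambda a: str(dig(a, "local_metadata.host.name"))):
        writer.writerow([safe_cell(dig(agent, c)) for c in columns])
    return out.getvalue()

# Constructed sample response (not real data; response shape is an assumption).
SAMPLE = json.loads("""
{"total": 3, "page": 1, "perPage": 20, "items": [
  {"id": "a-2", "status": "offline", "policy_id": "p-linux",
   "last_checkin_status": "error",
   "local_metadata": {"host": {"name": "web-02"}}},
  {"id": "a-1", "status": "online", "policy_id": "p-linux",
   "last_checkin_status": "online",
   "local_metadata": {"host": {"name": "db-01"}}},
  {"id": "a-3", "status": "online", "policy_id": null,
   "local_metadata": {"host": {"name": "=1+1"}}}
]}
""")

if __name__ == "__main__":
    print(agents_to_csv(SAMPLE), end="")
```

Missing or null fields become empty cells, so agents that have never checked in still get a row.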

You could run this query in Kibana Dev Tools:

GET _sql?format=csv
{
  "query": """
    SELECT "local_metadata.host.name","last_checkin_status" FROM ".fleet-agents-7" ORDER BY "local_metadata.host.name"
  """,
  "fetch_size": "10000"
}

This returns a CSV with one column with the hostname and another with the last checkin status.

To know which fields are available you could get information about any agent just to see the fields that are returned.

GET kbn:/api/fleet/agents/any-agent-id

Unfortunately, the Agent Management page lacks a lot of information. We opened a couple of enhancement requests with Elastic, but still didn't get feedback. One thing that we are doing is using the Fleet API to get agent information and create a custom index in Elasticsearch with this data, so we can have a better view and control of our agents.

Do you have more than 10k agents? If you have more than 10k agents you will need to use some WHERE clauses in the SQL query because the fleet API does not return more than 10k agents and also does not paginate.

> Do you have more than 10k agents? If you have more than 10k agents you will need to use some WHERE clauses in the SQL query because the fleet API does not return more than 10k agents and also does not paginate.

We are taking a look at adding point-in-time query support to the agents API to solve the 10k problem some time in 9.0. See [Fleet] List agents API should support more than 10k results · Issue #206924 · elastic/kibana · GitHub.

This blocks other use cases too like executing an osquery operation across more than 10k agents, so it's high on our list to address.
