How to get all rules from Elasticsearch Security using curl API?

I have been trying to get all the rules (thousands of them) from my Elasticsearch Security using the curl API; however, the only example and way shown on the website is able to obtain only one single rule at a time by running: curl -X GET <ip address>:<port>/api/detection_engine/rules?rule_id=<rule_id>, and since it doesn't accept wildcards, I can't get what I want.
So far, I am unable to get all the rules, only one single rule at a time, which is undesirable for what I am achieving. I even tried using the _find method, which is to run curl -X GET <ip address>:<port>/api/detection_engine/rules/_find?page=100&per_page=100; I still didn't get what I want, and in addition, this method added new fields to the curl result which I do not want.

Hello @xynobob

Maybe this API call will help you. It allows you to get rules with pagination, but if you specify per_page, you can probably get all your rules.

api/detection_engine/rules/_find?page=1&per_page=1000


Hi @Nikita_Khristinin, thanks for the suggestion, but unfortunately this still doesn't get me all my rules, as I have over 2000+ rules, and if I change it to &per_page=3000, I get this error:

{"message":"all shards failed: search_phase_execution_exception: [query_shard_exception] Reason: failed to create query: maxClauseCount is set to 1024","status_code":400}

Any ideas if there are any other ways to retrieve all my rules?


Will it help to send several requests like these?

api/detection_engine/rules/_find?page=1&per_page=1000
api/detection_engine/rules/_find?page=2&per_page=1000
api/detection_engine/rules/_find?page=3&per_page=1000
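The two suggestions above (use the _find endpoint with per_page, and walk page=1, page=2, page=3 ... when one page cannot hold everything) combine into a short script. The following is an added example, not code from the thread or from Elastic: it loops over the pages with curl, keeps only the rules themselves from each response (dropping the page/perPage/total envelope the original poster did not want) and stops when a page comes back short. KIBANA_URL, KIBANA_AUTH, PER_PAGE and OUT are assumed environment variables; the page size defaults to 500 so that each request stays under the 1024 limit behind the maxClauseCount error quoted earlier. jq must be installed.

```shell
#!/bin/sh
# Added example: fetch every detection rule from Kibana's _find endpoint, page by page.
# Assumptions (not from the thread): KIBANA_URL, KIBANA_AUTH, PER_PAGE, OUT below.
set -eu

KIBANA_URL="${KIBANA_URL:-http://localhost:5601}"   # assumed Kibana base URL
KIBANA_AUTH="${KIBANA_AUTH:-elastic:changeme}"      # assumed basic-auth user:pass
PER_PAGE="${PER_PAGE:-500}"                         # keep below 1024 (maxClauseCount)
OUT="${OUT:-all_rules.json}"                        # output file: one JSON array of rules

# URL for a single page of the _find endpoint: page_url BASE PAGE PER_PAGE
page_url() {
  printf '%s/api/detection_engine/rules/_find?page=%d&per_page=%d' "$1" "$2" "$3"
}

# Number of requests needed to cover N rules at a given page size (ceiling division).
pages_needed() {
  echo $(( ($1 + $2 - 1) / $2 ))
}

# Walk the pages until one returns fewer rules than PER_PAGE, appending only the
# contents of .data (the rules) to a temporary file, then wrap them in one array.
fetch_all_rules() {
  page=1
  : > "$OUT.tmp"
  while :; do
    body="$(curl -sS -u "$KIBANA_AUTH" -H 'kbn-xsrf: true' \
      "$(page_url "$KIBANA_URL" "$page" "$PER_PAGE")")"

    # An error response (such as the maxClauseCount failure) has no .data field.
    if [ "$(printf '%s' "$body" | jq -r '.data == null')" = "true" ]; then
      echo "error on page $page: $(printf '%s' "$body" | jq -r '.message // .')" >&2
      return 1
    fi

    printf '%s' "$body" | jq -c '.data[]' >> "$OUT.tmp"
    got="$(printf '%s' "$body" | jq '.data | length')"
    total="$(printf '%s' "$body" | jq '.total')"
    echo "page $page: $got rules (server reports $total total)" >&2

    if [ "$got" -lt "$PER_PAGE" ]; then
      break
    fi
    page=$((page + 1))
  done
  jq -s '.' "$OUT.tmp" > "$OUT"
  rm -f "$OUT.tmp"
  echo "wrote $(jq 'length' "$OUT") rules to $OUT" >&2
}

# Uncomment (or call from another script) to run the export:
# fetch_all_rules
```

Run it as, for example, KIBANA_URL=https://kibana.example:5601 KIBANA_AUTH=user:pass sh get_rules.sh with the last line uncommented; with 2000+ rules and PER_PAGE=500 it issues five requests (pages_needed 2345 500 gives 5) and writes a single JSON array containing only the rule objects. If a page still fails, lowering PER_PAGE is the first thing to try, since the error in the thread is tied to the request size rather than the total number of rules.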
