@elk2 Afak, you need auditing to get the search request.. And 'standard' auditing isn't even enough. xpack.security.audit.logfile.events.emit_request_body need to be seto to true. Expect huuge amounts of audit logs... (also, you need gold or higher license I think). See https://www.elastic.co/guide/en/elasticsearch/reference/current/auditing-settings.html