Retrieving results by using kibanaSavedObjectMeta.searchSourceJSON from a saved search

I have a use-case that demands reading out the API for saved searches in Kibana and retrieving the results.

There seems to be no API for Kibana to do this.
A defined saved search can be retrieved, and in its JSON response you can find the field 'kibanaSavedObjectMeta.searchSourceJSON', which has the following structure:

{
  "index": "a40f4f20-972d-11e9-a4aa-9b663566a96d",
  "highlightAll": true,
  "version": true,
  "query": {
    "language": "kuery",
    "query": ""
  },
  "filter": [
    {
      "$state": {
        "store": "appState"
      },
      "meta": {
        "alias": null,
        "disabled": false,
        "index": "a40f4f20-972d-11e9-a4aa-9b663566a96d",
        "key": "_type",
        "negate": false,
        "params": {
          "query": "datacenter-patching",
          "type": "phrase"
        },
        "type": "phrase",
        "value": "datacenter-patching"
      },
      "query": {
        "match": {
          "_type": {
            "query": "datacenter-patching",
            "type": "phrase"
          }
        }
      }
    },
    {
      "meta": {
        "negate": false,
        "index": "a40f4f20-972d-11e9-a4aa-9b663566a96d",
        "type": "phrase",
        "key": "doc.Patching Status",
        "value": "Non-compliant",
        "params": {
          "query": "Non-compliant",
          "type": "phrase"
        },
        "disabled": false,
        "alias": null
      },
      "query": {
        "match": {
          "doc.Patching Status": {
            "query": "Non-compliant",
            "type": "phrase"
          }
        }
      },
      "$state": {
        "store": "appState"
      }
    }
  ]
}

Now, after a lot of Google searches, I can't seem to find a way to transform this into an Elasticsearch query or something useful to retrieve the actual results.
Strange because if you go to the saved search in the UI > Inspect > Request, you can see the actual Elasticsearch query I need.

Anybody any idea?

Hello Lars,

Your best bet would probably be to interact with your saved searches via the Saved Object API, since Saved Searches are just a type of Saved Object in Kibana. We do expose the Elasticsearch queries occurring to the user via Inspect as you noticed, but I don't believe they're available via query.

You could use a Python (or other) script to retrieve the Saved Objects, filter for Saved Searches and then re-execute the searches using the same parameters.

Regards,
Aaron
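
A sketch of the approach suggested in the answer above, as an added example that is not part of the original posts and not Kibana's own code: it turns a `searchSourceJSON` string into an Elasticsearch `bool` query body. The function names are hypothetical; non-empty KQL text is not handled, and the legacy `match` / `"type": "phrase"` clauses are rewritten as `match_phrase` on the assumption that the target Elasticsearch version no longer accepts the old form.

```python
import json

# Trimmed copy of the searchSourceJSON from the question (meta reduced).
SAMPLE = json.dumps({
    "index": "a40f4f20-972d-11e9-a4aa-9b663566a96d",
    "query": {"language": "kuery", "query": ""},
    "filter": [
        {"meta": {"disabled": False, "negate": False},
         "query": {"match": {"_type": {"query": "datacenter-patching", "type": "phrase"}}}},
        {"meta": {"disabled": False, "negate": False},
         "query": {"match": {"doc.Patching Status": {"query": "Non-compliant", "type": "phrase"}}}},
    ],
})


def modernize(clause):
    """Rewrite the legacy match/type:phrase form as match_phrase."""
    match = clause.get("match")
    if isinstance(match, dict) and len(match) == 1:
        field, params = next(iter(match.items()))
        if isinstance(params, dict) and params.get("type") == "phrase":
            return {"match_phrase": {field: {"query": params["query"]}}}
    return clause


def search_source_to_body(search_source_json):
    """Return (index-pattern saved-object id, Elasticsearch request body)."""
    src = json.loads(search_source_json)
    bool_q = {"must": [], "filter": [], "must_not": []}
    q = src.get("query") or {}
    text = q.get("query") or ""
    if not text:
        bool_q["must"].append({"match_all": {}})
    elif q.get("language") == "lucene":
        bool_q["must"].append({"query_string": {"query": text}})
    else:  # assumption: KQL text needs a real KQL parser, not handled here
        raise NotImplementedError("non-empty KQL query text is not translated")
    for f in src.get("filter", []):
        meta = f.get("meta", {})
        if meta.get("disabled"):
            continue  # disabled filters are kept in the object but not applied
        if "query" not in f:
            raise ValueError("unsupported filter shape: %r" % meta.get("key"))
        target = "must_not" if meta.get("negate") else "filter"
        bool_q[target].append(modernize(f["query"]))
    return src["index"], {"query": {"bool": bool_q}}


if __name__ == "__main__":
    print(json.dumps(search_source_to_body(SAMPLE)[1], indent=2))
```

The first return value is the id of the index-pattern saved object, not an index name; resolve it to the pattern's title before sending the body to `_search`.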

Hi Aaron,

Thanks for your answer.
What I do now is re-parse the saved search parameters into an Elasticsearch query, which feels dirty.

Is there a way to execute the query directly? (without reparsing the parameters, querystring, filters, aggregations, ...)
