Searches reference
COMMERCIAL FEATURE: Access the web UI in the packaged Sensu Go distribution. For more information, read Get started with commercial features.
With the saved searches feature in the web UI, you can apply search parameters to your entities, events, and resources and save them to etcd in a namespaced resource named searches.
The saved searches feature is designed to be used directly in the web UI. However, you can create, retrieve, update, and delete saved searches with enterprise/searches/v1 API endpoints.
Search for events with any status except passing
The following saved search will retrieve all events that have any status except passing:
YMLJSON
---
type: Search
api_version: searches/v1
metadata:
name: events-not-passing
spec:
parameters:
- status:incident
- status:warning
- status:critical
- status:unknown
resource: core.v2/Event{
"type": "Search",
"api_version": "searches/v1",
"metadata": {
"name": "events-not-passing"
},
"spec": {
"parameters": [
"status:incident",
"status:warning",
"status:critical",
"status:unknown"
],
"resource": "core.v2/Event"
}
}Search for published checks with a specific subscription and region
The following saved search will retrieve all published checks for the us-west-1 region with the linux subscription:
YMLJSON
---
type: Search
api_version: searches/v1
metadata:
name: published-checks-linux-uswest
spec:
parameters:
- published:true
- subscription:linux
- 'labelSelector: region == "us-west-1"'
resource: core.v2/CheckConfig{
"type": "Search",
"api_version": "searches/v1",
"metadata": {
"name": "published-checks-linux-uswest"
},
"spec": {
"parameters": [
"published:true",
"subscription:linux",
"labelSelector: region == \"us-west-1\""
],
"resource": "core.v2/CheckConfig"
}
}Search specification
Top-level attributes
| api_version | |
|---|---|
| description | Top-level attribute that specifies the Sensu API group and version. For searches in this version of Sensu, the api_version should always be searches/v1. |
| required | Required for search entry definitions in wrapped-json or yaml format for use with sensuctl create. |
| type | String |
| example | YMLJSON
|
| metadata | |
|---|---|
| description | Top-level collection of metadata about the search that includes name and namespace. The metadata map is always at the top level of the search definition. This means that in wrapped-json and yaml formats, the metadata scope occurs outside the spec scope. Read metadata attributes for details. |
| required | Required for search entry definitions in wrapped-json or yaml format for use with sensuctl create. |
| type | Map of key-value pairs |
| example | YMLJSON
|
| spec | |
|---|---|
| description | Top-level map that includes the search spec attributes. The spec contents will depend on the search parameters you apply and save. |
| required | Required for silences in wrapped-json or yaml format for use with sensuctl create. |
| type | Map of key-value pairs |
| example | YMLJSON
|
| type | |
|---|---|
| description | Top-level attribute that specifies the sensuctl create resource type. Searches should always be type Search. |
| required | Required for search entry definitions in wrapped-json or yaml format for use with sensuctl create. |
| type | String |
| example | YMLJSON
|
Metadata attributes
| name | |
|---|---|
| description | Search identifier generated from the combination of a subscription name and check name. |
| required | true |
| type | String |
| example | YMLJSON
|
| namespace | |
|---|---|
| description | Sensu RBAC namespace that the search belongs to. |
| required | false |
| type | String |
| default | default |
| example | YMLJSON
|
Spec attributes
| parameters | |
|---|---|
| description | Parameters the search will apply. |
| required | true |
| type | Array |
| example | YMLJSON
|
| resource | |
|---|---|
| description | Fully qualified name of the resource included in the search. |
| required | true |
| type | String |
| example | YMLJSON
|
Parameters
| action | |
|---|---|
| description | For event filter searches, the type of filter to include in the search: allow or deny. |
| required | false |
| type | String |
| example | YMLJSON
|
| check | |
|---|---|
| description | Name of the check to include in the search. |
| required | false |
| type | String |
| example | YMLJSON
|
| class | |
|---|---|
| description | For entity searches, the entity class to include in the search: agent or proxy. |
| required | false |
| type | String |
| example | YMLJSON
|
| entity | |
|---|---|
| description | Name of the entity to include in the search. |
| required | false |
| type | String |
| example | YMLJSON
|
| event | |
|---|---|
| description | Name of the event to include in the search. |
| required | false |
| type | String |
| example | YMLJSON
|
| published | |
|---|---|
| description | If true, the search will include only published resources. Otherwise, false. |
| required | false |
| type | Boolean |
| example | YMLJSON
|
| silenced | |
|---|---|
| description | If true, the search will include only silenced events. Otherwise, false. |
| required | false |
| type | Boolean |
| example | YMLJSON
|
| status | |
|---|---|
| description | Status of the events, entities, or resources to include in the search. |
| required | false |
| type | String |
| example | YMLJSON
|
| subscription | |
|---|---|
| description | Name of the subscription to include in the search. |
| required | false |
| type | String |
| example | YMLJSON
|
| type | |
|---|---|
| description | For handler searches, the type of hander to include in the search: pipe, set, tcp, or udp. |
| required | false |
| type | String |
| example | YMLJSON
|
