Find users with a query | Elasticsearch API documentation

Find users with a query Generally available; Added in 8.14.0

POST /_security/_query/user

Api key auth Basic auth Bearer auth

All methods and paths for this operation:

GET /_security/_query/user

POST /_security/_query/user

Get information for users in a paginated manner. You can optionally filter the results with a query.

NOTE: As opposed to the get user API, built-in users are excluded from the result. This API is only for native users.

highlight#highlightFromAnchor" href="#topic-required-authorization"> Required authorization

Cluster privileges: read_security

Query parameters

with_profile_uid boolean

Determines whether to retrieve the user profile UID, if it exists, for the users.

application/json

Body

query object
details#setActive"> Hide query attributes Show query attributes object
- ids
- bool
- exists
- match object
  
  Returns users that match a provided text, number, date or boolean value. The provided text is analyzed before matching.
- match_all
- prefix object
  
  Returns users that contain a specific prefix in a provided field.
- range object
  
  Returns users that contain terms within a provided range.
- simple_query_string
- term object
  
  Returns users that contain an exact term in a provided field. To return a document, the query term must exactly match the queried field's value, including whitespace and capitalization.
- terms
- wildcard object
  
  Returns users that contain terms matching a wildcard pattern.
from number

The starting document offset. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

Default value is 0.
sort string | object | array[string | object]
alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
One of:
tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json" role="tab" aria-controls="operation-security-query-user-body-application-json" tabindex="0"> Field string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-sortoptions-object" role="tab" aria-controls="operation-security-query-user-body-application-json-sortoptions-object" tabindex="0"> SortOptions object tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-array-2-array-string-object" role="tab" aria-controls="operation-security-query-user-body-application-json-array-2-array-string-object" tabindex="0"> array-2 array[string | object]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
details#setActive"> Hide attributes Show attributes

_score object

details#setActive"> Hide _score attribute Show _score attribute object

order string

Values are asc or desc.

_doc object

details#setActive"> Hide _doc attribute Show _doc attribute object

order string

Values are asc or desc.

_geo_distance object

details#setActive"> Hide _geo_distance attributes Show _geo_distance attributes object

mode string

Values are min, max, sum, avg, or median.

distance_type string

Values are arc or plane.

ignore_unmapped boolean

order string

Values are asc or desc.

unit string

Values are in, ft, yd, mi, nmi, km, m, cm, or mm.

nested object

details#setActive"> Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

_script object

details#setActive"> Hide _script attributes Show _script attributes object

order string

Values are asc or desc.

script object Required

details#setActive"> Hide script attributes Show script attributes object

source string | object

alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
One of:
tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-sortoptions-object-_script-script" role="tab" aria-controls="operation-security-query-user-body-application-json-sortoptions-object-_script-script" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-sortoptions-object-_script-script-searchrequestbody-object" role="tab" aria-controls="operation-security-query-user-body-application-json-sortoptions-object-_script-script-searchrequestbody-object" tabindex="0"> SearchRequestBody object

id string

params object

Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

details#setActive"> Hide params attribute Show params attribute object

* object Additional properties

lang string

alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
Any of:
tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-sortoptions-object-_script-script" role="tab" aria-controls="operation-security-query-user-body-application-json-sortoptions-object-_script-script" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-sortoptions-object-_script-script-string-2-string" role="tab" aria-controls="operation-security-query-user-body-application-json-sortoptions-object-_script-script-string-2-string" tabindex="0"> string-2 string

Values are painless, expression, mustache, or java.

options object

details#setActive"> Hide options attribute Show options attribute object

* string Additional properties

type string

Values are string, number, or version.

mode string

Values are min, max, sum, avg, or median.

nested object

details#setActive"> Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
One of:
tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-array-2-array-string-object" role="tab" aria-controls="operation-security-query-user-body-application-json-array-2-array-string-object" tabindex="0"> Field string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-body-application-json-array-2-array-string-object-sortoptions-object" role="tab" aria-controls="operation-security-query-user-body-application-json-array-2-array-string-object-sortoptions-object" tabindex="0"> SortOptions object

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

details#setActive"> Hide attributes Show attributes

_score object

details#setActive"> Hide _score attribute Show _score attribute object

order string

Values are asc or desc.

_doc object

details#setActive"> Hide _doc attribute Show _doc attribute object

order string

Values are asc or desc.

_geo_distance object

details#setActive"> Hide _geo_distance attributes Show _geo_distance attributes object

mode string

Values are min, max, sum, avg, or median.

distance_type string

Values are arc or plane.

ignore_unmapped boolean

order string

Values are asc or desc.

unit string

Values are in, ft, yd, mi, nmi, km, m, cm, or mm.

nested object

details#setActive"> Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

_script object

details#setActive"> Hide _script attributes Show _script attributes object

order string

Values are asc or desc.

script object Required

details#setActive"> Hide script attributes Show script attributes object

source

id string

params object

Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

lang

options object

type string

Values are string, number, or version.

mode string

Values are min, max, sum, avg, or median.

nested object

details#setActive"> Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
size number

The number of hits to return. It must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.

Default value is 10.
search_after array[number | string | boolean | null]

A field value.

Responses

200 application/json
details#setActive"> Hide response attributes Show response attributes object
- total number Required
  
  The total number of users found.
- count number Required
  
  The number of users returned in the response.
- users array[object] Required
  
  A list of users that match the query.
  
  details#setActive"> Hide users attributes Show users attributes object
  
  email string | null
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-200-body-application-json-users-email" role="tab" aria-controls="operation-security-query-user-200-body-application-json-users-email" tabindex="0"> string-1 string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-200-body-application-json-users-string-2-email-string-null" role="tab" aria-controls="operation-security-query-user-200-body-application-json-users-string-2-email-string-null" tabindex="0"> string-2 string | null
  
  full_name string | null
  
  alternative#change alternative:form->explorer-send-request#updateRequest" data-tabs-scroll="true">
  One of:
  tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-200-body-application-json-users-full_name" role="tab" aria-controls="operation-security-query-user-200-body-application-json-users-full_name" tabindex="0"> Name string tabs#change click->alternative#change " data-tabs-target="tab" href="#operation-security-query-user-200-body-application-json-users-string-2-full_name-string-null" role="tab" aria-controls="operation-security-query-user-200-body-application-json-users-string-2-full_name-string-null" tabindex="0"> string-2 string | null
  
  metadata object Required
  
  details#setActive"> Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  roles array[string] Required
  
  username string Required
  
  enabled boolean Required
  
  profile_uid string
  
  _sort array[number | string | boolean | null]
  
  A field value.

POST /_security/_query/user

POST /_security/_query/user?with_profile_uid=true
{
    "query": {
        "prefix": {
            "roles": "other"
        }
    }
}

resp = client.security.query_user(
    with_profile_uid=True,
    query={
        "prefix": {
            "roles": "other"
        }
    },
)

const response = await client.security.queryUser({
  with_profile_uid: "true",
  query: {
    prefix: {
      roles: "other",
    },
  },
});

response = client.security.query_user(
  with_profile_uid: "true",
  body: {
    "query": {
      "prefix": {
        "roles": "other"
      }
    }
  }
)

$resp = $client->security()->queryUser([
    "with_profile_uid" => "true",
    "body" => [
        "query" => [
            "prefix" => [
                "roles" => "other",
            ],
        ],
    ],
]);

curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"query":{"prefix":{"roles":"other"}}}' "$ELASTICSEARCH_URL/_security/_query/user?with_profile_uid=true"

client.security().queryUser(q -> q
    .query(qu -> qu
        .prefix(p -> p
            .field("roles")
            .value("other")
        )
    )
    .withProfileUid(true)
);

Request examples

Run `POST /_security/_query/user?with_profile_uid=true` to get users that have roles that are prefixed with `other`. It will also include the user `profile_uid` in the response.

{
    "query": {
        "prefix": {
            "roles": "other"
        }
    }
}

Run `POST /_security/_query/user`. Use a `bool` query to issue complex logical conditions: The `email` must end with `example.com`. The user must be enabled. The result will be filtered to only contain users with at least one role that contains the substring `other`. The offset to begin the search result is the second (zero-based index) user. The page size of the response is two users. The result is sorted by `username` in descending order.

{
  "query": {
    "bool": {
      "must": [
        {
          "wildcard": {
            "email": "*example.com" 
          }
        },
        {
          "term": {
            "enabled": true 
          }
        }
      ],
      "filter": [
        {
          "wildcard": {
            "roles": "*other*" 
          }
        }
      ]
    }
  },
  "from": 1, 
  "size": 2, 
  "sort": [
    { "username": { "order": "desc"} } 
  ]
}

Response examples (200)

A successful response from `POST /_security/_query/user?with_profile_uid=true` that contains users that have roles that are prefixed with `other`. It also includes the user `profile_uid` in the response.

{
    "total": 1,
    "count": 1,
    "users": [
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "profile_uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0"
        }
    ]
}

A successful response from `POST /_security/_query/user` that uses a `bool` query to issue complex logical conditions and uses `from`, `size`, and `sort` to help paginate the result. The sort value is `username`.

{
    "total": 5,
    "count": 2,
    "users": [
        {
            "username": "ray",
            "roles": [
                "other_role3"
            ],
            "full_name": "Ray Nicholson",
            "email": "rayn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "ray" 
            ]
        },
        {
            "username": "lorraine",
            "roles": [
                "other_role3"
            ],
            "full_name": "Lorraine Nicholson",
            "email": "lorraine@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true,
            "_sort": [
                "lorraine"
            ]
        }
    ]
}

A successful response from `GET /_security/_query/user`, which lists all users. It returns a JSON structure that contains the information retrieved from one or more users.

{
    "total": 2,
    "count": 2,
    "users": [ 
        {
            "username": "jacknich",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Jack Nicholson",
            "email": "jacknich@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        },
        {
            "username": "sandrakn",
            "roles": [
                "admin",
                "other_role1"
            ],
            "full_name": "Sandra Knight",
            "email": "sandrakn@example.com",
            "metadata": {
                "intelligence": 7
            },
            "enabled": true
        }
    ]
}

Find users with a query Generally available; Added in 8.14.0

highlight#highlightFromAnchor" href="#topic-required-authorization"> Required authorization

Query parameters

Body

sort string | object | array[string | object]

source string | object

lang string

Responses

email string | null

full_name string | null