IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

› ›

Set up a data stream

edit

Set up a data stream

edit

To set up a data stream, follow these steps:

Optional: Configure an ILM lifecycle policy

edit

While optional, we recommend you configure an index lifecycle management (ILM) policy to automate the management of your data stream’s backing indices.

In Kibana, open the menu and go to Stack Management > Index Lifecycle Policies. Click Index Lifecycle Policies.

API example

Use the create lifecycle policy API to configure a policy:

PUT /_ilm/policy/my-data-stream-policy
{
  "policy": {
    "phases": {
      "hot": {
        "actions": {
          "rollover": {
            "max_size": "25GB"
          }
        }
      },
      "delete": {
        "min_age": "30d",
        "actions": {
          "delete": {}
        }
      }
    }
  }
}

Create an index template

edit

In Kibana, open the menu and go to Stack Management > Index Management.
In the Index Templates tab, click Create template.
In the Create template wizard, use the Data stream toggle to indicate the template is used for data streams.
Use the wizard to finish defining your template. Specify:
- One or more index patterns that match the data stream’s name.
- Mappings and settings for the stream’s backing indices.
- A priority for the index template
  Elasticsearch has built-in index templates, each with a priority of 100, for the following index patterns:
  
  logs-*-*
  
  metrics-*-*
  
  synthetics-*-*
  
  Elastic Agent uses these templates to create data streams. If you use the Elastic Agent, assign your index templates a priority lower than 100 to avoid overriding the built-in templates.Otherwise, to avoid accidentally applying the built-in templates, do one or more of the following:
  
  To disable all built-in index and component templates, set stack.templates.enabled to false in elasticsearch.yml.
  
  Use a non-overlapping index pattern.
  
  Assign templates with an overlapping pattern a priority higher than 100. For example, if you don’t use the Elastic Agent and want to create a template for the logs-* index pattern, assign your template a priority of 200. This ensures your template is applied instead of the built-in template for logs-*-*.

The Elastic data stream naming scheme

The Elastic Agent uses the Elastic data stream naming scheme to name its data streams. To help you organize your data consistently and avoid naming collisions, we recommend you also use the Elastic naming scheme for your other data streams.

The naming scheme splits data into different data streams based on the following components. Each component corresponds to a constant keyword field defined in the Elastic Common Schema (ECS).

type: Generic type describing the data, such as logs, metrics, or synthetics. Corresponds to the data_stream.type field.
dataset: Describes the ingested data and its structure. Corresponds to the data_stream.dataset field. Defaults to generic.
namespace: User-configurable arbitrary grouping. Corresponds to the data_stream.dataset field. Defaults to default.

The naming scheme separates these components with a - character:

<type>-<dataset>-<namespace>

For example, the Elastic Agent uses the logs-nginx.access-production data stream to store data with a type of logs, a dataset of nginx.access, and a namespace of production. If you use the Elastic Agent to ingest a log file, it stores the data in the logs-generic-default data stream.

For more information about the naming scheme and its benefits, see our An introduction to the Elastic data stream naming scheme blog post.

Every document indexed to a data stream must contain a @timestamp field, mapped as a date or date_nanos field type. If the index template doesn’t specify a mapping for the @timestamp field, Elasticsearch maps @timestamp as a date field with default options.

If using ILM, specify your lifecycle policy in the index.lifecycle.name setting.

Carefully consider your template’s mappings and settings. Later changes may require reindexing. See Change mappings and settings for a data stream.

API example

Use the put index template API to create an index template. The template must include an empty data_stream object, indicating it’s used for data streams.

PUT /_index_template/my-data-stream-template
{
  "index_patterns": [ "my-data-stream*" ],
  "data_stream": { },
  "priority": 200,
  "template": {
    "settings": {
      "index.lifecycle.name": "my-data-stream-policy"
    }
  }
}

Create the data stream

edit

To automatically create the data stream, submit an indexing request to the stream. The stream’s name must match one of your template’s index patterns.

POST /my-data-stream/_doc/
{
  "@timestamp": "2020-12-06T11:04:05.000Z",
  "user": {
    "id": "vlb44hny"
  },
  "message": "Login attempt failed"
}

You can also use the create data stream API to manually create the data stream. The stream’s name must match one of your template’s index patterns.

PUT /_data_stream/my-data-stream

Secure the data stream

edit

To control access to the data stream and its data, use Elasticsearch’s security features.

Get information about a data stream

edit

In Kibana, open the menu and go to Stack Management > Index Management. In the Data Streams tab, click the data stream’s name.

API example

Use the get data stream API to retrieve information about one or more data streams:

GET /_data_stream/my-data-stream

Delete a data stream

edit

To delete a data stream and its backing indices, open the Kibana menu and go to Stack Management > Index Management. In the Data Streams tab, click the trash can icon.

API example

Use the delete data stream API to delete a data stream and its backing indices:

DELETE /_data_stream/my-data-stream

« Data streams Use a data stream »