WARNING: Version 5.4 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Create Datafeeds
The create datafeed API enables you to instantiate a datafeed.
Request
PUT _xpack/ml/datafeeds/<feed_id>
Description
You must create a job before you create a datafeed. You can associate only one datafeed to each job.
Path Parameters
- feed_id (required): (string) A numerical character string that uniquely identifies the datafeed.
Request Body
- aggregations: (object) If set, the datafeed performs aggregation searches. For more information, see Datafeed Resources.
- chunking_config: (object) Specifies how data searches are split into time chunks. See Chunking Configuration Objects.
- frequency: (time units) The interval at which scheduled queries are made while the datafeed runs in real time. The default value is either the bucket span for short bucket spans, or, for longer bucket spans, a sensible fraction of the bucket span. For example: 150s.
- indexes (required): (array) An array of index names. Wildcards are supported. For example: ["it_ops_metrics", "server*"].
- job_id (required): (string) A numerical character string that uniquely identifies the job.
- query: (object) The Elasticsearch query domain-specific language (DSL). This value corresponds to the query object in an Elasticsearch search POST body. All the options that are supported by Elasticsearch can be used, as this object is passed verbatim to Elasticsearch. By default, this property has the following value: {"match_all": {"boost": 1}}.
- query_delay: (time units) The number of seconds behind real time that data is queried. For example, if data from 10:04 a.m. might not be searchable in Elasticsearch until 10:06 a.m., set this property to 120 seconds. The default value is 60s.
- script_fields: (object) Specifies scripts that evaluate custom expressions and return script fields to the datafeed. The detector configuration objects in a job can contain functions that use these script fields. For more information, see Script Fields.
- scroll_size: (unsigned integer) The size parameter that is used in Elasticsearch searches. The default value is 1000.
- types (required): (array) A list of types to search for within the specified indices. For example: ["network","sql","kpi"].
For more information about these properties, see Datafeed Resources.
Authorization
You must have manage_ml, or manage cluster privileges to use this API.
For more information, see Cluster Privileges.
Examples
The following example creates the datafeed-it-ops-kpi datafeed:
PUT _xpack/ml/datafeeds/datafeed-it-ops-kpi
{
  "job_id": "it-ops-kpi",
  "indexes": ["it_ops_metrics"],
  "types": ["kpi","network","sql"],
  "query": {
    "match_all": {
      "boost": 1
    }
  }
}
When the datafeed is created, you receive the following results:
{
  "datafeed_id": "datafeed-it-ops-kpi",
  "job_id": "it-ops-kpi",
  "query_delay": "1m",
  "indexes": [
    "it_ops_metrics"
  ],
  "types": [
    "kpi",
    "network",
    "sql"
  ],
  "query": {
    "match_all": {
      "boost": 1
    }
  },
  "scroll_size": 1000,
  "chunking_config": {
    "mode": "auto"
  }
}
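Added example (not part of the Elastic documentation): a pre-flight check for a create-datafeed request body, built from the Request Body properties listed above. It rejects bodies that miss required properties and flags the settings that widen what the datafeed reads or runs (wildcard index patterns, script_fields, a non-default query). The function name check_datafeed and the time-value pattern are assumptions of this example.

```python
import re

# Assumption: time values such as "150s" or "1m" use Elasticsearch time units.
TIME_VALUE = re.compile(r"^\d+(nanos|micros|ms|s|m|h|d)$")
REQUIRED = ("job_id", "indexes", "types")
KNOWN = set(REQUIRED) | {"aggregations", "chunking_config", "frequency", "query",
                         "query_delay", "script_fields", "scroll_size"}
DEFAULT_QUERY = {"match_all": {"boost": 1}}  # default stated on this page

def check_datafeed(body):
    """Return (errors, warnings) for a create-datafeed request body (hypothetical helper)."""
    errors, warnings = [], []
    for key in REQUIRED:
        if not body.get(key):
            errors.append("missing required property: " + key)
    for key in sorted(set(body) - KNOWN):
        errors.append("unknown property: " + key)
    for key in ("indexes", "types"):
        value = body.get(key, [])
        if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            errors.append(key + " must be an array of strings")
    for key in ("frequency", "query_delay"):
        if key in body and not TIME_VALUE.match(str(body[key])):
            errors.append(key + " is not a time value: %r" % (body[key],))
    size = body.get("scroll_size", 1000)
    if isinstance(size, bool) or not isinstance(size, int) or size < 0:
        errors.append("scroll_size must be an unsigned integer")
    # Review points: settings that widen what the datafeed reads or executes.
    indexes = body.get("indexes")
    for name in indexes if isinstance(indexes, list) else []:
        if isinstance(name, str) and "*" in name:
            warnings.append("wildcard index pattern: " + name)
    if "script_fields" in body:
        warnings.append("script_fields present: review the scripts")
    if body.get("query", DEFAULT_QUERY) != DEFAULT_QUERY:
        warnings.append("custom query is passed verbatim to Elasticsearch")
    return errors, warnings

# Request body from the example on this page.
PAGE_EXAMPLE = {"job_id": "it-ops-kpi", "indexes": ["it_ops_metrics"],
                "types": ["kpi", "network", "sql"],
                "query": {"match_all": {"boost": 1}}}
# Constructed sample: no types, a wildcard index, bad delay and size, a script field.
CONSTRUCTED = {"job_id": "it-ops-kpi", "indexes": ["it_ops_metrics", "server*"],
               "query_delay": "120", "scroll_size": -5,
               "script_fields": {"total": {"script": "1"}}}

if __name__ == "__main__":
    print(check_datafeed(PAGE_EXAMPLE), check_datafeed(CONSTRUCTED))
```

Run such a check in change review before the PUT is issued, so that a datafeed reaching beyond its intended indices is caught by someone other than the holder of the manage_ml privilege.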