OpenSearch/x-pack/docs/en/watcher/actions/index.asciidoc

111 lines
4.0 KiB
Plaintext
Raw Normal View History

[role="xpack"]
[[actions-index]]
=== Index action
Use the `index` action to index data into Elasticsearch.
See <<index-action-attributes>> for the supported attributes.
==== Configuring index actions
The following snippet shows a simple `index` action definition:
[source,js]
--------------------------------------------------
"actions" : {
"index_payload" : { <1>
"condition": { ... }, <2>
"transform": { ... }, <3>
"index" : {
"index" : "my-index-000001", <4>
"doc_id": "my-id" <5>
}
}
}
--------------------------------------------------
// NOTCONSOLE
<1> The id of the action
<2> An optional <<condition,condition>> to restrict action execution
<3> An optional <<transform,transform>> to transform the payload and prepare the data that should be indexed
<4> The index, alias, or data stream to which the data will be written
<5> An optional `_id` for the document
[[index-action-attributes]]
==== Index action attributes
[options="header"]
|======
|Name |Required | Default | Description
| `index` | yes | - | The index, alias, or data stream to index into.
| `doc_id` | no | - | The optional `_id` of the document.
| `op_type` | no | `index` | The <<docs-index-api-op_type,op_type>> for the index operation.
Must be one of either `index` or `create`. Must be `create` if
`index` is a data stream.
| `execution_time_field` | no | - | The field that will store/index the watch execution
time.
| `timeout` | no | 60s | The timeout for waiting for the index api call to
return. If no response is returned within this time,
the index action times out and fails. This setting
overrides the default timeouts.
| `refresh` | no | - | Optional setting of the {ref}/docs-refresh.html[refresh policy]
for the write request
|======
[[anatomy-actions-index-multi-doc-support]]
==== Multi-document support
Like with all other actions, you can use a <<transform, transform>> to replace
the current execution context payload with another and by that change the document
that will end up indexed.
The index action plays well with transforms with its support for the special `_doc`
payload field.
When resolving the document to be indexed, the index action first looks up for a
`_doc` field in the payload. When not found, the payload is indexed as a single
document.
When a `_doc` field exists, if the field holds an object, it is extracted and indexed
as a single document. If the field holds an array of objects, each object is treated as
a document and the index action indexes all of them in a bulk.
An `_index`, or `_id` value can be added per document to dynamically set the index and ID
of the indexed document.
The following snippet shows a multi-document `index` action definition:
[source,js]
--------------------------------------------------
"actions": {
"index_payload": {
"transform": {
"script": """
def documents = ctx.payload.hits.hits.stream()
.map(hit -> [
"_index": "my-index-000001", <1>
"_id": hit._id, <2>
"severity": "Sev: " + hit._source.severity <3>
])
.collect(Collectors.toList());
return [ "_doc" : documents]; <4>
"""
},
"index": {} <5>
}
}
--------------------------------------------------
// NOTCONSOLE
<1> The document's index
<2> An optional `_id` for the document
<3> A new `severity` field derived from the original document
<4> The payload `_doc` field which is an array of documents
<5> Since the `_index` was informed per document this should be empty