2020-07-09 13:12:38 -04:00
|
|
|
|
[role="xpack"]
|
2020-06-05 10:10:03 -04:00
|
|
|
|
[[data-streams]]
|
2020-06-10 14:03:46 -04:00
|
|
|
|
= Data streams
|
2020-06-11 11:32:09 -04:00
|
|
|
|
++++
|
|
|
|
|
|
<titleabbrev>Data streams</titleabbrev>
|
|
|
|
|
|
++++
|
2020-06-05 10:10:03 -04:00
|
|
|
|
|
2020-10-24 17:06:30 -04:00
|
|
|
|
A data stream lets you store append-only time series
|
2020-10-24 14:39:13 -04:00
|
|
|
|
data across multiple indices while giving you a single named resource for
|
|
|
|
|
|
requests. Data streams are well-suited for logs, events, metrics, and other
|
|
|
|
|
|
continuously generated data.
|
2020-06-05 10:10:03 -04:00
|
|
|
|
|
2020-06-11 11:32:09 -04:00
|
|
|
|
You can submit indexing and search requests directly to a data stream. The
|
2020-10-24 14:39:13 -04:00
|
|
|
|
stream automatically routes the request to backing indices that store the
|
|
|
|
|
|
stream's data. You can use <<index-lifecycle-management,{ilm} ({ilm-init})>> to
|
|
|
|
|
|
automate the management of these backing indices. For example, you can use
|
|
|
|
|
|
{ilm-init} to automatically move older backing indices to less expensive
|
|
|
|
|
|
hardware and delete unneeded indices. {ilm-init} can help you reduce costs and
|
|
|
|
|
|
overhead as your data grows.
|
2020-06-10 14:03:46 -04:00
|
|
|
|
|
|
|
|
|
|
[discrete]
|
2020-07-21 17:04:13 -04:00
|
|
|
|
[[backing-indices]]
|
|
|
|
|
|
== Backing indices
|
2020-06-10 14:03:46 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
A data stream consists of one or more <<index-hidden,hidden>>, auto-generated
|
|
|
|
|
|
backing indices.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
image::images/data-streams/data-streams-diagram.svg[align="center"]
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 19:49:30 -04:00
|
|
|
|
Each data stream requires a matching <<indices-templates,index template>>. The
|
|
|
|
|
|
template contains the mappings and settings used to configure the stream's
|
|
|
|
|
|
backing indices.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
Every document indexed to a data stream must contain a `@timestamp` field,
|
|
|
|
|
|
mapped as a <<date,`date`>> or <<date_nanos,`date_nanos`>> field type. If the
|
|
|
|
|
|
index template doesn't specify a mapping for the `@timestamp` field, {es} maps
|
|
|
|
|
|
`@timestamp` as a `date` field with default options.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
The same index template can be used for multiple data streams. You cannot
|
|
|
|
|
|
delete an index template in use by a data stream.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
|
|
|
|
|
[discrete]
|
|
|
|
|
|
[[data-stream-read-requests]]
|
|
|
|
|
|
== Read requests
|
|
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
When you submit a read request to a data stream, the stream routes the request
|
|
|
|
|
|
to all its backing indices.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
|
|
|
|
|
image::images/data-streams/data-streams-search-request.svg[align="center"]
|
|
|
|
|
|
|
|
|
|
|
|
[discrete]
|
|
|
|
|
|
[[data-stream-write-index]]
|
|
|
|
|
|
== Write index
|
|
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
The most recently created backing index is the data stream’s write index.
|
|
|
|
|
|
The stream adds new documents to this index only.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
|
|
|
|
|
image::images/data-streams/data-streams-index-request.svg[align="center"]
|
|
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
You cannot add new documents to other backing indices, even by sending requests
|
|
|
|
|
|
directly to the index.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
You also cannot perform operations on a write index that may hinder indexing,
|
|
|
|
|
|
such as:
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
|
|
|
|
|
* <<indices-clone-index,Clone>>
|
|
|
|
|
|
* <<indices-close,Close>>
|
|
|
|
|
|
* <<indices-delete-index,Delete>>
|
|
|
|
|
|
* <<freeze-index-api,Freeze>>
|
|
|
|
|
|
* <<indices-shrink-index,Shrink>>
|
|
|
|
|
|
* <<indices-split-index,Split>>
|
|
|
|
|
|
|
|
|
|
|
|
[discrete]
|
|
|
|
|
|
[[data-streams-rollover]]
|
|
|
|
|
|
== Rollover
|
|
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
When you create a data stream, {es} automatically creates a backing index for
|
|
|
|
|
|
the stream. This index also acts as the stream's first write index. A
|
|
|
|
|
|
<<indices-rollover-index,rollover>> creates a new backing index that becomes the
|
|
|
|
|
|
stream's new write index.
|
|
|
|
|
|
|
|
|
|
|
|
We recommend using <<index-lifecycle-management,{ilm-init}>> to automatically
|
|
|
|
|
|
roll over data streams when the write index reaches a specified age or size.
|
|
|
|
|
|
If needed, you can also <<manually-roll-over-a-data-stream,manually roll over>>
|
|
|
|
|
|
a data stream.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
[discrete]
|
|
|
|
|
|
[[data-streams-generation]]
|
|
|
|
|
|
== Generation
|
|
|
|
|
|
|
|
|
|
|
|
Each data stream tracks its generation: a six-digit, zero-padded integer that
|
|
|
|
|
|
acts as a cumulative count of the stream's rollovers, starting at `000001`.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
When a backing index is created, the index is named using the following
|
|
|
|
|
|
convention:
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
[source,text]
|
|
|
|
|
|
----
|
|
|
|
|
|
.ds-<data-stream>-<generation>
|
|
|
|
|
|
----
|
|
|
|
|
|
|
|
|
|
|
|
Backing indices with a higher generation contain more recent data. For example,
|
|
|
|
|
|
the `web-server-logs` data stream has a generation of `34`. The stream's most
|
|
|
|
|
|
recent backing index is named `.ds-web-server-logs-000034`.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
Some operations, such as a <<indices-shrink-index,shrink>> or
|
|
|
|
|
|
<<snapshots-restore-snapshot,restore>>, can change a backing index's name.
|
|
|
|
|
|
These name changes do not remove a backing index from its data stream.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
|
|
|
|
|
[discrete]
|
|
|
|
|
|
[[data-streams-append-only]]
|
|
|
|
|
|
== Append-only
|
|
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
Data streams are designed for use cases where existing data is rarely,
|
|
|
|
|
|
if ever, updated. You cannot send update or deletion requests for existing
|
|
|
|
|
|
documents directly to a data stream. Instead, use the
|
|
|
|
|
|
<<update-docs-in-a-data-stream-by-query,update by query>> and
|
|
|
|
|
|
<<delete-docs-in-a-data-stream-by-query,delete by query>> APIs.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
If needed, you can <<update-delete-docs-in-a-backing-index,update or delete
|
|
|
|
|
|
documents>> by submitting requests directly to the document's backing index.
|
2020-07-21 17:04:13 -04:00
|
|
|
|
|
2020-10-24 14:39:13 -04:00
|
|
|
|
TIP: If you frequently update or delete existing documents, use an
|
|
|
|
|
|
<<indices-add-alias,index alias>> and <<indices-templates,index template>>
|
|
|
|
|
|
instead of a data stream. You can still use
|
|
|
|
|
|
<<index-lifecycle-management,{ilm-init}>> to manage indices for the alias.
|
2020-06-11 11:32:09 -04:00
|
|
|
|
|
2020-06-10 14:03:46 -04:00
|
|
|
|
include::set-up-a-data-stream.asciidoc[]
|
|
|
|
|
|
include::use-a-data-stream.asciidoc[]
|
2020-06-16 16:20:32 -04:00
|
|
|
|
include::change-mappings-and-settings.asciidoc[]
|
