[role="xpack"]
[[use-a-data-stream]]
== Use a data stream

After you <<set-up-a-data-stream,set up a data stream>>, you can do
the following:

* <<add-documents-to-a-data-stream>>
* <<search-a-data-stream>>
* <<get-stats-for-a-data-stream>>
* <<manually-roll-over-a-data-stream>>
* <<open-closed-backing-indices>>
* <<reindex-with-a-data-stream>>
* <<update-docs-in-a-data-stream-by-query>>
* <<delete-docs-in-a-data-stream-by-query>>
* <<update-delete-docs-in-a-backing-index>>

////
[source,console]
----
PUT /_index_template/my-data-stream-template
{
  "index_patterns": [ "my-data-stream*" ],
  "data_stream": { }
}

PUT /_data_stream/my-data-stream

POST /my-data-stream/_rollover/

POST /my-data-stream/_rollover/

PUT /my-data-stream/_create/bfspvnIBr7VVZlfp2lqX?refresh=wait_for
{
  "@timestamp": "2020-12-07T11:06:07.000Z",
  "user": {
    "id": "yWIumJd7"
  },
  "message": "Login successful"
}

PUT /_data_stream/my-data-stream-alt
----
// TESTSETUP

[source,console]
----
DELETE /_data_stream/*

DELETE /_index_template/*
----
// TEARDOWN
////

[discrete]
[[add-documents-to-a-data-stream]]
=== Add documents to a data stream

To add an individual document, use the <<docs-index_,index API>>.
<<ingest,Ingest pipelines>> are supported.

[source,console]
----
POST /my-data-stream/_doc/
{
  "@timestamp": "2020-12-07T11:06:07.000Z",
  "user": {
    "id": "8a4f500d"
  },
  "message": "Login successful"
}
----

You cannot add new documents to a data stream using the index API's `PUT
/<target>/_doc/<_id>` request format. To specify a document ID, use the `PUT
/<target>/_create/<_id>` format instead. Only an
<<docs-index-api-op_type,`op_type`>> of `create` is supported.

To add multiple documents with a single request, use the <<docs-bulk,bulk API>>.
Only `create` actions are supported.

[source,console]
----
PUT /my-data-stream/_bulk?refresh
{"create":{ }}
{ "@timestamp": "2020-12-08T11:04:05.000Z", "user": { "id": "vlb44hny" }, "message": "Login attempt failed" }
{"create":{ }}
{ "@timestamp": "2020-12-08T11:06:07.000Z", "user": { "id": "8a4f500d" }, "message": "Login successful" }
{"create":{ }}
{ "@timestamp": "2020-12-09T11:07:08.000Z", "user": { "id": "l7gk7f82" }, "message": "Logout successful" }
----
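The two rules above (only `create` is accepted, whether through the index API or a bulk request, and a bulk body is NDJSON with one action line per document) are easy to get wrong in a client, and the server-side rejection arrives only after the whole body has been sent. The following Python is an added example, not code from the Elasticsearch documentation: it builds the body that `PUT /my-data-stream/_bulk` expects and pre-checks any bulk body for actions a data stream would refuse. The stream name, field names and document shapes are the page's; `build_data_stream_bulk`, `find_disallowed_actions`, the sample documents and the mixed body are this example's own.

```python
# Added example (not from the Elasticsearch documentation): build and pre-check
# the NDJSON body for `PUT /my-data-stream/_bulk`. Stream and field names come
# from the page; the function names and sample data are hypothetical.
import json
from typing import Dict, List, Optional, Sequence, Tuple

# Data streams are append-only: `create` is the only bulk action they accept.
ALLOWED_BULK_ACTIONS = {"create"}

# Constructed sample documents, matching the shape used on the page.
SAMPLE_DOCS: List[Dict] = [
    {"@timestamp": "2020-12-08T11:04:05.000Z", "user": {"id": "vlb44hny"}, "message": "Login attempt failed"},
    {"@timestamp": "2020-12-08T11:06:07.000Z", "user": {"id": "8a4f500d"}, "message": "Login successful"},
    {"@timestamp": "2020-12-09T11:07:08.000Z", "user": {"id": "l7gk7f82"}, "message": "Logout successful"},
]


def build_data_stream_bulk(docs: Sequence[Dict],
                           doc_ids: Optional[Sequence[Optional[str]]] = None) -> str:
    """Return an NDJSON bulk body with one `create` action line per document.

    Every document must carry `@timestamp`, which data streams require.
    An explicit `_id` is optional: with it, a duplicate id is rejected rather
    than silently overwritten, which is what `create` guarantees.
    """
    lines = []
    for i, doc in enumerate(docs):
        if "@timestamp" not in doc:
            raise ValueError(f"document {i} has no @timestamp field")
        action: Dict[str, Dict] = {"create": {}}
        if doc_ids is not None and doc_ids[i] is not None:
            action["create"]["_id"] = doc_ids[i]
        lines.append(json.dumps(action, separators=(",", ":")))
        lines.append(json.dumps(doc, separators=(",", ":")))
    return "\n".join(lines) + "\n"  # a bulk body must end with a newline


def find_disallowed_actions(ndjson: str) -> List[Tuple[int, str]]:
    """Walk a bulk body and return (line number, action) for each non-`create` action.

    Bulk grammar: an action line is followed by one source line, except for
    `delete`, which stands alone. A naive pairwise walk would misread the line
    after a `delete` as a document and mis-pair everything that follows.
    """
    lines = ndjson.splitlines()
    problems: List[Tuple[int, str]] = []
    i = 0
    while i < len(lines):
        if not lines[i].strip():
            i += 1
            continue
        (action, _meta), = json.loads(lines[i]).items()  # exactly one key per action line
        if action not in ALLOWED_BULK_ACTIONS:
            problems.append((i + 1, action))
        i += 1 if action == "delete" else 2
    return problems


# Constructed body mixing in the actions a data stream rejects (`index`, `delete`).
MIXED_BODY = "\n".join([
    '{"create":{}}',
    '{"@timestamp":"2020-12-08T11:04:05.000Z","message":"Login attempt failed"}',
    '{"index":{"_id":"abc123"}}',
    '{"@timestamp":"2020-12-08T11:04:05.000Z","message":"edited"}',
    '{"delete":{"_id":"abc123"}}',
    '{"create":{}}',
    '{"@timestamp":"2020-12-09T11:07:08.000Z","message":"Logout successful"}',
]) + "\n"


if __name__ == "__main__":
    body = build_data_stream_bulk(SAMPLE_DOCS)
    print(body, end="")
    print("disallowed in sample body:", find_disallowed_actions(body))
    print("disallowed in mixed body:", find_disallowed_actions(MIXED_BODY))
```

Run stand-alone, it prints the three-document body and reports lines 3 and 5 of the constructed mixed body as the `index` and `delete` actions a data stream will refuse. Rejecting those on the client keeps an ingestion pipeline from discovering, one failed request at a time, that something upstream has started trying to rewrite or remove records in a stream that is meant to be append-only.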

[discrete]
[[search-a-data-stream]]
=== Search a data stream

The following search APIs support data streams:

* <<search-search, Search>>
* <<async-search, Async search>>
* <<search-multi-search, Multi search>>
* <<search-field-caps, Field capabilities>>
* <<eql-search-api, EQL search>>

[discrete]
[[get-stats-for-a-data-stream]]
=== Get statistics for a data stream

Use the <<data-stream-stats-api,data stream stats API>> to get
statistics for one or more data streams:

[source,console]
----
GET /_data_stream/my-data-stream/_stats?human=true
----

[discrete]
[[manually-roll-over-a-data-stream]]
=== Manually roll over a data stream

Use the <<indices-rollover-index,rollover API>> to manually
<<data-streams-rollover,roll over>> a data stream:

[source,console]
----
POST /my-data-stream/_rollover/
----

[discrete]
[[open-closed-backing-indices]]
=== Open closed backing indices

You cannot search a <<indices-close,closed>> backing index, even by searching
its data stream. You also cannot <<update-docs-in-a-data-stream-by-query,update>>
or <<delete-docs-in-a-data-stream-by-query,delete>> documents in a closed index.

To re-open a closed backing index, submit an <<indices-open-close,open
index API request>> directly to the index:

[source,console]
----
POST /.ds-my-data-stream-000001/_open/
----

To re-open all closed backing indices for a data stream, submit an open index
API request to the stream:

[source,console]
----
POST /my-data-stream/_open/
----

[discrete]
[[reindex-with-a-data-stream]]
=== Reindex with a data stream

Use the <<docs-reindex,reindex API>> to copy documents from an
existing index, index alias, or data stream to a data stream. Because data streams are
<<data-streams-append-only,append-only>>, a reindex into a data stream must use
an `op_type` of `create`. A reindex cannot update existing documents in a data
stream.

////
[source,console]
----
PUT /_bulk?refresh=wait_for
{"create":{"_index" : "archive_1"}}
{ "@timestamp": "2020-12-08T11:04:05.000Z" }
{"create":{"_index" : "archive_2"}}
{ "@timestamp": "2020-12-08T11:06:07.000Z" }
{"create":{"_index" : "archive_2"}}
{ "@timestamp": "2020-12-09T11:07:08.000Z" }
{"create":{"_index" : "archive_2"}}
{ "@timestamp": "2020-12-09T11:07:08.000Z" }

POST /_aliases
{
  "actions" : [
    { "add" : { "index" : "archive_1", "alias" : "archive" } },
    { "add" : { "index" : "archive_2", "alias" : "archive", "is_write_index" : true} }
  ]
}
----
////

[source,console]
----
POST /_reindex
{
  "source": {
    "index": "archive"
  },
  "dest": {
    "index": "my-data-stream",
    "op_type": "create"
  }
}
----
// TEST[continued]

[discrete]
[[update-docs-in-a-data-stream-by-query]]
=== Update documents in a data stream by query

Use the <<docs-update-by-query,update by query API>> to update documents in a
data stream that match a provided query:

[source,console]
----
POST /my-data-stream/_update_by_query
{
  "query": {
    "match": {
      "user.id": "l7gk7f82"
    }
  },
  "script": {
    "source": "ctx._source.user.id = params.new_id",
    "params": {
      "new_id": "XgdX0NoX"
    }
  }
}
----

[discrete]
[[delete-docs-in-a-data-stream-by-query]]
=== Delete documents in a data stream by query

Use the <<docs-delete-by-query,delete by query API>> to delete documents in a
data stream that match a provided query:

[source,console]
----
POST /my-data-stream/_delete_by_query
{
  "query": {
    "match": {
      "user.id": "vlb44hny"
    }
  }
}
----

[discrete]
[[update-delete-docs-in-a-backing-index]]
=== Update or delete documents in a backing index

If needed, you can update or delete documents in a data stream by sending
requests to the backing index containing the document. You'll need:

* The <<mapping-id-field,document ID>>
* The name of the backing index containing the document
* If updating the document, its <<optimistic-concurrency-control,sequence number
and primary term>>

To get this information, use a <<search-a-data-stream,search request>>:

[source,console]
----
GET /my-data-stream/_search
{
  "seq_no_primary_term": true,
  "query": {
    "match": {
      "user.id": "yWIumJd7"
    }
  }
}
----

Response:

[source,console-result]
----
{
  "took": 20,
  "timed_out": false,
  "_shards": {
    "total": 3,
    "successful": 3,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 1,
      "relation": "eq"
    },
    "max_score": 0.2876821,
    "hits": [
      {
        "_index": ".ds-my-data-stream-000003", <1>
        "_type": "_doc",
        "_id": "bfspvnIBr7VVZlfp2lqX", <2>
        "_seq_no": 0, <3>
        "_primary_term": 1, <4>
        "_score": 0.2876821,
        "_source": {
          "@timestamp": "2020-12-07T11:06:07.000Z",
          "user": {
            "id": "yWIumJd7"
          },
          "message": "Login successful"
        }
      }
    ]
  }
}
----
// TESTRESPONSE[s/"took": 20/"took": $body.took/]
// TESTRESPONSE[s/"max_score": 0.2876821/"max_score": $body.hits.max_score/]
// TESTRESPONSE[s/"_score": 0.2876821/"_score": $body.hits.hits.0._score/]

<1> Backing index containing the matching document
<2> Document ID for the document
<3> Current sequence number for the document
<4> Primary term for the document

To update the document, use an <<docs-index_,index API>> request with valid
`if_seq_no` and `if_primary_term` arguments:

[source,console]
----
PUT /.ds-my-data-stream-000003/_doc/bfspvnIBr7VVZlfp2lqX?if_seq_no=0&if_primary_term=1
{
  "@timestamp": "2020-12-07T11:06:07.000Z",
  "user": {
    "id": "8a4f500d"
  },
  "message": "Login successful"
}
----

To delete the document, use the <<docs-delete,delete API>>:

[source,console]
----
DELETE /.ds-my-data-stream-000003/_doc/bfspvnIBr7VVZlfp2lqX
----

To delete or update multiple documents with a single request, use the
<<docs-bulk,bulk API>>'s `delete`, `index`, and `update` actions. For `index`
actions, include valid <<bulk-optimistic-concurrency-control,`if_seq_no` and
`if_primary_term`>> arguments.

[source,console]
----
PUT /_bulk?refresh
{ "index": { "_index": ".ds-my-data-stream-000003", "_id": "bfspvnIBr7VVZlfp2lqX", "if_seq_no": 0, "if_primary_term": 1 } }
{ "@timestamp": "2020-12-07T11:06:07.000Z", "user": { "id": "8a4f500d" }, "message": "Login successful" }
----
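The procedure in this section (search with `seq_no_primary_term`, read `_index`, `_id`, `_seq_no` and `_primary_term` from the hit, then send the guarded write to that backing index) is what a client should automate rather than copy by hand from a response. The following Python is an added example and not code from the Elasticsearch documentation. It uses the search response, backing index name and document ID shown above as constructed input; `locate_document`, `conditional_update_request`, `delete_request`, `bulk_conditional_update_body` and `is_version_conflict` are names of this example's own.

```python
# Added example (not from the Elasticsearch documentation): derive the guarded
# update, delete and bulk requests for a document located by the search above.
# The response, index and id values are copied from the page as constructed
# data; the function names are hypothetical.
import json
from typing import Dict, Tuple
from urllib.parse import urlencode

# Constructed copy of the page's search response, trimmed to the fields used here.
SAMPLE_SEARCH_RESPONSE: Dict = {
    "hits": {
        "total": {"value": 1, "relation": "eq"},
        "hits": [{
            "_index": ".ds-my-data-stream-000003",
            "_id": "bfspvnIBr7VVZlfp2lqX",
            "_seq_no": 0,
            "_primary_term": 1,
            "_source": {"@timestamp": "2020-12-07T11:06:07.000Z",
                        "user": {"id": "yWIumJd7"}, "message": "Login successful"},
        }],
    }
}

# Constructed response with two hits, to exercise the ambiguity check.
AMBIGUOUS_RESPONSE: Dict = {"hits": {"hits": [SAMPLE_SEARCH_RESPONSE["hits"]["hits"][0]] * 2}}

# The replacement document from the page's update example.
NEW_SOURCE = {"@timestamp": "2020-12-07T11:06:07.000Z",
              "user": {"id": "8a4f500d"}, "message": "Login successful"}


def locate_document(search_response: Dict) -> Tuple[str, str, int, int]:
    """Return (backing index, id, seq_no, primary_term) for the one matching hit.

    Exactly one hit is required: writing to "the first of several" matches is
    how the wrong record in a log stream gets altered.
    """
    hits = search_response["hits"]["hits"]
    if len(hits) != 1:
        raise LookupError(f"expected exactly one hit, got {len(hits)}")
    hit = hits[0]
    if "_seq_no" not in hit or "_primary_term" not in hit:
        raise KeyError('search must set "seq_no_primary_term": true')
    return hit["_index"], hit["_id"], hit["_seq_no"], hit["_primary_term"]


def conditional_update_request(search_response: Dict, new_source: Dict) -> Tuple[str, str, Dict]:
    """Index API request that succeeds only if the document is unchanged since the search.

    The target is the backing index from the hit, never the stream name: the
    stream itself accepts only `create`, so the write must go where the document lives.
    """
    index, doc_id, seq_no, term = locate_document(search_response)
    query = urlencode({"if_seq_no": seq_no, "if_primary_term": term})
    return "PUT", f"/{index}/_doc/{doc_id}?{query}", new_source


def delete_request(search_response: Dict) -> Tuple[str, str]:
    """Delete API request against the backing index holding the document."""
    index, doc_id, _, _ = locate_document(search_response)
    return "DELETE", f"/{index}/_doc/{doc_id}"


def bulk_conditional_update_body(search_response: Dict, new_source: Dict) -> str:
    """The same guarded update as a bulk `index` action line plus its source line."""
    index, doc_id, seq_no, term = locate_document(search_response)
    action = {"index": {"_index": index, "_id": doc_id,
                        "if_seq_no": seq_no, "if_primary_term": term}}
    return (json.dumps(action, separators=(",", ":")) + "\n"
            + json.dumps(new_source, separators=(",", ":")) + "\n")


def is_version_conflict(status_code: int, response_body: Dict) -> bool:
    """True when the seq_no/primary_term guard fired (HTTP 409 with a
    version_conflict_engine_exception). The correct reaction is to search
    again and rebuild the request; resending the same request would defeat the guard."""
    error = response_body.get("error", {})
    return status_code == 409 and error.get("type") == "version_conflict_engine_exception"


if __name__ == "__main__":
    method, path, body = conditional_update_request(SAMPLE_SEARCH_RESPONSE, NEW_SOURCE)
    print(method, path)
    print(json.dumps(body))
    print(*delete_request(SAMPLE_SEARCH_RESPONSE))
    print(bulk_conditional_update_body(SAMPLE_SEARCH_RESPONSE, NEW_SOURCE), end="")
```

Run stand-alone, it reproduces the `PUT /.ds-my-data-stream-000003/_doc/bfspvnIBr7VVZlfp2lqX?if_seq_no=0&if_primary_term=1` request, the matching `DELETE`, and the bulk `index` action line from this section. The `if_seq_no`/`if_primary_term` pair makes a concurrent change to the same record fail the write with a 409 instead of being silently overwritten, and the ambiguity check refuses to act on a search that matched more than one document. Because writing to `.ds-*` backing indices directly is the one way around a data stream's append-only behaviour, it is worth keeping the set of callers that can do so small.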