2019-09-10 13:32:51 -04:00
|
|
|
[role="xpack"]
|
2017-03-28 17:23:01 -04:00
|
|
|
[[actions-index]]
|
2019-09-30 13:18:50 -04:00
|
|
|
=== Index action
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
Use the `index` action to index data into Elasticsearch.
|
|
|
|
See <<index-action-attributes>> for the supported attributes.
|
|
|
|
|
2019-09-30 13:18:50 -04:00
|
|
|
==== Configuring index actions
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
The following snippet shows a simple `index` action definition:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
|
|
|
"actions" : {
|
|
|
|
"index_payload" : { <1>
|
|
|
|
"condition": { ... }, <2>
|
|
|
|
"transform": { ... }, <3>
|
|
|
|
"index" : {
|
2020-07-27 15:58:26 -04:00
|
|
|
"index" : "my-index-000001", <4>
|
2019-01-30 14:12:13 -05:00
|
|
|
"doc_id": "my-id" <5>
|
2017-03-28 17:23:01 -04:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
2018-06-22 21:09:37 -04:00
|
|
|
// NOTCONSOLE
|
2017-03-28 17:23:01 -04:00
|
|
|
<1> The id of the action
|
2019-09-30 13:18:50 -04:00
|
|
|
<2> An optional <<condition,condition>> to restrict action execution
|
|
|
|
<3> An optional <<transform,transform>> to transform the payload and prepare the data that should be indexed
|
2017-03-28 17:23:01 -04:00
|
|
|
<4> The elasticsearch index to store the data to
|
2019-01-30 14:12:13 -05:00
|
|
|
<5> An optional `_id` for the document, if it should always be the same document.
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
|
|
|
|
[[index-action-attributes]]
|
2019-09-30 13:18:50 -04:00
|
|
|
==== Index action attributes
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
[options="header"]
|
|
|
|
|======
|
|
|
|
|Name |Required | Default | Description
|
|
|
|
|
|
|
|
| `index` | yes | - | The Elasticsearch index to index into.
|
|
|
|
|
|
|
|
|
|
|
|
| `doc_id` | no | - | The optional `_id` of the document.
|
|
|
|
|
|
|
|
| `execution_time_field` | no | - | The field that will store/index the watch execution
|
2017-09-26 16:26:02 -04:00
|
|
|
time.
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
| `timeout` | no | 60s | The timeout for waiting for the index api call to
|
|
|
|
return. If no response is returned within this time,
|
|
|
|
the index action times out and fails. This setting
|
|
|
|
overrides the default timeouts.
|
|
|
|
|
2017-12-21 05:41:57 -05:00
|
|
|
| `refresh` | no | - | Optional setting of the {ref}/docs-refresh.html[refresh policy]
|
2017-12-21 04:18:16 -05:00
|
|
|
for the write request
|
|
|
|
|
2017-03-28 17:23:01 -04:00
|
|
|
|======
|
|
|
|
|
|
|
|
[[anatomy-actions-index-multi-doc-support]]
|
2019-09-30 13:18:50 -04:00
|
|
|
==== Multi-document support
|
2017-03-28 17:23:01 -04:00
|
|
|
|
|
|
|
Like with all other actions, you can use a <<transform, transform>> to replace
|
|
|
|
the current execution context payload with another and by that change the document
|
|
|
|
that will end up indexed.
|
|
|
|
|
|
|
|
The index action plays well with transforms with its support for the special `_doc`
|
|
|
|
payload field.
|
|
|
|
|
|
|
|
When resolving the document to be indexed, the index action first looks up for a
|
|
|
|
`_doc` field in the payload. When not found, the payload is indexed as a single
|
|
|
|
document.
|
|
|
|
|
|
|
|
When a `_doc` field exists, if the field holds an object, it is extracted and indexed
|
|
|
|
as a single document. If the field holds an array of objects, each object is treated as
|
|
|
|
a document and the index action indexes all of them in a bulk.
|
|
|
|
|
2020-05-20 16:57:45 -04:00
|
|
|
An `_index`, or `_id` value can be added per document to dynamically set the index and ID
|
2017-12-15 10:59:29 -05:00
|
|
|
of the indexed document.
|
2020-05-20 16:57:45 -04:00
|
|
|
|
|
|
|
The following snippet shows a multi-document `index` action definition:
|
|
|
|
|
|
|
|
[source,js]
|
|
|
|
--------------------------------------------------
|
|
|
|
"actions": {
|
|
|
|
"index_payload": {
|
|
|
|
"transform": {
|
|
|
|
"script": """
|
|
|
|
def documents = ctx.payload.hits.hits.stream()
|
|
|
|
.map(hit -> [
|
2020-07-27 15:58:26 -04:00
|
|
|
"_index": "my-index-000001", <1>
|
2020-05-20 16:57:45 -04:00
|
|
|
"_id": hit._id, <2>
|
|
|
|
"severity": "Sev: " + hit._source.severity <3>
|
|
|
|
])
|
|
|
|
.collect(Collectors.toList());
|
|
|
|
return [ "_doc" : documents]; <4>
|
|
|
|
"""
|
|
|
|
},
|
|
|
|
"index": {} <5>
|
|
|
|
}
|
|
|
|
}
|
|
|
|
--------------------------------------------------
|
|
|
|
// NOTCONSOLE
|
|
|
|
<1> The document's index
|
|
|
|
<2> An optional `_id` for the document
|
|
|
|
<3> A new `severity` field derived from the original document
|
|
|
|
<4> The payload `_doc` field which is an array of documents
|
|
|
|
<5> Since the `_index` was informed per document this should be empty
|