//lcawley Verified example output 2017-04-11
[[ml-datafeed-resource]]
==== {dfeed-cap} Resources

A {dfeed} resource has the following properties:

`aggregations`::
(object) If set, the {dfeed} performs aggregation searches.
For syntax information, see {ref}/search-aggregations.html[Aggregations].
Support for aggregations is limited and should only be used with
low cardinality data. For example:
+
--
[source,js]
----------------------------------
{
  "@timestamp": {
    "histogram": {
      "field": "@timestamp",
      "interval": 30000,
      "offset": 0,
      "order": {"_key": "asc"},
      "keyed": false,
      "min_doc_count": 0
    },
    "aggregations": {
      "events_per_min": {
        "sum": {
          "field": "events_per_min"
        }
      }
    }
  }
}
----------------------------------
--

//TBD link to a Working with aggregations page
`chunking_config`::
(object) Specifies how data searches are split into time chunks.
See <<ml-datafeed-chunking-config>>.
For example: `{"mode": "manual", "time_span": "3h"}`

`datafeed_id`::
(string) A numerical character string that uniquely identifies the {dfeed}.

`frequency`::
(time units) The interval at which scheduled queries are made while the
{dfeed} runs in real time. The default value is either the bucket span for short
bucket spans, or, for longer bucket spans, a sensible fraction of the bucket
span. For example: `150s`.

`indices`::
(array) An array of index names. For example: `["it_ops_metrics"]`

`job_id`::
(string) The unique identifier for the job to which the {dfeed} sends data.

`query`::
(object) The {es} query domain-specific language (DSL). This value
corresponds to the query object in an {es} search POST body. All the
options that are supported by {es} can be used, as this object is
passed verbatim to {es}. By default, this property has the following
value: `{"match_all": {"boost": 1}}`.

`query_delay`::
(time units) The number of seconds behind real time that data is queried. For
example, if data from 10:04 a.m. might not be searchable in {es} until
10:06 a.m., set this property to 120 seconds. The default value is `60s`.

`script_fields`::
(object) Specifies scripts that evaluate custom expressions and return
script fields to the {dfeed}.
The <<ml-detectorconfig,detector configuration objects>> in a job can contain
functions that use these script fields.
For more information, see {ref}/search-request-script-fields.html[Script Fields].
For example:
+
--
[source,js]
----------------------------------
{
  "script_fields": {
    "total_error_count": {
      "script": {
        "lang": "painless",
        "inline": "doc['error_count'].value + doc['aborted_count'].value"
      }
    }
  }
}
----------------------------------
--

`scroll_size`::
(unsigned integer) The `size` parameter that is used in {es} searches.
The default value is `1000`.

`types`::
(array) A list of types to search for within the specified indices.
For example: `["network","sql","kpi"]`.

[[ml-datafeed-chunking-config]]
===== Chunking Configuration Objects

{dfeeds-cap} might be required to search over long time periods, for several months
or years. This search is split into time chunks in order to ensure the load
on {es} is managed. Chunking configuration controls how the size of these time
chunks is calculated and is an advanced configuration option.

A chunking configuration object has the following properties:

`mode`::
There are three available modes: +
`auto`::: The chunk size will be dynamically calculated. This is the default
and recommended value.
`manual`::: Chunking will be applied according to the specified `time_span`.
`off`::: No chunking will be applied.

`time_span`::
(time units) The time span that each search will be querying.
This setting is only applicable when the mode is set to `manual`.
For example: `3h`.
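
The following Python sketch is an added example, not code from {es} or from the original page: it validates a chunking configuration object against the properties above and shows how `manual` mode divides one search range into `time_span` windows, so the size of each search can be reviewed before the configuration is used. The function names, the `s`/`m`/`h`/`d` unit subset, the half-open windows and the rejection of `time_span` outside `manual` mode are assumptions of the example.

```python
import re
from datetime import timedelta

# Assumption: only the s/m/h/d suffixes are handled, enough for the "3h",
# "150s" and "60s" values shown on this page.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
MODES = ("auto", "manual", "off")


def parse_time_units(value):
    """Turn a string such as "3h" into a timedelta; reject anything else."""
    match = re.fullmatch(r"([1-9]\d*)([smhd])", str(value))
    if match is None:
        raise ValueError(f"not a positive time-unit string: {value!r}")
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


def validate_chunking_config(config):
    """Return (mode, span) for a chunking_config object, or raise ValueError."""
    unknown = set(config) - {"mode", "time_span"}
    if unknown:
        raise ValueError(f"unknown properties: {sorted(unknown)}")
    mode = config.get("mode", "auto")  # auto is the documented default
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}, got {mode!r}")
    if mode == "manual":
        if "time_span" not in config:
            raise ValueError("manual mode needs a time_span")
        return mode, parse_time_units(config["time_span"])
    if "time_span" in config:  # assumption: treat "only applicable" as an error
        raise ValueError("time_span is only applicable when mode is manual")
    return mode, None


def search_windows(config, start, end):
    """List the half-open (from, to) windows a search over start..end uses."""
    mode, span = validate_chunking_config(config)
    if mode == "auto":
        raise ValueError("auto chunk size is calculated by the datafeed itself")
    if mode == "off":
        return [(start, end)] if start < end else []
    windows, cursor = [], start
    while cursor < end:
        upper = min(cursor + span, end)
        windows.append((cursor, upper))
        cursor = upper
    return windows
```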

[float]
[[ml-datafeed-counts]]
==== {dfeed-cap} Counts

The get {dfeed} statistics API provides information about the operational
progress of a {dfeed}. For example:

`assignment_explanation`::
(string) For started {dfeeds} only, contains messages relating to the
selection of a node.

`datafeed_id`::
(string) A numerical character string that uniquely identifies the {dfeed}.

`node`::
(object) The node upon which the {dfeed} is started. The {dfeed} and job will
be on the same node.
`id`::: The unique identifier of the node. For example,
`0-o0tOoRTwKFZifatTWKNw`.
`name`::: The node name. For example, `0-o0tOo`.
`ephemeral_id`::: The node ephemeral ID.
`transport_address`::: The host and port where transport HTTP connections are
accepted. For example, `127.0.0.1:9300`.
`attributes`::: For example, `{"max_running_jobs": "10"}`.

`state`::
(string) The status of the {dfeed}, which can be one of the following values: +
`started`::: The {dfeed} is actively receiving data.
`stopped`::: The {dfeed} is stopped and will not receive data until it is
re-started.