[DOCS] Migrated rest-api topics from x-pack repo to x-pack-elasticsearch.
Original commit: elastic/x-pack-elasticsearch@46c9bf780a
@ -0,0 +1,8 @@
== Graph APIs
:imagesdir: images/graph
* <<graph-api-explore>>
@ -0,0 +1,254 @@
=== Explore API
The Graph "explore" API is accessible via the /_xpack/graph/_explore endpoint.
One of the best ways to understand the behaviour of this API is to use the Kibana
Graph UI to visually click around connected data and then view the "Last request"
panel (accessible from the button with the cog icon). This panel shows the JSON request/response
pair of the last user operation.
image::spy.jpg["Viewing the last request in the Kibana Graph UI"]
- <<basic-search, Basic exploration>>
- <<optional-controls, Optional controls>>
- <<spider-search, "Spidering" operations>>
=== Basic exploration
An initial search typically begins with a query to identify strongly related terms.
POST clicklogs/_xpack/graph/_explore
"query": { <1>
"match": {
"query.raw": "midi"
"vertices": [ <2>
"field": "product"
"connections": { <3>
"vertices": [
"field": "query.raw"
<1> A query is used to "seed" the exploration - here we are looking in clicklogs for people who searched for "midi". Any of the
usual elasticsearch query syntax can be used here to identify the documents of interest.
<2> A list of fields is provided - here we want to find product codes that are significantly associated with searches for "midi"
<3> A list of fields is provided again - here we are looking for other search terms that led people to click on the products found in 2)
NOTE: Further "connections" can be nested inside the "connections" object to continue exploring out the relationships in the data. Each level of nesting
is commonly referred to as a "hop" and proximity in a graph is often thought of in terms of "hop depth".
The response from a graph exploration is as follows:
"took": 0,
"timed_out": false,
"failures": [],
"vertices": [ <1>
"field": "query.raw",
"term": "midi cable",
"weight": 0.08745858139552132,
"depth": 1
"field": "product",
"term": "8567446",
"weight": 0.13247784285434397,
"depth": 0
"field": "product",
"term": "1112375",
"weight": 0.018600718471158982,
"depth": 0
"field": "query.raw",
"term": "midi keyboard",
"weight": 0.04802242866755111,
"depth": 1
"connections": [ <2>
"source": 0,
"target": 1,
"weight": 0.04802242866755111,
"doc_count": 13
"source": 2,
"target": 3,
"weight": 0.08120623870976627,
"doc_count": 23
<1> An array of all of the vertices that were discovered. A vertex is an indexed term so the field and term value are supplied. The `weight` attribute denotes a significance score while `depth` is at which hop-level the term was first encountered.
<2> The connections between the vertices in the array. The `source` and `target` properties are indexes into the vertices array and indicate which vertex term led to the other as part of exploration.
The `doc_count` value indicates how many documents contain this pairing of terms was found in the sample of documents analyzed (this is not a global count for all documents in the index)
In the Kibana Graph UI response data is visualized in a diagram like this:
image::midiclicks.jpg["An example visualization of product/search click data using the Kibana Graph UI",width="50%", align="center"]
=== Optional controls
The previous basic example omitted several parameters that have default values. This fuller example illustrates the additional parameters that can be used in graph explore requests.
POST clicklogs/_xpack/graph/_explore
"query": {<1>
"bool": {
"must": {
"match": {
"query.raw": "midi"
"filter": [
"range": {
"query_time": {
"gte": "2015-10-01 00:00:00"
"controls": {
"use_significance": true,<2>
"sample_size": 2000,<3>
"timeout": 2000,<4>
"sample_diversity": {<5>
"field": "category.raw",
"max_docs_per_value": 500
"vertices": [
"field": "product",
"size": 5,<6>
"min_doc_count": 10,<7>
"shard_min_doc_count": 3<8>
"connections": {
"query": {<9>
"bool": {
"filter": [
"range": {
"query_time": {
"gte": "2015-10-01 00:00:00"
"vertices": [
"field": "query.raw",
"size": 5,
"min_doc_count": 10,
"shard_min_doc_count": 3
<1> This seed query iin this example is a more complex query for the word "midi" but with a date filter.
<2> The `use_significance` flag defaults to true and is used to filter associated terms to only those that are significantly associated with our query.
The algorithm used to calculate significance are explained in the documentation for the {ref}/search-aggregations-bucket-significantterms-aggregation.html[significant_terms aggregation].
<3> Each "hop" considers a sample of the best-matching documents on each shard (default is 100 documents). Using samples has the dual benefit of keeping exploration focused on meaningfully-connected terms and improving the speed of execution. Very small values (less than 50) may not provide sufficient weight-of-evidence to identify significant connections between terms while very large sample sizes may dilute the quality and be slow.
<4> A `timeout` setting (expressed here in milliseconds) after which exploration will be halted and results gathered so far are returned. This is a best-effort approach to termination so
may overrun if, for example, a long pause is encountered while FieldData is loaded for a field.
<5> To avoid the top-matching documents sample being dominated by a single source of results sometimes it can prove necessary to request diversity in the sample. This is achieved by
selecting a single-value field and a maximum number of documents per value in that field. In this example we are requiring that there are no more than 500 click documents from any one department in the store.
This might help us consider products from the electronics, book and video departments whereas without this diversification our results may be entirely dominated by the electronics department.
<6> We can control the maximum number of vertex terms returned for each field using the `size` property (default is 5)
<7> `min_doc_count` acts as a certainty threshold - just how many documents have to contain a pair of terms before we consider this to be a useful connection? (default is 3)
<8> `shard_min_doc_count` is an advanced setting - just how many documents on a shard have to contain a pair of terms before we return this for global consideration? (default is 2)
<9> Optionally, a "guiding query" can be used to guide the Graph API as it explores connected terms. In this case we are guiding the hop from products to related queries by only considering documents that are also clicks that have been recorded recently.
The default settings are configured to remove noisy data and get "the big picture" from data. For more detailed forensic type work where every document could be of interest see the <<graph-troubleshooting,troubleshooting guide>> for tips on tuning the settings for this type of work.
=== "Spidering" operations
After an initial search users typically want to review the results using a form of graph visualization tool like the one in the Kibana Graph UI.
Users will frequently then select one or more vertices of interest and ask to load more vertices that may be connected to their current selection. In graph-speak, this operation is often called "spidering" or "spidering out".
In order to spider out it is typically necessary to define two things:
* The set of vertices from which you would like to spider
* The set of vertices you already have in your workspace which you want to avoid seeing again in results
These two pieces of information when passed to the Graph API will ensure you are returned new vertices that can be attached to the existing selection.
An example request is as follows:
POST clicklogs/_xpack/graph/_explore
"vertices": [
"field": "product",
"include": [ "1854873" ] <1>
"connections": {
"vertices": [
"field": "query.raw",
"exclude": [ <2>
"midi keyboard",
<1> Here we list the mandatory start points from which we want to spider using an `include` array of the terms of interest (in this case a single product code). Note that because
we have an `include` clause here there is no need to define a seed query - we are implicitly querying for documents that contain any of the terms
listed in our include clauses. Instead of passing plain strings in this array it is also possible to pass objects with `term` and `boost` values to
boost matches on certain terms over others.
<2> The `exclude` clause avoids returning specific terms. Here we are asking for more search terms that have led people to click on product 1854873 but explicitly exclude the search terms the client already
knows about.
The `include`and `exclude` clauses provide the essential features that enable clients to progressively build up a picture of related information in their workspace.
The `include` clause is used to define the set of start points from which users wish to spider. Include clauses can also be used to limit the end points users wish to reach, thereby "filling in" some of the missing links between existing vertices in their client-side workspace.
The `exclude` clause can be used to avoid the Graph API returning vertices already visible in a client's workspace or perhaps could list undesirable vertices that the client has blacklisted from their workspace and never wants to see returned.
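Review bot: callout <1> under "Optional controls" has a typo, "This seed query iin this example", and callout <2> right after it needs subject-verb agreement: "The algorithm used to calculate significance are explained" should be "is explained". Two more small fixes in this hunk: "The `include`and `exclude` clauses" is missing a space, and in the response callout <2> the sentence "how many documents contain this pairing of terms was found in the sample of documents analyzed" should read "how many documents in the analyzed sample contain this pairing of terms". In callout <1> of the basic example, "elasticsearch query syntax" should capitalize the product name as Elasticsearch.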
@ -0,0 +1,98 @@
= {xpack} APIs
{xpack} exposes a wide range of REST APIs to manage and monitor its features.
* <<info-api, Info API>>
* <<security-api, Security APIs>>
* <<watcher-api, Watcher APIs>>
* <<graph-api, Graph APIs>>
* <<ml-apis, Machine Learning APIs>>
== Info API
The info API provides general information on the installed {xpack}. This
information includes:
* Build Information - including the build number and timestamp.
* License Information - basic information about the currently installed license.
* Features Information - The features that are currently enabled and available
under the current license.
The following example queries the info API:
GET /_xpack
Example response:
"build": {
"hash": "2798b1a3ce779b3611bb53a0082d4d741e4d3168",
"timestamp": "2015-04-07T13:34:42Z"
"license": {
"uid": "893361dc-9749-4997-93cb-802e3dofh7aa",
"type": "internal",
"mode": "platinum",
"status": "active",
"expiry_date": "2030-08-29T23:59:59.999Z",
"expiry_date_in_millis": 1914278399999
"features": {
"graph": {
"description": "Graph Data Exploration for the Elastic Stack",
"available": true,
"enabled": true
"monitoring": {
"description": "Monitoring for the Elastic Stack",
"available": true,
"enabled": true
"security": {
"description": "Security for the Elastic Stack",
"available": true,
"enabled": true
"watcher": {
"description": "Alerting, Notification and Automation for the Elastic Stack",
"available": true,
"enabled": true
"tagline": "You know, for X"
You can also control what information is returned using the `categories` and
`human` parameters.
The following example only returns the build and features information:
GET /_xpack?categories=build,features
The following example removes the descriptions from the response:
GET /_xpack?human=false
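Review bot: the example license `uid` "893361dc-9749-4997-93cb-802e3dofh7aa" is not a well-formed UUID (the last group contains "o" and "h", which are not hex digits); readers copy example responses into parsers and tests, so replace it with a syntactically valid, obviously synthetic value. Also, the API list at the top of this hunk includes "Machine Learning APIs", but the example `features` object lists only graph, monitoring, security and watcher; if the info API reports an ML feature it should appear in the example, and if it does not, a sentence saying so would stop readers from wondering whether their output is incomplete.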
@ -0,0 +1,13 @@
== Security APIs
* <<security-api-authenticate>>
* <<security-api-clear-cache>>
* <<security-api-users>>
* <<security-api-roles>>
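Review bot: this index omits the Change Password API that the same commit adds ("=== Change Password API"), while the user management hunk links to that operation as <<security-api-reset-user-password, reset password API>>; add an entry here and make sure the anchor id used in that cross-reference matches the heading of the new page, otherwise the link will be dangling.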
@ -0,0 +1,28 @@
=== Authenticate API
The Authenticate API enables you to submit a request with a basic auth header to
authenticate a user and retrieve information about the authenticated user.
Returns a 401 status code if the user cannot be authenticated.
To authenticate a user, submit a GET request to the `_xpack/security/_authenticate` endpoint:
GET _xpack/security/_authenticate
A successful call returns a JSON structure that shows what roles are assigned
to the user.
"username": "rdeniro",
"roles": [
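Review bot: the example response stops at "roles": [ with no role names shown, so a reader cannot see what the array holds; show at least one role value in the example. Minor consistency point: the request is written as `GET _xpack/security/_authenticate` without the leading slash, while the other security examples use the slashed form (`POST /_xpack/security/role/my_admin_role`); pick one style across the security pages.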
@ -0,0 +1,26 @@
=== Change Password API
The Change Password API enables you to submit a request to change the password
of a user. Every user can change their own password and users with the
`manage_security` privilege can change passwords of other users.
To change the password of the logged in user, submit a POST request to the
`_xpack/security/user/_password` endpoint:
POST _xpack/security/user/elastic/_password
"password": "changeme"
A successful call returns an empty JSON structure.
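Review bot: the prose says the logged-in user's password is changed via `_xpack/security/user/_password`, but the example posts to `_xpack/security/user/elastic/_password`, which names a specific user and therefore exercises the `manage_security` case from the previous sentence rather than the self-service one; show both forms, or state which one the example demonstrates. The same endpoint is documented again in the user management hunk as `PUT /_xpack/security/user/jacknich/_password` under "reset the password", with a different verb (PUT vs POST) and a different name, so consolidate the two or cross-link them. For the sample value, prefer an obvious placeholder such as `<new_password>` over "changeme" so the literal is not copied into a real request.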
@ -0,0 +1,32 @@
=== Clear Cache API
The Clear Cache API evicts users from the user cache. You can completely clear
the cache or evict specific users.
For example, to evict all users cached by the `file` realm:
POST _xpack/security/realm/default_file/_clear_cache
To evict selected users, specify the `usernames` parameter:
POST _xpack/security/realm/default_file/_clear_cache?usernames=rdeniro,alpacino
To clear the caches for multiple realms, specify the realms as a comma-delimited
[source, js]
POST _xpack/security/realm/default_file,ldap1/_clear_cache
For more information, see <<controlling-user-cache, Controlling the User Cache>>.
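Review bot: "To clear the caches for multiple realms, specify the realms as a comma-delimited" is an incomplete sentence as shown; it needs "list:" (or similar) before the `default_file,ldap1` example. The hunk also never says when an operator needs this call; a sentence on the situations that call for eviction (for example, after credentials or group membership change in the backing realm), or an explicit pointer that <<controlling-user-cache>> covers that, would make the purpose of the API clear at the point of use.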
@ -0,0 +1,143 @@
=== Role Management APIs
The Roles API enables you to add, remove, and retrieve roles in the `native`
realm. To use this API, you must have at least the `manage_security` cluster
NOTE: The Roles API is now the preferred way to manage roles.
To add a role, submit a PUT or POST request to the `/_xpack/security/role/<rolename>`
POST /_xpack/security/role/my_admin_role
"cluster": ["all"],
"indices": [
"names": [ "index1", "index2" ],
"privileges": ["all"],
"field_security" : { // optional
"grant" : [ "title", "body" ]
"query": "{\"match\": {\"title\": \"foo\"}}" // optional
"run_as": [ "other_user" ], // optional
"metadata" : { // optional
"version" : 1
The `name`, `cluster`, and `indices` fields are required at the top-level.
Within the `indices` array, the `names` and `privileges` fields are required.
Within the `metadata` object, keys beginning with `_` are reserved for system
The `field_security` and `query` fields are both optional. They are used to
implement <<field-and-document-access-control, Field and Document Level Security>>.
A successful call returns a JSON structure that shows whether the role has been
created or updated.
"role": {
"created": true <1>
<1> When an existing role is updated, `created` is set to false.
To retrieve a role from the `native` Security realm, issue a GET request to the
`/_xpack/security/role/<rolename>` endpoint:
GET /_xpack/security/role/my_admin_role
// TEST[continued]
A successful call returns an array of roles with the JSON representation of the
role. If the role is not defined in the `native` realm, the request 404s.
"my_admin_role": {
"cluster" : [ "all" ],
"indices" : [ {
"names" : [ "index1", "index2" ],
"privileges" : [ "all" ],
"field_security" : {
"grant" : [ "title", "body" ]
"query" : "{\"match\": {\"title\": \"foo\"}}"
} ],
"run_as" : [ "other_user" ],
"metadata" : {
"version" : 1
"transient_metadata": {
"enabled": true
You can specify multiple roles as a comma-separated list. To retrieve all roles,
omit the role name.
# Retrieve roles "r1", "r2", and "my_admin_role"
GET /_xpack/security/role/r1,r2,my_admin_role
# Retrieve all roles
GET /_xpack/security/role
// TEST[continued]
To delete a role, submit a DELETE request to the `/_xpack/security/role/<rolename>`
DELETE /_xpack/security/role/my_admin_role
// TEST[continued]
If the role is successfully deleted, the request returns `{"found": true}`.
Otherwise, `found` is set to false.
"found" : true
The Clear Roles Cache API evicts roles from the native role cache. To clear the
cache for a role, submit a POST request `/_xpack/security/role/<rolename>/_clear_cache`
POST /_xpack/security/role/my_admin_role/_clear_cache
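Review bot: "The `name`, `cluster`, and `indices` fields are required at the top-level" does not match the example, whose body has no `name` field (the role name comes from the URL `/_xpack/security/role/my_admin_role`); drop `name` from that sentence or say it is taken from the path. The request body also carries `// optional` comments inside a JSON document, which is not valid JSON and will be rejected if pasted into a client; mark the optional fields with callouts as the other examples on this page do. Finally, `transient_metadata` with `"enabled": true` appears in the GET response but is never explained, and since it is not something the caller sent, a sentence on what it reports (and that it cannot be set via the PUT body) belongs next to the response.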
@ -0,0 +1,179 @@
=== User Management APIs
The `user` API enables you to create, read, update, and delete users from the
`native` realm. These users are commonly referred to as *native users*.
To use this API, you must have at least the `manage_security` cluster privilege.
To add a user, submit a PUT or POST request to the `/_xpack/security/user/<username>`
NOTE: A username must be at least 1 character and no longer than 30 characters.
The first character must be a letter (`a-z` or `A-Z`) or an underscore (`_`).
Subsequent characters can be letters, underscores (`_`), digits (`0-9`),
or any of the following symbols `@`, `-`, `.` or `$`
POST /_xpack/security/user/jacknich
"password" : "j@rV1s",
"roles" : [ "admin", "other_role1" ],
"full_name" : "Jack Nicholson",
"email" : "jacknich@example.com",
"metadata" : {
"intelligence" : 7
.User Fields
| Name | Required | Description
| `password` | yes | The user's password. Passwords must be at least 6
characters long.
| `roles` | yes | A set of roles the user has. The roles determine
the user's access permissions
| `full_name` | no | The full name of the user
| `email` | no | The email of the user
| `metadata` | no | Arbitrary metadata that you want to associate with
the user.
A successful call returns a JSON structure that shows whether the user has been
created or updated.
"user": {
"created" : true <1>
<1> When an existing user is updated, `created` is set to false.
NOTE: You also use the PUT user API to update users. When updating a user, you
can update everything but its `username` and `password`. To change a user's
password, use the <<security-api-reset-user-password, reset password API>>.
Once you add a user through the Users API, requests from that user can be
curl -u eustace:secret-password http://localhost:9200/_cluster/health
To retrieve a native user, submit a GET request to the `/_xpack/security/user/<username>`
GET /_xpack/security/user/jacknich
// TEST[continued]
A successful call returns an array of users with the JSON representation of the
user. Note that user passwords are not included.
"jacknich": { <1>
"username" : "jacknich",
"roles" : [ "admin", "other_role1" ],
"full_name" : "Jack Nicholson",
"email" : "jacknich@example.com",
"enabled": true,
"metadata" : {
"intelligence" : 7
<1> If the user is not defined in the `native` realm, the request 404s.
You can specify multiple usernames as a comma-separated list:
GET /_xpack/security/user/jacknich,rdinero
// TEST[continued]
or omit the username all together to retrieve all users:
GET /_xpack/security/user
// TEST[continued]
To reset the password for a user, submit a PUT request to the
`/_xpack/security/user/<username>/_password` endpoint:
PUT /_xpack/security/user/jacknich/_password
"password" : "s3cr3t"
// TEST[continued]
To disable a user, submit a PUT request to the
`/_xpack/security/user/<username>/_disable` endpoint:
PUT /_xpack/security/user/jacknich/_disable
// TEST[continued]
To disable a user, submit a PUT request to the
`/_xpack/security/user/<username>/_enable` endpoint:
PUT /_xpack/security/user/jacknich/_enable
// TEST[continued]
To delete a user, submit a DELETE request to the `/_xpack/security/user/<username>`
DELETE /_xpack/security/user/jacknich
// TEST[continued]
If the user is successfully deleted, the request returns `{"found": true}`.
Otherwise, `found` is set to false.
"found" : true
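Review bot: the paragraph introducing `PUT /_xpack/security/user/jacknich/_enable` says "To disable a user", copied from the `_disable` section just above it; it should read "To enable a user". Other fixes in this hunk: `GET /_xpack/security/user/jacknich,rdinero` spells the second user "rdinero" while the authenticate and clear-cache examples use "rdeniro"; the curl example authenticates as `eustace:secret-password`, a user the hunk never creates, so use `jacknich` for continuity; and "omit the username all together" should be "altogether". The "User Fields" table marks `password` as required, yet the NOTE says the PUT user API cannot update it; state that it is required on creation only, if that is the behaviour. Lastly, the curl example sends Basic credentials to `http://localhost:9200`, i.e. in cleartext; either use an https URL or add a sentence that this form is only appropriate against a local test node and that production traffic should be TLS-protected.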