//lcawley Verified example output 2017-04-11 [[ml-put-datafeed]] ==== Create {dfeeds-cap} The create {dfeed} API enables you to instantiate a {dfeed}. ===== Request `PUT _xpack/ml/datafeeds/` ===== Description You must create a job before you create a {dfeed}. You can associate only one {dfeed} to each job. ===== Path Parameters `feed_id` (required):: (string) A numerical character string that uniquely identifies the {dfeed}. ===== Request Body `aggregations`:: (object) If set, the {dfeed} performs aggregation searches. For more information, see <>. `chunking_config`:: (object) Specifies how data searches are split into time chunks. See <>. `frequency`:: (time units) The interval at which scheduled queries are made while the {dfeed} runs in real time. The default value is either the bucket span for short bucket spans, or, for longer bucket spans, a sensible fraction of the bucket span. For example: "150s". `indices` (required):: (array) An array of index names. Wildcards are supported. For example: ["it_ops_metrics", "server*"]. `job_id` (required):: (string) A numerical character string that uniquely identifies the job. `query`:: (object) The {es} query domain-specific language (DSL). This value corresponds to the query object in an {es} search POST body. All the options that are supported by {Es} can be used, as this object is passed verbatim to {es}. By default, this property has the following value: `{"match_all": {"boost": 1}}`. `query_delay`:: (time units) The number of seconds behind real time that data is queried. For example, if data from 10:04 a.m. might not be searchable in {es} until 10:06 a.m., set this property to 120 seconds. The default value is `60s`. `scroll_size`:: (unsigned integer) The `size` parameter that is used in {es} searches. The default value is `1000`. `types` (required):: (array) A list of types to search for within the specified indices. For example: ["network","sql","kpi"]. For more information about these properties, see <>. ===== Authorization You must have `manage_ml`, or `manage` cluster privileges to use this API. For more information, see <>. ===== Examples The following example creates the `datafeed-it-ops-kpi` {dfeed}: [source,js] -------------------------------------------------- PUT _xpack/ml/datafeeds/datafeed-it-ops-kpi { "job_id": "it-ops-kpi", "indices": ["it_ops_metrics"], "types": ["kpi","network","sql"], "query": { "match_all": { "boost": 1 } } } -------------------------------------------------- // CONSOLE // TEST[skip:todo] When the {dfeed} is created, you receive the following results: [source,js] ---- { "datafeed_id": "datafeed-it-ops-kpi", "job_id": "it-ops-kpi", "query_delay": "1m", "indices": [ "it_ops_metrics" ], "types": [ "kpi", "network", "sql" ], "query": { "match_all": { "boost": 1 } }, "scroll_size": 1000, "chunking_config": { "mode": "auto" } } ----