OpenSearch/docs/reference/ml/anomaly-detection/apis/put-datafeed.asciidoc

157 lines
3.8 KiB
Plaintext

[role="xpack"]
[testenv="platinum"]
[[ml-put-datafeed]]
=== Create {dfeeds} API
[subs="attributes"]
++++
<titleabbrev>Create {dfeeds}</titleabbrev>
++++
Instantiates a {dfeed}.
[[ml-put-datafeed-request]]
==== {api-request-title}
`PUT _ml/datafeeds/<feed_id>`
[[ml-put-datafeed-prereqs]]
==== {api-prereq-title}
* You must create an {anomaly-job} before you create a {dfeed}.
* If {es} {security-features} are enabled, you must have `manage_ml` or `manage`
cluster privileges to use this API. See
<<security-privileges>>.
[[ml-put-datafeed-desc]]
==== {api-description-title}
You can associate only one {dfeed} to each {anomaly-job}.
[IMPORTANT]
====
* You must use {kib} or this API to create a {dfeed}. Do not put a
{dfeed} directly to the `.ml-config` index using the {es} index API. If {es}
{security-features} are enabled, do not give users `write` privileges on the
`.ml-config` index.
* When {es} {security-features} are enabled, your {dfeed} remembers which roles
the user who created it had at the time of creation and runs the query using
those same roles.
====
[[ml-put-datafeed-path-parms]]
==== {api-path-parms-title}
`<feed_id>`::
(Required, string)
include::{docdir}/ml/ml-shared.asciidoc[tag=datafeed-id]
[[ml-put-datafeed-request-body]]
==== {api-request-body-title}
`aggregations`::
(Optional, object)
include::{docdir}/ml/ml-shared.asciidoc[tag=aggregations]
`chunking_config`::
(Optional, object)
include::{docdir}/ml/ml-shared.asciidoc[tag=chunking-config]
`delayed_data_check_config`::
(Optional, object)
include::{docdir}/ml/ml-shared.asciidoc[tag=delayed-data-check-config]
`frequency`::
(Optional, <<time-units, time units>>)
include::{docdir}/ml/ml-shared.asciidoc[tag=frequency]
+
--
To learn more about the relationship between time related settings, see
<<ml-put-datafeed-time-related-settings>>.
--
`indices`::
(Required, array)
include::{docdir}/ml/ml-shared.asciidoc[tag=indices]
`job_id`::
(Required, string)
include::{docdir}/ml/ml-shared.asciidoc[tag=job-id-anomaly-detection]
`max_empty_searches`::
(Optional,integer)
include::{docdir}/ml/ml-shared.asciidoc[tag=max-empty-searches]
`query`::
(Optional, object)
include::{docdir}/ml/ml-shared.asciidoc[tag=query]
`query_delay`::
(Optional, <<time-units, time units>>)
include::{docdir}/ml/ml-shared.asciidoc[tag=query-delay]
+
--
To learn more about the relationship between time related settings, see
<<ml-put-datafeed-time-related-settings>>.
--
`script_fields`::
(Optional, object)
include::{docdir}/ml/ml-shared.asciidoc[tag=script-fields]
`scroll_size`::
(Optional, unsigned integer)
include::{docdir}/ml/ml-shared.asciidoc[tag=scroll-size]
[[ml-put-datafeed-time-related-settings]]
===== Interaction between time-related settings
Time-related settings have the following relationships:
* Queries run at `query_delay` after the end of
each `frequency`.
* When `frequency` is shorter than `bucket_span` of the associated job, interim
results for the last (partial) bucket are written, and then overwritten by the
full bucket results eventually.
[[ml-put-datafeed-example]]
==== {api-examples-title}
[source,console]
--------------------------------------------------
PUT _ml/datafeeds/datafeed-total-requests
{
"job_id": "total-requests",
"indices": ["server-metrics"]
}
--------------------------------------------------
// TEST[skip:setup:server_metrics_job]
When the {dfeed} is created, you receive the following results:
[source,console-result]
----
{
"datafeed_id": "datafeed-total-requests",
"job_id": "total-requests",
"query_delay": "83474ms",
"indices": [
"server-metrics"
],
"query": {
"match_all": {
"boost": 1.0
}
},
"scroll_size": 1000,
"chunking_config": {
"mode": "auto"
}
}
----
// TESTRESPONSE[s/"query_delay": "83474ms"/"query_delay": $body.query_delay/]
// TESTRESPONSE[s/"query.boost": "1.0"/"query.boost": $body.query.boost/]