You must stop and start the datafeed for the changes to be applied. When Elasticsearch security features are enabled, your datafeed remembers which roles the user who updated it had at the time of the update and runs the query using those same roles. If you provide secondary authorization headers, those credentials are used instead.
Required cluster privilege: manage_ml
A numerical character string that uniquely identifies the datafeed. This identifier can contain lowercase alphanumeric characters (a-z and 0-9), hyphens, and underscores. It must start and end with alphanumeric characters.
If true, wildcard indices expressions that resolve into no concrete indices are ignored. This includes the
_all string or when no indices are specified.
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values.
Supported values include:
all: Match any data stream or index, including hidden ones.
open: Match open, non-hidden indices. Also matches any non-hidden data stream.
closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
If true, concrete, expanded or aliased indices are ignored when frozen.
If true, unavailable indices (missing or closed) are ignored.
If set, the datafeed performs aggregation searches. Support for aggregations is limited and should be used only with low cardinality data.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
An array of index names. Wildcards are supported. If any of the indices are in remote clusters, the machine
learning nodes must have the remote_cluster_client role.
Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
If false, the request returns an error if any wildcard expression, index alias, or _all value targets only
missing or closed indices. This behavior applies even if the request targets other open indices. For example,
a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
If true, missing or closed indices are not included in the response.
Default value is false.
If true, concrete, expanded or aliased indices are ignored when frozen.
Default value is true.
If a real-time datafeed has never seen any data (including during any initial training period), it automatically
stops and closes the associated job after this many real-time searches return no documents. In other words,
it stops after frequency times max_empty_searches of real-time operation. If not set, a datafeed with no
end time that sees no data remains started until it is explicitly stopped. By default, it is not set.
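The duration format described above (integer plus one of nanos, micros, ms, s, m, h, d, or a bare "0" or "-1") and the frequency times max_empty_searches stop rule, as an added Python example; this is not Elasticsearch code, and the function names parse_duration_ns and empty_search_stop_after_ns are chosen here. It parses durations to an exact nanosecond count, rejects the malformed values the grammar does not allow, and reports how long an idle real-time datafeed keeps running before it stops itself.

```python
"""Parse the Elasticsearch duration strings described above and work out when a
real-time datafeed with max_empty_searches set will stop itself.
Added example, not Elasticsearch code; function names are chosen here."""
import re
from typing import Optional

# Nanoseconds per unit, for exactly the units the page lists.
_UNIT_NS = {
    "nanos": 1,
    "micros": 1_000,
    "ms": 1_000_000,
    "s": 1_000_000_000,
    "m": 60 * 1_000_000_000,
    "h": 3_600 * 1_000_000_000,
    "d": 86_400 * 1_000_000_000,
}
# <integer><unit>; the unit may only be omitted for the special values 0 and -1.
_DURATION_RE = re.compile(r"^(-?\d+)(nanos|micros|ms|s|m|h|d)?$")


def parse_duration_ns(value: str) -> Optional[int]:
    """Return the duration as an integer nanosecond count.

    "0" parses to 0, "-1" parses to None (the page's "unspecified value"), and
    anything else must be a non-negative integer followed by a known unit.
    Integer arithmetic avoids the rounding a float seconds value would bring."""
    m = _DURATION_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a duration: {value!r}")
    number, unit = int(m.group(1)), m.group(2)
    if unit is None:
        if number == 0:
            return 0
        if number == -1:
            return None
        raise ValueError(f"a unit is required for {value!r}")
    if number < 0:
        raise ValueError(f"negative durations are not allowed: {value!r}")
    return number * _UNIT_NS[unit]


def empty_search_stop_after_ns(frequency: str, max_empty_searches: Optional[int]) -> Optional[int]:
    """How long a real-time datafeed that never sees data keeps running.

    Per the text above this is frequency * max_empty_searches; None means the
    setting is absent and the datafeed runs until it is stopped explicitly."""
    if max_empty_searches is None:
        return None
    if max_empty_searches < 1:
        raise ValueError("max_empty_searches must be a positive integer")
    freq_ns = parse_duration_ns(frequency)
    if not freq_ns:  # None (unspecified) and 0 are both meaningless as a frequency
        raise ValueError(f"frequency must be a positive duration, got {frequency!r}")
    return freq_ns * max_empty_searches


def describe_ns(ns: Optional[int]) -> str:
    """Human-readable rendering used by the demo below."""
    if ns is None:
        return "runs until explicitly stopped"
    seconds = ns / 1_000_000_000
    return f"stops after {seconds:g} s ({seconds / 60:g} min)"


if __name__ == "__main__":
    for freq, empties in (("5m", 10), ("150s", 3), ("1h", None)):
        print(f"frequency={freq} max_empty_searches={empties}: "
              f"{describe_ns(empty_search_stop_after_ns(freq, empties))}")
```

Keeping the value as an integer nanosecond count mirrors how the units nest (each is an integer multiple of the next smaller one) and makes comparisons between, say, a "150s" frequency and a "2m" query delay exact.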
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
For type composite
For type lookup
A custom format for date type runtime fields.
Path to field or array of paths. Some APIs support wildcards in the path to select multiple fields.
Path to field or array of paths. Some APIs support wildcards in the path to select multiple fields.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
A reference to a field with formatting instructions on how to return the value
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
A reference to a field with formatting instructions on how to return the value
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
Specifies scripts that evaluate custom expressions and returns script fields to the datafeed. The detector configuration objects in a job can contain functions that use these script fields.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
A reference to a field with formatting instructions on how to return the value
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
A reference to a field with formatting instructions on how to return the value
A reference to a field with formatting instructions on how to return the value
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
The size parameter that is used in Elasticsearch searches when the datafeed does not use aggregations.
The maximum value is the value of index.max_result_window.
Default value is 1000.
If a user ID was used for the most recent update to the datafeed, its roles at the time of the update are listed in the response.
If a service account was used for the most recent update to the datafeed, the account name is listed in the response.
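A datafeed keeps the roles of whoever last updated it (first paragraph of this page) and reports them in the authorization section of the response (the two lines above). The following added Python example, which is not Elasticsearch code, audits a datafeed listing for feeds that will search with an overly broad role, and builds an update request that supplies secondary authorization so the feed is stored with a less privileged identity instead. Assumptions: the response shape (authorization.roles / authorization.service_account) follows the descriptions on this page; the sample listing, datafeed names, roles and API-key placeholders are constructed; the es-secondary-authorization header name comes from the Elasticsearch ML API documentation rather than from this page; the function names are chosen here.

```python
"""Audit which identity each datafeed runs as, and describe an update request
that pins a datafeed to a less privileged identity via secondary authorization.
Added example; not code from the Elasticsearch project."""
import json
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Datafeed identifier rules from this page: lowercase alphanumerics, hyphens and
# underscores, starting and ending with an alphanumeric character.
_DATAFEED_ID_RE = re.compile(r"^[a-z0-9](?:[a-z0-9_-]*[a-z0-9])?$")

# Constructed sample of a GET _ml/datafeeds response (hypothetical datafeed
# names, indices and roles), reduced to the fields this example needs. The
# authorization shape follows the page's description: roles for a user,
# service_account for a service account.
SAMPLE_DATAFEEDS_RESPONSE = json.loads("""
{
  "count": 3,
  "datafeeds": [
    {"datafeed_id": "datafeed-test-job", "job_id": "test-job",
     "indices": ["web-logs-*"], "authorization": {"roles": ["superuser"]}},
    {"datafeed_id": "datafeed-web-errors", "job_id": "web-errors",
     "indices": ["web-logs-*"], "authorization": {"roles": ["viewer", "ml_user"]}},
    {"datafeed_id": "datafeed-billing", "job_id": "billing",
     "indices": ["billing-*"], "authorization": {"service_account": "elastic/kibana"}}
  ]
}
""")


def datafeed_identity(datafeed: Dict) -> Tuple[str, List[str]]:
    """Return (kind, names): ("roles", [...]) when a user made the last update,
    ("service_account", [name]) when a service account did, or ("unknown", [])
    when nothing was recorded (for example, security features disabled)."""
    auth = datafeed.get("authorization") or {}
    if "roles" in auth:
        return "roles", list(auth["roles"])
    if "service_account" in auth:
        return "service_account", [auth["service_account"]]
    return "unknown", []


def overprivileged_datafeeds(response: Dict,
                             broad_roles: FrozenSet[str] = frozenset({"superuser"})) -> List[str]:
    """IDs of datafeeds whose searches will run with a role listed in broad_roles.

    Because the datafeed keeps the updater's roles, an administrator who tests
    an update by hand leaves the feed searching with those roles afterwards."""
    flagged = []
    for df in response.get("datafeeds", []):
        kind, names = datafeed_identity(df)
        if kind == "roles" and broad_roles.intersection(names):
            flagged.append(df["datafeed_id"])
    return flagged


def build_update_request(datafeed_id: str, body: Dict, api_key: str,
                         secondary_api_key: Optional[str] = None) -> Dict:
    """Describe POST _ml/datafeeds/<id>/_update as method, path, headers and
    JSON body without sending it. Passing secondary_api_key adds the
    es-secondary-authorization header, so the datafeed is stored with (and later
    searches with) the secondary identity's roles instead of the caller's."""
    if not _DATAFEED_ID_RE.match(datafeed_id):
        raise ValueError(f"invalid datafeed id: {datafeed_id!r}")
    headers = {"Authorization": f"ApiKey {api_key}",
               "Content-Type": "application/json"}
    if secondary_api_key is not None:
        headers["es-secondary-authorization"] = f"ApiKey {secondary_api_key}"
    return {"method": "POST",
            "path": f"/_ml/datafeeds/{datafeed_id}/_update",
            "headers": headers,
            "body": json.dumps(body)}


if __name__ == "__main__":
    for df_id in overprivileged_datafeeds(SAMPLE_DATAFEEDS_RESPONSE):
        req = build_update_request(df_id, {"query": {"term": {"geo.src": "US"}}},
                                   api_key="ADMIN_KEY_PLACEHOLDER",
                                   secondary_api_key="LOW_PRIV_KEY_PLACEHOLDER")
        print(df_id, "->", req["method"], req["path"], sorted(req["headers"]))
```

Remember that the page requires the datafeed to be stopped and started again before an update takes effect, so after re-pinning a feed's identity the listing should be checked once more to confirm the authorization section now shows the intended roles.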
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
Controls how to deal with unavailable concrete indices (closed or missing), how wildcard expressions are expanded to actual indices (all, closed or open indices) and how to deal with wildcard expressions that resolve to no indices.
If false, the request returns an error if any wildcard expression, index alias, or _all value targets only
missing or closed indices. This behavior applies even if the request targets other open indices. For example,
a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
If true, missing or closed indices are not included in the response.
Default value is false.
If true, concrete, expanded or aliased indices are ignored when frozen.
Default value is true.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and
d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
For type composite
For type lookup
A custom format for date type runtime fields.
Path to field or array of paths. Some APIs support wildcards in the path to select multiple fields.
Path to field or array of paths. Some APIs support wildcards in the path to select multiple fields.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
Defines the aggregations that are run as part of the search request.
If true, the request returns detailed information about score computation as part of a hit.
Default value is false.
Configuration of search extensions defined by Elasticsearch plugins.
The starting document offset, which must be non-negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after parameter.
Default value is 0.
Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
Boost the _score of documents from specified indices.
The boost value is the factor by which scores are multiplied.
A boost value greater than 1.0 increases the score.
A boost value between 0 and 1.0 decreases the score.
An array of wildcard (*) field patterns.
The request returns doc values for field names matching these patterns in the hits.fields property of the response.
The minimum _score for matching documents.
Documents with a lower _score are not included in search results or results collected by aggregations.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Set to true to return detailed timing information about the execution of individual components in a search request.
NOTE: This is a debugging tool and adds significant overhead to search execution.
Default value is false.
An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
Retrieve a script evaluation (based on different fields) for each hit.
A field value.
The number of hits to return, which must not be negative.
By default, you cannot page through more than 10,000 hits using the from and size parameters.
To page through more hits, use the search_after property.
Default value is 10.
An array of wildcard (*) field patterns.
The request returns values for field names matching these patterns in the hits.fields property of the response.
The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
If set to 0 (default), the query does not terminate early.
Default value is 0.
The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
If true, calculate and return document scores, even if the scores are not used for sorting.
Default value is false.
If true, the request returns the document version as part of a hit.
Default value is false.
If true, the request returns sequence number and primary term of the last modification of each hit.
The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
POST _ml/datafeeds/datafeed-test-job/_update
{
  "query": {
    "term": {
      "geo.src": "US"
    }
  }
}
resp = client.ml.update_datafeed(
    datafeed_id="datafeed-test-job",
    query={
        "term": {
            "geo.src": "US"
        }
    },
)
const response = await client.ml.updateDatafeed({
  datafeed_id: "datafeed-test-job",
  query: {
    term: {
      "geo.src": "US",
    },
  },
});
response = client.ml.update_datafeed(
  datafeed_id: "datafeed-test-job",
  body: {
    "query": {
      "term": {
        "geo.src": "US"
      }
    }
  }
)
$resp = $client->ml()->updateDatafeed([
    "datafeed_id" => "datafeed-test-job",
    "body" => [
        "query" => [
            "term" => [
                "geo.src" => "US",
            ],
        ],
    ],
]);
curl -X POST -H "Authorization: ApiKey $ELASTIC_API_KEY" -H "Content-Type: application/json" -d '{"query":{"term":{"geo.src":"US"}}}' "$ELASTICSEARCH_URL/_ml/datafeeds/datafeed-test-job/_update"
client.ml().updateDatafeed(u -> u
    .datafeedId("datafeed-test-job")
    .query(q -> q
        .term(t -> t
            .field("geo.src")
            .value(FieldValue.of("US"))
        )
    )
);
{
  "query": {
    "term": {
      "geo.src": "US"
    }
  }
}