Create or update a stream | Kibana Serverless API documentation

Create or update a stream Technical Preview

PUT /api/streams/{name}

Spaces method and path for this operation:

put /s/{space_id}/api/streams/{name}

Refer to Spaces for more information.

Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream.

Headers

kbn-xsrf string Required

A required header to protect against CSRF attacks

Path parameters

name string Required

application/json

Body object

stream object Required

Additional properties are allowed.
Hide stream attributes Show stream attributes object
- ingest object Required
  
  Additional properties are allowed.
  Hide ingest attributes Show ingest attributes object
  
  processing object Required
  
  Additional properties are allowed.
  
  Hide processing attributes Show processing attributes object
  
  updated_at Required
  
  steps array[object] Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object object-5 object object-6 object object-7 object object-8 object object-9 object object-10 object object-11 object object-12 object object-13 object object-2 object
  
  Grok processor - Extract fields from text using grok patterns
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is grok.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Source field to parse with grok patterns
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  pattern_definitions object
  
  Hide pattern_definitions attribute Show pattern_definitions attribute object
  
  * string Additional properties
  
  patterns array[string] Required
  
  Grok patterns applied in order to extract fields
  
  At least 1 element. Minimum length of each is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Dissect processor - Extract fields from text using a lightweight, delimiter-based parser
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is dissect.
  
  append_separator string
  
  Separator inserted when target fields are concatenated
  
  Minimum length is 1.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Source field to parse with dissect pattern
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  pattern string Required
  
  Dissect pattern describing field boundaries
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Date processor - Parse dates from strings using one or more expected formats
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is date.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  formats array[string] Required
  
  Accepted input date formats, tried in order
  
  Minimum length of each is 1.
  
  from string Required
  
  Source field containing the date/time text
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  locale string
  
  Optional locale for date parsing
  
  Minimum length is 1.
  
  output_format string
  
  Optional output format for storing the parsed date as text
  
  Minimum length is 1.
  
  timezone string
  
  Optional timezone for date parsing
  
  Minimum length is 1.
  
  to string
  
  Target field for the parsed date (defaults to source)
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Base processor options plus conditional execution
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is drop_document.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Base processor options plus conditional execution
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is math.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  expression string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  to string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Rename processor - Change a field name and optionally its location
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is rename.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Existing source field to rename or move
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip when source field is missing
  
  override boolean
  
  Allow overwriting the target field if it already exists
  
  to string Required
  
  New field name or destination path
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is set.
  
  copy_from string
  
  Copy value from another field instead of providing a literal
  
  Minimum length is 1.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  override boolean
  
  Allow overwriting an existing target field
  
  to string Required
  
  Target field to set or create
  
  Minimum length is 1.
  
  value
  
  Literal value to assign to the target field
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Append processor - Append one or more values to an existing or new array field
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is append.
  
  allow_duplicates boolean
  
  If true, do not deduplicate appended values
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  to string Required
  
  Array field to append values to
  
  Minimum length is 1.
  
  value array Required
  
  Values to append (must be literal, no templates)
  
  At least 1 element.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Remove by prefix processor - Remove a field and all nested fields matching the prefix
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is remove_by_prefix.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Field to remove along with all its nested fields
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  Remove processor - Delete one or more fields from the document
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is remove.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Field to remove from the document
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Base processor options plus conditional execution
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is replace.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  pattern string Required
  
  A non-empty string or string with whitespace.
  
  Minimum length is 1.
  
  replacement string Required
  
  to string
  
  A non-empty string.
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is convert.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Source field to convert to a different data type
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  to string
  
  Target field for the converted value (defaults to source)
  
  Minimum length is 1.
  
  type string Required
  
  Target data type: integer, long, double, boolean, or string
  
  Values are integer, long, double, boolean, or string.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Manual ingest pipeline wrapper around native Elasticsearch processors
  
  Hide attributes Show attributes
  
  action string Required
  
  Manual ingest pipeline - executes raw Elasticsearch ingest processors
  
  Value is manual_ingest_pipeline.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  on_failure array[object]
  
  Fallback processors to run when a processor fails
  
  Additional properties are allowed.
  
  processors array[object] Required
  
  List of raw Elasticsearch ingest processors to run
  
  Additional properties are NOT allowed.
  
  tag string
  
  Optional ingest processor tag for Elasticsearch
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Hide attributes Show attributes
  
  condition object Required
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  steps array Required
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  steps array Required
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A logical AND that groups multiple conditions.
  
  Hide attributes Show attributes
  
  steps array Required
  
  and array Required
  
  An array of conditions. All sub-conditions must be true for this condition to be true.
  
  A logical OR that groups multiple conditions.
  
  Hide attributes Show attributes
  
  steps array Required
  
  or array Required
  
  An array of conditions. At least one sub-condition must be true for this condition to be true.
  
  A condition that always evaluates to false.
  
  Hide attributes Show attributes
  
  steps array Required
  
  never object Required
  
  An empty object. This condition never matches.
  
  Additional properties are NOT allowed.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attributes Show attributes
  
  steps array Required
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  customIdentifier string
  
  failure_store object Required
  
  Any of:
  object-1 object object-2 object object-1 object object-2 object
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  enabled object Required
  
  Additional properties are NOT allowed.
  
  Hide enabled attribute Show enabled attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  disabled object Required
  
  Additional properties are NOT allowed.
  
  failure_store object Required
  
  Any of:
  object-1 object object-2 object object-1 object object-2 object
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  enabled object Required
  
  Additional properties are NOT allowed.
  
  Hide enabled attribute Show enabled attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  disabled object Required
  
  Additional properties are NOT allowed.
  
  lifecycle object Required
  
  Any of:
  object-1 object object-2 object object-3 object
  
  Hide attribute Show attribute
  
  dsl object Required
  
  Additional properties are NOT allowed.
  
  Hide dsl attribute Show dsl attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  ilm object Required
  
  Additional properties are NOT allowed.
  
  Hide ilm attribute Show ilm attribute object
  
  policy string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  lifecycle object Required
  
  Any of:
  object-1 object object-2 object object-3 object
  
  Hide attribute Show attribute
  
  dsl object Required
  
  Additional properties are NOT allowed.
  
  Hide dsl attribute Show dsl attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  ilm object Required
  
  Additional properties are NOT allowed.
  
  Hide ilm attribute Show ilm attribute object
  
  policy string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  settings object Required
  
  Additional properties are NOT allowed.
  
  Hide settings attributes Show settings attributes object
  
  index.number_of_replicas object
  
  Additional properties are NOT allowed.
  
  Hide index.number_of_replicas attribute Show index.number_of_replicas attribute object
  
  value number Required
  
  index.number_of_shards object
  
  Additional properties are NOT allowed.
  
  Hide index.number_of_shards attribute Show index.number_of_shards attribute object
  
  value number Required
  
  index.refresh_interval object
  
  Additional properties are NOT allowed.
  
  Hide index.refresh_interval attributes Show index.refresh_interval attributes object
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  Value is -1.
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  Value is -1.
  
  wired object Required
  
  Additional properties are NOT allowed.
  
  Hide wired attributes Show wired attributes object
  
  fields object Required
  
  routing array[object] Required
  
  Hide routing attributes Show routing attributes object
  
  destination string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  status string
  
  Values are enabled or disabled.
  
  where object Required
  
  The root condition object. It can be a simple filter or a combination of other conditions.
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains string | number | boolean
  
  Contains comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  endsWith string | number | boolean
  
  Ends-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  eq string | number | boolean
  
  Equality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt string | number | boolean
  
  Greater-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  Greater-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  Less-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  Less-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  neq string | number | boolean
  
  Inequality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  Hide range attributes Show range attributes object
  
  gt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  startsWith string | number | boolean
  
  Starts-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
- name Required
- updated_at Required
- description string Required
dashboards array[string] Required
queries array[object] Required
Hide queries attributes Show queries attributes object
- id string Required
  
  A non-empty string.
  
  Minimum length is 1.
- title string Required
  
  A non-empty string.
  
  Minimum length is 1.
- evidence array[string]
- feature object
  
  Additional properties are NOT allowed.
  Hide feature attributes Show feature attributes object
  
  filter object Required
  
  The root condition object. It can be a simple filter or a combination of other conditions.
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains string | number | boolean
  
  Contains comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  endsWith string | number | boolean
  
  Ends-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  eq string | number | boolean
  
  Equality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt string | number | boolean
  
  Greater-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  Greater-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  Less-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  Less-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  neq string | number | boolean
  
  Inequality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  Hide range attributes Show range attributes object
  
  gt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  startsWith string | number | boolean
  
  Starts-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  name string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  type string Required
  
  Value is system.
- kql object Required
  
  Additional properties are NOT allowed.
  Hide kql attribute Show kql attribute object
  
  query string Required
- severity_score number
rules array[string] Required

stream object Required

Additional properties are allowed.
Hide stream attributes Show stream attributes object
- ingest object Required
  
  Additional properties are allowed.
  Hide ingest attributes Show ingest attributes object
  
  processing object Required
  
  Additional properties are allowed.
  
  Hide processing attributes Show processing attributes object
  
  updated_at Required
  
  steps array[object] Required
  
  Any of:
  object-1 object object-2 object object-3 object object-4 object object-5 object object-6 object object-7 object object-8 object object-9 object object-10 object object-11 object object-12 object object-13 object object-2 object
  
  Grok processor - Extract fields from text using grok patterns
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is grok.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Source field to parse with grok patterns
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  pattern_definitions object
  
  Hide pattern_definitions attribute Show pattern_definitions attribute object
  
  * string Additional properties
  
  patterns array[string] Required
  
  Grok patterns applied in order to extract fields
  
  At least 1 element. Minimum length of each is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Dissect processor - Extract fields from text using a lightweight, delimiter-based parser
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is dissect.
  
  append_separator string
  
  Separator inserted when target fields are concatenated
  
  Minimum length is 1.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Source field to parse with dissect pattern
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  pattern string Required
  
  Dissect pattern describing field boundaries
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Date processor - Parse dates from strings using one or more expected formats
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is date.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  formats array[string] Required
  
  Accepted input date formats, tried in order
  
  Minimum length of each is 1.
  
  from string Required
  
  Source field containing the date/time text
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  locale string
  
  Optional locale for date parsing
  
  Minimum length is 1.
  
  output_format string
  
  Optional output format for storing the parsed date as text
  
  Minimum length is 1.
  
  timezone string
  
  Optional timezone for date parsing
  
  Minimum length is 1.
  
  to string
  
  Target field for the parsed date (defaults to source)
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Base processor options plus conditional execution
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is drop_document.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Base processor options plus conditional execution
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is math.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  expression string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  to string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Rename processor - Change a field name and optionally its location
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is rename.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Existing source field to rename or move
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip when source field is missing
  
  override boolean
  
  Allow overwriting the target field if it already exists
  
  to string Required
  
  New field name or destination path
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Set processor - Assign a literal or copied value to a field (mutually exclusive inputs)
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is set.
  
  copy_from string
  
  Copy value from another field instead of providing a literal
  
  Minimum length is 1.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  override boolean
  
  Allow overwriting an existing target field
  
  to string Required
  
  Target field to set or create
  
  Minimum length is 1.
  
  value
  
  Literal value to assign to the target field
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Append processor - Append one or more values to an existing or new array field
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is append.
  
  allow_duplicates boolean
  
  If true, do not deduplicate appended values
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  to string Required
  
  Array field to append values to
  
  Minimum length is 1.
  
  value array Required
  
  Values to append (must be literal, no templates)
  
  At least 1 element.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Remove by prefix processor - Remove a field and all nested fields matching the prefix
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is remove_by_prefix.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Field to remove along with all its nested fields
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  Remove processor - Delete one or more fields from the document
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is remove.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Field to remove from the document
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Base processor options plus conditional execution
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is replace.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  pattern string Required
  
  A non-empty string or string with whitespace.
  
  Minimum length is 1.
  
  replacement string Required
  
  to string
  
  A non-empty string.
  
  Minimum length is 1.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Convert processor - Change the data type of a field value (integer, long, double, boolean, or string)
  
  Hide attributes Show attributes
  
  action string Required
  
  Value is convert.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  from string Required
  
  Source field to convert to a different data type
  
  Minimum length is 1.
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  ignore_missing boolean
  
  Skip processing when source field is missing
  
  to string
  
  Target field for the converted value (defaults to source)
  
  Minimum length is 1.
  
  type string Required
  
  Target data type: integer, long, double, boolean, or string
  
  Values are integer, long, double, boolean, or string.
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Manual ingest pipeline wrapper around native Elasticsearch processors
  
  Hide attributes Show attributes
  
  action string Required
  
  Manual ingest pipeline - executes raw Elasticsearch ingest processors
  
  Value is manual_ingest_pipeline.
  
  customIdentifier string
  
  Custom identifier to correlate this processor across outputs
  
  Minimum length is 1.
  
  description string
  
  Human-readable notes about this processor step
  
  ignore_failure boolean
  
  Continue pipeline execution if this processor fails
  
  on_failure array[object]
  
  Fallback processors to run when a processor fails
  
  Additional properties are allowed.
  
  processors array[object] Required
  
  List of raw Elasticsearch ingest processors to run
  
  Additional properties are NOT allowed.
  
  tag string
  
  Optional ingest processor tag for Elasticsearch
  
  where object
  
  Conditional expression controlling whether this processor runs
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  Hide attributes Show attributes
  
  condition object Required
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  steps array Required
  
  contains
  
  endsWith
  
  eq
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt
  
  gte
  
  lt
  
  lte
  
  neq
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  startsWith
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  steps array Required
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A logical AND that groups multiple conditions.
  
  Hide attributes Show attributes
  
  steps array Required
  
  and array Required
  
  An array of conditions. All sub-conditions must be true for this condition to be true.
  
  A logical OR that groups multiple conditions.
  
  Hide attributes Show attributes
  
  steps array Required
  
  or array Required
  
  An array of conditions. At least one sub-condition must be true for this condition to be true.
  
  A condition that always evaluates to false.
  
  Hide attributes Show attributes
  
  steps array Required
  
  never object Required
  
  An empty object. This condition never matches.
  
  Additional properties are NOT allowed.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attributes Show attributes
  
  steps array Required
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  customIdentifier string
  
  failure_store object Required
  
  Any of:
  object-1 object object-2 object object-1 object object-2 object
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  enabled object Required
  
  Additional properties are NOT allowed.
  
  Hide enabled attribute Show enabled attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  disabled object Required
  
  Additional properties are NOT allowed.
  
  failure_store object Required
  
  Any of:
  object-1 object object-2 object object-1 object object-2 object
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  enabled object Required
  
  Additional properties are NOT allowed.
  
  Hide enabled attribute Show enabled attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  lifecycle object Required
  
  Additional properties are NOT allowed.
  
  Hide lifecycle attribute Show lifecycle attribute object
  
  disabled object Required
  
  Additional properties are NOT allowed.
  
  lifecycle object Required
  
  Any of:
  object-1 object object-2 object object-3 object
  
  Hide attribute Show attribute
  
  dsl object Required
  
  Additional properties are NOT allowed.
  
  Hide dsl attribute Show dsl attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  ilm object Required
  
  Additional properties are NOT allowed.
  
  Hide ilm attribute Show ilm attribute object
  
  policy string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  lifecycle object Required
  
  Any of:
  object-1 object object-2 object object-3 object
  
  Hide attribute Show attribute
  
  dsl object Required
  
  Additional properties are NOT allowed.
  
  Hide dsl attribute Show dsl attribute object
  
  data_retention string
  
  A non-empty string.
  
  Minimum length is 1.
  
  Hide attribute Show attribute
  
  ilm object Required
  
  Additional properties are NOT allowed.
  
  Hide ilm attribute Show ilm attribute object
  
  policy string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  settings object Required
  
  Additional properties are NOT allowed.
  
  Hide settings attributes Show settings attributes object
  
  index.number_of_replicas object
  
  Additional properties are NOT allowed.
  
  Hide index.number_of_replicas attribute Show index.number_of_replicas attribute object
  
  value number Required
  
  index.number_of_shards object
  
  Additional properties are NOT allowed.
  
  Hide index.number_of_shards attribute Show index.number_of_shards attribute object
  
  value number Required
  
  index.refresh_interval object
  
  Additional properties are NOT allowed.
  
  Hide index.refresh_interval attributes Show index.refresh_interval attributes object
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  Value is -1.
  
  value string | number Required
  
  Any of:
  string-1 string number-2 number
  
  Value is -1.
  
  classic object Required
  
  Additional properties are NOT allowed.
  
  Hide classic attribute Show classic attribute object
  
  field_overrides object
- name Required
- updated_at Required
- description string Required
dashboards array[string] Required
queries array[object] Required
Hide queries attributes Show queries attributes object
- id string Required
  
  A non-empty string.
  
  Minimum length is 1.
- title string Required
  
  A non-empty string.
  
  Minimum length is 1.
- evidence array[string]
- feature object
  
  Additional properties are NOT allowed.
  Hide feature attributes Show feature attributes object
  
  filter object Required
  
  The root condition object. It can be a simple filter or a combination of other conditions.
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains string | number | boolean
  
  Contains comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  endsWith string | number | boolean
  
  Ends-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  eq string | number | boolean
  
  Equality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt string | number | boolean
  
  Greater-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  Greater-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  Less-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  Less-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  neq string | number | boolean
  
  Inequality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  Hide range attributes Show range attributes object
  
  gt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  startsWith string | number | boolean
  
  Starts-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  name string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  type string Required
  
  Value is system.
- kql object Required
  
  Additional properties are NOT allowed.
  Hide kql attribute Show kql attribute object
  
  query string Required
- severity_score number
rules array[string] Required

stream object Required

Additional properties are allowed.
Hide stream attributes Show stream attributes object
- ingest object
  
  Additional properties are allowed.
  Hide ingest attribute Show ingest attribute object
  
  processing object Required
  
  Additional properties are allowed.
  
  Hide processing attribute Show processing attribute object
  
  updated_at
- name Required
- updated_at Required
- description string Required
- group object Required
  
  Additional properties are NOT allowed.
  Hide group attributes Show group attributes object
  
  members array[string] Required
  
  metadata object Required
  
  Hide metadata attribute Show metadata attribute object
  
  * string Additional properties
  
  tags array[string] Required
dashboards array[string] Required
queries array[object] Required
Hide queries attributes Show queries attributes object
- id string Required
  
  A non-empty string.
  
  Minimum length is 1.
- title string Required
  
  A non-empty string.
  
  Minimum length is 1.
- evidence array[string]
- feature object
  
  Additional properties are NOT allowed.
  Hide feature attributes Show feature attributes object
  
  filter object Required
  
  The root condition object. It can be a simple filter or a combination of other conditions.
  
  Any of:
  object-1 object object-2 object object-2 object object-3 object object-4 object object-5 object object-6 object
  
  A condition that compares a field to a value or range using an operator as the key.
  
  Hide attributes Show attributes
  
  contains string | number | boolean
  
  Contains comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  endsWith string | number | boolean
  
  Ends-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  eq string | number | boolean
  
  Equality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  field string Required
  
  The document field to filter on.
  
  Minimum length is 1.
  
  gt string | number | boolean
  
  Greater-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  Greater-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  Less-than comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  Less-than-or-equal comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  neq string | number | boolean
  
  Inequality comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  range object
  
  Range comparison values.
  
  Additional properties are NOT allowed.
  
  Hide range attributes Show range attributes object
  
  gt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  gte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lt string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  lte string | number | boolean
  
  A value that can be a string, number, or boolean.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  startsWith string | number | boolean
  
  Starts-with comparison value.
  
  Any of:
  string-1 string number-2 number boolean-3 boolean
  
  A condition that checks for the existence or non-existence of a field.
  
  Hide attributes Show attributes
  
  exists boolean
  
  Indicates whether the field exists or not.
  
  field string Required
  
  The document field to check.
  
  Minimum length is 1.
  
  A condition that always evaluates to true. Useful for catch-all scenarios, but use with caution as partitions are ordered.
  
  Hide attribute Show attribute
  
  always object Required
  
  An empty object. This condition always matches.
  
  Additional properties are NOT allowed.
  
  name string Required
  
  A non-empty string.
  
  Minimum length is 1.
  
  type string Required
  
  Value is system.
- kql object Required
  
  Additional properties are NOT allowed.
  Hide kql attribute Show kql attribute object
  
  query string Required
- severity_score number
rules array[string] Required

PUT /api/streams/{name}

curl \
 --request PUT 'https://<KIBANA_URL>/api/streams/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"stream":{"ingest":{"processing":{"steps":[{"action":"grok","customIdentifier":"string","description":"string","from":"string","ignore_failure":true,"ignore_missing":true,"pattern_definitions":{"additionalProperty1":"string","additionalProperty2":"string"},"patterns":["string"],"where":{"field":"string","range":{}}}]},"failure_store":{"inherit":{}},"lifecycle":{"dsl":{"data_retention":"string"}},"settings":{"index.number_of_replicas":{"value":42.0},"index.number_of_shards":{"value":42.0},"index.refresh_interval":{"value":"string"}},"wired":{"fields":{},"routing":[{"destination":"string","status":"enabled","where":{"contains":"string","endsWith":"string","eq":"string","field":"string","gt":"string","gte":"string","lt":"string","lte":"string","neq":"string","range":{"gt":"string","gte":"string","lt":"string","lte":"string"},"startsWith":"string"}}]}},"description":"string"},"dashboards":["string"],"queries":[{"id":"string","title":"string","evidence":["string"],"feature":{"filter":{"contains":"string","endsWith":"string","eq":"string","field":"string","gt":"string","gte":"string","lt":"string","lte":"string","neq":"string","range":{"gt":"string","gte":"string","lt":"string","lte":"string"},"startsWith":"string"},"name":"string","type":"system"},"kql":{"query":"string"},"severity_score":42.0}],"rules":["string"]}'

Create or update a stream Technical Preview

Headers

Path parameters

Body object

failure_store object Required

failure_store object Required

lifecycle object Required

lifecycle object Required

value string | number Required

value string | number Required

where object Required

filter object Required

failure_store object Required

failure_store object Required

lifecycle object Required

lifecycle object Required

value string | number Required

value string | number Required

filter object Required

filter object Required