Start datafeeds APIedit

Starts one or more datafeeds. A datafeed must be started in order to retrieve data from Elasticsearch. A datafeed can be started and stopped multiple times throughout its lifecycle.


POST _ml/datafeeds/<feed_id>/_start


  • Before you can start a datafeed, the anomaly detection job must be open. Otherwise, an error occurs.
  • If Elasticsearch security features are enabled, you must have manage_ml, or manage cluster privileges to use this API. For more information, see Security privileges.


When you start a datafeed, you can specify a start time. This enables you to include a training period, providing you have this data available in Elasticsearch. If you want to analyze from the beginning of a dataset, you can specify any date earlier than that beginning date.

If you do not specify a start time and the datafeed is associated with a new anomaly detection job, the analysis starts from the earliest time for which data is available.

When you start a datafeed, you can also specify an end time. If you do so, the job analyzes data from the start time until the end time, at which point the analysis stops. This scenario is useful for a one-off batch analysis. If you do not specify an end time, the datafeed runs continuously.

The start and end times can be specified by using one of the following formats:

  • ISO 8601 format with milliseconds, for example 2017-01-22T06:00:00.000Z
  • ISO 8601 format without milliseconds, for example 2017-01-22T06:00:00+00:00
  • Seconds from the Epoch, for example 1390370400

Date-time arguments using either of the ISO 8601 formats must have a time zone designator, where Z is accepted as an abbreviation for UTC time.

When a URL is expected (for example, in browsers), the + used in time zone designators must be encoded as %2B.

If the system restarts, any jobs that had datafeeds running are also restarted.

When a stopped datafeed is restarted, it continues processing input data from the next millisecond after it was stopped. If new data was indexed for that exact millisecond between stopping and starting, it will be ignored. If you specify a start value that is earlier than the timestamp of the latest processed record, the datafeed continues from 1 millisecond after the timestamp of the latest processed record.

Path parametersedit

(Required, string) Identifier for the datafeed.

Request bodyedit

(string) The time that the datafeed should end. This value is exclusive. The default value is an empty string.
(string) The time that the datafeed should begin. This value is inclusive. The default value is an empty string.
(time) Controls the amount of time to wait until a datafeed starts. The default value is 20 seconds.

Security integrationedit

When Elasticsearch security features are enabled, your datafeed remembers which roles the last user to create or update it had at the time of creation/update and runs the query using those same roles.


The following example starts the datafeed-total-requests datafeed:

POST _ml/datafeeds/datafeed-total-requests/_start
  "start": "2017-04-07T18:22:16Z"

When the datafeed starts, you receive the following results:

  "started": true