Start datafeeds APIedit

Starts one or more datafeeds.


POST _ml/datafeeds/<feed_id>/_start


  • Before you can start a datafeed, the anomaly detection job must be open. Otherwise, an error occurs.
  • If Elasticsearch security features are enabled, you must have manage_ml or manage cluster privileges to use this API. See Security privileges and Machine learning security privileges.


A datafeed must be started in order to retrieve data from Elasticsearch. A datafeed can be started and stopped multiple times throughout its lifecycle.

When you start a datafeed, you can specify a start time. This enables you to include a training period, providing you have this data available in Elasticsearch. If you want to analyze from the beginning of a dataset, you can specify any date earlier than that beginning date.

If you do not specify a start time and the datafeed is associated with a new anomaly detection job, the analysis starts from the earliest time for which data is available.

When you start a datafeed, you can also specify an end time. If you do so, the job analyzes data from the start time until the end time, at which point the analysis stops. This scenario is useful for a one-off batch analysis. If you do not specify an end time, the datafeed runs continuously.

The start and end times can be specified by using one of the following formats:

  • ISO 8601 format with milliseconds, for example 2017-01-22T06:00:00.000Z
  • ISO 8601 format without milliseconds, for example 2017-01-22T06:00:00+00:00
  • Milliseconds since the epoch, for example 1485061200000

Date-time arguments using either of the ISO 8601 formats must have a time zone designator, where Z is accepted as an abbreviation for UTC time.

When a URL is expected (for example, in browsers), the + used in time zone designators must be encoded as %2B.

If the system restarts, any jobs that had datafeeds running are also restarted.

When a stopped datafeed is restarted, it continues processing input data from the next millisecond after it was stopped. If new data was indexed for that exact millisecond between stopping and starting, it will be ignored. If you specify a start value that is earlier than the timestamp of the latest processed record, the datafeed continues from 1 millisecond after the timestamp of the latest processed record.

When Elasticsearch security features are enabled, your datafeed remembers which roles the last user to create or update it had at the time of creation/update and runs the query using those same roles. If you provided secondary authorization headers when you created or updated the datafeed, those credentials are used instead.

Path parametersedit

(Required, string) A numerical character string that uniquely identifies the datafeed. This identifier can contain lowercase alphanumeric characters (a-z and 0-9), hyphens, and underscores. It must start and end with alphanumeric characters.

Request bodyedit

(Optional, string) The time that the datafeed should end. This value is exclusive. The default value is an empty string.
(Optional, string) The time that the datafeed should begin. This value is inclusive. The default value is an empty string.
(Optional, time) Controls the amount of time to wait until a datafeed starts. The default value is 20 seconds.

Response bodyedit

(string) The ID of the node that the datafeed was started on. If the datafeed is allowed to open lazily and has not yet been assigned to a node, this value is an empty string.
(Boolean) For a successful response, this value is always true. On failure, an exception is returned instead.


POST _ml/datafeeds/datafeed-total-requests/_start
  "start": "2017-04-07T18:22:16Z"

When the datafeed starts, you receive the following results:

  "started" : true,
  "node" : "node-1"