Create or update an autoscaling policy Added in 7.11.0

PUT /_autoscaling/policy/{name}

NOTE: This feature is designed for indirect use by Elasticsearch Service, Elastic Cloud Enterprise, and Elastic Cloud on Kubernetes. Direct use is not supported.

External documentation

Path parameters

name string Required

the name of the autoscaling policy

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

application/json

Body Required

roles array[string] Required
deciders object Required

Decider settings.

External documentation
Hide deciders attribute Show deciders attribute object
- * object Additional properties

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_autoscaling/policy/{name}

PUT /_autoscaling/policy/<name>
{
  "roles": [],
  "deciders": {
    "fixed": {
    }
  }
}

curl \
 --request PUT 'http://api.example.com/_autoscaling/policy/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"roles\": [],\n  \"deciders\": {\n    \"fixed\": {\n    }\n  }\n}"'

Request examples

{
  "roles": [],
  "deciders": {
    "fixed": {
    }
  }
}

The API method and path for this request: `PUT /_autoscaling/policy/my_autoscaling_policy`. It creates `my_autoscaling_policy` using the fixed autoscaling decider, applying to the set of nodes having (only) the `data_hot` role.

{
  "roles" : [ "data_hot" ],
  "deciders": {
    "fixed": {
    }
  }
}

Response examples (200)

{
  "acknowledged": true
}

Get the autoscaling capacity Added in 7.11.0

GET /_autoscaling/capacity

Api key auth Basic auth Bearer auth

NOTE: This feature is designed for indirect use by Elasticsearch Service, Elastic Cloud Enterprise, and Elastic Cloud on Kubernetes. Direct use is not supported.

This API gets the current autoscaling capacity based on the configured autoscaling policy. It will return information to size the cluster appropriately to the current workload.

The required_capacity is calculated as the maximum of the required_capacity result of all individual deciders that are enabled for the policy.

The operator should verify that the current_nodes match the operator’s knowledge of the cluster to avoid making autoscaling decisions based on stale or incomplete information.

The response contains decider-specific information you can use to diagnose how and why autoscaling determined a certain capacity was required. This information is provided for diagnosis only. Do not use this information to make autoscaling decisions.

External documentation

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- policies object Required
  
  Hide policies attribute Show policies attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  required_capacity object Required
  
  Hide required_capacity attributes Show required_capacity attributes object
  
  node object Required
  
  Hide node attributes Show node attributes object
  
  storage number Required
  
  memory number Required
  
  total object Required
  
  Hide total attributes Show total attributes object
  
  storage number Required
  
  memory number Required
  
  current_capacity object Required
  
  Hide current_capacity attributes Show current_capacity attributes object
  
  node object Required
  
  Hide node attributes Show node attributes object
  
  storage number Required
  
  memory number Required
  
  total object Required
  
  Hide total attributes Show total attributes object
  
  storage number Required
  
  memory number Required
  
  current_nodes array[object] Required
  
  Hide current_nodes attribute Show current_nodes attribute object
  
  name string Required
  
  deciders object Required
  
  Hide deciders attribute Show deciders attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  required_capacity object Required
  
  Hide required_capacity attributes Show required_capacity attributes object
  
  node object Required
  
  total object Required
  
  reason_summary string
  
  reason_details object

GET /_autoscaling/capacity

GET /_autoscaling/capacity

curl \
 --request GET 'http://api.example.com/_autoscaling/capacity' \
 --header "Authorization: $API_KEY"

Response examples (200)

This may be a response to `GET /_autoscaling/capacity`.

{
  policies: {}
}

Compact and aligned text (CAT)

The compact and aligned text (CAT) APIs aim are intended only for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, it's recommend to use a corresponding JSON API. All the cat commands accept a query string parameter help to see all the headers and info they provide, and the /_cat command alone lists all the available commands.

Get component templates Added in 5.1.0

GET /_cat/component_templates

Api key auth Basic auth Bearer auth

Get information about component templates in a cluster. Component templates are building blocks for constructing index templates that specify index mappings, settings, and aliases.

IMPORTANT: CAT APIs are only intended for human consumption using the command line or Kibana console. They are not intended for use by applications. For application consumption, use the get component template API.

Query parameters

h string | array[string]

List of columns to appear in the response. Supports simple wildcards.
s string | array[string]

List of columns that determine how the table should be sorted. Sorting defaults to ascending and can be changed by setting :asc or :desc as a suffix to the column name.
local boolean

If true, the request computes the list of selected nodes from the local cluster state. If false the list of selected nodes are computed from the cluster state of the master node. In both cases the coordinating node will send requests for further information to each selected node.
master_timeout string

The period to wait for a connection to the master node.

Values are -1 or 0.

Responses

200 application/json
Hide response attributes Show response attributes object
- name string Required
- version string | null Required
  
  One of:
  string-1 string string-2 string | null
- alias_count string Required
- mapping_count string Required
- settings_count string Required
- metadata_count string Required
- included_in string Required

GET /_cat/component_templates

GET _cat/component_templates/my-template-*?v=true&s=name&format=json

curl \
 --request GET 'http://api.example.com/_cat/component_templates' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _cat/component_templates/my-template-*?v=true&s=name&format=json`.

[
  {
    "name": "my-template-1",
    "version": "null",
    "alias_count": "0",
    "mapping_count": "0",
    "settings_count": "1",
    "metadata_count": "0",
    "included_in": "[my-index-template]"
  },
    {
    "name": "my-template-2",
    "version": null,
    "alias_count": "0",
    "mapping_count": "3",
    "settings_count": "0",
    "metadata_count": "0",
    "included_in": "[my-index-template]"
  }
]

Get a document count

GET /_cat/count/{index}

Api key auth Basic auth Bearer auth

Get quick access to a document count for a data stream, an index, or an entire cluster. The document count only includes live documents, not deleted documents which have not yet been removed by the merge process.

IMPORTANT: CAT APIs are only intended for human consumption using the command line or Kibana console. They are not intended for use by applications. For application consumption, use the count API.

Path parameters

index string | array[string] Required

A comma-separated list of data streams, indices, and aliases used to limit the request. It supports wildcards (*). To target all data streams and indices, omit this parameter or use * or _all.

Query parameters

h string | array[string]

List of columns to appear in the response. Supports simple wildcards.
s string | array[string]

List of columns that determine how the table should be sorted. Sorting defaults to ascending and can be changed by setting :asc or :desc as a suffix to the column name.

Responses

200 application/json
Hide response attributes Show response attributes object
- epoch number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  UnitSeconds number StringifiedEpochTimeUnitSeconds string
  
  Time unit for seconds
- timestamp string
  
  Time of day, expressed as HH:MM:SS
- count string
  
  the document count

GET /_cat/count/{index}

GET /_cat/count/my-index-000001?v=true&format=json

curl \
 --request GET 'http://api.example.com/_cat/count/{index}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_cat/count/my-index-000001?v=true&format=json`. It retrieves the document count for the `my-index-000001` data stream or index.

[
  {
    "epoch": "1475868259",
    "timestamp": "15:24:20",
    "count": "120"
  }
]

A successful response from `GET /_cat/count?v=true&format=json`. It retrieves the document count for all data streams and indices in the cluster.

[
  {
    "epoch": "1475868259",
    "timestamp": "15:24:20",
    "count": "121"
  }
]

Get node information

GET /_cat/nodes

Api key auth Basic auth Bearer auth

Get information about the nodes in a cluster. IMPORTANT: cat APIs are only intended for human consumption using the command line or Kibana console. They are not intended for use by applications. For application consumption, use the nodes info API.

Query parameters

bytes string

The unit used to display byte values.

Values are b, kb, mb, gb, tb, or pb.
full_id boolean | string

If true, return the full node ID. If false, return the shortened node ID.
include_unloaded_segments boolean

If true, the response includes information from segments that are not loaded into memory.
h string | array[string]
A comma-separated list of columns names to display. It supports simple wildcards.

Supported values include:
- build (or b): The Elasticsearch build hash. For example: 5c03844.
- completion.size (or cs, completionSize): The size of completion. For example: 0b.
- cpu: The percentage of recent system CPU used.
- disk.avail (or d, disk, diskAvail): The available disk space. For example: 198.4gb.
- disk.total (or dt, diskTotal): The total disk space. For example: 458.3gb.
- disk.used (or du, diskUsed): The used disk space. For example: 259.8gb.
- disk.used_percent (or dup, diskUsedPercent): The percentage of disk space used.
- fielddata.evictions (or fe, fielddataEvictions): The number of fielddata cache evictions.
- fielddata.memory_size (or fm, fielddataMemory): The fielddata cache memory used. For example: 0b.
- file_desc.current (or fdc, fileDescriptorCurrent): The number of file descriptors used.
- file_desc.max (or fdm, fileDescriptorMax): The maximum number of file descriptors.
- file_desc.percent (or fdp, fileDescriptorPercent): The percentage of file descriptors used.
- flush.total (or ft, flushTotal): The number of flushes.
- flush.total_time (or ftt, flushTotalTime): The amount of time spent in flush.
- get.current (or gc, getCurrent): The number of current get operations.
- get.exists_time (or geti, getExistsTime): The time spent in successful get operations. For example: 14ms.
- get.exists_total (or geto, getExistsTotal): The number of successful get operations.
- get.missing_time (or gmti, getMissingTime): The time spent in failed get operations. For example: 0s.
- get.missing_total (or gmto, getMissingTotal): The number of failed get operations.
- get.time (or gti, getTime): The amount of time spent in get operations. For example: 14ms.
- get.total (or gto, getTotal): The number of get operations.
- heap.current (or hc, heapCurrent): The used heap size. For example: 311.2mb.
- heap.max (or hm, heapMax): The total heap size. For example: 4gb.
- heap.percent (or hp, heapPercent): The used percentage of total allocated Elasticsearch JVM heap. This value reflects only the Elasticsearch process running within the operating system and is the most direct indicator of its JVM, heap, or memory resource performance.
- http_address (or http): The bound HTTP address.
- id (or nodeId): The identifier for the node.
- indexing.delete_current (or idc, indexingDeleteCurrent): The number of current deletion operations.
- indexing.delete_time (or idti, indexingDeleteTime): The time spent in deletion operations. For example: 2ms.
- indexing.delete_total (or idto, indexingDeleteTotal): The number of deletion operations.
- indexing.index_current (or iic, indexingIndexCurrent): The number of current indexing operations.
- indexing.index_failed (or iif, indexingIndexFailed): The number of failed indexing operations.
- indexing.index_failed_due_to_version_conflict (or iifvc, indexingIndexFailedDueToVersionConflict): The number of indexing operations that failed due to version conflict.
- indexing.index_time (or iiti, indexingIndexTime): The time spent in indexing operations. For example: 134ms.
- indexing.index_total (or iito, indexingIndexTotal): The number of indexing operations.
- ip (or i): The IP address.
- jdk (or j): The Java version. For example: 1.8.0.
- load_1m (or l): The most recent load average. For example: 0.22.
- load_5m (or l): The load average for the last five minutes. For example: 0.78.
- load_15m (or l): The load average for the last fifteen minutes. For example: 1.24.
- mappings.total_count (or mtc, mappingsTotalCount): The number of mappings, including runtime and object fields.
- mappings.total_estimated_overhead_in_bytes (or mteo, mappingsTotalEstimatedOverheadInBytes): The estimated heap overhead, in bytes, of mappings on this node, which allows for 1KiB of heap for every mapped field.
- master (or m): Indicates whether the node is the elected master node. Returned values include * (elected master) and - (not elected master).
- merges.current (or mc, mergesCurrent): The number of current merge operations.
- merges.current_docs (or mcd, mergesCurrentDocs): The number of current merging documents.
- merges.current_size (or mcs, mergesCurrentSize): The size of current merges. For example: 0b.
- merges.total (or mt, mergesTotal): The number of completed merge operations.
- merges.total_docs (or mtd, mergesTotalDocs): The number of merged documents.
- merges.total_size (or mts, mergesTotalSize): The total size of merges. For example: 0b.
- merges.total_time (or mtt, mergesTotalTime): The time spent merging documents. For example: 0s.
- name (or n): The node name.
- node.role (or r, role, nodeRole): The roles of the node. Returned values include c (cold node), d (data node), f (frozen node), h (hot node), i (ingest node), l (machine learning node), m (master-eligible node), r (remote cluster client node), s (content node), t (transform node), v (voting-only node), w (warm node), and - (coordinating node only). For example, dim indicates a master-eligible data and ingest node.
- pid (or p): The process identifier.
- port (or po): The bound transport port number.
- query_cache.memory_size (or qcm, queryCacheMemory): The used query cache memory. For example: 0b.
- query_cache.evictions (or qce, queryCacheEvictions): The number of query cache evictions.
- query_cache.hit_count (or qchc, queryCacheHitCount): The query cache hit count.
- query_cache.miss_count (or qcmc, queryCacheMissCount): The query cache miss count.
- ram.current (or rc, ramCurrent): The used total memory. For example: 513.4mb.
- ram.max (or rm, ramMax): The total memory. For example: 2.9gb.
- ram.percent (or rp, ramPercent): The used percentage of the total operating system memory. This reflects all processes running on the operating system instead of only Elasticsearch and is not guaranteed to correlate to its performance.
- refresh.total (or rto, refreshTotal): The number of refresh operations.
- refresh.time (or rti, refreshTime): The time spent in refresh operations. For example: 91ms.
- request_cache.memory_size (or rcm, requestCacheMemory): The used request cache memory. For example: 0b.
- request_cache.evictions (or rce, requestCacheEvictions): The number of request cache evictions.
- request_cache.hit_count (or rchc, requestCacheHitCount): The request cache hit count.
- request_cache.miss_count (or rcmc, requestCacheMissCount): The request cache miss count.
- script.compilations (or scrcc, scriptCompilations): The number of total script compilations.
- script.cache_evictions (or scrce, scriptCacheEvictions): The number of total compiled scripts evicted from cache.
- search.fetch_current (or sfc, searchFetchCurrent): The number of current fetch phase operations.
- search.fetch_time (or sfti, searchFetchTime): The time spent in fetch phase. For example: 37ms.
- search.fetch_total (or sfto, searchFetchTotal): The number of fetch operations.
- search.open_contexts (or so, searchOpenContexts): The number of open search contexts.
- search.query_current (or sqc, searchQueryCurrent): The number of current query phase operations.
- search.query_time (or sqti, searchQueryTime): The time spent in query phase. For example: 43ms.
- search.query_total (or sqto, searchQueryTotal): The number of query operations.
- search.scroll_current (or scc, searchScrollCurrent): The number of open scroll contexts.
- search.scroll_time (or scti, searchScrollTime): The amount of time scroll contexts were held open. For example: 2m.
- search.scroll_total (or scto, searchScrollTotal): The number of completed scroll contexts.
- segments.count (or sc, segmentsCount): The number of segments.
- segments.fixed_bitset_memory (or sfbm, fixedBitsetMemory): The memory used by fixed bit sets for nested object field types and type filters for types referred in join fields. For example: 1.0kb.
- segments.index_writer_memory (or siwm, segmentsIndexWriterMemory): The memory used by the index writer. For example: 18mb.
- segments.memory (or sm, segmentsMemory): The memory used by segments. For example: 1.4kb.
- segments.version_map_memory (or svmm, segmentsVersionMapMemory): The memory used by the version map. For example: 1.0kb.
- shard_stats.total_count (or sstc, shards, shardStatsTotalCount): The number of shards assigned.
- suggest.current (or suc, suggestCurrent): The number of current suggest operations.
- suggest.time (or suti, suggestTime): The time spent in suggest operations.
- suggest.total (or suto, suggestTotal): The number of suggest operations.
- uptime (or u): The amount of node uptime. For example: 17.3m.
- version (or v): The Elasticsearch version. For example: 9.0.0.
s string | array[string]

A comma-separated list of column names or aliases that determines the sort order. Sorting defaults to ascending and can be changed by setting :asc or :desc as a suffix to the column name.
master_timeout string

The period to wait for a connection to the master node.

Values are -1 or 0.
time string

The unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- pid string
  
  The process identifier.
- ip string
  
  The IP address.
- port string
  
  The bound transport port.
- http_address string
  
  The bound HTTP address.
- version string
- flavor string
  
  The Elasticsearch distribution flavor.
- type string
  
  The Elasticsearch distribution type.
- build string
  
  The Elasticsearch build hash.
- jdk string
  
  The Java version.
- disk.total number | string
  
  One of:
  ByteSize number ByteSize string
- disk.used number | string
  
  One of:
  ByteSize number ByteSize string
- disk.avail number | string
  
  One of:
  ByteSize number ByteSize string
- disk.used_percent string | number
  
  One of:
  Percentage string Percentage number
- heap.current string
  
  The used heap.
- heap.percent string | number
  
  One of:
  Percentage string Percentage number
- heap.max string
  
  The maximum configured heap.
- ram.current string
  
  The used machine memory.
- ram.percent string | number
  
  One of:
  Percentage string Percentage number
- ram.max string
  
  The total machine memory.
- file_desc.current string
  
  The used file descriptors.
- file_desc.percent string | number
  
  One of:
  Percentage string Percentage number
- file_desc.max string
  
  The maximum number of file descriptors.
- cpu string
  
  The recent system CPU usage as a percentage.
- load_1m string
  
  The load average for the most recent minute.
- load_5m string
  
  The load average for the last five minutes.
- load_15m string
  
  The load average for the last fifteen minutes.
- uptime string
  
  The node uptime.
- node.role string
  
  The roles of the node. Returned values include c(cold node), d(data node), f(frozen node), h(hot node), i(ingest node), l(machine learning node), m (master eligible node), r(remote cluster client node), s(content node), t(transform node), v(voting-only node), w(warm node),and -(coordinating node only).
- master string
  
  Indicates whether the node is the elected master node. Returned values include *(elected master) and -(not elected master).
- name string
- completion.size string
  
  The size of completion.
- fielddata.memory_size string
  
  The used fielddata cache.
- fielddata.evictions string
  
  The fielddata evictions.
- query_cache.memory_size string
  
  The used query cache.
- query_cache.evictions string
  
  The query cache evictions.
- query_cache.hit_count string
  
  The query cache hit counts.
- query_cache.miss_count string
  
  The query cache miss counts.
- request_cache.memory_size string
  
  The used request cache.
- request_cache.evictions string
  
  The request cache evictions.
- request_cache.hit_count string
  
  The request cache hit counts.
- request_cache.miss_count string
  
  The request cache miss counts.
- flush.total string
  
  The number of flushes.
- flush.total_time string
  
  The time spent in flush.
- get.current string
  
  The number of current get ops.
- get.time string
  
  The time spent in get.
- get.total string
  
  The number of get ops.
- get.exists_time string
  
  The time spent in successful gets.
- get.exists_total string
  
  The number of successful get operations.
- get.missing_time string
  
  The time spent in failed gets.
- get.missing_total string
  
  The number of failed gets.
- indexing.delete_current string
  
  The number of current deletions.
- indexing.delete_time string
  
  The time spent in deletions.
- indexing.delete_total string
  
  The number of delete operations.
- indexing.index_current string
  
  The number of current indexing operations.
- indexing.index_time string
  
  The time spent in indexing.
- indexing.index_total string
  
  The number of indexing operations.
- indexing.index_failed string
  
  The number of failed indexing operations.
- merges.current string
  
  The number of current merges.
- merges.current_docs string
  
  The number of current merging docs.
- merges.current_size string
  
  The size of current merges.
- merges.total string
  
  The number of completed merge operations.
- merges.total_docs string
  
  The docs merged.
- merges.total_size string
  
  The size merged.
- merges.total_time string
  
  The time spent in merges.
- refresh.total string
  
  The total refreshes.
- refresh.time string
  
  The time spent in refreshes.
- refresh.external_total string
  
  The total external refreshes.
- refresh.external_time string
  
  The time spent in external refreshes.
- refresh.listeners string
  
  The number of pending refresh listeners.
- script.compilations string
  
  The total script compilations.
- script.cache_evictions string
  
  The total compiled scripts evicted from the cache.
- script.compilation_limit_triggered string
  
  The script cache compilation limit triggered.
- search.fetch_current string
  
  The current fetch phase operations.
- search.fetch_time string
  
  The time spent in fetch phase.
- search.fetch_total string
  
  The total fetch operations.
- search.open_contexts string
  
  The open search contexts.
- search.query_current string
  
  The current query phase operations.
- search.query_time string
  
  The time spent in query phase.
- search.query_total string
  
  The total query phase operations.
- search.scroll_current string
  
  The open scroll contexts.
- search.scroll_time string
  
  The time scroll contexts held open.
- search.scroll_total string
  
  The completed scroll contexts.
- segments.count string
  
  The number of segments.
- segments.memory string
  
  The memory used by segments.
- segments.index_writer_memory string
  
  The memory used by the index writer.
- segments.version_map_memory string
  
  The memory used by the version map.
- segments.fixed_bitset_memory string
  
  The memory used by fixed bit sets for nested object field types and export type filters for types referred in _parent fields.
- suggest.current string
  
  The number of current suggest operations.
- suggest.time string
  
  The time spend in suggest.
- suggest.total string
  
  The number of suggest operations.
- bulk.total_operations string
  
  The number of bulk shard operations.
- bulk.total_time string
  
  The time spend in shard bulk.
- bulk.total_size_in_bytes string
  
  The total size in bytes of shard bulk.
- bulk.avg_time string
  
  The average time spend in shard bulk.
- bulk.avg_size_in_bytes string
  
  The average size in bytes of shard bulk.

GET /_cat/nodes

GET /_cat/nodes?v=true&format=json

curl \
 --request GET 'http://api.example.com/_cat/nodes' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_cat/nodes?v=true&format=json`. The `ip`, `heap.percent`, `ram.percent`, `cpu`, and `load_*` columns provide the IP addresses and performance information of each node. The `node.role`, `master`, and `name` columns provide information useful for monitoring an entire cluster, particularly large ones.

[
  {
    "ip": "127.0.0.1",
    "heap.percent": "65",
    "ram.percent": "99",
    "cpu": "42",
    "load_1m": "3.07",
    "load_5m": null,
    "load_15m": null,
    "node.role": "cdfhilmrstw",
    "master": "*",
    "name": "mJw06l1"
  }
]

A successful response from `GET /_cat/nodes?v=true&h=id,ip,port,v,m&format=json`. It returns the `id`, `ip`, `port`, `v` (version), and `m` (master) columns.

[
  {
    "id": "veJR",
    "ip": "127.0.0.1",
    "port": "59938",
    "v": "9.0.0",
    "m": "*"
  }
]

Get segment information

GET /_cat/segments/{index}

Api key auth Basic auth Bearer auth

Get low-level information about the Lucene segments in index shards. For data streams, the API returns information about the backing indices. IMPORTANT: cat APIs are only intended for human consumption using the command line or Kibana console. They are not intended for use by applications. For application consumption, use the index segments API.

Path parameters

index string | array[string] Required

A comma-separated list of data streams, indices, and aliases used to limit the request. Supports wildcards (*). To target all data streams and indices, omit this parameter or use * or _all.

Query parameters

bytes string

The unit used to display byte values.

Values are b, kb, mb, gb, tb, or pb.
h string | array[string]

List of columns to appear in the response. Supports simple wildcards.
s string | array[string]

List of columns that determine how the table should be sorted. Sorting defaults to ascending and can be changed by setting :asc or :desc as a suffix to the column name.
local boolean

If true, the request computes the list of selected nodes from the local cluster state. If false the list of selected nodes are computed from the cluster state of the master node. In both cases the coordinating node will send requests for further information to each selected node.
master_timeout string

Period to wait for a connection to the master node.

Values are -1 or 0.

Responses

200 application/json
Hide response attributes Show response attributes object
- index string
- shard string
  
  The shard name.
- prirep string
  
  The shard type: primary or replica.
- ip string
  
  The IP address of the node where it lives.
- id string
- segment string
  
  The segment name, which is derived from the segment generation and used internally to create file names in the directory of the shard.
- generation string
  
  The segment generation number. Elasticsearch increments this generation number for each segment written then uses this number to derive the segment name.
- docs.count string
  
  The number of documents in the segment. This excludes deleted documents and counts any nested documents separately from their parents. It also excludes documents which were indexed recently and do not yet belong to a segment.
- docs.deleted string
  
  The number of deleted documents in the segment, which might be higher or lower than the number of delete operations you have performed. This number excludes deletes that were performed recently and do not yet belong to a segment. Deleted documents are cleaned up by the automatic merge process if it makes sense to do so. Also, Elasticsearch creates extra deleted documents to internally track the recent history of operations on a shard.
- size number | string
  
  One of:
  ByteSize number ByteSize string
- size.memory number | string
  
  One of:
  ByteSize number ByteSize string
- committed string
  
  If true, the segment is synced to disk. Segments that are synced can survive a hard reboot. If false, the data from uncommitted segments is also stored in the transaction log so that Elasticsearch is able to replay changes on the next start.
- searchable string
  
  If true, the segment is searchable. If false, the segment has most likely been written to disk but needs a refresh to be searchable.
- version string
- compound string
  
  If true, the segment is stored in a compound file. This means Lucene merged all files from the segment in a single file to save file descriptors.

GET /_cat/segments/{index}

GET /_cat/segments?v=true&format=json

curl \
 --request GET 'http://api.example.com/_cat/segments/{index}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_cat/segments?v=true&format=json`.

[
  {
    "index": "test",
    "shard": "0",
    "prirep": "p",
    "ip": "127.0.0.1",
    "segment": "_0",
    "generation": "0",
    "docs.count": "1",
    "docs.deleted": "0",
    "size": "3kb",
    "size.memory": "0",
    "committed": "false",
    "searchable": "true",
    "version": "9.12.0",
    "compound": "true"
  },
  {
    "index": "test1",
    "shard": "0",
    "prirep": "p",
    "ip": "127.0.0.1",
    "segment": "_0",
    "generation": "0",
    "docs.count": "1",
    "docs.deleted": "0",
    "size": "3kb",
    "size.memory": "0",
    "committed": "false",
    "searchable": "true",
    "version": "9.12.0",
    "compound": "true"
  }
]

Get snapshot information Added in 2.1.0

GET /_cat/snapshots/{repository}

Api key auth Basic auth Bearer auth

Get information about the snapshots stored in one or more repositories. A snapshot is a backup of an index or running Elasticsearch cluster. IMPORTANT: cat APIs are only intended for human consumption using the command line or Kibana console. They are not intended for use by applications. For application consumption, use the get snapshot API.

Path parameters

repository string | array[string] Required

A comma-separated list of snapshot repositories used to limit the request. Accepts wildcard expressions. _all returns all repositories. If any repository fails during the request, Elasticsearch returns an error.

Query parameters

ignore_unavailable boolean

If true, the response does not include information from unavailable snapshots.
h string | array[string]

List of columns to appear in the response. Supports simple wildcards.
s string | array[string]

List of columns that determine how the table should be sorted. Sorting defaults to ascending and can be changed by setting :asc or :desc as a suffix to the column name.
master_timeout string

Period to wait for a connection to the master node.

Values are -1 or 0.
time string

Unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
  
  The unique identifier for the snapshot.
- repository string
  
  The repository name.
- status string
  
  The state of the snapshot process. Returned values include: FAILED: The snapshot process failed. INCOMPATIBLE: The snapshot process is incompatible with the current cluster version. IN_PROGRESS: The snapshot process started but has not completed. PARTIAL: The snapshot process completed with a partial success. SUCCESS: The snapshot process completed with a full success.
- start_epoch number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  UnitSeconds number StringifiedEpochTimeUnitSeconds string
  
  Time unit for seconds
- start_time string | object
  
  A time of day, expressed either as hh:mm, noon, midnight, or an hour/minutes structure.
  
  One of:
  ScheduleTimeOfDay string HourAndMinute object
- end_epoch number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  UnitSeconds number StringifiedEpochTimeUnitSeconds string
  
  Time unit for seconds
- end_time string
  
  Time of day, expressed as HH:MM:SS
- duration string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- indices string
  
  The number of indices in the snapshot.
- successful_shards string
  
  The number of successful shards in the snapshot.
- failed_shards string
  
  The number of failed shards in the snapshot.
- total_shards string
  
  The total number of shards in the snapshot.
- reason string
  
  The reason for any snapshot failures.

GET /_cat/snapshots/{repository}

GET /_cat/snapshots/repo1?v=true&s=id&format=json

curl \
 --request GET 'http://api.example.com/_cat/snapshots/{repository}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_cat/snapshots/repo1?v=true&s=id&format=json`.

[
  {
    "id": "snap1",
    "repository": "repo1",
    "status": "FAILED",
    "start_epoch": "1445616705",
    "start_time": "18:11:45",
    "end_epoch": "1445616978",
    "end_time": "18:16:18",
    "duration": "4.6m",
    "indices": "1",
    "successful_shards": "4",
    "failed_shards": "1",
    "total_shards": "5"
  },
  {
    "id": "snap2",
    "repository": "repo1",
    "status": "SUCCESS",
    "start_epoch": "1445634298",
    "start_time": "23:04:58",
    "end_epoch": "1445634672",
    "end_time": "23:11:12",
    "duration": "6.2m",
    "indices": "2",
    "successful_shards": "10",
    "failed_shards": "0",
    "total_shards": "10"
  }
]

Explain the shard allocations Added in 5.0.0

GET /_cluster/allocation/explain

Api key auth Basic auth Bearer auth

Get explanations for shard allocations in the cluster. For unassigned shards, it provides an explanation for why the shard is unassigned. For assigned shards, it provides an explanation for why the shard is remaining on its current node and has not moved or rebalanced to another node. This API can be very useful when attempting to diagnose why a shard is unassigned or why a shard continues to remain on its current node when you might expect otherwise.

Query parameters

include_disk_info boolean

If true, returns information about disk usage and shard sizes.
include_yes_decisions boolean

If true, returns YES decisions in explanation.
master_timeout string

Period to wait for a connection to the master node.

Values are -1 or 0.

application/json

Body

current_node string

Specifies the node ID or the name of the node to only explain a shard that is currently located on the specified node.
index string
primary boolean

If true, returns explanation for the primary shard for the given shard ID.
shard number

Specifies the ID of the shard that you would like an explanation for.

Responses

200 application/json
Hide response attributes Show response attributes object
- allocate_explanation string
- allocation_delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- allocation_delay_in_millis number
  
  Time unit for milliseconds
- can_allocate string
  
  Values are yes, no, worse_balance, throttled, awaiting_info, allocation_delayed, no_valid_shard_copy, or no_attempt.
- can_move_to_other_node string
  
  Values are yes, no, worse_balance, throttled, awaiting_info, allocation_delayed, no_valid_shard_copy, or no_attempt.
- can_rebalance_cluster string
  
  Values are yes, no, worse_balance, throttled, awaiting_info, allocation_delayed, no_valid_shard_copy, or no_attempt.
- can_rebalance_cluster_decisions array[object]
  
  Hide can_rebalance_cluster_decisions attributes Show can_rebalance_cluster_decisions attributes object
  
  decider string Required
  
  decision string Required
  
  Values are NO, YES, THROTTLE, or ALWAYS.
  
  explanation string Required
- can_rebalance_to_other_node string
  
  Values are yes, no, worse_balance, throttled, awaiting_info, allocation_delayed, no_valid_shard_copy, or no_attempt.
- can_remain_decisions array[object]
  
  Hide can_remain_decisions attributes Show can_remain_decisions attributes object
  
  decider string Required
  
  decision string Required
  
  Values are NO, YES, THROTTLE, or ALWAYS.
  
  explanation string Required
- can_remain_on_current_node string
  
  Values are yes, no, worse_balance, throttled, awaiting_info, allocation_delayed, no_valid_shard_copy, or no_attempt.
- cluster_info object
  
  Hide cluster_info attributes Show cluster_info attributes object
  
  nodes object Required
  
  Hide nodes attribute Show nodes attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  node_name string Required
  
  least_available object Required
  
  Hide least_available attributes Show least_available attributes object
  
  path string Required
  
  total_bytes number Required
  
  used_bytes number Required
  
  free_bytes number Required
  
  free_disk_percent number Required
  
  used_disk_percent number Required
  
  most_available object Required
  
  Hide most_available attributes Show most_available attributes object
  
  path string Required
  
  total_bytes number Required
  
  used_bytes number Required
  
  free_bytes number Required
  
  free_disk_percent number Required
  
  used_disk_percent number Required
  
  shard_sizes object Required
  
  Hide shard_sizes attribute Show shard_sizes attribute object
  
  * number Additional properties
  
  shard_data_set_sizes object
  
  Hide shard_data_set_sizes attribute Show shard_data_set_sizes attribute object
  
  * string Additional properties
  
  shard_paths object Required
  
  Hide shard_paths attribute Show shard_paths attribute object
  
  * string Additional properties
  
  reserved_sizes array[object] Required
  
  Hide reserved_sizes attributes Show reserved_sizes attributes object
  
  node_id string Required
  
  path string Required
  
  total number Required
  
  shards array[string] Required
- configured_delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- configured_delay_in_millis number
  
  Time unit for milliseconds
- current_node object
  
  Hide current_node attributes Show current_node attributes object
  
  id string Required
  
  name string Required
  
  roles array[string] Required
  
  @doc_id node-roles
  
  Values are master, data, data_cold, data_content, data_frozen, data_hot, data_warm, client, ingest, ml, voting_only, transform, remote_cluster_client, or coordinating_only.
  
  attributes object Required
  
  Hide attributes attribute Show attributes attribute object
  
  * string Additional properties
  
  transport_address string Required
  
  weight_ranking number Required
- current_state string Required
- index string Required
- move_explanation string
- node_allocation_decisions array[object]
  
  Hide node_allocation_decisions attributes Show node_allocation_decisions attributes object
  
  deciders array[object] Required
  
  Hide deciders attributes Show deciders attributes object
  
  decider string Required
  
  decision string Required
  
  Values are NO, YES, THROTTLE, or ALWAYS.
  
  explanation string Required
  
  node_attributes object Required
  
  Hide node_attributes attribute Show node_attributes attribute object
  
  * string Additional properties
  
  node_decision string Required
  
  Values are yes, no, worse_balance, throttled, awaiting_info, allocation_delayed, no_valid_shard_copy, or no_attempt.
  
  node_id string Required
  
  node_name string Required
  
  roles array[string] Required
  
  @doc_id node-roles
  
  Values are master, data, data_cold, data_content, data_frozen, data_hot, data_warm, client, ingest, ml, voting_only, transform, remote_cluster_client, or coordinating_only.
  
  store object
  
  Hide store attributes Show store attributes object
  
  allocation_id string Required
  
  found boolean Required
  
  in_sync boolean Required
  
  matching_size_in_bytes number Required
  
  matching_sync_id boolean Required
  
  store_exception string Required
  
  transport_address string Required
  
  weight_ranking number Required
- primary boolean Required
- rebalance_explanation string
- remaining_delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- remaining_delay_in_millis number
  
  Time unit for milliseconds
- shard number Required
- unassigned_info object
  
  Hide unassigned_info attributes Show unassigned_info attributes object
  
  at string | number Required
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  last_allocation_status string
  
  reason string Required
  
  Values are INDEX_CREATED, CLUSTER_RECOVERED, INDEX_REOPENED, DANGLING_INDEX_IMPORTED, NEW_INDEX_RESTORED, EXISTING_INDEX_RESTORED, REPLICA_ADDED, ALLOCATION_FAILED, NODE_LEFT, REROUTE_CANCELLED, REINITIALIZED, REALLOCATED_REPLICA, PRIMARY_FAILED, FORCED_EMPTY_PRIMARY, or MANUAL_ALLOCATION.
  
  details string
  
  failed_allocation_attempts number
  
  delayed boolean
  
  allocation_status string
- note string

GET /_cluster/allocation/explain

GET _cluster/allocation/explain
{
  "index": "my-index-000001",
  "shard": 0,
  "primary": false,
  "current_node": "my-node"
}

curl \
 --request GET 'http://api.example.com/_cluster/allocation/explain' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"index\": \"my-index-000001\",\n  \"shard\": 0,\n  \"primary\": false,\n  \"current_node\": \"my-node\"\n}"'

Request example

Run `GET _cluster/allocation/explain` to get an explanation for a shard's current allocation.

{
  "index": "my-index-000001",
  "shard": 0,
  "primary": false,
  "current_node": "my-node"
}

Response examples (200)

An example of an allocation explanation for an unassigned primary shard. In this example, a newly created index has an index setting that requires that it only be allocated to a node named `nonexistent_node`, which does not exist, so the index is unable to allocate.

{
  "index" : "my-index-000001",
  "shard" : 0,
  "primary" : true,
  "current_state" : "unassigned",
  "unassigned_info" : {
    "reason" : "INDEX_CREATED",
    "at" : "2017-01-04T18:08:16.600Z",
    "last_allocation_status" : "no"
  },
  "can_allocate" : "no",
  "allocate_explanation" : "Elasticsearch isn't allowed to allocate this shard to any of the nodes in the cluster. Choose a node to which you expect this shard to be allocated, find this node in the node-by-node explanation, and address the reasons which prevent Elasticsearch from allocating this shard there.",
  "node_allocation_decisions" : [
    {
      "node_id" : "8qt2rY-pT6KNZB3-hGfLnw",
      "node_name" : "node-0",
      "transport_address" : "127.0.0.1:9401",
      "roles" : ["data", "data_cold", "data_content", "data_frozen", "data_hot", "data_warm", "ingest", "master", "ml", "remote_cluster_client", "transform"],
      "node_attributes" : {},
      "node_decision" : "no",
      "weight_ranking" : 1,
      "deciders" : [
        {
          "decider" : "filter",
          "decision" : "NO",
          "explanation" : "node does not match index setting [index.routing.allocation.include] filters [_name:\"nonexistent_node\"]"
        }
      ]
    }
  ]
}

An example of an allocation explanation for an unassigned primary shard that has reached the maximum number of allocation retry attempts. After the maximum number of retries is reached, Elasticsearch stops attempting to allocate the shard in order to prevent infinite retries which may impact cluster performance.

{
  "index" : "my-index-000001",
  "shard" : 0,
  "primary" : true,
  "current_state" : "unassigned",
  "unassigned_info" : {
    "at" : "2017-01-04T18:03:28.464Z",
    "failed shard on node [mEKjwwzLT1yJVb8UxT6anw]: failed recovery, failure RecoveryFailedException",
    "reason": "ALLOCATION_FAILED",
    "failed_allocation_attempts": 5,
    "last_allocation_status": "no",
  },
  "can_allocate": "no",
  "allocate_explanation": "cannot allocate because allocation is not permitted to any of the nodes",
  "node_allocation_decisions" : [
    {
      "node_id" : "3sULLVJrRneSg0EfBB-2Ew",
      "node_name" : "node_t0",
      "transport_address" : "127.0.0.1:9400",
      "roles" : ["data_content", "data_hot"],
      "node_decision" : "no",
      "store" : {
        "matching_size" : "4.2kb",
        "matching_size_in_bytes" : 4325
      },
      "deciders" : [
        {
          "decider": "max_retry",
          "decision" : "NO",
          "explanation": "shard has exceeded the maximum number of retries [5] on failed allocation attempts - manually call [POST /_cluster/reroute?retry_failed] to retry, [unassigned_info[[reason=ALLOCATION_FAILED], at[2024-07-30T21:04:12.166Z], failed_attempts[5], failed_nodes[[mEKjwwzLT1yJVb8UxT6anw]], delayed=false, details[failed shard on node [mEKjwwzLT1yJVb8UxT6anw]: failed recovery, failure RecoveryFailedException], allocation_status[deciders_no]]]"
        }
      ]
    }
  ]
}

Get remote cluster information Added in 6.1.0

GET /_remote/info

Api key auth Basic auth Bearer auth

Get information about configured remote clusters. The API returns connection and endpoint information keyed by the configured remote cluster alias.

This API returns information that reflects current state on the local cluster. The connected field does not necessarily reflect whether a remote cluster is down or unavailable, only whether there is currently an open connection to it. Elasticsearch does not spontaneously try to reconnect to a disconnected remote cluster. To trigger a reconnection, attempt a cross-cluster search, ES|QL cross-cluster search, or try the resolve cluster endpoint.

External documentation

Responses

200 application/json

GET /_remote/info

curl \
 --request GET 'http://api.example.com/_remote/info' \
 --header "Authorization: $API_KEY"

Reroute the cluster Added in 5.0.0

POST /_cluster/reroute

Api key auth Basic auth Bearer auth

Manually change the allocation of individual shards in the cluster. For example, a shard can be moved from one node to another explicitly, an allocation can be canceled, and an unassigned shard can be explicitly allocated to a specific node.

It is important to note that after processing any reroute commands Elasticsearch will perform rebalancing as normal (respecting the values of settings such as cluster.routing.rebalance.enable) in order to remain in a balanced state. For example, if the requested allocation includes moving a shard from node1 to node2 then this may cause a shard to be moved from node2 back to node1 to even things out.

The cluster can be set to disable allocations using the cluster.routing.allocation.enable setting. If allocations are disabled then the only allocations that will be performed are explicit ones given using the reroute command, and consequent allocations due to rebalancing.

The cluster will attempt to allocate a shard a maximum of index.allocation.max_retries times in a row (defaults to 5), before giving up and leaving the shard unallocated. This scenario can be caused by structural problems such as having an analyzer which refers to a stopwords file which doesn’t exist on all nodes.

Once the problem has been corrected, allocation can be manually retried by calling the reroute API with the ?retry_failed URI query parameter, which will attempt a single retry round for these shards.

Query parameters

dry_run boolean

If true, then the request simulates the operation. It will calculate the result of applying the commands to the current cluster state and return the resulting cluster state after the commands (and rebalancing) have been applied; it will not actually perform the requested changes.
explain boolean

If true, then the response contains an explanation of why the commands can or cannot run.
metric string | array[string]

Limits the information returned to the specified metrics.
retry_failed boolean

If true, then retries allocation of shards that are blocked due to too many subsequent allocation failures.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

application/json

Body

commands array[object]

Defines the commands to perform.
Hide commands attributes Show commands attributes object
- cancel object
  Hide cancel attributes Show cancel attributes object
  
  index string Required
  
  shard number Required
  
  node string Required
  
  allow_primary boolean
- move object
  Hide move attributes Show move attributes object
  
  index string Required
  
  shard number Required
  
  from_node string Required
  
  The node to move the shard from
  
  to_node string Required
  
  The node to move the shard to
- allocate_replica object
  Hide allocate_replica attributes Show allocate_replica attributes object
  
  index string Required
  
  shard number Required
  
  node string Required
- allocate_stale_primary object
  Hide allocate_stale_primary attributes Show allocate_stale_primary attributes object
  
  index string Required
  
  shard number Required
  
  node string Required
  
  accept_data_loss boolean Required
  
  If a node which has a copy of the data rejoins the cluster later on, that data will be deleted. To ensure that these implications are well-understood, this command requires the flag accept_data_loss to be explicitly set to true
- allocate_empty_primary object
  Hide allocate_empty_primary attributes Show allocate_empty_primary attributes object
  
  index string Required
  
  shard number Required
  
  node string Required
  
  accept_data_loss boolean Required
  
  If a node which has a copy of the data rejoins the cluster later on, that data will be deleted. To ensure that these implications are well-understood, this command requires the flag accept_data_loss to be explicitly set to true

Responses

200 application/json
Hide response attributes Show response attributes object
- acknowledged boolean Required
- explanations array[object]
  
  Hide explanations attributes Show explanations attributes object
  
  command string Required
  
  decisions array[object] Required
  
  Hide decisions attributes Show decisions attributes object
  
  decider string Required
  
  decision string Required
  
  explanation string Required
  
  parameters object Required
  
  Hide parameters attributes Show parameters attributes object
  
  allow_primary boolean Required
  
  index string Required
  
  node string Required
  
  shard number Required
  
  from_node string
  
  to_node string
- state object
  
  There aren't any guarantees on the output/structure of the raw cluster state. Here you will find the internal representation of the cluster, which can differ from the external representation.

POST /_cluster/reroute

POST /_cluster/reroute?metric=none
{
  "commands": [
    {
      "move": {
        "index": "test", "shard": 0,
        "from_node": "node1", "to_node": "node2"
      }
    },
    {
      "allocate_replica": {
        "index": "test", "shard": 1,
        "node": "node3"
      }
    }
  ]
}

curl \
 --request POST 'http://api.example.com/_cluster/reroute' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"commands\": [\n    {\n      \"move\": {\n        \"index\": \"test\", \"shard\": 0,\n        \"from_node\": \"node1\", \"to_node\": \"node2\"\n      }\n    },\n    {\n      \"allocate_replica\": {\n        \"index\": \"test\", \"shard\": 1,\n        \"node\": \"node3\"\n      }\n    }\n  ]\n}"'

Request example

Run `POST /_cluster/reroute?metric=none` to changes the allocation of shards in a cluster.

{
  "commands": [
    {
      "move": {
        "index": "test", "shard": 0,
        "from_node": "node1", "to_node": "node2"
      }
    },
    {
      "allocate_replica": {
        "index": "test", "shard": 1,
        "node": "node3"
      }
    }
  ]
}

Get the cluster state Added in 1.3.0

GET /_cluster/state/{metric}

Api key auth Basic auth Bearer auth

Get comprehensive information about the state of the cluster.

The cluster state is an internal data structure which keeps track of a variety of information needed by every node, including the identity and attributes of the other nodes in the cluster; cluster-wide settings; index metadata, including the mapping and settings for each index; the location and status of every shard copy in the cluster.

The elected master node ensures that every node in the cluster has a copy of the same cluster state. This API lets you retrieve a representation of this internal state for debugging or diagnostic purposes. You may need to consult the Elasticsearch source code to determine the precise meaning of the response.

By default the API will route requests to the elected master node since this node is the authoritative source of cluster states. You can also retrieve the cluster state held on the node handling the API request by adding the ?local=true query parameter.

Elasticsearch may need to expend significant effort to compute a response to this API in larger clusters, and the response may comprise a very large quantity of data. If you use this API repeatedly, your cluster may become unstable.

WARNING: The response is a representation of an internal data structure. Its format is not subject to the same compatibility guarantees as other more stable APIs and may change from version to version. Do not query this API using external monitoring tools. Instead, obtain the information you require using other more stable cluster APIs.

Path parameters

metric string | array[string] Required

Limit the information returned to the specified metrics

Query parameters

allow_no_indices boolean

Whether to ignore if a wildcard indices expression resolves into no concrete indices. (This includes _all string or when no indices have been specified)
expand_wildcards string | array[string]
Whether to expand wildcard expression to concrete indices that are open, closed or both.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
flat_settings boolean

Return settings in flat format (default: false)
ignore_unavailable boolean

Whether specified concrete indices should be ignored when unavailable (missing or closed)
local boolean

Return local information, do not retrieve the state from master node (default: false)
master_timeout string

Specify timeout for connection to master

Values are -1 or 0.
wait_for_metadata_version number

Wait for the metadata version to be equal or greater than the specified metadata version
wait_for_timeout string

The maximum time to wait for wait_for_metadata_version before timing out

Values are -1 or 0.

Responses

200 application/json

GET /_cluster/state/{metric}

curl \
 --request GET 'http://api.example.com/_cluster/state/{metric}' \
 --header "Authorization: $API_KEY"

Get the cluster state Added in 1.3.0

GET /_cluster/state/{metric}/{index}

Api key auth Basic auth Bearer auth

Get comprehensive information about the state of the cluster.

The cluster state is an internal data structure which keeps track of a variety of information needed by every node, including the identity and attributes of the other nodes in the cluster; cluster-wide settings; index metadata, including the mapping and settings for each index; the location and status of every shard copy in the cluster.

The elected master node ensures that every node in the cluster has a copy of the same cluster state. This API lets you retrieve a representation of this internal state for debugging or diagnostic purposes. You may need to consult the Elasticsearch source code to determine the precise meaning of the response.

By default the API will route requests to the elected master node since this node is the authoritative source of cluster states. You can also retrieve the cluster state held on the node handling the API request by adding the ?local=true query parameter.

Elasticsearch may need to expend significant effort to compute a response to this API in larger clusters, and the response may comprise a very large quantity of data. If you use this API repeatedly, your cluster may become unstable.

WARNING: The response is a representation of an internal data structure. Its format is not subject to the same compatibility guarantees as other more stable APIs and may change from version to version. Do not query this API using external monitoring tools. Instead, obtain the information you require using other more stable cluster APIs.

Path parameters

metric string | array[string] Required

Limit the information returned to the specified metrics
index string | array[string] Required

A comma-separated list of index names; use _all or empty string to perform the operation on all indices

Query parameters

allow_no_indices boolean

Whether to ignore if a wildcard indices expression resolves into no concrete indices. (This includes _all string or when no indices have been specified)
expand_wildcards string | array[string]
Whether to expand wildcard expression to concrete indices that are open, closed or both.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
flat_settings boolean

Return settings in flat format (default: false)
ignore_unavailable boolean

Whether specified concrete indices should be ignored when unavailable (missing or closed)
local boolean

Return local information, do not retrieve the state from master node (default: false)
master_timeout string

Specify timeout for connection to master

Values are -1 or 0.
wait_for_metadata_version number

Wait for the metadata version to be equal or greater than the specified metadata version
wait_for_timeout string

The maximum time to wait for wait_for_metadata_version before timing out

Values are -1 or 0.

Responses

200 application/json

GET /_cluster/state/{metric}/{index}

curl \
 --request GET 'http://api.example.com/_cluster/state/{metric}/{index}' \
 --header "Authorization: $API_KEY"

Activate the connector draft filter Technical preview

PUT /_connector/{connector_id}/_filtering/_activate

Api key auth Basic auth Bearer auth

Activates the valid draft filtering for a connector.

Path parameters

connector_id string Required

The unique identifier of the connector to be updated

Responses

200 application/json
Hide response attribute Show response attribute object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.

PUT /_connector/{connector_id}/_filtering/_activate

curl \
 --request PUT 'http://api.example.com/_connector/{connector_id}/_filtering/_activate' \
 --header "Authorization: $API_KEY"

Update the connector draft filtering validation Technical preview

PUT /_connector/{connector_id}/_filtering/_validation

Api key auth Basic auth Bearer auth

Update the draft filtering validation info for a connector.

Path parameters

connector_id string Required

The unique identifier of the connector to be updated

application/json

Body Required

validation object Required
Hide validation attributes Show validation attributes object
- errors array[object] Required
  Hide errors attributes Show errors attributes object
  
  ids array[string] Required
  
  messages array[string] Required
- state string Required
  
  Values are edited, invalid, or valid.

Responses

200 application/json
Hide response attribute Show response attribute object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.

PUT /_connector/{connector_id}/_filtering/_validation

curl \
 --request PUT 'http://api.example.com/_connector/{connector_id}/_filtering/_validation' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"validation":{"errors":[{"ids":["string"],"messages":["string"]}],"state":"edited"}}'

Update the connector is_native flag Beta

PUT /_connector/{connector_id}/_native

Api key auth Basic auth Bearer auth

Path parameters

connector_id string Required

The unique identifier of the connector to be updated

application/json

Body Required

is_native boolean Required

Responses

200 application/json
Hide response attribute Show response attribute object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.

PUT /_connector/{connector_id}/_native

curl \
 --request PUT 'http://api.example.com/_connector/{connector_id}/_native' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"is_native":true}'

Downsample an index Technical preview

POST /{index}/_downsample/{target_index}

Api key auth Basic auth Bearer auth

Aggregate a time series (TSDS) index and store pre-computed statistical summaries (min, max, sum, value_count and avg) for each metric field grouped by a configured time interval. For example, a TSDS index that contains metrics sampled every 10 seconds can be downsampled to an hourly index. All documents within an hour interval are summarized and stored as a single document in the downsample index.

NOTE: Only indices in a time series data stream are supported. Neither field nor document level security can be defined on the source index. The source index must be read only (index.blocks.write: true).

Path parameters

index string Required

Name of the time series index to downsample.
target_index string Required

Name of the index to create.

application/json

Body Required

fixed_interval string Required

A date histogram interval. Similar to Duration with additional units: w (week), M (month), q (quarter) and y (year)

Responses

200 application/json

POST /{index}/_downsample/{target_index}

POST /my-time-series-index/_downsample/my-downsampled-time-series-index
{
  "fixed_interval": "1d"
}

curl \
 --request POST 'http://api.example.com/{index}/_downsample/{target_index}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"fixed_interval\": \"1d\"\n}"'

Request example

{
  "fixed_interval": "1d"
}

Create a new document in the index Added in 5.0.0

PUT /{index}/_create/{id}

Api key auth Basic auth Bearer auth

You can index a new JSON document with the /<target>/_doc/ or /<target>/_create/<_id> APIs Using _create guarantees that the document is indexed only if it does not already exist. It returns a 409 response when a document with a same ID already exists in the index. To update an existing document, you must use the /<target>/_doc/ API.

If the Elasticsearch security features are enabled, you must have the following index privileges for the target data stream, index, or index alias:

To add a document using the PUT /<target>/_create/<_id> or POST /<target>/_create/<_id> request formats, you must have the create_doc, create, index, or write index privilege.
To automatically create a data stream or index with this API request, you must have the auto_configure, create_index, or manage index privilege.

Automatic data stream creation requires a matching index template with data stream enabled.

Automatically create data streams and indices

If the request's target doesn't exist and matches an index template with a data_stream definition, the index operation automatically creates the data stream.

If the target doesn't exist and doesn't match a data stream template, the operation automatically creates the index and applies any matching index templates.

NOTE: Elasticsearch includes several built-in index templates. To avoid naming collisions with these templates, refer to index pattern documentation.

If no mapping exists, the index operation creates a dynamic mapping. By default, new fields and objects are automatically added to the mapping if needed.

Automatic index creation is controlled by the action.auto_create_index setting. If it is true, any index can be created automatically. You can modify this setting to explicitly allow or block automatic creation of indices that match specified patterns or set it to false to turn off automatic index creation entirely. Specify a comma-separated list of patterns you want to allow or prefix each pattern with + or - to indicate whether it should be allowed or blocked. When a list is specified, the default behaviour is to disallow.

NOTE: The action.auto_create_index setting affects the automatic creation of indices only. It does not affect the creation of data streams.

Routing

By default, shard placement — or routing — is controlled by using a hash of the document's ID value. For more explicit control, the value fed into the hash function used by the router can be directly specified on a per-operation basis using the routing parameter.

When setting up explicit mapping, you can also use the _routing field to direct the index operation to extract the routing value from the document itself. This does come at the (very minimal) cost of an additional document parsing pass. If the _routing mapping is defined and set to be required, the index operation will fail if no routing value is provided or extracted.

NOTE: Data streams do not support custom routing unless they were created with the allow_custom_routing setting enabled in the template.

Distributed

The index operation is directed to the primary shard based on its route and performed on the actual node containing this shard. After the primary shard completes the operation, if needed, the update is distributed to applicable replicas.

Active shards

To improve the resiliency of writes to the system, indexing operations can be configured to wait for a certain number of active shard copies before proceeding with the operation. If the requisite number of active shard copies are not available, then the write operation must wait and retry, until either the requisite shard copies have started or a timeout occurs. By default, write operations only wait for the primary shards to be active before proceeding (that is to say wait_for_active_shards is 1). This default can be overridden in the index settings dynamically by setting index.write.wait_for_active_shards. To alter this behavior per operation, use the wait_for_active_shards request parameter.

Valid values are all or any positive integer up to the total number of configured copies per shard in the index (which is number_of_replicas+1). Specifying a negative value or a number greater than the number of shard copies will throw an error.

For example, suppose you have a cluster of three nodes, A, B, and C and you create an index index with the number of replicas set to 3 (resulting in 4 shard copies, one more copy than there are nodes). If you attempt an indexing operation, by default the operation will only ensure the primary copy of each shard is available before proceeding. This means that even if B and C went down and A hosted the primary shard copies, the indexing operation would still proceed with only one copy of the data. If wait_for_active_shards is set on the request to 3 (and all three nodes are up), the indexing operation will require 3 active shard copies before proceeding. This requirement should be met because there are 3 active nodes in the cluster, each one holding a copy of the shard. However, if you set wait_for_active_shards to all (or to 4, which is the same in this situation), the indexing operation will not proceed as you do not have all 4 copies of each shard active in the index. The operation will timeout unless a new node is brought up in the cluster to host the fourth copy of the shard.

It is important to note that this setting greatly reduces the chances of the write operation not writing to the requisite number of shard copies, but it does not completely eliminate the possibility, because this check occurs before the write operation starts. After the write operation is underway, it is still possible for replication to fail on any number of shard copies but still succeed on the primary. The _shards section of the API response reveals the number of shard copies on which replication succeeded and failed.

External documentation

Path parameters

index string Required

The name of the data stream or index to target. If the target doesn't exist and matches the name or wildcard (*) pattern of an index template with a data_stream definition, this request creates the data stream. If the target doesn't exist and doesn’t match a data stream template, this request creates the index.
id string Required

A unique identifier for the document. To automatically generate a document ID, use the POST /<target>/_doc/ request format.

Query parameters

if_primary_term number

Only perform the operation if the document has this primary term.
if_seq_no number

Only perform the operation if the document has this sequence number.
include_source_on_error boolean

True or false if to include the document source in the error message in case of parsing errors.
op_type string
Set to create to only index the document if it does not already exist (put if absent). If a document with the specified _id already exists, the indexing operation will fail. The behavior is the same as using the <index>/_create endpoint. If a document ID is specified, this paramater defaults to index. Otherwise, it defaults to create. If the request targets a data stream, an op_type of create is required.

Supported values include:
- index: Overwrite any documents that already exist.
- create: Only index documents that do not already exist.
Values are index or create.
pipeline string

The ID of the pipeline to use to preprocess incoming documents. If the index has a default ingest pipeline specified, setting the value to _none turns off the default ingest pipeline for this request. If a final pipeline is configured, it will always run regardless of the value of this parameter.
refresh string

If true, Elasticsearch refreshes the affected shards to make this operation visible to search. If wait_for, it waits for a refresh to make this operation visible to search. If false, it does nothing with refreshes.

Values are true, false, or wait_for.
require_alias boolean

If true, the destination must be an index alias.
require_data_stream boolean

If true, the request's actions must target a data stream (existing or to be created).
routing string

A custom value that is used to route operations to a specific shard.
timeout string

The period the request waits for the following operations: automatic index creation, dynamic mapping updates, waiting for active shards. Elasticsearch waits for at least the specified timeout period before failing. The actual wait time could be longer, particularly when multiple waits occur.

This parameter is useful for situations where the primary shard assigned to perform the operation might not be available when the operation runs. Some reasons for this might be that the primary shard is currently recovering from a gateway or undergoing relocation. By default, the operation will wait on the primary shard to become available for at least 1 minute before failing and responding with an error. The actual wait time could be longer, particularly when multiple waits occur.

Values are -1 or 0.
version number

The explicit version number for concurrency control. It must be a non-negative long number.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.
wait_for_active_shards number | string

The number of shard copies that must be active before proceeding with the operation. You can set it to all or any positive integer up to the total number of shards in the index (number_of_replicas+1). The default value of 1 means it waits for each primary shard to be active.

Values are all or index-setting.

application/json

Body Required

object

Responses

200 application/json
Hide response attributes Show response attributes object
- _id string Required
- _index string Required
- _primary_term number
  
  The primary term assigned to the document for the indexing operation.
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.
- _seq_no number
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- _version number Required
- forced_refresh boolean

PUT /{index}/_create/{id}

PUT my-index-000001/_create/1
{
  "@timestamp": "2099-11-15T13:12:00",
  "message": "GET /search HTTP/1.1 200 1070000",
  "user": {
    "id": "kimchy"
  }
}

curl \
 --request PUT 'http://api.example.com/{index}/_create/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"@timestamp\": \"2099-11-15T13:12:00\",\n  \"message\": \"GET /search HTTP/1.1 200 1070000\",\n  \"user\": {\n    \"id\": \"kimchy\"\n  }\n}"'

Request example

Run `PUT my-index-000001/_create/1` to index a document into the `my-index-000001` index if no document with that ID exists.

{
  "@timestamp": "2099-11-15T13:12:00",
  "message": "GET /search HTTP/1.1 200 1070000",
  "user": {
    "id": "kimchy"
  }
}

Create a new document in the index Added in 5.0.0

POST /{index}/_create/{id}

Api key auth Basic auth Bearer auth

You can index a new JSON document with the /<target>/_doc/ or /<target>/_create/<_id> APIs Using _create guarantees that the document is indexed only if it does not already exist. It returns a 409 response when a document with a same ID already exists in the index. To update an existing document, you must use the /<target>/_doc/ API.

If the Elasticsearch security features are enabled, you must have the following index privileges for the target data stream, index, or index alias:

To add a document using the PUT /<target>/_create/<_id> or POST /<target>/_create/<_id> request formats, you must have the create_doc, create, index, or write index privilege.
To automatically create a data stream or index with this API request, you must have the auto_configure, create_index, or manage index privilege.

Automatic data stream creation requires a matching index template with data stream enabled.

Automatically create data streams and indices

If the request's target doesn't exist and matches an index template with a data_stream definition, the index operation automatically creates the data stream.

If the target doesn't exist and doesn't match a data stream template, the operation automatically creates the index and applies any matching index templates.

NOTE: Elasticsearch includes several built-in index templates. To avoid naming collisions with these templates, refer to index pattern documentation.

If no mapping exists, the index operation creates a dynamic mapping. By default, new fields and objects are automatically added to the mapping if needed.

Automatic index creation is controlled by the action.auto_create_index setting. If it is true, any index can be created automatically. You can modify this setting to explicitly allow or block automatic creation of indices that match specified patterns or set it to false to turn off automatic index creation entirely. Specify a comma-separated list of patterns you want to allow or prefix each pattern with + or - to indicate whether it should be allowed or blocked. When a list is specified, the default behaviour is to disallow.

NOTE: The action.auto_create_index setting affects the automatic creation of indices only. It does not affect the creation of data streams.

Routing

By default, shard placement — or routing — is controlled by using a hash of the document's ID value. For more explicit control, the value fed into the hash function used by the router can be directly specified on a per-operation basis using the routing parameter.

When setting up explicit mapping, you can also use the _routing field to direct the index operation to extract the routing value from the document itself. This does come at the (very minimal) cost of an additional document parsing pass. If the _routing mapping is defined and set to be required, the index operation will fail if no routing value is provided or extracted.

NOTE: Data streams do not support custom routing unless they were created with the allow_custom_routing setting enabled in the template.

Distributed

The index operation is directed to the primary shard based on its route and performed on the actual node containing this shard. After the primary shard completes the operation, if needed, the update is distributed to applicable replicas.

Active shards

To improve the resiliency of writes to the system, indexing operations can be configured to wait for a certain number of active shard copies before proceeding with the operation. If the requisite number of active shard copies are not available, then the write operation must wait and retry, until either the requisite shard copies have started or a timeout occurs. By default, write operations only wait for the primary shards to be active before proceeding (that is to say wait_for_active_shards is 1). This default can be overridden in the index settings dynamically by setting index.write.wait_for_active_shards. To alter this behavior per operation, use the wait_for_active_shards request parameter.

Valid values are all or any positive integer up to the total number of configured copies per shard in the index (which is number_of_replicas+1). Specifying a negative value or a number greater than the number of shard copies will throw an error.

For example, suppose you have a cluster of three nodes, A, B, and C and you create an index index with the number of replicas set to 3 (resulting in 4 shard copies, one more copy than there are nodes). If you attempt an indexing operation, by default the operation will only ensure the primary copy of each shard is available before proceeding. This means that even if B and C went down and A hosted the primary shard copies, the indexing operation would still proceed with only one copy of the data. If wait_for_active_shards is set on the request to 3 (and all three nodes are up), the indexing operation will require 3 active shard copies before proceeding. This requirement should be met because there are 3 active nodes in the cluster, each one holding a copy of the shard. However, if you set wait_for_active_shards to all (or to 4, which is the same in this situation), the indexing operation will not proceed as you do not have all 4 copies of each shard active in the index. The operation will timeout unless a new node is brought up in the cluster to host the fourth copy of the shard.

It is important to note that this setting greatly reduces the chances of the write operation not writing to the requisite number of shard copies, but it does not completely eliminate the possibility, because this check occurs before the write operation starts. After the write operation is underway, it is still possible for replication to fail on any number of shard copies but still succeed on the primary. The _shards section of the API response reveals the number of shard copies on which replication succeeded and failed.

External documentation

Path parameters

index string Required

The name of the data stream or index to target. If the target doesn't exist and matches the name or wildcard (*) pattern of an index template with a data_stream definition, this request creates the data stream. If the target doesn't exist and doesn’t match a data stream template, this request creates the index.
id string Required

A unique identifier for the document. To automatically generate a document ID, use the POST /<target>/_doc/ request format.

Query parameters

if_primary_term number

Only perform the operation if the document has this primary term.
if_seq_no number

Only perform the operation if the document has this sequence number.
include_source_on_error boolean

True or false if to include the document source in the error message in case of parsing errors.
op_type string
Set to create to only index the document if it does not already exist (put if absent). If a document with the specified _id already exists, the indexing operation will fail. The behavior is the same as using the <index>/_create endpoint. If a document ID is specified, this paramater defaults to index. Otherwise, it defaults to create. If the request targets a data stream, an op_type of create is required.

Supported values include:
- index: Overwrite any documents that already exist.
- create: Only index documents that do not already exist.
Values are index or create.
pipeline string

The ID of the pipeline to use to preprocess incoming documents. If the index has a default ingest pipeline specified, setting the value to _none turns off the default ingest pipeline for this request. If a final pipeline is configured, it will always run regardless of the value of this parameter.
refresh string

If true, Elasticsearch refreshes the affected shards to make this operation visible to search. If wait_for, it waits for a refresh to make this operation visible to search. If false, it does nothing with refreshes.

Values are true, false, or wait_for.
require_alias boolean

If true, the destination must be an index alias.
require_data_stream boolean

If true, the request's actions must target a data stream (existing or to be created).
routing string

A custom value that is used to route operations to a specific shard.
timeout string

The period the request waits for the following operations: automatic index creation, dynamic mapping updates, waiting for active shards. Elasticsearch waits for at least the specified timeout period before failing. The actual wait time could be longer, particularly when multiple waits occur.

This parameter is useful for situations where the primary shard assigned to perform the operation might not be available when the operation runs. Some reasons for this might be that the primary shard is currently recovering from a gateway or undergoing relocation. By default, the operation will wait on the primary shard to become available for at least 1 minute before failing and responding with an error. The actual wait time could be longer, particularly when multiple waits occur.

Values are -1 or 0.
version number

The explicit version number for concurrency control. It must be a non-negative long number.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.
wait_for_active_shards number | string

The number of shard copies that must be active before proceeding with the operation. You can set it to all or any positive integer up to the total number of shards in the index (number_of_replicas+1). The default value of 1 means it waits for each primary shard to be active.

Values are all or index-setting.

application/json

Body Required

object

Responses

200 application/json
Hide response attributes Show response attributes object
- _id string Required
- _index string Required
- _primary_term number
  
  The primary term assigned to the document for the indexing operation.
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.
- _seq_no number
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- _version number Required
- forced_refresh boolean

POST /{index}/_create/{id}

PUT my-index-000001/_create/1
{
  "@timestamp": "2099-11-15T13:12:00",
  "message": "GET /search HTTP/1.1 200 1070000",
  "user": {
    "id": "kimchy"
  }
}

curl \
 --request POST 'http://api.example.com/{index}/_create/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"@timestamp\": \"2099-11-15T13:12:00\",\n  \"message\": \"GET /search HTTP/1.1 200 1070000\",\n  \"user\": {\n    \"id\": \"kimchy\"\n  }\n}"'

Request example

Run `PUT my-index-000001/_create/1` to index a document into the `my-index-000001` index if no document with that ID exists.

{
  "@timestamp": "2099-11-15T13:12:00",
  "message": "GET /search HTTP/1.1 200 1070000",
  "user": {
    "id": "kimchy"
  }
}

Delete a document

DELETE /{index}/_doc/{id}

Api key auth Basic auth Bearer auth

Remove a JSON document from the specified index.

NOTE: You cannot send deletion requests directly to a data stream. To delete a document in a data stream, you must target the backing index containing the document.

Optimistic concurrency control

Delete operations can be made conditional and only be performed if the last modification to the document was assigned the sequence number and primary term specified by the if_seq_no and if_primary_term parameters. If a mismatch is detected, the operation will result in a VersionConflictException and a status code of 409.

Versioning

Each document indexed is versioned. When deleting a document, the version can be specified to make sure the relevant document you are trying to delete is actually being deleted and it has not changed in the meantime. Every write operation run on a document, deletes included, causes its version to be incremented. The version number of a deleted document remains available for a short time after deletion to allow for control of concurrent operations. The length of time for which a deleted document's version remains available is determined by the index.gc_deletes index setting.

Routing

If routing is used during indexing, the routing value also needs to be specified to delete a document.

If the _routing mapping is set to required and no routing value is specified, the delete API throws a RoutingMissingException and rejects the request.

For example:

DELETE /my-index-000001/_doc/1?routing=shard-1

This request deletes the document with ID 1, but it is routed based on the user. The document is not deleted if the correct routing is not specified.

Distributed

The delete operation gets hashed into a specific shard ID. It then gets redirected into the primary shard within that ID group and replicated (if needed) to shard replicas within that ID group.

Path parameters

index string Required

The name of the target index.
id string Required

A unique identifier for the document.

Query parameters

if_primary_term number

Only perform the operation if the document has this primary term.
if_seq_no number

Only perform the operation if the document has this sequence number.
refresh string

If true, Elasticsearch refreshes the affected shards to make this operation visible to search. If wait_for, it waits for a refresh to make this operation visible to search. If false, it does nothing with refreshes.

Values are true, false, or wait_for.
routing string

A custom value used to route operations to a specific shard.
timeout string

The period to wait for active shards.

This parameter is useful for situations where the primary shard assigned to perform the delete operation might not be available when the delete operation runs. Some reasons for this might be that the primary shard is currently recovering from a store or undergoing relocation. By default, the delete operation will wait on the primary shard to become available for up to 1 minute before failing and responding with an error.

Values are -1 or 0.
version number

An explicit version number for concurrency control. It must match the current version of the document for the request to succeed.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.
wait_for_active_shards number | string

The minimum number of shard copies that must be active before proceeding with the operation. You can set it to all or any positive integer up to the total number of shards in the index (number_of_replicas+1). The default value of 1 means it waits for each primary shard to be active.

Values are all or index-setting.

Responses

200 application/json
Hide response attributes Show response attributes object
- _id string Required
- _index string Required
- _primary_term number
  
  The primary term assigned to the document for the indexing operation.
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.
- _seq_no number
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- _version number Required
- forced_refresh boolean

DELETE /{index}/_doc/{id}

DELETE /my-index-000001/_doc/1

curl \
 --request DELETE 'http://api.example.com/{index}/_doc/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `DELETE /my-index-000001/_doc/1`, which deletes the JSON document 1 from the `my-index-000001` index.

{
  "_shards": {
    "total": 2,
    "failed": 0,
    "successful": 2
  },
  "_index": "my-index-000001",
  "_id": "1",
  "_version": 2,
  "_primary_term": 1,
  "_seq_no": 5,
  "result": "deleted"
}

Get the async EQL status Added in 7.9.0

GET /_eql/search/status/{id}

Api key auth Basic auth Bearer auth

Get the current status for an async EQL search or a stored synchronous EQL search without returning results.

Path parameters

id string Required

Identifier for the search.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string Required
- is_partial boolean Required
  
  If true, the search request is still executing. If false, the search is completed.
- is_running boolean Required
  
  If true, the response does not contain complete search results. This could be because either the search is still running (is_running status is false), or because it is already completed (is_running status is true) and results are partial due to failures or timeouts.
- start_time_in_millis number
  
  Time unit for milliseconds
- expiration_time_in_millis number
  
  Time unit for milliseconds
- completion_status number
  
  For a completed search shows the http status code of the completed search.

GET /_eql/search/status/{id}

curl \
 --request GET 'http://api.example.com/_eql/search/status/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response for getting status information for an async EQL search.

{
  "id": "FmNJRUZ1YWZCU3dHY1BIOUhaenVSRkEaaXFlZ3h4c1RTWFNocDdnY2FSaERnUTozNDE=",
  "is_running" : true,
  "is_partial" : true,
  "start_time_in_millis" : 1611690235000,
  "expiration_time_in_millis" : 1611690295000
}

Get the features Added in 7.12.0

GET /_features

Api key auth Basic auth Bearer auth

Get a list of features that can be included in snapshots using the feature_states field when creating a snapshot. You can use this API to determine which feature states to include when taking a snapshot. By default, all feature states are included in a snapshot if that snapshot includes the global state, or none if it does not.

A feature state includes one or more system indices necessary for a given feature to function. In order to ensure data integrity, all system indices that comprise a feature state are snapshotted and restored together.

The features listed by this API are a combination of built-in features and features defined by plugins. In order for a feature state to be listed in this API and recognized as a valid feature state by the create snapshot API, the plugin that defines that feature must be installed on the master node.

External documentation

Query parameters

master_timeout string

Period to wait for a connection to the master node.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- features array[object] Required
  
  Hide features attributes Show features attributes object
  
  name string Required
  
  description string Required

GET /_features

curl \
 --request GET 'http://api.example.com/_features' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response for retrieving a list of feature states that can be included when taking a snapshot.

{
  "features": [
    {
      "name": "tasks",
      "description": "Manages task results"
    },
    {
      "name": "kibana",
      "description": "Manages Kibana configuration and reports"
    }
  ]
}

Run multiple Fleet searches Technical preview

POST /_fleet/_fleet_msearch

Api key auth Basic auth Bearer auth

Run several Fleet searches with a single API request. The API follows the same structure as the multi search API. However, similar to the Fleet search API, it supports the wait_for_checkpoints parameter.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
ccs_minimize_roundtrips boolean

If true, network roundtrips between the coordinating node and remote clusters are minimized for cross-cluster search requests.
expand_wildcards string | array[string]
Type of index that wildcard expressions can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
ignore_throttled boolean

If true, concrete, expanded or aliased indices are ignored when frozen.
ignore_unavailable boolean

If true, missing or closed indices are not included in the response.
max_concurrent_searches number

Maximum number of concurrent searches the multi search API can execute.
max_concurrent_shard_requests number

Maximum number of concurrent shard requests that each sub-search request executes per node.
pre_filter_shard_size number

Defines a threshold that enforces a pre-filter roundtrip to prefilter search shards based on query rewriting if the number of shards the search request expands to exceeds the threshold. This filter roundtrip can limit the number of shards significantly if for instance a shard can not match any documents based on its rewrite method i.e., if date filters are mandatory to match but the shard bounds and the query are disjoint.
search_type string
Indicates whether global term and document frequencies should be used when scoring returned documents.

Supported values include:
- query_then_fetch: Documents are scored using local term and document frequencies for the shard. This is usually faster but less accurate.
- dfs_query_then_fetch: Documents are scored using global term and document frequencies across all shards. This is usually slower but more accurate.
Values are query_then_fetch or dfs_query_then_fetch.
rest_total_hits_as_int boolean

If true, hits.total are returned as an integer in the response. Defaults to false, which returns an object.
typed_keys boolean

Specifies whether aggregation and suggester names should be prefixed by their respective types in the response.
wait_for_checkpoints array[number]

A comma separated list of checkpoints. When configured, the search API will only be executed on a shard after the relevant checkpoint has become visible for search. Defaults to an empty list which will cause Elasticsearch to immediately execute the search.
allow_partial_search_results boolean

If true, returns partial results if there are shard request timeouts or shard failures. If false, returns an error with no partial results. Defaults to the configured cluster setting search.default_allow_partial_results, which is true by default.

application/json

Body object Required

allow_no_indices boolean
expand_wildcards string | array[string]
ignore_unavailable boolean
index string | array[string]
preference string
request_cache boolean
routing string
search_type string

Values are query_then_fetch or dfs_query_then_fetch.
ccs_minimize_roundtrips boolean
allow_partial_search_results boolean
ignore_throttled boolean

aggregations object

Defines the aggregations that are run as part of the search request.

External documentation
collapse object
External documentation
explain boolean

If true, the request returns detailed information about score computation as part of a hit.
ext object

Configuration of search extensions defined by Elasticsearch plugins.
Hide ext attribute Show ext attribute object
- * object Additional properties
from number

The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
highlight object
Hide highlight attributes Show highlight attributes object
- type string
 
 Any of:
 HighlighterType string HighlighterType string
 
 Values are plain, fvh, or unified.
- boundary_chars string
 
 A string that contains each boundary character.
- boundary_max_scan number
 
 How far to scan for boundary characters.
- boundary_scanner string
 
 Values are chars, sentence, or word.
- boundary_scanner_locale string
 
 Controls which locale is used to search for sentence and word boundaries. This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".
- force_source boolean Deprecated
- fragmenter string
 
 Values are simple or span.
- fragment_size number
 
 The size of the highlighted fragment in characters.
- highlight_filter boolean
- highlight_query object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 External documentation
- max_fragment_length number
- max_analyzed_offset number
 
 If set to a non-negative value, highlighting stops at this defined maximum limit. The rest of the text is not processed, thus not highlighted and no error is returned The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.
- no_match_size number
 
 The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.
- number_of_fragments number
 
 The maximum number of fragments to return. If the number of fragments is set to 0, no fragments are returned. Instead, the entire field contents are highlighted and returned. This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required. If number_of_fragments is 0, fragment_size is ignored.
- options object
 Hide options attribute Show options attribute object
 
 * object Additional properties
- order string
 
 Value is score.
- phrase_limit number
 
 Controls the number of matching phrases in a document that are considered. Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory. When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory. Only supported by the fvh highlighter.
- post_tags array[string]
 
 Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
- pre_tags array[string]
 
 Use in conjunction with post_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
- require_field_match boolean
 
 By default, only fields that contains a query match are highlighted. Set to false to highlight all fields.
- tags_schema string
 
 Value is styled.
- encoder string
 
 Values are default or html.
- fields object | array[object] Required
 
 One of:
 object-1 object array-2 array[object]
track_total_hits boolean | number

Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
indices_boost array[object]

Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.

External documentation
Hide indices_boost attribute Show indices_boost attribute object
- * number Additional properties
docvalue_fields array[object]

An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.

External documentation
Hide docvalue_fields attributes Show docvalue_fields attributes object
- field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- format string
  
  The format in which the values are returned.
- include_unmapped boolean
knn object | array[object]

The approximate kNN search to run.
One of:
KnnSearch object array-2 array[object]
Hide attributes Show attributes

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

query_vector array[number]

query_vector_builder object

Hide query_vector_builder attribute Show query_vector_builder attribute object

text_embedding object

Hide text_embedding attributes Show text_embedding attributes object

model_id string Required

model_text string Required

k number

The final number of nearest neighbors to return as top hits

num_candidates number

The number of nearest neighbor candidates to consider per shard

boost number

Boost value to apply to kNN scores

filter object | array[object]

Filters for the kNN search query

One of:
QueryContainer object array-2 array[object]

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

similarity number

The minimum similarity for a vector to be considered a match

inner_hits object

Hide inner_hits attributes Show inner_hits attributes object

name string

size number

The maximum number of hits to return per inner_hits.

from number

Inner hit starting document offset.

collapse object
External documentation

docvalue_fields array[object]

explain boolean

highlight object

ignore_unmapped boolean

script_fields object

Hide script_fields attribute Show script_fields attribute object

* object Additional properties

seq_no_primary_term boolean

fields array[string]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

sort array[string | object]

_source boolean | object

Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.

One of:
SourceConfig boolean SourceFilter object

stored_fields string | array[string]

track_scores boolean

version boolean

rescore_vector object

Hide rescore_vector attribute Show rescore_vector attribute object

oversample number Required

Applies the specified oversample factor to k on the approximate kNN search
External documentation
Hide attributes Show attributes object

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

query_vector array[number]

query_vector_builder object

Hide query_vector_builder attribute Show query_vector_builder attribute object

text_embedding object

k number

The final number of nearest neighbors to return as top hits

num_candidates number

The number of nearest neighbor candidates to consider per shard

boost number

Boost value to apply to kNN scores

filter object | array[object]

Filters for the kNN search query

One of:
QueryContainer object array-2 array[object]

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

similarity number

The minimum similarity for a vector to be considered a match

inner_hits object

Hide inner_hits attributes Show inner_hits attributes object

name string

size number

The maximum number of hits to return per inner_hits.

from number

Inner hit starting document offset.

collapse object

docvalue_fields array[object]

explain boolean

highlight

ignore_unmapped boolean

script_fields object

seq_no_primary_term boolean

fields array[string]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

sort

_source

stored_fields string | array[string]

track_scores boolean

version boolean

rescore_vector object

Hide rescore_vector attribute Show rescore_vector attribute object

oversample number Required

Applies the specified oversample factor to k on the approximate kNN search
rank object
Hide rank attribute Show rank attribute object
- rrf object
  Hide rrf attributes Show rrf attributes object
  
  rank_constant number
  
  How much influence documents in individual result sets per query have over the final ranked result set
  
  rank_window_size number
  
  Size of the individual result sets per query
min_score number

The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
post_filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
profile boolean

Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
rescore object | array[object]

Can be used to improve precision by reordering just the top (for example 100 - 500) documents returned by the query and post_filter phases.
One of:
Rescore object array-2 array[object]
Hide attributes Show attributes

window_size number

query object

Hide query attributes Show query attributes object

rescore_query object Required

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

query_weight number

Relative importance of the original query versus the rescore query.

rescore_query_weight number

Relative importance of the rescore query versus the original query.

score_mode string

Values are avg, max, min, multiply, or total.

learning_to_rank object

Hide learning_to_rank attributes Show learning_to_rank attributes object

model_id string Required

The unique identifier of the trained model uploaded to Elasticsearch

params object

Named parameters to be passed to the query templates used for feature
Hide attributes Show attributes object

window_size number

query object

learning_to_rank object
retriever object
Hide retriever attributes Show retriever attributes object
- standard object
  Hide standard attributes Show standard attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  terminate_after number
  
  Maximum number of documents to collect for each shard.
  
  sort array[string | object]
  
  collapse object
  External documentation
- knn object
  Hide knn attributes Show knn attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  field string Required
  
  The name of the vector field to search against.
  
  query_vector array[number]
  
  query_vector_builder object
  
  Hide query_vector_builder attribute Show query_vector_builder attribute object
  
  text_embedding object
  
  k number Required
  
  Number of nearest neighbors to return as top hits.
  
  num_candidates number Required
  
  Number of nearest neighbor candidates to consider per shard.
  
  similarity number
  
  The minimum similarity required for a document to be considered a match.
  
  rescore_vector object
  
  Hide rescore_vector attribute Show rescore_vector attribute object
  
  oversample number Required
  
  Applies the specified oversample factor to k on the approximate kNN search
- rrf object
  Hide rrf attributes Show rrf attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retrievers array[object] Required
  
  A list of child retrievers to specify which sets of returned top documents will have the RRF formula applied to them.
  
  rank_constant number
  
  This value determines how much influence documents in individual result sets per query have over the final ranked result set.
  
  rank_window_size number
  
  This value determines the size of the individual result sets per query.
- text_similarity_reranker object
  Hide text_similarity_reranker attributes Show text_similarity_reranker attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retriever object Required
  
  rank_window_size number
  
  This value determines how many documents we will consider from the nested retriever.
  
  inference_id string
  
  Unique identifier of the inference endpoint created using the inference API.
  
  inference_text string
  
  The text snippet used as the basis for similarity comparison
  
  field string
  
  The document field to be used for text similarity comparisons. This field should contain the text that will be evaluated against the inference_text
- rule object
  Hide rule attributes Show rule attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  ruleset_ids string | array[string] Required
  
  The ruleset IDs containing the rules this retriever is evaluating against.
  
  One of:
  Id string array-2 array[string]
  
  match_criteria object Required
  
  The match criteria that will determine if a rule in the provided rulesets should be applied.
  
  retriever object Required
  
  rank_window_size number
  
  This value determines the size of the individual result set.
- rescorer object
  Hide rescorer attributes Show rescorer attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retriever object Required
  
  rescore array[object] Required
- linear object
  Hide linear attributes Show linear attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retrievers array[object]
  
  Inner retrievers.
  
  rank_window_size number Required
- pinned object
  Hide pinned attributes Show pinned attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retriever object Required
  
  ids array[string]
  
  docs array[object]
  
  rank_window_size number Required
script_fields object

Retrieve a script evaluation (based on different fields) for each hit.
Hide script_fields attribute Show script_fields attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  ignore_failure boolean
search_after array[number | string | boolean | null]

A field value.
size number

The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
slice object
Hide slice attributes Show slice attributes object
- field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- id string Required
- max number Required
sort string | object | array[string | object]
One of:
Field string SortOptions object Sort array[string | object]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
Hide attributes Show attributes

_score object

Hide _score attribute Show _score attribute object

order string

Values are asc or desc.

_doc object

Hide _doc attribute Show _doc attribute object

order string

Values are asc or desc.

_geo_distance object

Hide _geo_distance attributes Show _geo_distance attributes object

mode string

Values are min, max, sum, avg, or median.

distance_type string

Values are arc or plane.

ignore_unmapped boolean

order string

Values are asc or desc.

unit string

Values are in, ft, yd, mi, nmi, km, m, cm, or mm.

nested object

_script object

Hide _script attributes Show _script attributes object

order string

Values are asc or desc.

script object Required

type string

Values are string, number, or version.

mode string

Values are min, max, sum, avg, or median.

nested object
One of:
Field string SortOptions object

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
_source boolean | object

Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
One of:
SourceConfig boolean SourceFilter object
Hide attributes Show attributes

excludes string | array[string]

includes string | array[string]
fields array[object]

An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
Hide fields attributes Show fields attributes object
- field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- format string
  
  The format in which the values are returned.
- include_unmapped boolean
suggest object
Hide suggest attribute Show suggest attribute object
- text string
  
  Global suggest text, to avoid repetition when the same text is used in several suggesters
terminate_after number

The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.

IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.

If set to 0 (default), the query does not terminate early.
timeout string

The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
track_scores boolean

If true, calculate and return document scores, even if the scores are not used for sorting.
version boolean

If true, the request returns the document version as part of a hit.
seq_no_primary_term boolean

If true, the request returns sequence number and primary term of the last modification of each hit.

External documentation
stored_fields string | array[string]
pit object
Hide pit attributes Show pit attributes object
- id string Required
- keep_alive string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
runtime_mappings object
Hide runtime_mappings attribute Show runtime_mappings attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
stats array[string]

The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.

Responses

200 application/json
Hide response attribute Show response attribute object
- docs array[object] Required
  
  One of:
  MultiSearchItem object ErrorResponseBase object
  
  Hide attributes Show attributes
  
  took number Required
  
  The number of milliseconds it took Elasticsearch to run the request. This value is calculated by measuring the time elapsed between receipt of a request on the coordinating node and the time at which the coordinating node is ready to send the response. It includes:
  
  Communication time between the coordinating node and data nodes
  
  Time the request spends in the search thread pool, queued for execution
  
  Actual run time
  
  It does not include:
  
  Time needed to send the request to Elasticsearch
  
  Time needed to serialize the JSON response
  
  Time needed to send the response to a client
  
  timed_out boolean Required
  
  If true, the request timed out before completion; returned results may be partial or empty.
  
  _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  skipped number
  
  hits object Required
  
  Hide hits attributes Show hits attributes object
  
  total
  
  hits array[object] Required
  
  max_score
  
  aggregations object
  
  _clusters object
  
  Hide _clusters attributes Show _clusters attributes object
  
  skipped number Required
  
  successful number Required
  
  total number Required
  
  running number Required
  
  partial number Required
  
  failed number Required
  
  details object
  
  fields object
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  max_score number
  
  num_reduce_phases number
  
  profile object
  
  Hide profile attribute Show profile attribute object
  
  shards array[object] Required
  
  pit_id string
  
  _scroll_id string
  
  suggest object
  
  Hide suggest attribute Show suggest attribute object
  
  * array[object] Additional properties
  
  terminated_early boolean
  
  status number
  
  Hide attributes Show attributes
  
  error object Required
  
  Hide error attributes Show error attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  status number Required

POST /_fleet/_fleet_msearch

curl \
 --request POST 'http://api.example.com/_fleet/_fleet_msearch' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '[{"allow_no_indices":true,"expand_wildcards":"string","ignore_unavailable":true,"index":"string","preference":"string","request_cache":true,"routing":"string","search_type":"query_then_fetch","ccs_minimize_roundtrips":true,"allow_partial_search_results":true,"ignore_throttled":true}]'

Create or update a component template Added in 7.8.0

POST /_component_template/{name}

Api key auth Basic auth Bearer auth

Component templates are building blocks for constructing index templates that specify index mappings, settings, and aliases.

An index template can be composed of multiple component templates. To use a component template, specify it in an index template’s composed_of list. Component templates are only applied to new data streams and indices as part of a matching index template.

Settings and mappings specified directly in the index template or the create index request override any settings or mappings specified in a component template.

Component templates are only used during index creation. For data streams, this includes data stream creation and the creation of a stream’s backing indices. Changes to component templates do not affect existing indices, including a stream’s backing indices.

You can use C-style /* *\/ block comments in component templates. You can include comments anywhere in the request body except before the opening curly bracket.

Applying component templates

You cannot directly apply a component template to a data stream or index. To be applied, a component template must be included in an index template's composed_of list.

Path parameters

name string Required

Name of the component template to create. Elasticsearch includes the following built-in component templates: logs-mappings; logs-settings; metrics-mappings; metrics-settings;synthetics-mapping; synthetics-settings. Elastic Agent uses these templates to configure backing indices for its data streams. If you use Elastic Agent and want to overwrite one of these templates, set the version for your replacement template higher than the current version. If you don’t use Elastic Agent and want to disable all built-in component and index templates, set stack.templates.enabled to false using the cluster update settings API.

Query parameters

create boolean

If true, this request cannot replace or update existing component templates.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

application/json

Body Required

template object Required
Hide template attributes Show template attributes object
- aliases object
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  index_routing string
  
  is_hidden boolean
  
  If true, the alias is hidden. All indices for the alias must have the same is_hidden value.
  
  is_write_index boolean
  
  If true, the index is the write index for the alias.
  
  routing string
  
  search_routing string
- mappings object
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required
- settings object
  Index settings
- defaults object
  Index settings
- data_stream string
- lifecycle object
  Hide lifecycle attributes Show lifecycle attributes object
  
  data_retention string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  downsampling object
  
  Hide downsampling attribute Show downsampling attribute object
  
  rounds array[object] Required
  
  The list of downsampling rounds to execute as part of this downsampling configuration
  
  Hide rounds attributes Show rounds attributes object
  
  after string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  config object Required
  
  Hide config attribute Show config attribute object
  
  fixed_interval string Required
  
  A date histogram interval. Similar to Duration with additional units: w (week), M (month), q (quarter) and y (year)
  
  enabled boolean
  
  If defined, it turns data stream lifecycle on/off (true/false) for this data stream. A data stream lifecycle that's disabled (enabled: false) will have no effect on the data stream.
version number
_meta object
Hide _meta attribute Show _meta attribute object
- * object Additional properties
deprecated boolean

Marks this index template as deprecated. When creating or updating a non-deprecated index template that uses deprecated components, Elasticsearch will emit a deprecation warning.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

POST /_component_template/{name}

PUT _component_template/template_1
{
  "template": null,
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "_source": {
      "enabled": false
    },
    "properties": {
      "host_name": {
        "type": "keyword"
      },
      "created_at": {
        "type": "date",
        "format": "EEE MMM dd HH:mm:ss Z yyyy"
      }
    }
  }
}

curl \
 --request POST 'http://api.example.com/_component_template/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"template\": null,\n  \"settings\": {\n    \"number_of_shards\": 1\n  },\n  \"mappings\": {\n    \"_source\": {\n      \"enabled\": false\n    },\n    \"properties\": {\n      \"host_name\": {\n        \"type\": \"keyword\"\n      },\n      \"created_at\": {\n        \"type\": \"date\",\n        \"format\": \"EEE MMM dd HH:mm:ss Z yyyy\"\n      }\n    }\n  }\n}"'

Request examples

{
  "template": null,
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "_source": {
      "enabled": false
    },
    "properties": {
      "host_name": {
        "type": "keyword"
      },
      "created_at": {
        "type": "date",
        "format": "EEE MMM dd HH:mm:ss Z yyyy"
      }
    }
  }
}

You can include index aliases in a component template. During index creation, the `{index}` placeholder in the alias name will be replaced with the actual index name that the template gets applied to.

{
  "template": null,
  "settings": {
    "number_of_shards": 1
  },
  "aliases": {
    "alias1": {},
    "alias2": {
      "filter": {
        "term": {
          "user.id": "kimchy"
        }
      },
      "routing": "shard-1"
    },
    "{index}-alias": {}
  }
}

Get tokens from text analysis

GET /_analyze

Api key auth Basic auth Bearer auth

The analyze API performs analysis on a text string and returns the resulting tokens.

Generating excessive amount of tokens may cause a node to run out of memory. The index.analyze.max_token_count setting enables you to limit the number of tokens that can be produced. If more than this limit of tokens gets generated, an error occurs. The _analyze endpoint without a specified index will always use 10000 as its limit.

External documentation

Query parameters

index string

Index used to derive the analyzer. If specified, the analyzer or field parameter overrides this value. If no index is specified or the index does not have a default analyzer, the analyze API uses the standard analyzer.

application/json

Body

analyzer string

The name of the analyzer that should be applied to the provided text. This could be a built-in analyzer, or an analyzer that’s been configured in the index.
attributes array[string]

Array of token attributes used to filter the output of the explain parameter.
char_filter array

Array of character filters used to preprocess characters before the tokenizer.

External documentation
explain boolean

If true, the response includes token attributes and additional details.
field string

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
filter array

Array of token filters used to apply after the tokenizer.

External documentation
normalizer string

Normalizer to use to convert text into a single token.
text string | array[string]

One of:
TextToAnalyze string TextToAnalyze array[string]

Responses

200 application/json
Hide response attributes Show response attributes object
- detail object
  
  Hide detail attributes Show detail attributes object
  
  analyzer object
  
  Hide analyzer attributes Show analyzer attributes object
  
  name string Required
  
  tokens array[object] Required
  
  Hide tokens attributes Show tokens attributes object
  
  bytes string Required
  
  end_offset number Required
  
  keyword boolean
  
  position number Required
  
  positionLength number Required
  
  start_offset number Required
  
  termFrequency number Required
  
  token string Required
  
  type string Required
  
  charfilters array[object]
  
  Hide charfilters attributes Show charfilters attributes object
  
  filtered_text array[string] Required
  
  name string Required
  
  custom_analyzer boolean Required
  
  tokenfilters array[object]
  
  Hide tokenfilters attributes Show tokenfilters attributes object
  
  name string Required
  
  tokens array[object] Required
  
  Hide tokens attributes Show tokens attributes object
  
  bytes string Required
  
  end_offset number Required
  
  keyword boolean
  
  position number Required
  
  positionLength number Required
  
  start_offset number Required
  
  termFrequency number Required
  
  token string Required
  
  type string Required
  
  tokenizer object
  
  Hide tokenizer attributes Show tokenizer attributes object
  
  name string Required
  
  tokens array[object] Required
  
  Hide tokens attributes Show tokens attributes object
  
  bytes string Required
  
  end_offset number Required
  
  keyword boolean
  
  position number Required
  
  positionLength number Required
  
  start_offset number Required
  
  termFrequency number Required
  
  token string Required
  
  type string Required
- tokens array[object]
  
  Hide tokens attributes Show tokens attributes object
  
  end_offset number Required
  
  position number Required
  
  positionLength number
  
  start_offset number Required
  
  token string Required
  
  type string Required

GET /_analyze

GET /_analyze
{
  "analyzer": "standard",
  "text": "this is a test"
}

curl \
 --request GET 'http://api.example.com/_analyze' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"analyzer\": \"standard\",\n  \"text\": \"this is a test\"\n}"'

Request examples

You can apply any of the built-in analyzers to the text string without specifying an index.

{
  "analyzer": "standard",
  "text": "this is a test"
}

If the text parameter is provided as array of strings, it is analyzed as a multi-value field.

{
  "analyzer": "standard",
  "text": [
    "this is a test",
    "the second text"
  ]
}

You can test a custom transient analyzer built from tokenizers, token filters, and char filters. Token filters use the filter parameter.

{
  "tokenizer": "keyword",
  "filter": [
    "lowercase"
  ],
  "char_filter": [
    "html_strip"
  ],
  "text": "this is a <b>test</b>"
}

Custom tokenizers, token filters, and character filters can be specified in the request body.

{
  "tokenizer": "whitespace",
  "filter": [
    "lowercase",
    {
      "type": "stop",
      "stopwords": [
        "a",
        "is",
        "this"
      ]
    }
  ],
  "text": "this is a test"
}

Run `GET /analyze_sample/_analyze` to run an analysis on the text using the default index analyzer associated with the `analyze_sample` index. Alternatively, the analyzer can be derived based on a field mapping.

{
  "field": "obj1.field1",
  "text": "this is a test"
}

Run `GET /analyze_sample/_analyze` and supply a normalizer for a keyword field if there is a normalizer associated with the specified index.

{
  "normalizer": "my_normalizer",
  "text": "BaR"
}

If you want to get more advanced details, set `explain` to `true`. It will output all token attributes for each token. You can filter token attributes you want to output by setting the `attributes` option. NOTE: The format of the additional detail information is labelled as experimental in Lucene and it may change in the future.

{
  "tokenizer": "standard",
  "filter": [
    "snowball"
  ],
  "text": "detailed output",
  "explain": true,
  "attributes": [
    "keyword"
  ]
}

Response examples (200)

A successful response for an analysis with `explain` set to `true`.

{
  "detail": {
    "custom_analyzer": true,
    "charfilters": [],
    "tokenizer": {
      "name": "standard",
      "tokens": [
        {
          "token": "detailed",
          "start_offset": 0,
          "end_offset": 8,
          "type": "<ALPHANUM>",
          "position": 0
        },
        {
          "token": "output",
          "start_offset": 9,
          "end_offset": 15,
          "type": "<ALPHANUM>",
          "position": 1
        }
      ]
    },
    "tokenfilters": [
      {
        "name": "snowball",
        "tokens": [
          {
            "token": "detail",
            "start_offset": 0,
            "end_offset": 8,
            "type": "<ALPHANUM>",
            "position": 0,
            "keyword": false
          },
          {
            "token": "output",
            "start_offset": 9,
            "end_offset": 15,
            "type": "<ALPHANUM>",
            "position": 1,
            "keyword": false
          }
        ]
      }
    ]
  }
}

Get index templates Added in 7.9.0

GET /_index_template/{name}

Api key auth Basic auth Bearer auth

Get information about one or more index templates.

Path parameters

name string Required

Comma-separated list of index template names used to limit the request. Wildcard (*) expressions are supported.

Query parameters

local boolean

If true, the request retrieves information from the local node only. Defaults to false, which means information is retrieved from the master node.
flat_settings boolean

If true, returns settings in flat format.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
include_defaults boolean

If true, returns all relevant default configurations for the index template.

Responses

200 application/json
Hide response attribute Show response attribute object
- index_templates array[object] Required
  
  Hide index_templates attributes Show index_templates attributes object
  
  name string Required
  
  index_template object Required
  
  Hide index_template attributes Show index_template attributes object
  
  index_patterns string | array[string] Required
  
  composed_of array[string] Required
  
  An ordered list of component template names. Component templates are merged in the order specified, meaning that the last component template specified has the highest precedence.
  
  template object
  
  Hide template attributes Show template attributes object
  
  aliases object
  
  Aliases to add. If the index template includes a data_stream object, these are data stream aliases. Otherwise, these are index aliases. Data stream aliases ignore the index_routing, routing, and search_routing options.
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  mappings object
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  index_field object
  
  _meta object
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  _size object
  
  _source object
  
  runtime object
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  settings object
  Index settings
  
  lifecycle object
  
  data_stream_options object | string | null
  
  One of:
  DataStreamOptionsTemplate object string-2 string | null
  
  version number
  
  priority number
  
  Priority to determine index template precedence when a new data stream or index is created. The index template with the highest priority is chosen. If no priority is specified the template is treated as though it is of priority 0 (lowest priority). This number is not automatically generated by Elasticsearch.
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  allow_auto_create boolean
  
  data_stream object
  
  Hide data_stream attributes Show data_stream attributes object
  
  hidden boolean
  
  If true, the data stream is hidden.
  
  allow_custom_routing boolean
  
  If true, the data stream supports custom routing.
  
  deprecated boolean
  
  Marks this index template as deprecated. When creating or updating a non-deprecated index template that uses deprecated components, Elasticsearch will emit a deprecation warning.
  
  ignore_missing_component_templates string | array[string]

GET /_index_template/{name}

curl \
 --request GET 'http://api.example.com/_index_template/{name}' \
 --header "Authorization: $API_KEY"

Get mapping definitions

GET /_mapping

Api key auth Basic auth Bearer auth

For data streams, the API retrieves mappings for the stream’s backing indices.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
local boolean Deprecated

If true, the request retrieves information from the local node only.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attributes Show * attributes object
  
  item object
  
  Hide item attributes Show item attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required
  
  mappings object Required
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required

GET /_mapping

curl \
 --request GET 'http://api.example.com/_mapping' \
 --header "Authorization: $API_KEY"

Get mapping definitions

GET /{index}/_mapping

Api key auth Basic auth Bearer auth

For data streams, the API retrieves mappings for the stream’s backing indices.

Path parameters

index string | array[string] Required

Comma-separated list of data streams, indices, and aliases used to limit the request. Supports wildcards (*). To target all data streams and indices, omit this parameter or use * or _all.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
local boolean Deprecated

If true, the request retrieves information from the local node only.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attributes Show * attributes object
  
  item object
  
  Hide item attributes Show item attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required
  
  mappings object Required
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required

GET /{index}/_mapping

curl \
 --request GET 'http://api.example.com/{index}/_mapping' \
 --header "Authorization: $API_KEY"

Update index settings

PUT /_settings

Api key auth Basic auth Bearer auth

Changes dynamic index settings in real time. For data streams, index setting changes are applied to all backing indices by default.

To revert a setting to the default value, use a null value. The list of per-index settings that can be updated dynamically on live indices can be found in index settings documentation. To preserve existing settings from being updated, set the preserve_existing parameter to true.

There are multiple valid ways to represent index settings in the request body. You can specify only the setting, for example:

{
  "number_of_replicas": 1
}

Or you can use an index setting object:

{
  "index": {
    "number_of_replicas": 1
  }
}

Or you can use dot annotation:

{
  "index.number_of_replicas": 1
}

Or you can embed any of the aforementioned options in a settings object. For example:

{
  "settings": {
    "index": {
      "number_of_replicas": 1
    }
  }
}

NOTE: You can only define new analyzers on closed indices. To add an analyzer, you must close the index, define the analyzer, and reopen the index. You cannot close the write index of a data stream. To update the analyzer for a data stream's write index and future backing indices, update the analyzer in the index template used by the stream. Then roll over the data stream to apply the new analyzer to the stream's write index and future backing indices. This affects searches and any new data added to the stream after the rollover. However, it does not affect the data stream's backing indices or their existing data. To change the analyzer for existing backing indices, you must create a new data stream and reindex your data into it.

External documentation

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
flat_settings boolean

If true, returns settings in flat format.
ignore_unavailable boolean

If true, returns settings in flat format.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
preserve_existing boolean

If true, existing index settings remain unchanged.
reopen boolean

Whether to close and reopen the index to apply non-dynamic settings. If set to true the indices to which the settings are being applied will be closed temporarily and then reopened in order to apply the changes.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

application/json

Body Required

object

Index settings

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_settings

PUT /my-index-000001/_settings
{
  "index" : {
    "number_of_replicas" : 2
  }
}

curl \
 --request PUT 'http://api.example.com/_settings' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"index\" : {\n    \"number_of_replicas\" : 2\n  }\n}"'

Request examples

{
  "index" : {
    "number_of_replicas" : 2
  }
}

To revert a setting to the default value, use `null`.

{
  "index" : {
    "refresh_interval" : null
  }
}

To add an analyzer, you must close the index, define the analyzer, then reopen the index.

{
  "analysis" : {
    "analyzer":{
      "content":{
        "type":"custom",
        "tokenizer":"whitespace"
      }
    }
  }
}

POST /my-index-000001/_open

Get index shard stores

GET /{index}/_shard_stores

Api key auth Basic auth Bearer auth

Get store information about replica shards in one or more indices. For data streams, the API retrieves store information for the stream's backing indices.

The index shard stores API returns the following information:

The node on which each replica shard exists.
The allocation ID for each replica shard.
A unique ID for each replica shard.
Any errors encountered while opening the shard index or from an earlier failure.

By default, the API returns store information only for primary shards that are unassigned or have one or more unassigned replica shards.

Path parameters

index string | array[string] Required

List of data streams, indices, and aliases used to limit the request.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
ignore_unavailable boolean

If true, missing or closed indices are not included in the response.
status string | array[string]
List of shard health statuses used to limit the request.

Supported values include:
- green: The primary shard and all replica shards are assigned.
- yellow: One or more replica shards are unassigned.
- red: The primary shard is unassigned.
- all: Return all shards, regardless of health status.
Values are green, yellow, red, or all.

Responses

200 application/json
Hide response attribute Show response attribute object
- indices object Required
  
  Hide indices attribute Show indices attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  shards object Required
  
  Hide shards attribute Show shards attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  stores array[object] Required

GET /{index}/_shard_stores

GET /_shard_stores?status=green

curl \
 --request GET 'http://api.example.com/{index}/_shard_stores' \
 --header "Authorization: $API_KEY"

Response examples (200)

An abbreviated response from `GET /_shard_stores?status=green`.

{
  "indices": {
    "my-index-000001": {
      "shards": {
        "0": {
          "stores": [
            {
              "sPa3OgxLSYGvQ4oPs-Tajw": {
                "name": "node_t0",
                "ephemeral_id": "9NlXRFGCT1m8tkvYCMK-8A",
                "transport_address": "local[1]",
                "external_id": "node_t0",
                "attributes": {},
                "roles": [],
                "version": "8.10.0",
                "min_index_version": 7000099,
                "max_index_version": 8100099
              },
              "allocation_id": "2iNySv_OQVePRX-yaRH_lQ",
              "allocation": "primary",
              "store_exception": {}
            }
          ]
        }
      }
    }
  }
}

Simulate an index Added in 7.9.0

POST /_index_template/_simulate_index/{name}

Api key auth Basic auth Bearer auth

Get the index configuration that would be applied to the specified index from an existing index template.

Path parameters

name string Required

Name of the index to simulate

Query parameters

create boolean

Whether the index template we optionally defined in the body should only be dry-run added if new or can also replace an existing one
cause string

User defined reason for dry-run creating the new template for simulation purposes
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
include_defaults boolean

If true, returns all relevant default configurations for the index template.

Responses

200 application/json
Hide response attributes Show response attributes object
- overlapping array[object]
  
  Hide overlapping attributes Show overlapping attributes object
  
  name string Required
  
  index_patterns array[string] Required
- template object Required
  
  Hide template attributes Show template attributes object
  
  aliases object Required
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  index_routing string
  
  is_hidden boolean
  
  If true, the alias is hidden. All indices for the alias must have the same is_hidden value.
  
  is_write_index boolean
  
  If true, the index is the write index for the alias.
  
  routing string
  
  search_routing string
  
  mappings object Required
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required
  
  settings object Required
  Index settings

POST /_index_template/_simulate_index/{name}

POST /_index_template/_simulate_index/my-index-000001

curl \
 --request POST 'http://api.example.com/_index_template/_simulate_index/{name}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `POST /_index_template/_simulate_index/my-index-000001`.

{
  "template" : {
    "settings" : {
      "index" : {
        "number_of_shards" : "2",
        "number_of_replicas" : "0",
        "routing" : {
          "allocation" : {
            "include" : {
              "_tier_preference" : "data_content"
            }
          }
        }
      }
    },
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        }
      }
    },
    "aliases" : { }
  },
  "overlapping" : [
    {
      "name" : "template_1",
      "index_patterns" : [
        "my-index-*"
      ]
    }
  ]
}

Validate a query Added in 1.3.0

POST /_validate/query

Api key auth Basic auth Bearer auth

Validates a query without running it.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
all_shards boolean

If true, the validation is executed on all shards instead of one random shard per index.
analyzer string

Analyzer to use for the query string. This parameter can only be used when the q query string parameter is specified.
analyze_wildcard boolean

If true, wildcard and prefix queries are analyzed.
default_operator string

The default operator for query string query: AND or OR.

Values are and, AND, or, or OR.
df string

Field to use as default where no field prefix is given in the query string. This parameter can only be used when the q query string parameter is specified.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
explain boolean

If true, the response returns detailed information if an error has occurred.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
lenient boolean

If true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored.
rewrite boolean

If true, returns a more detailed explanation showing the actual Lucene query that will be executed.
q string

Query in the Lucene query string syntax.

application/json

Body

query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- explanations array[object]
  
  Hide explanations attributes Show explanations attributes object
  
  error string
  
  explanation string
  
  index string Required
  
  valid boolean Required
- _shards object
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- valid boolean Required
- error string

POST /_validate/query

curl \
 --request POST 'http://api.example.com/_validate/query' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":{}}'

Validate a query Added in 1.3.0

POST /{index}/_validate/query

Api key auth Basic auth Bearer auth

Validates a query without running it.

Path parameters

index string | array[string] Required

Comma-separated list of data streams, indices, and aliases to search. Supports wildcards (*). To search all data streams or indices, omit this parameter or use * or _all.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
all_shards boolean

If true, the validation is executed on all shards instead of one random shard per index.
analyzer string

Analyzer to use for the query string. This parameter can only be used when the q query string parameter is specified.
analyze_wildcard boolean

If true, wildcard and prefix queries are analyzed.
default_operator string

The default operator for query string query: AND or OR.

Values are and, AND, or, or OR.
df string

Field to use as default where no field prefix is given in the query string. This parameter can only be used when the q query string parameter is specified.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
explain boolean

If true, the response returns detailed information if an error has occurred.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
lenient boolean

If true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored.
rewrite boolean

If true, returns a more detailed explanation showing the actual Lucene query that will be executed.
q string

Query in the Lucene query string syntax.

application/json

Body

query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- explanations array[object]
  
  Hide explanations attributes Show explanations attributes object
  
  error string
  
  explanation string
  
  index string Required
  
  valid boolean Required
- _shards object
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- valid boolean Required
- error string

POST /{index}/_validate/query

curl \
 --request POST 'http://api.example.com/{index}/_validate/query' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":{}}'

Migrate to data tiers routing Added in 7.14.0

POST /_ilm/migrate_to_data_tiers

Api key auth Basic auth Bearer auth

Switch the indices, ILM policies, and legacy, composable, and component templates from using custom node attributes and attribute-based allocation filters to using data tiers. Optionally, delete one legacy index template. Using node roles enables ILM to automatically move the indices between data tiers.

Migrating away from custom node attributes routing can be manually performed. This API provides an automated way of performing three out of the four manual steps listed in the migration guide:

Stop setting the custom hot attribute on new indices.
Remove custom allocation settings from existing ILM policies.
Replace custom allocation settings from existing indices with the corresponding tier preference.

ILM must be stopped before performing the migration. Use the stop ILM and get ILM status APIs to wait until the reported operation mode is STOPPED.

External documentation

Query parameters

dry_run boolean

If true, simulates the migration from node attributes based allocation filters to data tiers, but does not perform the migration. This provides a way to retrieve the indices and ILM policies that need to be migrated.
master_timeout string

The period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error. It can also be set to -1 to indicate that the request should never timeout.

Values are -1 or 0.

application/json

Body

legacy_template_to_delete string
node_attribute string

Responses

200 application/json
Hide response attributes Show response attributes object
- dry_run boolean Required
- removed_legacy_template string Required
  
  The name of the legacy index template that was deleted. This information is missing if no legacy index templates were deleted.
- migrated_ilm_policies array[string] Required
  
  The ILM policies that were updated.
- migrated_indices string | array[string] Required
- migrated_legacy_templates array[string] Required
  
  The legacy index templates that were updated to not contain custom routing settings for the provided data attribute.
- migrated_composable_templates array[string] Required
  
  The composable index templates that were updated to not contain custom routing settings for the provided data attribute.
- migrated_component_templates array[string] Required
  
  The component templates that were updated to not contain custom routing settings for the provided data attribute.

POST /_ilm/migrate_to_data_tiers

POST /_ilm/migrate_to_data_tiers
{
  "legacy_template_to_delete": "global-template",
  "node_attribute": "custom_attribute_name"
}

curl \
 --request POST 'http://api.example.com/_ilm/migrate_to_data_tiers' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"legacy_template_to_delete\": \"global-template\",\n  \"node_attribute\": \"custom_attribute_name\"\n}"'

Request example

Run `POST /_ilm/migrate_to_data_tiers` to migrate the indices, ILM policies, legacy templates, composable, and component templates away from defining custom allocation filtering using the `custom_attribute_name` node attribute. It also deletes the legacy template with name `global-template` if it exists in the system.

{
  "legacy_template_to_delete": "global-template",
  "node_attribute": "custom_attribute_name"
}

Response examples (200)

A successful response when migrating indices, ILMs, and templates from custom node attributes to data tiers.

{
  "dry_run": false,
  "removed_legacy_template":"global-template",
  "migrated_ilm_policies":["policy_with_allocate_action"],
  "migrated_indices":["warm-index-to-migrate-000001"],
  "migrated_legacy_templates":["a-legacy-template"],
  "migrated_composable_templates":["a-composable-template"],
  "migrated_component_templates":["a-component-template"]
}

Start the ILM plugin Added in 6.6.0

POST /_ilm/start

Api key auth Basic auth Bearer auth

Start the index lifecycle management plugin if it is currently stopped. ILM is started automatically when the cluster is formed. Restarting ILM is necessary only when it has been stopped using the stop ILM API.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

POST /_ilm/start

curl \
 --request POST 'http://api.example.com/_ilm/start' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response when stating the ILM plugin.

{
  "acknowledged": true
}

Perform inference on the service Added in 8.11.0

POST /_inference/{inference_id}

Api key auth Basic auth Bearer auth

This API enables you to use machine learning models to perform specific tasks on data that you provide as an input. It returns a response with the results of the tasks. The inference endpoint you use can perform one specific task that has been defined when the endpoint was created with the create inference API.

For details about using this API with a service, such as Amazon Bedrock, Anthropic, or HuggingFace, refer to the service-specific documentation.

The inference APIs enable you to use certain services, such as built-in machine learning models (ELSER, E5), models uploaded through Eland, Cohere, OpenAI, Azure, Google AI Studio, Google Vertex AI, Anthropic, Watsonx.ai, or Hugging Face. For built-in models and models uploaded through Eland, the inference APIs offer an alternative way to use and manage trained models. However, if you do not plan to use the inference APIs to use these models or if you want to use non-NLP models, use the machine learning trained model APIs.

Path parameters

inference_id string Required

The unique identifier for the inference endpoint.

Query parameters

timeout string

The amount of time to wait for the inference request to complete.

Values are -1 or 0.

application/json

Body

query string

The query input, which is required only for the rerank task. It is not required for other tasks.
input string | array[string] Required

The text on which you want to perform the inference task. It can be a single string or an array.

Inference endpoints for the completion task type currently only support a single string as input.

One of:
string-1 string array-2 array[string]
task_settings object

Responses

200 application/json
Hide response attributes Show response attributes object
- text_embedding_bytes array[object]
  
  Hide text_embedding_bytes attribute Show text_embedding_bytes attribute object
  
  embedding array[number] Required
  
  Text Embedding results containing bytes are represented as Dense Vectors of bytes.
- text_embedding_bits array[object]
  
  Hide text_embedding_bits attribute Show text_embedding_bits attribute object
  
  embedding array[number] Required
  
  Text Embedding results containing bytes are represented as Dense Vectors of bytes.
- text_embedding array[object]
  
  Hide text_embedding attribute Show text_embedding attribute object
  
  embedding array[number] Required
  
  Text Embedding results are represented as Dense Vectors of floats.
- sparse_embedding array[object]
  
  Hide sparse_embedding attribute Show sparse_embedding attribute object
  
  embedding object Required
  
  Sparse Embedding tokens are represented as a dictionary of string to double.
  
  Hide embedding attribute Show embedding attribute object
  
  * number Additional properties
- completion array[object]
  
  Hide completion attribute Show completion attribute object
  
  result string Required
- rerank array[object]
  
  Hide rerank attributes Show rerank attributes object
  
  index number Required
  
  relevance_score number Required
  
  text string

POST /_inference/{inference_id}

curl \
 --request POST 'http://api.example.com/_inference/{inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":"string","input":"string","task_settings":{}}'

Perform inference on the service Added in 8.11.0

POST /_inference/{task_type}/{inference_id}

Api key auth Basic auth Bearer auth

This API enables you to use machine learning models to perform specific tasks on data that you provide as an input. It returns a response with the results of the tasks. The inference endpoint you use can perform one specific task that has been defined when the endpoint was created with the create inference API.

For details about using this API with a service, such as Amazon Bedrock, Anthropic, or HuggingFace, refer to the service-specific documentation.

The inference APIs enable you to use certain services, such as built-in machine learning models (ELSER, E5), models uploaded through Eland, Cohere, OpenAI, Azure, Google AI Studio, Google Vertex AI, Anthropic, Watsonx.ai, or Hugging Face. For built-in models and models uploaded through Eland, the inference APIs offer an alternative way to use and manage trained models. However, if you do not plan to use the inference APIs to use these models or if you want to use non-NLP models, use the machine learning trained model APIs.

Path parameters

task_type string Required

The type of inference task that the model performs.

Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.
inference_id string Required

The unique identifier for the inference endpoint.

Query parameters

timeout string

The amount of time to wait for the inference request to complete.

Values are -1 or 0.

application/json

Body

query string

The query input, which is required only for the rerank task. It is not required for other tasks.
input string | array[string] Required

The text on which you want to perform the inference task. It can be a single string or an array.

Inference endpoints for the completion task type currently only support a single string as input.

One of:
string-1 string array-2 array[string]
task_settings object

Responses

200 application/json
Hide response attributes Show response attributes object
- text_embedding_bytes array[object]
  
  Hide text_embedding_bytes attribute Show text_embedding_bytes attribute object
  
  embedding array[number] Required
  
  Text Embedding results containing bytes are represented as Dense Vectors of bytes.
- text_embedding_bits array[object]
  
  Hide text_embedding_bits attribute Show text_embedding_bits attribute object
  
  embedding array[number] Required
  
  Text Embedding results containing bytes are represented as Dense Vectors of bytes.
- text_embedding array[object]
  
  Hide text_embedding attribute Show text_embedding attribute object
  
  embedding array[number] Required
  
  Text Embedding results are represented as Dense Vectors of floats.
- sparse_embedding array[object]
  
  Hide sparse_embedding attribute Show sparse_embedding attribute object
  
  embedding object Required
  
  Sparse Embedding tokens are represented as a dictionary of string to double.
  
  Hide embedding attribute Show embedding attribute object
  
  * number Additional properties
- completion array[object]
  
  Hide completion attribute Show completion attribute object
  
  result string Required
- rerank array[object]
  
  Hide rerank attributes Show rerank attributes object
  
  index number Required
  
  relevance_score number Required
  
  text string

POST /_inference/{task_type}/{inference_id}

curl \
 --request POST 'http://api.example.com/_inference/{task_type}/{inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":"string","input":"string","task_settings":{}}'

Create an Azure OpenAI inference endpoint Added in 8.14.0

PUT /_inference/{task_type}/{azureopenai_inference_id}

Api key auth Basic auth Bearer auth

Create an inference endpoint to perform an inference task with the azureopenai service.

The list of chat completion models that you can choose from in your Azure OpenAI deployment include:

The list of embeddings models that you can choose from in your deployment can be found in the Azure models documentation.

Path parameters

task_type string Required

The type of the inference task that the model will perform. NOTE: The chat_completion task type only supports streaming and only through the _stream API.

Values are completion or text_embedding.
azureopenai_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

Value is azureopenai.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string
  
  A valid API key for your Azure OpenAI account. You must specify either api_key or entra_id. If you do not provide either or you provide both, you will receive an error when you try to create your model.
  
  IMPORTANT: You need to provide the API key only once, during the inference model creation. The get inference endpoint API does not retrieve your API key. After creating the inference model, you cannot change the associated API key. If you want to use a different API key, delete the inference model and recreate it with the same name and the updated API key.
  
  External documentation
- api_version string Required
  
  The Azure API version ID to use. It is recommended to use the latest supported non-preview version.
- deployment_id string Required
  
  The deployment name of your deployed models. Your Azure OpenAI deployments can be found though the Azure OpenAI Studio portal that is linked to your subscription.
  
  External documentation
- entra_id string
  
  A valid Microsoft Entra token. You must specify either api_key or entra_id. If you do not provide either or you provide both, you will receive an error when you try to create your model.
  
  External documentation
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.
- resource_name string Required
  
  The name of your Azure OpenAI resource. You can find this from the list of resources in the Azure Portal for your subscription.
  
  External documentation
task_settings object
Hide task_settings attribute Show task_settings attribute object
- user string
  
  For a completion or text_embedding task, specify the user issuing the request. This information can be used for abuse detection.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are text_embedding or completion.

PUT /_inference/{task_type}/{azureopenai_inference_id}

PUT _inference/text_embedding/azure_openai_embeddings
{
    "service": "azureopenai",
    "service_settings": {
        "api_key": "Api-Key",
        "resource_name": "Resource-name",
        "deployment_id": "Deployment-id",
        "api_version": "2024-02-01"
    }
}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{azureopenai_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"service\": \"azureopenai\",\n    \"service_settings\": {\n        \"api_key\": \"Api-Key\",\n        \"resource_name\": \"Resource-name\",\n        \"deployment_id\": \"Deployment-id\",\n        \"api_version\": \"2024-02-01\"\n    }\n}"'

Request examples

Run `PUT _inference/text_embedding/azure_openai_embeddings` to create an inference endpoint that performs a `text_embedding` task. You do not specify a model, as it is defined already in the Azure OpenAI deployment.

{
    "service": "azureopenai",
    "service_settings": {
        "api_key": "Api-Key",
        "resource_name": "Resource-name",
        "deployment_id": "Deployment-id",
        "api_version": "2024-02-01"
    }
}

Run `PUT _inference/completion/azure_openai_completion` to create an inference endpoint that performs a `completion` task.

{
    "service": "azureopenai",
    "service_settings": {
        "api_key": "Api-Key",
        "resource_name": "Resource-name",
        "deployment_id": "Deployment-id",
        "api_version": "2024-02-01"
    }
}

Create a Mistral inference endpoint Added in 8.15.0

PUT /_inference/{task_type}/{mistral_inference_id}

Api key auth Basic auth Bearer auth

Creates an inference endpoint to perform an inference task with the mistral service.

Path parameters

task_type string Required

The task type. The only valid task type for the model to perform is text_embedding.

Value is text_embedding.
mistral_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

Value is mistral.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string Required
  
  A valid API key of your Mistral account. You can find your Mistral API keys or you can create a new one on the API Keys page.
  
  IMPORTANT: You need to provide the API key only once, during the inference model creation. The get inference endpoint API does not retrieve your API key. After creating the inference model, you cannot change the associated API key. If you want to use a different API key, delete the inference model and recreate it with the same name and the updated API key.
  
  External documentation
- max_input_tokens number
  
  The maximum number of tokens per input before chunking occurs.
- model string Required
  
  The name of the model to use for the inference task. Refer to the Mistral models documentation for the list of available text embedding models.
  
  External documentation
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Value is text_embedding.

PUT /_inference/{task_type}/{mistral_inference_id}

PUT _inference/text_embedding/mistral-embeddings-test
{
  "service": "mistral",
  "service_settings": {
    "api_key": "Mistral-API-Key",
    "model": "mistral-embed" 
  }
}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{mistral_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"service\": \"mistral\",\n  \"service_settings\": {\n    \"api_key\": \"Mistral-API-Key\",\n    \"model\": \"mistral-embed\" \n  }\n}"'

Request example

Run `PUT _inference/text_embedding/mistral-embeddings-test` to create a Mistral inference endpoint that performs a text embedding task.

{
  "service": "mistral",
  "service_settings": {
    "api_key": "Mistral-API-Key",
    "model": "mistral-embed" 
  }
}

Get GeoIP database configurations Added in 8.15.0

GET /_ingest/geoip/database/{id}

Api key auth Basic auth Bearer auth

Get information about one or more IP geolocation database configurations.

Path parameters

id string | array[string] Required

A comma-separated list of database configuration IDs to retrieve. Wildcard (*) expressions are supported. To get all database configurations, omit this parameter or use *.

Responses

200 application/json
Hide response attribute Show response attribute object
- databases array[object] Required
  
  Hide databases attributes Show databases attributes object
  
  id string Required
  
  version number Required
  
  modified_date_millis number
  
  Time unit for milliseconds
  
  database object
  
  The configuration necessary to identify which IP geolocation provider to use to download a database, as well as any provider-specific configuration necessary for such downloading. At present, the only supported providers are maxmind and ipinfo, and the maxmind provider requires that an account_id (string) is configured. A provider (either maxmind or ipinfo) must be specified. The web and local providers can be returned as read only configurations.
  
  Hide database attributes Show database attributes object
  
  name string Required
  
  maxmind object
  
  Hide maxmind attribute Show maxmind attribute object
  
  account_id string Required
  
  ipinfo object

GET /_ingest/geoip/database/{id}

curl \
 --request GET 'http://api.example.com/_ingest/geoip/database/{id}' \
 --header "Authorization: $API_KEY"

Create or update a pipeline Added in 5.0.0

PUT /_ingest/pipeline/{id}

Api key auth Basic auth Bearer auth

Changes made using this API take effect immediately.

External documentation

Path parameters

id string Required

ID of the ingest pipeline to create or update.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
if_version number

Required version for optimistic concurrency control for pipeline updates

application/json

Body Required

_meta object
Hide _meta attribute Show _meta attribute object
- * object Additional properties
description string

Description of the ingest pipeline.
on_failure array[object]

Processors to run immediately after a processor failure. Each processor supports a processor-level on_failure value. If a processor without an on_failure value fails, Elasticsearch uses this pipeline-level parameter as a fallback. The processors in this parameter run sequentially in the order specified. Elasticsearch will not attempt to run the pipeline's remaining processors.
Hide on_failure attributes Show on_failure attributes object
- append object
 Hide append attributes Show append attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 value object | array[object] Required
 
 The value to be appended. Supports template snippets.
 
 One of:
 object-1 object array-2 array[object]
 
 allow_duplicates boolean
 
 If false, the processor does not append values already present in the field.
- attachment object
 Hide attachment attributes Show attachment attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 indexed_chars number
 
 The number of chars being used for extraction to prevent huge fields. Use -1 for no limit.
 
 indexed_chars_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Array of properties to select to be stored. Can be content, title, name, author, keywords, date, content_type, content_length, language.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 remove_binary boolean
 
 If true, the binary field will be removed from the document
 
 resource_name string
 
 Field containing the name of the resource to decode. If specified, the processor passes this resource name to the underlying Tika library to enable Resource Name Based Detection.
- bytes object
 Hide bytes attributes Show bytes attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- circle object
 Hide circle attributes Show circle attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 error_distance number Required
 
 The difference between the resulting inscribed distance from center to side and the circle’s radius (measured in meters for geo_shape, unit-less for shape).
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 shape_type string Required
 
 Values are geo_shape or shape.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- community_id object
 Hide community_id attributes Show community_id attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 source_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 iana_number string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_type string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_code string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 transport string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 seed number
 
 Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
- convert object
 Hide convert attributes Show convert attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 type string Required
 
 Values are integer, long, double, float, boolean, ip, string, or auto.
- csv object
 Hide csv attributes Show csv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 empty_value object
 
 Value used to fill empty fields. Empty fields are skipped if this is not provided. An empty field is one with no value (2 consecutive separators) or empty quotes ("").
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 quote string
 
 Quote used in CSV, has to be single character string.
 
 separator string
 
 Separator used in CSV, has to be single character string.
 
 target_fields string | array[string] Required
 
 trim boolean
 
 Trim whitespaces in unquoted fields.
- date object
 Hide date attributes Show date attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 formats array[string] Required
 
 An array of the expected date formats. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 locale string
 
 The locale to use when parsing the date, relevant when parsing month names or week days. Supports template snippets.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 timezone string
 
 The timezone to use when parsing the date. Supports template snippets.
 
 output_format string
 
 The format to use when writing the date to target_field. Must be a valid java time pattern.
- date_index_name object
 Hide date_index_name attributes Show date_index_name attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 date_formats array[string]
 
 An array of the expected date formats for parsing dates / timestamps in the document being preprocessed. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 date_rounding string Required
 
 How to round the date when formatting the date into the index name. Valid values are: y (year), M (month), w (week), d (day), h (hour), m (minute) and s (second). Supports template snippets.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 index_name_format string
 
 The format to be used when printing the parsed date into the index name. A valid java time pattern is expected here. Supports template snippets.
 
 index_name_prefix string
 
 A prefix of the index name to be prepended before the printed date. Supports template snippets.
 
 locale string
 
 The locale to use when parsing the date from the document being preprocessed, relevant when parsing month names or week days.
 
 timezone string
 
 The timezone to use when parsing the date and when date math index supports resolves expressions into concrete index names.
- dissect object
 Hide dissect attributes Show dissect attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 append_separator string
 
 The character(s) that separate the appended fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to apply to the field.
- dot_expander object
 Hide dot_expander attributes Show dot_expander attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 override boolean
 
 Controls the behavior when there is already an existing nested object that conflicts with the expanded field. When false, the processor will merge conflicts by combining the old and the new values into an array. When true, the value from the expanded field will overwrite the existing value.
 
 path string
 
 The field that contains the field to expand. Only required if the field to expand is part another object field, because the field option can only understand leaf fields.
- drop object
 Hide drop attributes Show drop attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
- enrich object
 Hide enrich attributes Show enrich attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 max_matches number
 
 The maximum number of matched documents to include under the configured target field. The target_field will be turned into a json array if max_matches is higher than 1, otherwise target_field will become a json object. In order to avoid documents getting too large, the maximum allowed value is 128.
 
 override boolean
 
 If processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 policy_name string Required
 
 The name of the enrich policy to use.
 
 shape_relation string
 
 Values are intersects, disjoint, within, or contains.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- fail object
 Hide fail attributes Show fail attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 message string Required
 
 The error message thrown by the processor. Supports template snippets.
- fingerprint object
 Hide fingerprint attributes Show fingerprint attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 fields string | array[string] Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 salt string
 
 Salt value for the hash function.
 
 method string
 
 Values are MD5, SHA-1, SHA-256, SHA-512, or MurmurHash3.
 
 ignore_missing boolean
 
 If true, the processor ignores any missing fields. If all fields are missing, the processor silently exits without modifying the document.
- foreach object
 Hide foreach attributes Show foreach attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true, the processor silently exits without changing the document if the field is null or missing.
 
 processor object Required
- ip_location object
 Hide ip_location attributes Show ip_location attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found IP location data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the IP location lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
- geo_grid object
 Hide geo_grid attributes Show geo_grid attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 The field to interpret as a geo-tile.= The field format is determined by the tile_type.
 
 tile_type string Required
 
 Values are geotile, geohex, or geohash.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 parent_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 non_children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 precision_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_format string
 
 Values are geojson or wkt.
- geoip object
 Hide geoip attributes Show geoip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found geoip data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the geoip lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
- grok object
 Hide grok attributes Show grok attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 ecs_compatibility string
 
 Must be disabled or v1. If v1, the processor uses patterns with Elastic Common Schema (ECS) field names.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern_definitions object
 
 A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
 
 Hide pattern_definitions attribute Show pattern_definitions attribute object
 
 * string Additional properties
 
 patterns array[string] Required
 
 An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
 
 trace_match boolean
 
 When true, _ingest._grok_match_index will be inserted into your matched document’s metadata with the index into the pattern found in patterns that matched.
- gsub object
 Hide gsub attributes Show gsub attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to be replaced.
 
 replacement string Required
 
 The string to replace the matching patterns with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- html_strip object
 Hide html_strip attributes Show html_strip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document,
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- inference object
 Hide inference attributes Show inference attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 model_id string Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_map object
 
 Maps the document field names to the known field names of the model. This mapping takes precedence over any default mappings provided in the model configuration.
 
 Hide field_map attribute Show field_map attribute object
 
 * object Additional properties
 
 inference_config object
 
 Hide inference_config attributes Show inference_config attributes object
 
 regression object
 
 Hide regression attributes Show regression attributes object
 
 results_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 num_top_feature_importance_values number
 
 Specifies the maximum number of feature importance values per document.
 
 classification object
 
 Hide classification attributes Show classification attributes object
 
 num_top_classes number
 
 Specifies the number of top class predictions to return.
 
 num_top_feature_importance_values number
 
 Specifies the maximum number of feature importance values per document.
 
 results_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 top_classes_results_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 prediction_field_type string
 
 Specifies the type of the predicted field to write. Valid values are: string, number, boolean.
 
 input_output object | array[object]
 
 Input fields for inference and output (destination) fields for the inference results. This option is incompatible with the target_field and field_map options.
 
 One of:
 InputConfig object array-2 array[object]
 
 Hide attributes Show attributes
 
 input_field string Required
 
 output_field string Required
 
 ignore_missing boolean
 
 If true and any of the input fields defined in input_ouput are missing then those missing fields are quietly ignored, otherwise a missing field causes a failure. Only applies when using input_output configurations to explicitly list the input fields.
- join object
 Hide join attributes Show join attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 separator string Required
 
 The separator character.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- json object
 Hide json attributes Show json attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 add_to_root boolean
 
 Flag that forces the parsed JSON to be added at the top level of the document. target_field must not be set when this option is chosen.
 
 add_to_root_conflict_strategy string
 
 Values are replace or merge.
 
 allow_duplicate_keys boolean
 
 When set to true, the JSON parser will not fail if the JSON contains duplicate keys. Instead, the last encountered value for any duplicate key wins.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- kv object
 Hide kv attributes Show kv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 exclude_keys array[string]
 
 List of keys to exclude from document.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_split string Required
 
 Regex pattern to use for splitting key-value pairs.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 include_keys array[string]
 
 List of keys to filter and insert into document. Defaults to including all keys.
 
 prefix string
 
 Prefix to be added to extracted keys.
 
 strip_brackets boolean
 
 If true. strip brackets (), <>, [] as well as quotes ' and " from extracted values.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 trim_key string
 
 String of characters to trim from extracted keys.
 
 trim_value string
 
 String of characters to trim from extracted values.
 
 value_split string Required
 
 Regex pattern to use for splitting the key from the value within a key-value pair.
- lowercase object
 Hide lowercase attributes Show lowercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- network_direction object
 Hide network_direction attributes Show network_direction attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 internal_networks array[string]
 
 List of internal networks. Supports IPv4 and IPv6 addresses and ranges in CIDR notation. Also supports the named ranges listed below. These may be constructed with template snippets. Must specify only one of internal_networks or internal_networks_field.
 
 internal_networks_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
- pipeline object
 Hide pipeline attributes Show pipeline attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 name string Required
 
 ignore_missing_pipeline boolean
 
 Whether to ignore missing pipelines instead of failing.
- redact object
 Hide redact attributes Show redact attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 patterns array[string] Required
 
 A list of grok expressions to match and redact named captures with
 
 pattern_definitions object
 
 Hide pattern_definitions attribute Show pattern_definitions attribute object
 
 * string Additional properties
 
 prefix string
 
 Start a redacted section with this token
 
 suffix string
 
 End a redacted section with this token
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 skip_if_unlicensed boolean
 
 If true and the current license does not support running redact processors, then the processor quietly exits without modifying the document
 
 trace_redact boolean
 
 If true then ingest metadata _ingest._redact._is_redacted is set to true if the document has been redacted
- registered_domain object
 Hide registered_domain attributes Show registered_domain attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
- remove object
 Hide remove attributes Show remove attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string | array[string] Required
 
 keep string | array[string]
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
- rename object
 Hide rename attributes Show rename attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- reroute object
 Hide reroute attributes Show reroute attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 destination string
 
 A static value for the target. Can’t be set when the dataset or namespace option is set.
 
 dataset string | array[string]
 
 Field references or a static value for the dataset part of the data stream name. In addition to the criteria for index names, cannot contain - and must be no longer than 100 characters. Example values are nginx.access and nginx.error.
 
 Supports field references with a mustache-like syntax (denoted as {{double}} or {{{triple}}} curly braces). When resolving field references, the processor replaces invalid characters with _. Uses the part of the index name as a fallback if all field references resolve to a null, missing, or non-string value.
 
 default {{data_stream.dataset}}
 
 One of:
 string-1 string array-2 array[string]
 
 namespace string | array[string]
 
 Field references or a static value for the namespace part of the data stream name. See the criteria for index names for allowed characters. Must be no longer than 100 characters.
 
 Supports field references with a mustache-like syntax (denoted as {{double}} or {{{triple}}} curly braces). When resolving field references, the processor replaces invalid characters with _. Uses the part of the index name as a fallback if all field references resolve to a null, missing, or non-string value.
 
 default {{data_stream.namespace}}
 
 One of:
 string-1 string array-2 array[string]
- script object
 Hide script attributes Show script attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 id string
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 params object
 
 Object containing parameters for the script.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 Hide attributes Show attributes
 
 aggregations object
 
 Defines the aggregations that are run as part of the search request.
 
 collapse object
 
 explain boolean
 
 If true, the request returns detailed information about score computation as part of a hit.
 
 ext object
 
 Configuration of search extensions defined by Elasticsearch plugins.
 
 from number
 
 The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
 
 highlight
 
 track_total_hits boolean | number
 
 Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
 
 indices_boost array[object]
 
 Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
 
 docvalue_fields array[object]
 
 An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
 
 knn
 
 rank object
 
 min_score number
 
 The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
 
 post_filter object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 profile boolean
 
 Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
 
 query object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 rescore
 
 retriever object
 
 script_fields object
 
 Retrieve a script evaluation (based on different fields) for each hit.
 
 search_after array[number | string | boolean | null]
 
 A field value.
 
 size number
 
 The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
 
 slice object
 
 sort
 
 _source
 
 fields array[object]
 
 An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
 
 suggest object
 
 terminate_after number
 
 The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
 
 IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
 
 If set to 0 (default), the query does not terminate early.
 
 timeout string
 
 The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
 
 track_scores boolean
 
 If true, calculate and return document scores, even if the scores are not used for sorting.
 
 version boolean
 
 If true, the request returns the document version as part of a hit.
 
 seq_no_primary_term boolean
 
 If true, the request returns sequence number and primary term of the last modification of each hit.
 
 stored_fields string | array[string]
 
 pit object
 
 runtime_mappings object
 
 stats array[string]
 
 The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
- set object
 Hide set attributes Show set attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 copy_from string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_empty_value boolean
 
 If true and value is a template snippet that evaluates to null or the empty string, the processor quietly exits without modifying the document.
 
 media_type string
 
 The media type for encoding value. Applies only when value is a template snippet. Must be one of application/json, text/plain, or application/x-www-form-urlencoded.
 
 override boolean
 
 If true processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 value object
 
 The value to be set for the field. Supports template snippets. May specify only one of value or copy_from.
- set_security_user object
 Hide set_security_user attributes Show set_security_user attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what user related properties are added to the field.
- sort object
 Hide sort attributes Show sort attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 order string
 
 Values are asc or desc.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- split object
 Hide split attributes Show split attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 preserve_trailing boolean
 
 Preserves empty trailing fields, if any.
 
 separator string Required
 
 A regex which matches the separator, for example, , or \s+.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- terminate object
 Hide terminate attributes Show terminate attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
- trim object
 Hide trim attributes Show trim attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- uppercase object
 Hide uppercase attributes Show uppercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- urldecode object
 Hide urldecode attributes Show urldecode attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- uri_parts object
 Hide uri_parts attributes Show uri_parts attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 keep_original boolean
 
 If true, the processor copies the unparsed URI to <target_field>.original.
 
 remove_if_successful boolean
 
 If true, the processor removes the field after parsing the URI string. If parsing fails, the processor does not remove the field.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- user_agent object
 Hide user_agent attributes Show user_agent attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 regex_file string
 
 The name of the file in the config/ingest-user-agent directory containing the regular expressions for parsing the user agent string. Both the directory and the file have to be created before starting Elasticsearch. If not specified, ingest-user-agent will use the regexes.yaml from uap-core it ships with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what properties are added to target_field.
 
 Values are name, os, device, original, or version.
 
 extract_device_type boolean Beta
 
 Extracts device type from the user agent string on a best-effort basis.
processors array[object]

Processors used to perform transformations on documents before indexing. Processors run sequentially in the order specified.
Hide processors attributes Show processors attributes object
- append object
 Hide append attributes Show append attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 value object | array[object] Required
 
 The value to be appended. Supports template snippets.
 
 One of:
 object-1 object array-2 array[object]
 
 allow_duplicates boolean
 
 If false, the processor does not append values already present in the field.
- attachment object
 Hide attachment attributes Show attachment attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 indexed_chars number
 
 The number of chars being used for extraction to prevent huge fields. Use -1 for no limit.
 
 indexed_chars_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Array of properties to select to be stored. Can be content, title, name, author, keywords, date, content_type, content_length, language.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 remove_binary boolean
 
 If true, the binary field will be removed from the document
 
 resource_name string
 
 Field containing the name of the resource to decode. If specified, the processor passes this resource name to the underlying Tika library to enable Resource Name Based Detection.
- bytes object
 Hide bytes attributes Show bytes attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- circle object
 Hide circle attributes Show circle attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 error_distance number Required
 
 The difference between the resulting inscribed distance from center to side and the circle’s radius (measured in meters for geo_shape, unit-less for shape).
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 shape_type string Required
 
 Values are geo_shape or shape.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- community_id object
 Hide community_id attributes Show community_id attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 source_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 iana_number string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_type string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_code string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 transport string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 seed number
 
 Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
- convert object
 Hide convert attributes Show convert attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 type string Required
 
 Values are integer, long, double, float, boolean, ip, string, or auto.
- csv object
 Hide csv attributes Show csv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 empty_value object
 
 Value used to fill empty fields. Empty fields are skipped if this is not provided. An empty field is one with no value (2 consecutive separators) or empty quotes ("").
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 quote string
 
 Quote used in CSV, has to be single character string.
 
 separator string
 
 Separator used in CSV, has to be single character string.
 
 target_fields string | array[string] Required
 
 trim boolean
 
 Trim whitespaces in unquoted fields.
- date object
 Hide date attributes Show date attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 formats array[string] Required
 
 An array of the expected date formats. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 locale string
 
 The locale to use when parsing the date, relevant when parsing month names or week days. Supports template snippets.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 timezone string
 
 The timezone to use when parsing the date. Supports template snippets.
 
 output_format string
 
 The format to use when writing the date to target_field. Must be a valid java time pattern.
- date_index_name object
 Hide date_index_name attributes Show date_index_name attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 date_formats array[string]
 
 An array of the expected date formats for parsing dates / timestamps in the document being preprocessed. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 date_rounding string Required
 
 How to round the date when formatting the date into the index name. Valid values are: y (year), M (month), w (week), d (day), h (hour), m (minute) and s (second). Supports template snippets.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 index_name_format string
 
 The format to be used when printing the parsed date into the index name. A valid java time pattern is expected here. Supports template snippets.
 
 index_name_prefix string
 
 A prefix of the index name to be prepended before the printed date. Supports template snippets.
 
 locale string
 
 The locale to use when parsing the date from the document being preprocessed, relevant when parsing month names or week days.
 
 timezone string
 
 The timezone to use when parsing the date and when date math index supports resolves expressions into concrete index names.
- dissect object
 Hide dissect attributes Show dissect attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 append_separator string
 
 The character(s) that separate the appended fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to apply to the field.
- dot_expander object
 Hide dot_expander attributes Show dot_expander attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 override boolean
 
 Controls the behavior when there is already an existing nested object that conflicts with the expanded field. When false, the processor will merge conflicts by combining the old and the new values into an array. When true, the value from the expanded field will overwrite the existing value.
 
 path string
 
 The field that contains the field to expand. Only required if the field to expand is part another object field, because the field option can only understand leaf fields.
- drop object
 Hide drop attributes Show drop attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
- enrich object
 Hide enrich attributes Show enrich attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 max_matches number
 
 The maximum number of matched documents to include under the configured target field. The target_field will be turned into a json array if max_matches is higher than 1, otherwise target_field will become a json object. In order to avoid documents getting too large, the maximum allowed value is 128.
 
 override boolean
 
 If processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 policy_name string Required
 
 The name of the enrich policy to use.
 
 shape_relation string
 
 Values are intersects, disjoint, within, or contains.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- fail object
 Hide fail attributes Show fail attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 message string Required
 
 The error message thrown by the processor. Supports template snippets.
- fingerprint object
 Hide fingerprint attributes Show fingerprint attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 fields string | array[string] Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 salt string
 
 Salt value for the hash function.
 
 method string
 
 Values are MD5, SHA-1, SHA-256, SHA-512, or MurmurHash3.
 
 ignore_missing boolean
 
 If true, the processor ignores any missing fields. If all fields are missing, the processor silently exits without modifying the document.
- foreach object
 Hide foreach attributes Show foreach attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true, the processor silently exits without changing the document if the field is null or missing.
 
 processor object Required
- ip_location object
 Hide ip_location attributes Show ip_location attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found IP location data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the IP location lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
- geo_grid object
 Hide geo_grid attributes Show geo_grid attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 The field to interpret as a geo-tile.= The field format is determined by the tile_type.
 
 tile_type string Required
 
 Values are geotile, geohex, or geohash.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 parent_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 non_children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 precision_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_format string
 
 Values are geojson or wkt.
- geoip object
 Hide geoip attributes Show geoip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found geoip data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the geoip lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
- grok object
 Hide grok attributes Show grok attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 ecs_compatibility string
 
 Must be disabled or v1. If v1, the processor uses patterns with Elastic Common Schema (ECS) field names.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern_definitions object
 
 A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
 
 Hide pattern_definitions attribute Show pattern_definitions attribute object
 
 * string Additional properties
 
 patterns array[string] Required
 
 An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
 
 trace_match boolean
 
 When true, _ingest._grok_match_index will be inserted into your matched document’s metadata with the index into the pattern found in patterns that matched.
- gsub object
 Hide gsub attributes Show gsub attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to be replaced.
 
 replacement string Required
 
 The string to replace the matching patterns with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- html_strip object
 Hide html_strip attributes Show html_strip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document,
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- inference object
 Hide inference attributes Show inference attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 model_id string Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_map object
 
 Maps the document field names to the known field names of the model. This mapping takes precedence over any default mappings provided in the model configuration.
 
 Hide field_map attribute Show field_map attribute object
 
 * object Additional properties
 
 inference_config object
 
 Hide inference_config attributes Show inference_config attributes object
 
 regression object
 
 Hide regression attributes Show regression attributes object
 
 results_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 num_top_feature_importance_values number
 
 Specifies the maximum number of feature importance values per document.
 
 classification object
 
 Hide classification attributes Show classification attributes object
 
 num_top_classes number
 
 Specifies the number of top class predictions to return.
 
 num_top_feature_importance_values number
 
 Specifies the maximum number of feature importance values per document.
 
 results_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 top_classes_results_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 prediction_field_type string
 
 Specifies the type of the predicted field to write. Valid values are: string, number, boolean.
 
 input_output object | array[object]
 
 Input fields for inference and output (destination) fields for the inference results. This option is incompatible with the target_field and field_map options.
 
 One of:
 InputConfig object array-2 array[object]
 
 Hide attributes Show attributes
 
 input_field string Required
 
 output_field string Required
 
 ignore_missing boolean
 
 If true and any of the input fields defined in input_ouput are missing then those missing fields are quietly ignored, otherwise a missing field causes a failure. Only applies when using input_output configurations to explicitly list the input fields.
- join object
 Hide join attributes Show join attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 separator string Required
 
 The separator character.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- json object
 Hide json attributes Show json attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 add_to_root boolean
 
 Flag that forces the parsed JSON to be added at the top level of the document. target_field must not be set when this option is chosen.
 
 add_to_root_conflict_strategy string
 
 Values are replace or merge.
 
 allow_duplicate_keys boolean
 
 When set to true, the JSON parser will not fail if the JSON contains duplicate keys. Instead, the last encountered value for any duplicate key wins.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- kv object
 Hide kv attributes Show kv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 exclude_keys array[string]
 
 List of keys to exclude from document.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_split string Required
 
 Regex pattern to use for splitting key-value pairs.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 include_keys array[string]
 
 List of keys to filter and insert into document. Defaults to including all keys.
 
 prefix string
 
 Prefix to be added to extracted keys.
 
 strip_brackets boolean
 
 If true. strip brackets (), <>, [] as well as quotes ' and " from extracted values.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 trim_key string
 
 String of characters to trim from extracted keys.
 
 trim_value string
 
 String of characters to trim from extracted values.
 
 value_split string Required
 
 Regex pattern to use for splitting the key from the value within a key-value pair.
- lowercase object
 Hide lowercase attributes Show lowercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- network_direction object
 Hide network_direction attributes Show network_direction attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 internal_networks array[string]
 
 List of internal networks. Supports IPv4 and IPv6 addresses and ranges in CIDR notation. Also supports the named ranges listed below. These may be constructed with template snippets. Must specify only one of internal_networks or internal_networks_field.
 
 internal_networks_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
- pipeline object
 Hide pipeline attributes Show pipeline attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 name string Required
 
 ignore_missing_pipeline boolean
 
 Whether to ignore missing pipelines instead of failing.
- redact object
 Hide redact attributes Show redact attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 patterns array[string] Required
 
 A list of grok expressions to match and redact named captures with
 
 pattern_definitions object
 
 Hide pattern_definitions attribute Show pattern_definitions attribute object
 
 * string Additional properties
 
 prefix string
 
 Start a redacted section with this token
 
 suffix string
 
 End a redacted section with this token
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 skip_if_unlicensed boolean
 
 If true and the current license does not support running redact processors, then the processor quietly exits without modifying the document
 
 trace_redact boolean
 
 If true then ingest metadata _ingest._redact._is_redacted is set to true if the document has been redacted
- registered_domain object
 Hide registered_domain attributes Show registered_domain attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
- remove object
 Hide remove attributes Show remove attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string | array[string] Required
 
 keep string | array[string]
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
- rename object
 Hide rename attributes Show rename attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- reroute object
 Hide reroute attributes Show reroute attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 destination string
 
 A static value for the target. Can’t be set when the dataset or namespace option is set.
 
 dataset string | array[string]
 
 Field references or a static value for the dataset part of the data stream name. In addition to the criteria for index names, cannot contain - and must be no longer than 100 characters. Example values are nginx.access and nginx.error.
 
 Supports field references with a mustache-like syntax (denoted as {{double}} or {{{triple}}} curly braces). When resolving field references, the processor replaces invalid characters with _. Uses the part of the index name as a fallback if all field references resolve to a null, missing, or non-string value.
 
 default {{data_stream.dataset}}
 
 One of:
 string-1 string array-2 array[string]
 
 namespace string | array[string]
 
 Field references or a static value for the namespace part of the data stream name. See the criteria for index names for allowed characters. Must be no longer than 100 characters.
 
 Supports field references with a mustache-like syntax (denoted as {{double}} or {{{triple}}} curly braces). When resolving field references, the processor replaces invalid characters with _. Uses the part of the index name as a fallback if all field references resolve to a null, missing, or non-string value.
 
 default {{data_stream.namespace}}
 
 One of:
 string-1 string array-2 array[string]
- script object
 Hide script attributes Show script attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 id string
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 params object
 
 Object containing parameters for the script.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 Hide attributes Show attributes
 
 aggregations object
 
 Defines the aggregations that are run as part of the search request.
 
 collapse object
 
 explain boolean
 
 If true, the request returns detailed information about score computation as part of a hit.
 
 ext object
 
 Configuration of search extensions defined by Elasticsearch plugins.
 
 from number
 
 The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
 
 highlight
 
 track_total_hits boolean | number
 
 Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
 
 indices_boost array[object]
 
 Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
 
 docvalue_fields array[object]
 
 An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
 
 knn
 
 rank object
 
 min_score number
 
 The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
 
 post_filter object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 profile boolean
 
 Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
 
 query object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 rescore
 
 retriever object
 
 script_fields object
 
 Retrieve a script evaluation (based on different fields) for each hit.
 
 search_after array[number | string | boolean | null]
 
 A field value.
 
 size number
 
 The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
 
 slice object
 
 sort
 
 _source
 
 fields array[object]
 
 An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
 
 suggest object
 
 terminate_after number
 
 The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
 
 IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
 
 If set to 0 (default), the query does not terminate early.
 
 timeout string
 
 The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
 
 track_scores boolean
 
 If true, calculate and return document scores, even if the scores are not used for sorting.
 
 version boolean
 
 If true, the request returns the document version as part of a hit.
 
 seq_no_primary_term boolean
 
 If true, the request returns sequence number and primary term of the last modification of each hit.
 
 stored_fields string | array[string]
 
 pit object
 
 runtime_mappings object
 
 stats array[string]
 
 The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
- set object
 Hide set attributes Show set attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 copy_from string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_empty_value boolean
 
 If true and value is a template snippet that evaluates to null or the empty string, the processor quietly exits without modifying the document.
 
 media_type string
 
 The media type for encoding value. Applies only when value is a template snippet. Must be one of application/json, text/plain, or application/x-www-form-urlencoded.
 
 override boolean
 
 If true processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 value object
 
 The value to be set for the field. Supports template snippets. May specify only one of value or copy_from.
- set_security_user object
 Hide set_security_user attributes Show set_security_user attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what user related properties are added to the field.
- sort object
 Hide sort attributes Show sort attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 order string
 
 Values are asc or desc.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- split object
 Hide split attributes Show split attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 preserve_trailing boolean
 
 Preserves empty trailing fields, if any.
 
 separator string Required
 
 A regex which matches the separator, for example, , or \s+.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- terminate object
 Hide terminate attributes Show terminate attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
- trim object
 Hide trim attributes Show trim attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- uppercase object
 Hide uppercase attributes Show uppercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- urldecode object
 Hide urldecode attributes Show urldecode attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- uri_parts object
 Hide uri_parts attributes Show uri_parts attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 keep_original boolean
 
 If true, the processor copies the unparsed URI to <target_field>.original.
 
 remove_if_successful boolean
 
 If true, the processor removes the field after parsing the URI string. If parsing fails, the processor does not remove the field.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- user_agent object
 Hide user_agent attributes Show user_agent attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 Hide if attributes Show if attributes object
 
 source string | object
 
 One of:
 ScriptSource string SearchRequestBody object
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 Hide params attribute Show params attribute object
 
 * object Additional properties
 
 lang string
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * string Additional properties
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 regex_file string
 
 The name of the file in the config/ingest-user-agent directory containing the regular expressions for parsing the user agent string. Both the directory and the file have to be created before starting Elasticsearch. If not specified, ingest-user-agent will use the regexes.yaml from uap-core it ships with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what properties are added to target_field.
 
 Values are name, os, device, original, or version.
 
 extract_device_type boolean Beta
 
 Extracts device type from the user agent string on a best-effort basis.
version number
deprecated boolean

Marks this ingest pipeline as deprecated. When a deprecated ingest pipeline is referenced as the default or final pipeline when creating or updating a non-deprecated index template, Elasticsearch will emit a deprecation warning.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_ingest/pipeline/{id}

PUT _ingest/pipeline/my-pipeline-id
{
  "description" : "My optional pipeline description",
  "processors" : [
    {
      "set" : {
        "description" : "My optional processor description",
        "field": "my-keyword-field",
        "value": "foo"
      }
    }
  ]
}

curl \
 --request PUT 'http://api.example.com/_ingest/pipeline/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"description\" : \"My optional pipeline description\",\n  \"processors\" : [\n    {\n      \"set\" : {\n        \"description\" : \"My optional processor description\",\n        \"field\": \"my-keyword-field\",\n        \"value\": \"foo\"\n      }\n    }\n  ]\n}"'

Request examples

{
  "description" : "My optional pipeline description",
  "processors" : [
    {
      "set" : {
        "description" : "My optional processor description",
        "field": "my-keyword-field",
        "value": "foo"
      }
    }
  ]
}

You can use the `_meta` parameter to add arbitrary metadata to a pipeline.

{
  "description" : "My optional pipeline description",
  "processors" : [
    {
      "set" : {
        "description" : "My optional processor description",
        "field": "my-keyword-field",
        "value": "foo"
      }
    }
  ],
  "_meta": {
    "reason": "set my-keyword-field to foo",
    "serialization": {
      "class": "MyPipeline",
      "id": 10
    }
  }
}

Get pipelines Added in 5.0.0

GET /_ingest/pipeline

Api key auth Basic auth Bearer auth

Get information about one or more ingest pipelines. This API returns a local reference of the pipeline.

External documentation

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
summary boolean

Return pipelines without their definitions (default: false)

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
 
 Hide * attributes Show * attributes object
 
 description string
 
 Description of the ingest pipeline.
 
 on_failure array[object]
 
 Processors to run immediately after a processor failure.
 
 Hide on_failure attributes Show on_failure attributes object
 
 append object
 
 Hide append attributes Show append attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 value
 
 allow_duplicates boolean
 
 If false, the processor does not append values already present in the field.
 
 attachment object
 
 Hide attachment attributes Show attachment attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 indexed_chars number
 
 The number of chars being used for extraction to prevent huge fields. Use -1 for no limit.
 
 indexed_chars_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Array of properties to select to be stored. Can be content, title, name, author, keywords, date, content_type, content_length, language.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 remove_binary boolean
 
 If true, the binary field will be removed from the document
 
 resource_name string
 
 Field containing the name of the resource to decode. If specified, the processor passes this resource name to the underlying Tika library to enable Resource Name Based Detection.
 
 bytes object
 
 Hide bytes attributes Show bytes attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 circle object
 
 Hide circle attributes Show circle attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 error_distance number Required
 
 The difference between the resulting inscribed distance from center to side and the circle’s radius (measured in meters for geo_shape, unit-less for shape).
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 shape_type string Required
 
 Values are geo_shape or shape.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 community_id object
 
 Hide community_id attributes Show community_id attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 source_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 iana_number string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_type string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_code string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 transport string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 seed number
 
 Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
 
 convert object
 
 Hide convert attributes Show convert attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 type string Required
 
 Values are integer, long, double, float, boolean, ip, string, or auto.
 
 csv object
 
 Hide csv attributes Show csv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 empty_value object
 
 Value used to fill empty fields. Empty fields are skipped if this is not provided. An empty field is one with no value (2 consecutive separators) or empty quotes ("").
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 quote string
 
 Quote used in CSV, has to be single character string.
 
 separator string
 
 Separator used in CSV, has to be single character string.
 
 target_fields string | array[string] Required
 
 trim boolean
 
 Trim whitespaces in unquoted fields.
 
 date object
 
 Hide date attributes Show date attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 formats array[string] Required
 
 An array of the expected date formats. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 locale string
 
 The locale to use when parsing the date, relevant when parsing month names or week days. Supports template snippets.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 timezone string
 
 The timezone to use when parsing the date. Supports template snippets.
 
 output_format string
 
 The format to use when writing the date to target_field. Must be a valid java time pattern.
 
 date_index_name object
 
 Hide date_index_name attributes Show date_index_name attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 date_formats array[string]
 
 An array of the expected date formats for parsing dates / timestamps in the document being preprocessed. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 date_rounding string Required
 
 How to round the date when formatting the date into the index name. Valid values are: y (year), M (month), w (week), d (day), h (hour), m (minute) and s (second). Supports template snippets.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 index_name_format string
 
 The format to be used when printing the parsed date into the index name. A valid java time pattern is expected here. Supports template snippets.
 
 index_name_prefix string
 
 A prefix of the index name to be prepended before the printed date. Supports template snippets.
 
 locale string
 
 The locale to use when parsing the date from the document being preprocessed, relevant when parsing month names or week days.
 
 timezone string
 
 The timezone to use when parsing the date and when date math index supports resolves expressions into concrete index names.
 
 dissect object
 
 Hide dissect attributes Show dissect attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 append_separator string
 
 The character(s) that separate the appended fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to apply to the field.
 
 dot_expander object
 
 Hide dot_expander attributes Show dot_expander attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 override boolean
 
 Controls the behavior when there is already an existing nested object that conflicts with the expanded field. When false, the processor will merge conflicts by combining the old and the new values into an array. When true, the value from the expanded field will overwrite the existing value.
 
 path string
 
 The field that contains the field to expand. Only required if the field to expand is part another object field, because the field option can only understand leaf fields.
 
 drop object
 
 Hide drop attributes Show drop attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 enrich object
 
 Hide enrich attributes Show enrich attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 max_matches number
 
 The maximum number of matched documents to include under the configured target field. The target_field will be turned into a json array if max_matches is higher than 1, otherwise target_field will become a json object. In order to avoid documents getting too large, the maximum allowed value is 128.
 
 override boolean
 
 If processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 policy_name string Required
 
 The name of the enrich policy to use.
 
 shape_relation string
 
 Values are intersects, disjoint, within, or contains.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 fail object
 
 Hide fail attributes Show fail attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 message string Required
 
 The error message thrown by the processor. Supports template snippets.
 
 fingerprint object
 
 Hide fingerprint attributes Show fingerprint attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 fields string | array[string] Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 salt string
 
 Salt value for the hash function.
 
 method string
 
 Values are MD5, SHA-1, SHA-256, SHA-512, or MurmurHash3.
 
 ignore_missing boolean
 
 If true, the processor ignores any missing fields. If all fields are missing, the processor silently exits without modifying the document.
 
 foreach object
 
 Hide foreach attributes Show foreach attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true, the processor silently exits without changing the document if the field is null or missing.
 
 processor object Required
 
 ip_location object
 
 Hide ip_location attributes Show ip_location attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found IP location data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the IP location lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
 
 geo_grid object
 
 Hide geo_grid attributes Show geo_grid attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 The field to interpret as a geo-tile.= The field format is determined by the tile_type.
 
 tile_type string Required
 
 Values are geotile, geohex, or geohash.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 parent_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 non_children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 precision_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_format string
 
 Values are geojson or wkt.
 
 geoip object
 
 Hide geoip attributes Show geoip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found geoip data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the geoip lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
 
 grok object
 
 Hide grok attributes Show grok attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 ecs_compatibility string
 
 Must be disabled or v1. If v1, the processor uses patterns with Elastic Common Schema (ECS) field names.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern_definitions object
 
 A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
 
 patterns array[string] Required
 
 An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
 
 trace_match boolean
 
 When true, _ingest._grok_match_index will be inserted into your matched document’s metadata with the index into the pattern found in patterns that matched.
 
 gsub object
 
 Hide gsub attributes Show gsub attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to be replaced.
 
 replacement string Required
 
 The string to replace the matching patterns with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 html_strip object
 
 Hide html_strip attributes Show html_strip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document,
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 inference object
 
 Hide inference attributes Show inference attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 model_id string Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_map object
 
 Maps the document field names to the known field names of the model. This mapping takes precedence over any default mappings provided in the model configuration.
 
 inference_config object
 
 input_output
 
 ignore_missing boolean
 
 If true and any of the input fields defined in input_ouput are missing then those missing fields are quietly ignored, otherwise a missing field causes a failure. Only applies when using input_output configurations to explicitly list the input fields.
 
 join object
 
 Hide join attributes Show join attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 separator string Required
 
 The separator character.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 json object
 
 Hide json attributes Show json attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 add_to_root boolean
 
 Flag that forces the parsed JSON to be added at the top level of the document. target_field must not be set when this option is chosen.
 
 add_to_root_conflict_strategy string
 
 Values are replace or merge.
 
 allow_duplicate_keys boolean
 
 When set to true, the JSON parser will not fail if the JSON contains duplicate keys. Instead, the last encountered value for any duplicate key wins.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 kv object
 
 Hide kv attributes Show kv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 exclude_keys array[string]
 
 List of keys to exclude from document.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_split string Required
 
 Regex pattern to use for splitting key-value pairs.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 include_keys array[string]
 
 List of keys to filter and insert into document. Defaults to including all keys.
 
 prefix string
 
 Prefix to be added to extracted keys.
 
 strip_brackets boolean
 
 If true. strip brackets (), <>, [] as well as quotes ' and " from extracted values.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 trim_key string
 
 String of characters to trim from extracted keys.
 
 trim_value string
 
 String of characters to trim from extracted values.
 
 value_split string Required
 
 Regex pattern to use for splitting the key from the value within a key-value pair.
 
 lowercase object
 
 Hide lowercase attributes Show lowercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 network_direction object
 
 Hide network_direction attributes Show network_direction attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 internal_networks array[string]
 
 List of internal networks. Supports IPv4 and IPv6 addresses and ranges in CIDR notation. Also supports the named ranges listed below. These may be constructed with template snippets. Must specify only one of internal_networks or internal_networks_field.
 
 internal_networks_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
 
 pipeline object
 
 Hide pipeline attributes Show pipeline attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 name string Required
 
 ignore_missing_pipeline boolean
 
 Whether to ignore missing pipelines instead of failing.
 
 redact object
 
 Hide redact attributes Show redact attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 patterns array[string] Required
 
 A list of grok expressions to match and redact named captures with
 
 pattern_definitions object
 
 prefix string
 
 Start a redacted section with this token
 
 suffix string
 
 End a redacted section with this token
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 skip_if_unlicensed boolean
 
 If true and the current license does not support running redact processors, then the processor quietly exits without modifying the document
 
 trace_redact boolean
 
 If true then ingest metadata _ingest._redact._is_redacted is set to true if the document has been redacted
 
 registered_domain object
 
 Hide registered_domain attributes Show registered_domain attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
 
 remove object
 
 Hide remove attributes Show remove attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string | array[string] Required
 
 keep string | array[string]
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 rename object
 
 Hide rename attributes Show rename attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 reroute object
 
 Hide reroute attributes Show reroute attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 destination string
 
 A static value for the target. Can’t be set when the dataset or namespace option is set.
 
 dataset
 
 namespace
 
 script object
 
 Hide script attributes Show script attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 id string
 
 lang
 
 params object
 
 Object containing parameters for the script.
 
 source
 
 set object
 
 Hide set attributes Show set attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 copy_from string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_empty_value boolean
 
 If true and value is a template snippet that evaluates to null or the empty string, the processor quietly exits without modifying the document.
 
 media_type string
 
 The media type for encoding value. Applies only when value is a template snippet. Must be one of application/json, text/plain, or application/x-www-form-urlencoded.
 
 override boolean
 
 If true processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 value object
 
 The value to be set for the field. Supports template snippets. May specify only one of value or copy_from.
 
 set_security_user object
 
 Hide set_security_user attributes Show set_security_user attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what user related properties are added to the field.
 
 sort object
 
 Hide sort attributes Show sort attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 order string
 
 Values are asc or desc.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 split object
 
 Hide split attributes Show split attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 preserve_trailing boolean
 
 Preserves empty trailing fields, if any.
 
 separator string Required
 
 A regex which matches the separator, for example, , or \s+.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 terminate object
 
 Hide terminate attributes Show terminate attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 trim object
 
 Hide trim attributes Show trim attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 uppercase object
 
 Hide uppercase attributes Show uppercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 urldecode object
 
 Hide urldecode attributes Show urldecode attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 uri_parts object
 
 Hide uri_parts attributes Show uri_parts attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 keep_original boolean
 
 If true, the processor copies the unparsed URI to <target_field>.original.
 
 remove_if_successful boolean
 
 If true, the processor removes the field after parsing the URI string. If parsing fails, the processor does not remove the field.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 user_agent object
 
 Hide user_agent attributes Show user_agent attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 regex_file string
 
 The name of the file in the config/ingest-user-agent directory containing the regular expressions for parsing the user agent string. Both the directory and the file have to be created before starting Elasticsearch. If not specified, ingest-user-agent will use the regexes.yaml from uap-core it ships with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what properties are added to target_field.
 
 Values are name, os, device, original, or version.
 
 extract_device_type boolean Beta
 
 Extracts device type from the user agent string on a best-effort basis.
 
 processors array[object]
 
 Processors used to perform transformations on documents before indexing. Processors run sequentially in the order specified.
 
 Hide processors attributes Show processors attributes object
 
 append object
 
 Hide append attributes Show append attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 value
 
 allow_duplicates boolean
 
 If false, the processor does not append values already present in the field.
 
 attachment object
 
 Hide attachment attributes Show attachment attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 indexed_chars number
 
 The number of chars being used for extraction to prevent huge fields. Use -1 for no limit.
 
 indexed_chars_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Array of properties to select to be stored. Can be content, title, name, author, keywords, date, content_type, content_length, language.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 remove_binary boolean
 
 If true, the binary field will be removed from the document
 
 resource_name string
 
 Field containing the name of the resource to decode. If specified, the processor passes this resource name to the underlying Tika library to enable Resource Name Based Detection.
 
 bytes object
 
 Hide bytes attributes Show bytes attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 circle object
 
 Hide circle attributes Show circle attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 error_distance number Required
 
 The difference between the resulting inscribed distance from center to side and the circle’s radius (measured in meters for geo_shape, unit-less for shape).
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 shape_type string Required
 
 Values are geo_shape or shape.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 community_id object
 
 Hide community_id attributes Show community_id attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 source_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_port string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 iana_number string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_type string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 icmp_code string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 transport string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 seed number
 
 Seed for the community ID hash. Must be between 0 and 65535 (inclusive). The seed can prevent hash collisions between network domains, such as a staging and production network that use the same addressing scheme.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
 
 convert object
 
 Hide convert attributes Show convert attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 type string Required
 
 Values are integer, long, double, float, boolean, ip, string, or auto.
 
 csv object
 
 Hide csv attributes Show csv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 empty_value object
 
 Value used to fill empty fields. Empty fields are skipped if this is not provided. An empty field is one with no value (2 consecutive separators) or empty quotes ("").
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 quote string
 
 Quote used in CSV, has to be single character string.
 
 separator string
 
 Separator used in CSV, has to be single character string.
 
 target_fields string | array[string] Required
 
 trim boolean
 
 Trim whitespaces in unquoted fields.
 
 date object
 
 Hide date attributes Show date attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 formats array[string] Required
 
 An array of the expected date formats. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 locale string
 
 The locale to use when parsing the date, relevant when parsing month names or week days. Supports template snippets.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 timezone string
 
 The timezone to use when parsing the date. Supports template snippets.
 
 output_format string
 
 The format to use when writing the date to target_field. Must be a valid java time pattern.
 
 date_index_name object
 
 Hide date_index_name attributes Show date_index_name attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 date_formats array[string]
 
 An array of the expected date formats for parsing dates / timestamps in the document being preprocessed. Can be a java time pattern or one of the following formats: ISO8601, UNIX, UNIX_MS, or TAI64N.
 
 date_rounding string Required
 
 How to round the date when formatting the date into the index name. Valid values are: y (year), M (month), w (week), d (day), h (hour), m (minute) and s (second). Supports template snippets.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 index_name_format string
 
 The format to be used when printing the parsed date into the index name. A valid java time pattern is expected here. Supports template snippets.
 
 index_name_prefix string
 
 A prefix of the index name to be prepended before the printed date. Supports template snippets.
 
 locale string
 
 The locale to use when parsing the date from the document being preprocessed, relevant when parsing month names or week days.
 
 timezone string
 
 The timezone to use when parsing the date and when date math index supports resolves expressions into concrete index names.
 
 dissect object
 
 Hide dissect attributes Show dissect attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 append_separator string
 
 The character(s) that separate the appended fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to apply to the field.
 
 dot_expander object
 
 Hide dot_expander attributes Show dot_expander attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 override boolean
 
 Controls the behavior when there is already an existing nested object that conflicts with the expanded field. When false, the processor will merge conflicts by combining the old and the new values into an array. When true, the value from the expanded field will overwrite the existing value.
 
 path string
 
 The field that contains the field to expand. Only required if the field to expand is part another object field, because the field option can only understand leaf fields.
 
 drop object
 
 Hide drop attributes Show drop attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 enrich object
 
 Hide enrich attributes Show enrich attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 max_matches number
 
 The maximum number of matched documents to include under the configured target field. The target_field will be turned into a json array if max_matches is higher than 1, otherwise target_field will become a json object. In order to avoid documents getting too large, the maximum allowed value is 128.
 
 override boolean
 
 If processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 policy_name string Required
 
 The name of the enrich policy to use.
 
 shape_relation string
 
 Values are intersects, disjoint, within, or contains.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 fail object
 
 Hide fail attributes Show fail attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 message string Required
 
 The error message thrown by the processor. Supports template snippets.
 
 fingerprint object
 
 Hide fingerprint attributes Show fingerprint attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 fields string | array[string] Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 salt string
 
 Salt value for the hash function.
 
 method string
 
 Values are MD5, SHA-1, SHA-256, SHA-512, or MurmurHash3.
 
 ignore_missing boolean
 
 If true, the processor ignores any missing fields. If all fields are missing, the processor silently exits without modifying the document.
 
 foreach object
 
 Hide foreach attributes Show foreach attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true, the processor silently exits without changing the document if the field is null or missing.
 
 processor object Required
 
 ip_location object
 
 Hide ip_location attributes Show ip_location attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found IP location data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the IP location lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
 
 geo_grid object
 
 Hide geo_grid attributes Show geo_grid attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 The field to interpret as a geo-tile.= The field format is determined by the tile_type.
 
 tile_type string Required
 
 Values are geotile, geohex, or geohash.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 parent_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 non_children_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 precision_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_format string
 
 Values are geojson or wkt.
 
 geoip object
 
 Hide geoip attributes Show geoip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 database_file string
 
 The database filename referring to a database the module ships with (GeoLite2-City.mmdb, GeoLite2-Country.mmdb, or GeoLite2-ASN.mmdb) or a custom database in the ingest-geoip config directory.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 first_only boolean
 
 If true, only the first found geoip data will be returned, even if the field contains an array.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 properties array[string]
 
 Controls what properties are added to the target_field based on the geoip lookup.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 download_database_on_pipeline_creation boolean
 
 If true (and if ingest.geoip.downloader.eager.download is false), the missing database is downloaded when the pipeline is created. Else, the download is triggered by when the pipeline is used as the default_pipeline or final_pipeline in an index.
 
 grok object
 
 Hide grok attributes Show grok attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 ecs_compatibility string
 
 Must be disabled or v1. If v1, the processor uses patterns with Elastic Common Schema (ECS) field names.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern_definitions object
 
 A map of pattern-name and pattern tuples defining custom patterns to be used by the current processor. Patterns matching existing names will override the pre-existing definition.
 
 patterns array[string] Required
 
 An ordered list of grok expression to match and extract named captures with. Returns on the first expression in the list that matches.
 
 trace_match boolean
 
 When true, _ingest._grok_match_index will be inserted into your matched document’s metadata with the index into the pattern found in patterns that matched.
 
 gsub object
 
 Hide gsub attributes Show gsub attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 pattern string Required
 
 The pattern to be replaced.
 
 replacement string Required
 
 The string to replace the matching patterns with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 html_strip object
 
 Hide html_strip attributes Show html_strip attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document,
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 inference object
 
 Hide inference attributes Show inference attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 model_id string Required
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_map object
 
 Maps the document field names to the known field names of the model. This mapping takes precedence over any default mappings provided in the model configuration.
 
 inference_config object
 
 input_output
 
 ignore_missing boolean
 
 If true and any of the input fields defined in input_ouput are missing then those missing fields are quietly ignored, otherwise a missing field causes a failure. Only applies when using input_output configurations to explicitly list the input fields.
 
 join object
 
 Hide join attributes Show join attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 separator string Required
 
 The separator character.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 json object
 
 Hide json attributes Show json attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 add_to_root boolean
 
 Flag that forces the parsed JSON to be added at the top level of the document. target_field must not be set when this option is chosen.
 
 add_to_root_conflict_strategy string
 
 Values are replace or merge.
 
 allow_duplicate_keys boolean
 
 When set to true, the JSON parser will not fail if the JSON contains duplicate keys. Instead, the last encountered value for any duplicate key wins.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 kv object
 
 Hide kv attributes Show kv attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 exclude_keys array[string]
 
 List of keys to exclude from document.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field_split string Required
 
 Regex pattern to use for splitting key-value pairs.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 include_keys array[string]
 
 List of keys to filter and insert into document. Defaults to including all keys.
 
 prefix string
 
 Prefix to be added to extracted keys.
 
 strip_brackets boolean
 
 If true. strip brackets (), <>, [] as well as quotes ' and " from extracted values.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 trim_key string
 
 String of characters to trim from extracted keys.
 
 trim_value string
 
 String of characters to trim from extracted values.
 
 value_split string Required
 
 Regex pattern to use for splitting the key from the value within a key-value pair.
 
 lowercase object
 
 Hide lowercase attributes Show lowercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 network_direction object
 
 Hide network_direction attributes Show network_direction attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 source_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 destination_ip string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 internal_networks array[string]
 
 List of internal networks. Supports IPv4 and IPv6 addresses and ranges in CIDR notation. Also supports the named ranges listed below. These may be constructed with template snippets. Must specify only one of internal_networks or internal_networks_field.
 
 internal_networks_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
 
 pipeline object
 
 Hide pipeline attributes Show pipeline attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 name string Required
 
 ignore_missing_pipeline boolean
 
 Whether to ignore missing pipelines instead of failing.
 
 redact object
 
 Hide redact attributes Show redact attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 patterns array[string] Required
 
 A list of grok expressions to match and redact named captures with
 
 pattern_definitions object
 
 prefix string
 
 Start a redacted section with this token
 
 suffix string
 
 End a redacted section with this token
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 skip_if_unlicensed boolean
 
 If true and the current license does not support running redact processors, then the processor quietly exits without modifying the document
 
 trace_redact boolean
 
 If true then ingest metadata _ingest._redact._is_redacted is set to true if the document has been redacted
 
 registered_domain object
 
 Hide registered_domain attributes Show registered_domain attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and any required fields are missing, the processor quietly exits without modifying the document.
 
 remove object
 
 Hide remove attributes Show remove attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string | array[string] Required
 
 keep string | array[string]
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 rename object
 
 Hide rename attributes Show rename attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 reroute object
 
 Hide reroute attributes Show reroute attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 destination string
 
 A static value for the target. Can’t be set when the dataset or namespace option is set.
 
 dataset
 
 namespace
 
 script object
 
 Hide script attributes Show script attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 id string
 
 lang
 
 params object
 
 Object containing parameters for the script.
 
 source
 
 set object
 
 Hide set attributes Show set attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 copy_from string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_empty_value boolean
 
 If true and value is a template snippet that evaluates to null or the empty string, the processor quietly exits without modifying the document.
 
 media_type string
 
 The media type for encoding value. Applies only when value is a template snippet. Must be one of application/json, text/plain, or application/x-www-form-urlencoded.
 
 override boolean
 
 If true processor will update fields with pre-existing non-null-valued field. When set to false, such fields will not be touched.
 
 value object
 
 The value to be set for the field. Supports template snippets. May specify only one of value or copy_from.
 
 set_security_user object
 
 Hide set_security_user attributes Show set_security_user attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what user related properties are added to the field.
 
 sort object
 
 Hide sort attributes Show sort attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 order string
 
 Values are asc or desc.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 split object
 
 Hide split attributes Show split attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 preserve_trailing boolean
 
 Preserves empty trailing fields, if any.
 
 separator string Required
 
 A regex which matches the separator, for example, , or \s+.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 terminate object
 
 Hide terminate attributes Show terminate attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 trim object
 
 Hide trim attributes Show trim attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 uppercase object
 
 Hide uppercase attributes Show uppercase attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 urldecode object
 
 Hide urldecode attributes Show urldecode attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist or is null, the processor quietly exits without modifying the document.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 uri_parts object
 
 Hide uri_parts attributes Show uri_parts attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 keep_original boolean
 
 If true, the processor copies the unparsed URI to <target_field>.original.
 
 remove_if_successful boolean
 
 If true, the processor removes the field after parsing the URI string. If parsing fails, the processor does not remove the field.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 user_agent object
 
 Hide user_agent attributes Show user_agent attributes object
 
 description string
 
 Description of the processor. Useful for describing the purpose of the processor or its configuration.
 
 if object
 
 ignore_failure boolean
 
 Ignore failures for the processor.
 
 on_failure array[object]
 
 Handle failures for the processor.
 
 tag string
 
 Identifier for the processor. Useful for debugging and metrics.
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 ignore_missing boolean
 
 If true and field does not exist, the processor quietly exits without modifying the document.
 
 regex_file string
 
 The name of the file in the config/ingest-user-agent directory containing the regular expressions for parsing the user agent string. Both the directory and the file have to be created before starting Elasticsearch. If not specified, ingest-user-agent will use the regexes.yaml from uap-core it ships with.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 properties array[string]
 
 Controls what properties are added to target_field.
 
 Values are name, os, device, original, or version.
 
 extract_device_type boolean Beta
 
 Extracts device type from the user agent string on a best-effort basis.
 
 version number
 
 deprecated boolean
 
 Marks this ingest pipeline as deprecated. When a deprecated ingest pipeline is referenced as the default or final pipeline when creating or updating a non-deprecated index template, Elasticsearch will emit a deprecation warning.
 
 _meta object
 
 Hide _meta attribute Show _meta attribute object
 
 * object Additional properties

GET /_ingest/pipeline

curl \
 --request GET 'http://api.example.com/_ingest/pipeline' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response for retrieving information about an ingest pipeline.

{
  "my-pipeline-id" : {
    "description" : "describe pipeline",
    "version" : 123,
    "processors" : [
      {
        "set" : {
          "field" : "foo",
          "value" : "bar"
        }
      }
    ]
  }
}

Run a grok processor Added in 6.1.0

GET /_ingest/processor/grok

Api key auth Basic auth Bearer auth

Extract structured fields out of a single text field within a document. You must choose which field to extract matched fields from, as well as the grok pattern you expect will match. A grok pattern is like a regular expression that supports aliased expressions that can be reused.

External documentation

Responses

200 application/json
Hide response attribute Show response attribute object
- patterns object Required
  
  Hide patterns attribute Show patterns attribute object
  
  * string Additional properties

GET /_ingest/processor/grok

curl \
 --request GET 'http://api.example.com/_ingest/processor/grok' \
 --header "Authorization: $API_KEY"

Create a calendar Added in 6.2.0

PUT /_ml/calendars/{calendar_id}

Api key auth Basic auth Bearer auth

Path parameters

calendar_id string Required

A string that uniquely identifies a calendar.

application/json

Body

job_ids array[string]

An array of anomaly detection job identifiers.
description string

A description of the calendar.

Responses

200 application/json
Hide response attributes Show response attributes object
- calendar_id string Required
- description string
  
  A description of the calendar.
- job_ids string | array[string] Required
  
  One of:
  Id string Ids array[string]

PUT /_ml/calendars/{calendar_id}

curl \
 --request PUT 'http://api.example.com/_ml/calendars/{calendar_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"job_ids":["string"],"description":"string"}'

Add anomaly detection job to calendar Added in 6.2.0

PUT /_ml/calendars/{calendar_id}/jobs/{job_id}

Api key auth Basic auth Bearer auth

Path parameters

calendar_id string Required

A string that uniquely identifies a calendar.
job_id string | array[string] Required

An identifier for the anomaly detection jobs. It can be a job identifier, a group name, or a comma-separated list of jobs or groups.

Responses

200 application/json
Hide response attributes Show response attributes object
- calendar_id string Required
- description string
  
  A description of the calendar.
- job_ids string | array[string] Required
  
  One of:
  Id string Ids array[string]

PUT /_ml/calendars/{calendar_id}/jobs/{job_id}

curl \
 --request PUT 'http://api.example.com/_ml/calendars/{calendar_id}/jobs/{job_id}' \
 --header "Authorization: $API_KEY"

Get anomaly detection job results for buckets Added in 5.4.0

POST /_ml/anomaly_detectors/{job_id}/results/buckets/{timestamp}

Api key auth Basic auth Bearer auth

The API presents a chronological view of the records, grouped by bucket.

Path parameters

job_id string Required

Identifier for the anomaly detection job.
timestamp string | number Required

The timestamp of a single bucket result. If you do not specify this parameter, the API returns information about all buckets.

Query parameters

anomaly_score number

Returns buckets with anomaly scores greater or equal than this value.
desc boolean

If true, the buckets are sorted in descending order.
end string | number

Returns buckets with timestamps earlier than this time. -1 means it is unset and results are not limited to specific timestamps.
exclude_interim boolean

If true, the output excludes interim results.
expand boolean

If true, the output includes anomaly records.
from number

Skips the specified number of buckets.
size number

Specifies the maximum number of buckets to obtain.
sort string

Specifies the sort field for the requested buckets.
start string | number

Returns buckets with timestamps after this time. -1 means it is unset and results are not limited to specific timestamps.

application/json

Body

anomaly_score number

Refer to the description for the anomaly_score query parameter.
desc boolean

Refer to the description for the desc query parameter.
end string | number

A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.

One of:
DateTime string UnitMillis number
exclude_interim boolean

Refer to the description for the exclude_interim query parameter.
expand boolean

Refer to the description for the expand query parameter.
page object
Hide page attributes Show page attributes object
- from number
  
  Skips the specified number of items.
- size number
  
  Specifies the maximum number of items to obtain.
sort string

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
start string | number

A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.

One of:
DateTime string UnitMillis number

Responses

200 application/json
Hide response attributes Show response attributes object
- buckets array[object] Required
  
  Hide buckets attributes Show buckets attributes object
  
  anomaly_score number Required
  
  The maximum anomaly score, between 0-100, for any of the bucket influencers. This is an overall, rate-limited score for the job. All the anomaly records in the bucket contribute to this score. This value might be updated as new data is analyzed.
  
  bucket_influencers array[object] Required
  
  Hide bucket_influencers attributes Show bucket_influencers attributes object
  
  anomaly_score number Required
  
  A normalized score between 0-100, which is calculated for each bucket influencer. This score might be updated as newer data is analyzed.
  
  bucket_span number
  
  Time unit for seconds
  
  influencer_field_name string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  initial_anomaly_score number Required
  
  The score between 0-100 for each bucket influencer. This score is the initial value that was calculated at the time the bucket was processed.
  
  is_interim boolean Required
  
  If true, this is an interim result. In other words, the results are calculated based on partial input data.
  
  job_id string Required
  
  probability number Required
  
  The probability that the bucket has this behavior, in the range 0 to 1. This value can be held to a high precision of over 300 decimal places, so the anomaly_score is provided as a human-readable and friendly interpretation of this.
  
  raw_anomaly_score number Required
  
  Internal.
  
  result_type string Required
  
  Internal. This value is always set to bucket_influencer.
  
  timestamp number
  
  Time unit for milliseconds
  
  timestamp_string string
  
  bucket_span number
  
  Time unit for seconds
  
  event_count number Required
  
  The number of input data records processed in this bucket.
  
  initial_anomaly_score number Required
  
  The maximum anomaly score for any of the bucket influencers. This is the initial value that was calculated at the time the bucket was processed.
  
  is_interim boolean Required
  
  If true, this is an interim result. In other words, the results are calculated based on partial input data.
  
  job_id string Required
  
  processing_time_ms number
  
  Time unit for milliseconds
  
  result_type string Required
  
  Internal. This value is always set to bucket.
  
  timestamp number
  
  Time unit for milliseconds
  
  timestamp_string string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
- count number Required

POST /_ml/anomaly_detectors/{job_id}/results/buckets/{timestamp}

curl \
 --request POST 'http://api.example.com/_ml/anomaly_detectors/{job_id}/results/buckets/{timestamp}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"anomaly_score":42.0,"desc":true,"":"string","exclude_interim":true,"expand":true,"page":{"from":42.0,"size":42.0},"sort":"string"}'

Get calendar configuration info Added in 6.2.0

POST /_ml/calendars

Api key auth Basic auth Bearer auth

Query parameters

from number

Skips the specified number of calendars. This parameter is supported only when you omit the calendar identifier.
size number

Specifies the maximum number of calendars to obtain. This parameter is supported only when you omit the calendar identifier.

application/json

Body

page object
Hide page attributes Show page attributes object
- from number
  
  Skips the specified number of items.
- size number
  
  Specifies the maximum number of items to obtain.

Responses

200 application/json
Hide response attributes Show response attributes object
- calendars array[object] Required
  
  Hide calendars attributes Show calendars attributes object
  
  calendar_id string Required
  
  description string
  
  A description of the calendar.
  
  job_ids array[string] Required
  
  An array of anomaly detection job identifiers.
- count number Required

POST /_ml/calendars

curl \
 --request POST 'http://api.example.com/_ml/calendars' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"page":{"from":42.0,"size":42.0}}'

Get anomaly detection job results for categories Added in 5.4.0

GET /_ml/anomaly_detectors/{job_id}/results/categories

Api key auth Basic auth Bearer auth

Path parameters

job_id string Required

Identifier for the anomaly detection job.

Query parameters

from number

Skips the specified number of categories.
partition_field_value string

Only return categories for the specified partition.
size number

Specifies the maximum number of categories to obtain.

application/json

Body

page object
Hide page attributes Show page attributes object
- from number
  
  Skips the specified number of items.
- size number
  
  Specifies the maximum number of items to obtain.

Responses

200 application/json
Hide response attributes Show response attributes object
- categories array[object] Required
  
  Hide categories attributes Show categories attributes object
  
  category_id number Required
  
  examples array[string] Required
  
  A list of examples of actual values that matched the category.
  
  grok_pattern string
  
  job_id string Required
  
  max_matching_length number Required
  
  partition_field_name string
  
  If per-partition categorization is enabled, this property identifies the field used to segment the categorization. It is not present when per-partition categorization is disabled.
  
  partition_field_value string
  
  If per-partition categorization is enabled, this property identifies the value of the partition_field_name for the category. It is not present when per-partition categorization is disabled.
  
  regex string Required
  
  A regular expression that is used to search for values that match the category.
  
  terms string Required
  
  A space separated list of the common tokens that are matched in values of the category.
  
  num_matches number
  
  The number of messages that have been matched by this category. This is only guaranteed to have the latest accurate count after a job _flush or _close
  
  preferred_to_categories array[string]
  
  A list of category_id entries that this current category encompasses. Any new message that is processed by the categorizer will match against this category and not any of the categories in this list. This is only guaranteed to have the latest accurate list of categories after a job _flush or _close
  
  p string
  
  result_type string Required
  
  mlcategory string Required
- count number Required

GET /_ml/anomaly_detectors/{job_id}/results/categories

curl \
 --request GET 'http://api.example.com/_ml/anomaly_detectors/{job_id}/results/categories' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"page":{"from":42.0,"size":42.0}}'

Get anomaly detection job stats Added in 5.5.0

GET /_ml/anomaly_detectors/{job_id}/_stats

Api key auth Basic auth Bearer auth

Path parameters

job_id string Required

Identifier for the anomaly detection job. It can be a job identifier, a group name, a comma-separated list of jobs, or a wildcard expression. If you do not specify one of these options, the API returns information for all anomaly detection jobs.

Query parameters

allow_no_match boolean
Specifies what to do when the request:
1. Contains wildcard expressions and there are no jobs that match.
2. Contains the _all string or no identifiers and there are no matches.
3. Contains wildcard expressions and there are only partial matches.
If true, the API returns an empty jobs array when there are no matches and the subset of results when there are partial matches. If false, the API returns a 404 status code when there are no matches or only partial matches.

Responses

200 application/json
Hide response attributes Show response attributes object
- count number Required
- jobs array[object] Required
  
  Hide jobs attributes Show jobs attributes object
  
  assignment_explanation string
  
  For open anomaly detection jobs only, contains messages relating to the selection of a node to run the job.
  
  data_counts object Required
  
  Hide data_counts attributes Show data_counts attributes object
  
  bucket_count number Required
  
  earliest_record_timestamp number
  
  empty_bucket_count number Required
  
  input_bytes number Required
  
  input_field_count number Required
  
  input_record_count number Required
  
  invalid_date_count number Required
  
  job_id string Required
  
  last_data_time number
  
  latest_empty_bucket_timestamp number
  
  latest_record_timestamp number
  
  latest_sparse_bucket_timestamp number
  
  latest_bucket_timestamp number
  
  log_time number
  
  missing_field_count number Required
  
  out_of_order_timestamp_count number Required
  
  processed_field_count number Required
  
  processed_record_count number Required
  
  sparse_bucket_count number Required
  
  forecasts_stats object Required
  
  Hide forecasts_stats attributes Show forecasts_stats attributes object
  
  memory_bytes object
  
  Hide memory_bytes attributes Show memory_bytes attributes object
  
  avg number Required
  
  max number Required
  
  min number Required
  
  total number Required
  
  processing_time_ms object
  
  Hide processing_time_ms attributes Show processing_time_ms attributes object
  
  avg number Required
  
  max number Required
  
  min number Required
  
  total number Required
  
  records object
  
  Hide records attributes Show records attributes object
  
  avg number Required
  
  max number Required
  
  min number Required
  
  total number Required
  
  status object
  
  Hide status attribute Show status attribute object
  
  * number Additional properties
  
  total number Required
  
  forecasted_jobs number Required
  
  job_id string Required
  
  Identifier for the anomaly detection job.
  
  model_size_stats object Required
  
  Hide model_size_stats attributes Show model_size_stats attributes object
  
  bucket_allocation_failures_count number Required
  
  job_id string Required
  
  log_time string | number Required
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  memory_status string Required
  
  Values are ok, soft_limit, or hard_limit.
  
  model_bytes number | string Required
  
  One of:
  ByteSize number ByteSize string
  
  model_bytes_exceeded number | string
  
  One of:
  ByteSize number ByteSize string
  
  model_bytes_memory_limit number | string
  
  One of:
  ByteSize number ByteSize string
  
  output_memory_allocator_bytes number | string
  
  One of:
  ByteSize number ByteSize string
  
  peak_model_bytes number | string
  
  One of:
  ByteSize number ByteSize string
  
  assignment_memory_basis string
  
  result_type string Required
  
  total_by_field_count number Required
  
  total_over_field_count number Required
  
  total_partition_field_count number Required
  
  categorization_status string Required
  
  Values are ok or warn.
  
  categorized_doc_count number Required
  
  dead_category_count number Required
  
  failed_category_count number Required
  
  frequent_category_count number Required
  
  rare_category_count number Required
  
  total_category_count number Required
  
  timestamp number
  
  node object
  
  Hide node attributes Show node attributes object
  
  name string Required
  
  ephemeral_id string Required
  
  id string Required
  
  transport_address string Required
  
  attributes object Required
  
  Hide attributes attribute Show attributes attribute object
  
  * string Additional properties
  
  open_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  state string Required
  
  Values are closing, closed, opened, failed, or opening.
  
  timing_stats object Required
  
  Hide timing_stats attributes Show timing_stats attributes object
  
  average_bucket_processing_time_ms number
  
  Time unit for fractional milliseconds
  
  bucket_count number Required
  
  exponential_average_bucket_processing_time_ms number
  
  Time unit for fractional milliseconds
  
  exponential_average_bucket_processing_time_per_hour_ms number
  
  Time unit for fractional milliseconds
  
  job_id string Required
  
  total_bucket_processing_time_ms number
  
  Time unit for fractional milliseconds
  
  maximum_bucket_processing_time_ms number
  
  Time unit for fractional milliseconds
  
  minimum_bucket_processing_time_ms number
  
  Time unit for fractional milliseconds
  
  deleting boolean
  
  Indicates that the process of deleting the job is in progress but not yet completed. It is only reported when true.

GET /_ml/anomaly_detectors/{job_id}/_stats

curl \
 --request GET 'http://api.example.com/_ml/anomaly_detectors/{job_id}/_stats' \
 --header "Authorization: $API_KEY"

Open anomaly detection jobs Added in 5.4.0

POST /_ml/anomaly_detectors/{job_id}/_open

Api key auth Basic auth Bearer auth

An anomaly detection job must be opened to be ready to receive and analyze data. It can be opened and closed multiple times throughout its lifecycle. When you open a new job, it starts with an empty model. When you open an existing job, the most recent model state is automatically loaded. The job is ready to resume its analysis from where it left off, once new data is received.

Path parameters

job_id string Required

Identifier for the anomaly detection job.

Query parameters

timeout string

Controls the time to wait until a job has opened.

Values are -1 or 0.

application/json

Body

timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

Responses

200 application/json
Hide response attributes Show response attributes object
- opened boolean Required
- node string Required

POST /_ml/anomaly_detectors/{job_id}/_open

curl \
 --request POST 'http://api.example.com/_ml/anomaly_detectors/{job_id}/_open' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"timeout\": \"35m\"\n}"'

Request example

A request to open anomaly detection jobs. The timeout specifies to wait 35 minutes for the job to open.

{
  "timeout": "35m"
}

Response examples (200)

A successful response when opening an anomaly detection job.

{
  "opened": true,
  "node": "node-1"
}

Preview a datafeed Added in 5.4.0

POST /_ml/datafeeds/{datafeed_id}/_preview

Api key auth Basic auth Bearer auth

This API returns the first "page" of search results from a datafeed. You can preview an existing datafeed or provide configuration details for a datafeed and anomaly detection job in the API. The preview shows the structure of the data that will be passed to the anomaly detection engine. IMPORTANT: When Elasticsearch security features are enabled, the preview uses the credentials of the user that called the API. However, when the datafeed starts it uses the roles of the last user that created or updated the datafeed. To get a preview that accurately reflects the behavior of the datafeed, use the appropriate credentials. You can also use secondary authorization headers to supply the credentials.

Path parameters

datafeed_id string Required

A numerical character string that uniquely identifies the datafeed. This identifier can contain lowercase alphanumeric characters (a-z and 0-9), hyphens, and underscores. It must start and end with alphanumeric characters. NOTE: If you use this path parameter, you cannot provide datafeed or anomaly detection job configuration details in the request body.

Query parameters

start string | number

The start time from where the datafeed preview should begin
end string | number

The end time when the datafeed preview should stop

application/json

Body

datafeed_config object
Hide datafeed_config attributes Show datafeed_config attributes object
- aggregations object
  
  If set, the datafeed performs aggregation searches. Support for aggregations is limited and should be used only with low cardinality data.
- chunking_config object
  Hide chunking_config attributes Show chunking_config attributes object
  
  mode string Required
  
  Values are auto, manual, or off.
  
  time_span string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- datafeed_id string
- delayed_data_check_config object
  Hide delayed_data_check_config attributes Show delayed_data_check_config attributes object
  
  check_window string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  enabled boolean Required
  
  Specifies whether the datafeed periodically checks for delayed data.
- frequency string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- indices string | array[string]
- indices_options object
  Hide indices_options attributes Show indices_options attributes object
  
  allow_no_indices boolean
  
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  
  expand_wildcards string | array[string]
  
  ignore_unavailable boolean
  
  If true, missing or closed indices are not included in the response.
  
  ignore_throttled boolean
  
  If true, concrete, expanded or aliased indices are ignored when frozen.
- job_id string
- max_empty_searches number
  
  If a real-time datafeed has never seen any data (including during any initial training period) then it will automatically stop itself and close its associated job after this many real-time searches that return no documents. In other words, it will stop after frequency times max_empty_searches of real-time operation. If not set then a datafeed with no end time that sees no data will remain started until it is explicitly stopped.
- query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
- query_delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- runtime_mappings object
  Hide runtime_mappings attribute Show runtime_mappings attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  collapse object
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  knn
  
  rank object
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  rescore
  
  retriever object
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  sort
  
  _source
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  stored_fields string | array[string]
  
  pit object
  
  runtime_mappings object
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
- script_fields object
  
  Specifies scripts that evaluate custom expressions and returns script fields to the datafeed. The detector configuration objects in a job can contain functions that use these script fields.
  Hide script_fields attribute Show script_fields attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  collapse object
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  knn
  
  rank object
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  rescore
  
  retriever object
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  sort
  
  _source
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  stored_fields string | array[string]
  
  pit object
  
  runtime_mappings object
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  ignore_failure boolean
- scroll_size number
  
  The size parameter that is used in Elasticsearch searches when the datafeed does not use aggregations. The maximum value is the value of index.max_result_window, which is 10,000 by default.
job_config object
Hide job_config attributes Show job_config attributes object
- allow_lazy_open boolean
  
  Advanced configuration option. Specifies whether this job can open when there is insufficient machine learning node capacity for it to be immediately assigned to a node.
- analysis_config object Required
  Hide analysis_config attributes Show analysis_config attributes object
  
  bucket_span string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  categorization_analyzer string | object
  
  One of:
  CategorizationAnalyzer string CategorizationAnalyzerDefinition object
  
  Hide attributes Show attributes
  
  char_filter array
  
  One or more character filters. In addition to the built-in character filters, other plugins can provide more character filters. If this property is not specified, no character filters are applied prior to categorization. If you are customizing some other aspect of the analyzer and you need to achieve the equivalent of categorization_filters (which are not permitted when some other aspect of the analyzer is customized), add them here as pattern replace character filters.
  
  External documentation
  
  filter array
  
  One or more token filters. In addition to the built-in token filters, other plugins can provide more token filters. If this property is not specified, no token filters are applied prior to categorization.
  
  External documentation
  
  tokenizer object | string
  
  The name or definition of the tokenizer to use after character filters are applied. This property is compulsory if categorization_analyzer is specified as an object. Machine learning provides a tokenizer called ml_standard that tokenizes in a way that has been determined to produce good categorization results on a variety of log file formats for logs in English. If you want to use that tokenizer but change the character or token filters, specify "tokenizer": "ml_standard" in your categorization_analyzer. Additionally, the ml_classic tokenizer is available, which tokenizes in the same way as the non-customizable tokenizer in old versions of the product (before 6.2). ml_classic was the default categorization tokenizer in versions 6.2 to 7.13, so if you need categorization identical to the default for jobs created in these versions, specify "tokenizer": "ml_classic" in your categorization_analyzer.
  
  One of:
  object-1 object string-2 string
  
  Tokenizer reference
  
  categorization_field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  categorization_filters array[string]
  
  If categorization_field_name is specified, you can also define optional filters. This property expects an array of regular expressions. The expressions are used to filter out matching sequences from the categorization field values. You can use this functionality to fine tune the categorization by excluding sequences from consideration when categories are defined. For example, you can exclude SQL statements that appear in your log files. This property cannot be used at the same time as categorization_analyzer. If you only want to define simple regular expression filters that are applied prior to tokenization, setting this property is the easiest method. If you also want to customize the tokenizer or post-tokenization filtering, use the categorization_analyzer property instead and include the filters as pattern_replace character filters. The effect is exactly the same.
  
  detectors array[object] Required
  
  Detector configuration objects specify which data fields a job analyzes. They also specify which analytical functions are used. You can specify multiple detectors for a job. If the detectors array does not contain at least one detector, no analysis can occur and an error is returned.
  
  Hide detectors attributes Show detectors attributes object
  
  by_field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  custom_rules array[object]
  
  Custom rules enable you to customize the way detectors operate. For example, a rule may dictate conditions under which results should be skipped. Kibana refers to custom rules as job rules.
  
  Hide custom_rules attributes Show custom_rules attributes object
  
  actions array[string]
  
  The set of actions to be triggered when the rule applies. If more than one action is specified the effects of all actions are combined.
  
  Supported values include:
  
  skip_result: The result will not be created. Unless you also specify skip_model_update, the model will be updated as usual with the corresponding series value.
  
  skip_model_update: The value for that series will not be used to update the model. Unless you also specify skip_result, the results will be created as usual. This action is suitable when certain values are expected to be consistently anomalous and they affect the model in a way that negatively impacts the rest of the results.
  
  Values are skip_result or skip_model_update.
  
  conditions array[object]
  
  An array of numeric conditions when the rule applies. A rule must either have a non-empty scope or at least one condition. Multiple conditions are combined together with a logical AND.
  
  scope object
  
  A scope of series where the rule applies. A rule must either have a non-empty scope or at least one condition. By default, the scope includes all series. Scoping is allowed for any of the fields that are also specified in by_field_name, over_field_name, or partition_field_name.
  
  detector_description string
  
  A description of the detector.
  
  detector_index number
  
  A unique identifier for the detector. This identifier is based on the order of the detectors in the analysis_config, starting at zero. If you specify a value for this property, it is ignored.
  
  exclude_frequent string
  
  Values are all, none, by, or over.
  
  field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  function string
  
  The analysis function that is used. For example, count, rare, mean, min, max, or sum.
  
  over_field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  partition_field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  use_null boolean
  
  Defines whether a new series is used as the null series when there is no value for the by or partition fields.
  
  influencers array[string]
  
  A comma separated list of influencer field names. Typically these can be the by, over, or partition fields that are used in the detector configuration. You might also want to use a field name that is not specifically named in a detector, but is available as part of the input data. When you use multiple detectors, the use of influencers is recommended as it aggregates results for each influencer entity.
  
  latency string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  model_prune_window string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  multivariate_by_fields boolean
  
  This functionality is reserved for internal use. It is not supported for use in customer environments and is not subject to the support SLA of official GA features. If set to true, the analysis will automatically find correlations between metrics for a given by field value and report anomalies when those correlations cease to hold. For example, suppose CPU and memory usage on host A is usually highly correlated with the same metrics on host B. Perhaps this correlation occurs because they are running a load-balanced application. If you enable this property, anomalies will be reported when, for example, CPU usage on host A is high and the value of CPU usage on host B is low. That is to say, you’ll see an anomaly when the CPU of host A is unusual given the CPU of host B. To use the multivariate_by_fields property, you must also specify by_field_name in your detector.
  
  per_partition_categorization object
  
  Hide per_partition_categorization attributes Show per_partition_categorization attributes object
  
  enabled boolean
  
  To enable this setting, you must also set the partition_field_name property to the same value in every detector that uses the keyword mlcategory. Otherwise, job creation fails.
  
  stop_on_warn boolean
  
  This setting can be set to true only if per-partition categorization is enabled. If true, both categorization and subsequent anomaly detection stops for partitions where the categorization status changes to warn. This setting makes it viable to have a job where it is expected that categorization works well for some partitions but not others; you do not pay the cost of bad categorization forever in the partitions where it works badly.
  
  summary_count_field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- analysis_limits object
  Hide analysis_limits attributes Show analysis_limits attributes object
  
  categorization_examples_limit number
  
  The maximum number of examples stored per category in memory and in the results data store. If you increase this value, more examples are available, however it requires that you have more storage available. If you set this value to 0, no examples are stored. NOTE: The categorization_examples_limit applies only to analysis that uses categorization.
  
  model_memory_limit number | string
  
  One of:
  ByteSize number ByteSize string
- background_persist_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- custom_settings object
  
  Custom metadata about the job
- daily_model_snapshot_retention_after_days number
  
  Advanced configuration option, which affects the automatic removal of old model snapshots for this job. It specifies a period of time (in days) after which only the first snapshot per day is retained. This period is relative to the timestamp of the most recent snapshot for this job.
- data_description object Required
  Hide data_description attributes Show data_description attributes object
  
  format string
  
  Only JSON format is supported at this time.
  
  time_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  time_format string
  
  The time format, which can be epoch, epoch_ms, or a custom pattern. The value epoch refers to UNIX or Epoch time (the number of seconds since 1 Jan 1970). The value epoch_ms indicates that time is measured in milliseconds since the epoch. The epoch and epoch_ms time formats accept either integer or real values. Custom patterns must conform to the Java DateTimeFormatter class. When you use date-time formatting patterns, it is recommended that you provide the full date, time and time zone. For example: yyyy-MM-dd'T'HH:mm:ssX. If the pattern that you specify is not sufficient to produce a complete timestamp, job creation fails.
  
  field_delimiter string
- datafeed_config object
  Hide datafeed_config attributes Show datafeed_config attributes object
  
  aggregations object
  
  If set, the datafeed performs aggregation searches. Support for aggregations is limited and should be used only with low cardinality data.
  
  chunking_config object
  
  Hide chunking_config attributes Show chunking_config attributes object
  
  mode string Required
  
  Values are auto, manual, or off.
  
  time_span string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  datafeed_id string
  
  delayed_data_check_config object
  
  Hide delayed_data_check_config attributes Show delayed_data_check_config attributes object
  
  check_window string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  enabled boolean Required
  
  Specifies whether the datafeed periodically checks for delayed data.
  
  frequency string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  indices string | array[string]
  
  indices_options object
  
  Hide indices_options attributes Show indices_options attributes object
  
  allow_no_indices boolean
  
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  
  expand_wildcards string | array[string]
  
  ignore_unavailable boolean
  
  If true, missing or closed indices are not included in the response.
  
  ignore_throttled boolean
  
  If true, concrete, expanded or aliased indices are ignored when frozen.
  
  job_id string
  
  max_empty_searches number
  
  If a real-time datafeed has never seen any data (including during any initial training period) then it will automatically stop itself and close its associated job after this many real-time searches that return no documents. In other words, it will stop after frequency times max_empty_searches of real-time operation. If not set then a datafeed with no end time that sees no data will remain started until it is explicitly stopped.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  query_delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  runtime_mappings object
  
  Hide runtime_mappings attribute Show runtime_mappings attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  script_fields object
  
  Specifies scripts that evaluate custom expressions and returns script fields to the datafeed. The detector configuration objects in a job can contain functions that use these script fields.
  
  Hide script_fields attribute Show script_fields attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  ignore_failure boolean
  
  scroll_size number
  
  The size parameter that is used in Elasticsearch searches when the datafeed does not use aggregations. The maximum value is the value of index.max_result_window, which is 10,000 by default.
- description string
  
  A description of the job.
- groups array[string]
  
  A list of job groups. A job can belong to no groups or many.
- job_id string
- job_type string
  
  Reserved for future use, currently set to anomaly_detector.
- model_plot_config object
  Hide model_plot_config attributes Show model_plot_config attributes object
  
  annotations_enabled boolean
  
  If true, enables calculation and storage of the model change annotations for each entity that is being analyzed.
  
  enabled boolean
  
  If true, enables calculation and storage of the model bounds for each entity that is being analyzed.
  
  terms string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- model_snapshot_retention_days number
  
  Advanced configuration option, which affects the automatic removal of old model snapshots for this job. It specifies the maximum period of time (in days) that snapshots are retained. This period is relative to the timestamp of the most recent snapshot for this job. The default value is 10, which means snapshots ten days older than the newest snapshot are deleted.
- renormalization_window_days number
  
  Advanced configuration option. The period over which adjustments to the score are applied, as new data is seen. The default value is the longer of 30 days or 100 bucket_spans.
- results_index_name string
- results_retention_days number
  
  Advanced configuration option. The period of time (in days) that results are retained. Age is calculated relative to the timestamp of the latest bucket result. If this property has a non-null value, once per day at 00:30 (server time), results that are the specified number of days older than the latest bucket result are deleted from Elasticsearch. The default value is null, which means all results are retained. Annotations generated by the system also count as results for retention purposes; they are deleted after the same number of days as results. Annotations added by users are retained forever.

Responses

200 application/json

POST /_ml/datafeeds/{datafeed_id}/_preview

curl \
 --request POST 'http://api.example.com/_ml/datafeeds/{datafeed_id}/_preview' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"datafeed_config":{"aggregations":{},"chunking_config":{"mode":"auto","time_span":"string"},"datafeed_id":"string","delayed_data_check_config":{"check_window":"string","enabled":true},"frequency":"string","indices":"string","indices_options":{"allow_no_indices":true,"expand_wildcards":"string","ignore_unavailable":true,"ignore_throttled":true},"job_id":"string","max_empty_searches":42.0,"query":{},"query_delay":"string","runtime_mappings":{"additionalProperty1":{"fields":{"additionalProperty1":{"type":"boolean"},"additionalProperty2":{"type":"boolean"}},"fetch_fields":[{"field":"string","format":"string"}],"format":"string","input_field":"string","target_field":"string","target_index":"string","script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"type":"boolean"},"additionalProperty2":{"fields":{"additionalProperty1":{"type":"boolean"},"additionalProperty2":{"type":"boolean"}},"fetch_fields":[{"field":"string","format":"string"}],"format":"string","input_field":"string","target_field":"string","target_index":"string","script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"type":"boolean"}},"script_fields":{"additionalProperty1":{"script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"ignore_failure":true},"additionalProperty2":{"script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"ignore_failure":true}},"scroll_size":42.0},"job_config":{"allow_lazy_open":true,"analysis_config":{"bucket_span":"string","":"string","categorization_field_name":"string","categorization_filters":["string"],"detectors":[{"by_field_name":"string","custom_rules":[{"actions":["skip_result"],"conditions":[{}],"scope":{}}],"detector_description":"string","detector_index":42.0,"exclude_frequent":"all","field_name":"string","function":"string","over_field_name":"string","partition_field_name":"string","use_null":true}],"influencers":["string"],"latency":"string","model_prune_window":"string","multivariate_by_fields":true,"per_partition_categorization":{"enabled":true,"stop_on_warn":true},"summary_count_field_name":"string"},"analysis_limits":{"categorization_examples_limit":42.0,"":42.0},"background_persist_interval":"string","custom_settings":{},"daily_model_snapshot_retention_after_days":42.0,"data_description":{"format":"string","time_field":"string","time_format":"string","field_delimiter":"string"},"datafeed_config":{"aggregations":{},"chunking_config":{"mode":"auto","time_span":"string"},"datafeed_id":"string","delayed_data_check_config":{"check_window":"string","enabled":true},"frequency":"string","indices":"string","indices_options":{"allow_no_indices":true,"expand_wildcards":"string","ignore_unavailable":true,"ignore_throttled":true},"job_id":"string","max_empty_searches":42.0,"query":{},"query_delay":"string","runtime_mappings":{"additionalProperty1":{"fields":{"additionalProperty1":{"type":"boolean"},"additionalProperty2":{"type":"boolean"}},"fetch_fields":[{"field":"string","format":"string"}],"format":"string","input_field":"string","target_field":"string","target_index":"string","script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"type":"boolean"},"additionalProperty2":{"fields":{"additionalProperty1":{"type":"boolean"},"additionalProperty2":{"type":"boolean"}},"fetch_fields":[{"field":"string","format":"string"}],"format":"string","input_field":"string","target_field":"string","target_index":"string","script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"type":"boolean"}},"script_fields":{"additionalProperty1":{"script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"ignore_failure":true},"additionalProperty2":{"script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"ignore_failure":true}},"scroll_size":42.0},"description":"string","groups":["string"],"job_id":"string","job_type":"string","model_plot_config":{"annotations_enabled":true,"enabled":true,"terms":"string"},"model_snapshot_retention_days":42.0,"renormalization_window_days":42.0,"results_index_name":"string","results_retention_days":42.0}}'

Revert to a snapshot Added in 5.4.0

POST /_ml/anomaly_detectors/{job_id}/model_snapshots/{snapshot_id}/_revert

Api key auth Basic auth Bearer auth

The machine learning features react quickly to anomalous input, learning new behaviors in data. Highly anomalous input increases the variance in the models whilst the system learns whether this is a new step-change in behavior or a one-off event. In the case where this anomalous input is known to be a one-off, then it might be appropriate to reset the model state to a time before this event. For example, you might consider reverting to a saved snapshot after Black Friday or a critical system failure.

Path parameters

job_id string Required

Identifier for the anomaly detection job.
snapshot_id string Required

You can specify empty as the . Reverting to the empty snapshot means the anomaly detection job starts learning a new model from scratch when it is started.

Query parameters

delete_intervening_results boolean

If true, deletes the results in the time period between the latest results and the time of the reverted snapshot. It also resets the model to accept records for this time period. If you choose not to delete intervening results when reverting a snapshot, the job will not accept input data that is older than the current time. If you want to resend data, then delete the intervening results.

application/json

Body

delete_intervening_results boolean

Refer to the description for the delete_intervening_results query parameter.

Responses

200 application/json
Hide response attribute Show response attribute object
- model object Required
  
  Hide model attributes Show model attributes object
  
  description string
  
  An optional description of the job.
  
  job_id string Required
  
  latest_record_time_stamp number
  
  The timestamp of the latest processed record.
  
  latest_result_time_stamp number
  
  The timestamp of the latest bucket result.
  
  min_version string Required
  
  model_size_stats object
  
  Hide model_size_stats attributes Show model_size_stats attributes object
  
  bucket_allocation_failures_count number Required
  
  job_id string Required
  
  log_time string | number Required
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  memory_status string Required
  
  Values are ok, soft_limit, or hard_limit.
  
  model_bytes number | string Required
  
  One of:
  ByteSize number ByteSize string
  
  model_bytes_exceeded number | string
  
  One of:
  ByteSize number ByteSize string
  
  model_bytes_memory_limit number | string
  
  One of:
  ByteSize number ByteSize string
  
  output_memory_allocator_bytes number | string
  
  One of:
  ByteSize number ByteSize string
  
  peak_model_bytes number | string
  
  One of:
  ByteSize number ByteSize string
  
  assignment_memory_basis string
  
  result_type string Required
  
  total_by_field_count number Required
  
  total_over_field_count number Required
  
  total_partition_field_count number Required
  
  categorization_status string Required
  
  Values are ok or warn.
  
  categorized_doc_count number Required
  
  dead_category_count number Required
  
  failed_category_count number Required
  
  frequent_category_count number Required
  
  rare_category_count number Required
  
  total_category_count number Required
  
  timestamp number
  
  retain boolean Required
  
  If true, this snapshot will not be deleted during automatic cleanup of snapshots older than model_snapshot_retention_days. However, this snapshot will be deleted when the job is deleted. The default value is false.
  
  snapshot_doc_count number Required
  
  For internal use only.
  
  snapshot_id string Required
  
  timestamp number Required
  
  The creation timestamp for the snapshot.

POST /_ml/anomaly_detectors/{job_id}/model_snapshots/{snapshot_id}/_revert

curl \
 --request POST 'http://api.example.com/_ml/anomaly_detectors/{job_id}/model_snapshots/{snapshot_id}/_revert' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"delete_intervening_results":true}'

Evaluate data frame analytics Added in 7.3.0

POST /_ml/data_frame/_evaluate

Api key auth Basic auth Bearer auth

The API packages together commonly used evaluation metrics for various types of machine learning features. This has been designed for use on indexes created by data frame analytics. Evaluation requires both a ground truth field and an analytics result field to be present.

application/json

Body Required

evaluation object Required
Hide evaluation attributes Show evaluation attributes object
- classification object
  Hide classification attributes Show classification attributes object
  
  actual_field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  predicted_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  top_classes_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  metrics object
  
  Hide metrics attributes Show metrics attributes object
  
  auc_roc object
  
  Hide auc_roc attributes Show auc_roc attributes object
  
  class_name string
  
  include_curve boolean
  
  Whether or not the curve should be returned in addition to the score. Default value is false.
  
  precision object
  
  Precision of predictions (per-class and average).
  
  Hide precision attribute Show precision attribute object
  
  * object Additional properties
  
  recall object
  
  Recall of predictions (per-class and average).
  
  Hide recall attribute Show recall attribute object
  
  * object Additional properties
  
  accuracy object
  
  Accuracy of predictions (per-class and overall).
  
  Hide accuracy attribute Show accuracy attribute object
  
  * object Additional properties
  
  multiclass_confusion_matrix object
  
  Multiclass confusion matrix.
  
  Hide multiclass_confusion_matrix attribute Show multiclass_confusion_matrix attribute object
  
  * object Additional properties
- outlier_detection object
  Hide outlier_detection attributes Show outlier_detection attributes object
  
  actual_field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  predicted_probability_field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  metrics object
  
  Hide metrics attributes Show metrics attributes object
  
  auc_roc object
  
  Hide auc_roc attributes Show auc_roc attributes object
  
  class_name string
  
  include_curve boolean
  
  Whether or not the curve should be returned in addition to the score. Default value is false.
  
  precision object
  
  Precision of predictions (per-class and average).
  
  Hide precision attribute Show precision attribute object
  
  * object Additional properties
  
  recall object
  
  Recall of predictions (per-class and average).
  
  Hide recall attribute Show recall attribute object
  
  * object Additional properties
  
  confusion_matrix object
  
  Accuracy of predictions (per-class and overall).
  
  Hide confusion_matrix attribute Show confusion_matrix attribute object
  
  * object Additional properties
- regression object
  Hide regression attributes Show regression attributes object
  
  actual_field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  predicted_field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  metrics object
  
  Hide metrics attributes Show metrics attributes object
  
  mse object
  
  Average squared difference between the predicted values and the actual (ground truth) value. For more information, read this wiki article.
  
  Hide mse attribute Show mse attribute object
  
  * object Additional properties
  
  msle object
  
  Hide msle attribute Show msle attribute object
  
  offset number
  
  Defines the transition point at which you switch from minimizing quadratic error to minimizing quadratic log error. Defaults to 1.
  
  huber object
  
  Hide huber attribute Show huber attribute object
  
  delta number
  
  Approximates 1/2 (prediction - actual)2 for values much less than delta and approximates a straight line with slope delta for values much larger than delta. Defaults to 1. Delta needs to be greater than 0.
  
  r_squared object
  
  Proportion of the variance in the dependent variable that is predictable from the independent variables.
  
  Hide r_squared attribute Show r_squared attribute object
  
  * object Additional properties
index string Required
query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- classification object
  
  Hide classification attributes Show classification attributes object
  
  auc_roc object
  
  Hide auc_roc attributes Show auc_roc attributes object
  
  value number Required
  
  curve array[object]
  
  Hide curve attributes Show curve attributes object
  
  tpr number Required
  
  fpr number Required
  
  threshold number Required
  
  accuracy object
  
  Hide accuracy attributes Show accuracy attributes object
  
  classes array[object] Required
  
  Hide classes attributes Show classes attributes object
  
  value number Required
  
  class_name string Required
  
  overall_accuracy number Required
  
  multiclass_confusion_matrix object
  
  Hide multiclass_confusion_matrix attributes Show multiclass_confusion_matrix attributes object
  
  confusion_matrix array[object] Required
  
  Hide confusion_matrix attributes Show confusion_matrix attributes object
  
  actual_class string Required
  
  actual_class_doc_count number Required
  
  predicted_classes array[object] Required
  
  other_predicted_class_doc_count number Required
  
  other_actual_class_count number Required
  
  precision object
  
  Hide precision attributes Show precision attributes object
  
  classes array[object] Required
  
  Hide classes attributes Show classes attributes object
  
  value number Required
  
  class_name string Required
  
  avg_precision number Required
  
  recall object
  
  Hide recall attributes Show recall attributes object
  
  classes array[object] Required
  
  Hide classes attributes Show classes attributes object
  
  value number Required
  
  class_name string Required
  
  avg_recall number Required
- outlier_detection object
  
  Hide outlier_detection attributes Show outlier_detection attributes object
  
  auc_roc object
  
  Hide auc_roc attributes Show auc_roc attributes object
  
  value number Required
  
  curve array[object]
  
  Hide curve attributes Show curve attributes object
  
  tpr number Required
  
  fpr number Required
  
  threshold number Required
  
  precision object
  
  Set the different thresholds of the outlier score at where the metric is calculated.
  
  Hide precision attribute Show precision attribute object
  
  * number Additional properties
  
  recall object
  
  Set the different thresholds of the outlier score at where the metric is calculated.
  
  Hide recall attribute Show recall attribute object
  
  * number Additional properties
  
  confusion_matrix object
  
  Set the different thresholds of the outlier score at where the metrics (tp - true positive, fp - false positive, tn - true negative, fn - false negative) are calculated.
  
  Hide confusion_matrix attribute Show confusion_matrix attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  tp number Required
  
  True Positive
  
  fp number Required
  
  False Positive
  
  tn number Required
  
  True Negative
  
  fn number Required
  
  False Negative
- regression object
  
  Hide regression attributes Show regression attributes object
  
  huber object
  
  Hide huber attribute Show huber attribute object
  
  value number Required
  
  mse object
  
  Hide mse attribute Show mse attribute object
  
  value number Required
  
  msle object
  
  Hide msle attribute Show msle attribute object
  
  value number Required
  
  r_squared object
  
  Hide r_squared attribute Show r_squared attribute object
  
  value number Required

POST /_ml/data_frame/_evaluate

POST _ml/data_frame/_evaluate
{
  "index": "animal_classification",
  "evaluation": {
    "classification": {
      "actual_field": "animal_class",
      "predicted_field": "ml.animal_class_prediction",
      "metrics": {
        "multiclass_confusion_matrix": {}
      }
    }
  }
}

curl \
 --request POST 'http://api.example.com/_ml/data_frame/_evaluate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"index\": \"animal_classification\",\n  \"evaluation\": {\n    \"classification\": {\n      \"actual_field\": \"animal_class\",\n      \"predicted_field\": \"ml.animal_class_prediction\",\n      \"metrics\": {\n        \"multiclass_confusion_matrix\": {}\n      }\n    }\n  }\n}"'

Request examples

Run `POST _ml/data_frame/_evaluate` to evaluate a a classification job for an annotated index. The `actual_field` contains the ground truth for classification. The `predicted_field` contains the predicted value calculated by the classification analysis.

{
  "index": "animal_classification",
  "evaluation": {
    "classification": {
      "actual_field": "animal_class",
      "predicted_field": "ml.animal_class_prediction",
      "metrics": {
        "multiclass_confusion_matrix": {}
      }
    }
  }
}

Run `POST _ml/data_frame/_evaluate` to evaluate a classification job with AUC ROC metrics for an annotated index. The `actual_field` contains the ground truth value for the actual animal classification. This is required in order to evaluate results. The `class_name` specifies the class name that is treated as positive during the evaluation, all the other classes are treated as negative.

{
  "index": "animal_classification",
  "evaluation": {
    "classification": {
      "actual_field": "animal_class",
      "metrics": {
        "auc_roc": {
          "class_name": "dog"
        }
      }
    }
  }
}

Run `POST _ml/data_frame/_evaluate` to evaluate an outlier detection job for an annotated index.

{
  "index": "my_analytics_dest_index",
  "evaluation": {
    "outlier_detection": {
      "actual_field": "is_outlier",
      "predicted_probability_field": "ml.outlier_score"
    }
  }
}

Run `POST _ml/data_frame/_evaluate` to evaluate the testing error of a regression job for an annotated index. The term query in the body limits evaluation to be performed on the test split only. The `actual_field` contains the ground truth for house prices. The `predicted_field` contains the house price calculated by the regression analysis.

{
  "index": "house_price_predictions",
  "query": {
    "bool": {
      "filter": [
        {
          "term": {
            "ml.is_training": false
          }
        }
      ]
    }
  },
  "evaluation": {
    "regression": {
      "actual_field": "price",
      "predicted_field": "ml.price_prediction",
      "metrics": {
        "r_squared": {},
        "mse": {},
        "msle": {
          "offset": 10
        },
        "huber": {
          "delta": 1.5
        }
      }
    }
  }
}

Run `POST _ml/data_frame/_evaluate` to evaluate the training error of a regression job for an annotated index. The term query in the body limits evaluation to be performed on the training split only. The `actual_field` contains the ground truth for house prices. The `predicted_field` contains the house price calculated by the regression analysis.

{
  "index": "house_price_predictions",
  "query": {
    "term": {
      "ml.is_training": {
        "value": true
      }
    }
  },
  "evaluation": {
    "regression": {
      "actual_field": "price",
      "predicted_field": "ml.price_prediction",
      "metrics": {
        "r_squared": {},
        "mse": {},
        "msle": {},
        "huber": {}
      }
    }
  }
}

Response examples (200)

A succesful response from `POST _ml/data_frame/_evaluate` to evaluate a classification analysis job for an annotated index. The `actual_class` contains the name of the class the analysis tried to predict. The `actual_class_doc_count` is the number of documents in the index belonging to the `actual_class`. The `predicted_classes` object contains the list of the predicted classes and the number of predictions associated with the class.

{
  "classification": {
    "multiclass_confusion_matrix": {
      "confusion_matrix": [
        {
          "actual_class": "cat",
          "actual_class_doc_count": 12,
          "predicted_classes": [
            {
              "predicted_class": "cat",
              "count": 12
            },
            {
              "predicted_class": "dog",
              "count": 0
            }
          ],
          "other_predicted_class_doc_count": 0
        },
        {
          "actual_class": "dog",
          "actual_class_doc_count": 11,
          "predicted_classes": [
            {
              "predicted_class": "dog",
              "count": 7
            },
            {
              "predicted_class": "cat",
              "count": 4
            }
          ],
          "other_predicted_class_doc_count": 0
        }
      ],
      "other_actual_class_count": 0
    }
  }
}

A succesful response from `POST _ml/data_frame/_evaluate` to evaluate a classification analysis job with the AUC ROC metrics for an annotated index.

{
  "classification": {
    "auc_roc": {
      "value": 0.8941788639536681
    }
  }
}

A successful response from `POST _ml/data_frame/_evaluate` to evaluate an outlier detection job.

{
  "outlier_detection": {
    "auc_roc": {
      "value": 0.9258475774641445
    },
    "confusion_matrix": {
      "0.25": {
        "tp": 5,
        "fp": 9,
        "tn": 204,
        "fn": 5
      },
      "0.5": {
        "tp": 1,
        "fp": 5,
        "tn": 208,
        "fn": 9
      },
      "0.75": {
        "tp": 0,
        "fp": 4,
        "tn": 209,
        "fn": 10
      }
    },
    "precision": {
      "0.25": 0.35714285714285715,
      "0.5": 0.16666666666666666,
      "0.75": 0
    },
    "recall": {
      "0.25": 0.5,
      "0.5": 0.1,
      "0.75": 0
    }
  }
}

Preview features used by data frame analytics Added in 7.13.0

GET /_ml/data_frame/analytics/{id}/_preview

Api key auth Basic auth Bearer auth

Preview the extracted features used by a data frame analytics config.

Path parameters

id string Required

Identifier for the data frame analytics job.

application/json

Body

config object
Hide config attributes Show config attributes object
- source object Required
  Hide source attributes Show source attributes object
  
  index string | array[string] Required
  
  runtime_mappings object
  
  Hide runtime_mappings attribute Show runtime_mappings attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  includes array[string]
  
  An array of strings that defines the fields that will be excluded from the analysis. You do not need to add fields with unsupported data types to excludes, these fields are excluded from the analysis automatically.
  
  excludes array[string]
  
  An array of strings that defines the fields that will be included in the analysis.
  
  query object
  
  The Elasticsearch query domain-specific language (DSL). This value corresponds to the query object in an Elasticsearch search POST body. All the options that are supported by Elasticsearch can be used, as this object is passed verbatim to Elasticsearch. By default, this property has the following value: {"match_all": {}}.
  
  Query DSL
- analysis object Required
  Hide analysis attributes Show analysis attributes object
  
  classification object
  
  Hide classification attributes Show classification attributes object
  
  alpha number
  
  Advanced configuration option. Machine learning uses loss guided tree growing, which means that the decision trees grow where the regularized loss decreases most quickly. This parameter affects loss calculations by acting as a multiplier of the tree depth. Higher alpha values result in shallower trees and faster training times. By default, this value is calculated during hyperparameter optimization. It must be greater than or equal to zero.
  
  dependent_variable string Required
  
  Defines which field of the document is to be predicted. It must match one of the fields in the index being used to train. If this field is missing from a document, then that document will not be used for training, but a prediction with the trained model will be generated for it. It is also known as continuous target variable. For classification analysis, the data type of the field must be numeric (integer, short, long, byte), categorical (ip or keyword), or boolean. There must be no more than 30 different values in this field. For regression analysis, the data type of the field must be numeric.
  
  downsample_factor number
  
  Advanced configuration option. Controls the fraction of data that is used to compute the derivatives of the loss function for tree training. A small value results in the use of a small fraction of the data. If this value is set to be less than 1, accuracy typically improves. However, too small a value may result in poor convergence for the ensemble and so require more trees. By default, this value is calculated during hyperparameter optimization. It must be greater than zero and less than or equal to 1.
  
  early_stopping_enabled boolean
  
  Advanced configuration option. Specifies whether the training process should finish if it is not finding any better performing models. If disabled, the training process can take significantly longer and the chance of finding a better performing model is unremarkable.
  
  eta number
  
  Advanced configuration option. The shrinkage applied to the weights. Smaller values result in larger forests which have a better generalization error. However, larger forests cause slower training. By default, this value is calculated during hyperparameter optimization. It must be a value between 0.001 and 1.
  
  eta_growth_rate_per_tree number
  
  Advanced configuration option. Specifies the rate at which eta increases for each new tree that is added to the forest. For example, a rate of 1.05 increases eta by 5% for each extra tree. By default, this value is calculated during hyperparameter optimization. It must be between 0.5 and 2.
  
  feature_bag_fraction number
  
  Advanced configuration option. Defines the fraction of features that will be used when selecting a random bag for each candidate split. By default, this value is calculated during hyperparameter optimization.
  
  feature_processors array[object]
  
  Advanced configuration option. A collection of feature preprocessors that modify one or more included fields. The analysis uses the resulting one or more features instead of the original document field. However, these features are ephemeral; they are not stored in the destination index. Multiple feature_processors entries can refer to the same document fields. Automatic categorical feature encoding still occurs for the fields that are unprocessed by a custom processor or that have categorical values. Use this property only if you want to override the automatic feature encoding of the specified fields.
  
  Hide feature_processors attributes Show feature_processors attributes object
  
  frequency_encoding object
  
  multi_encoding object
  
  n_gram_encoding object
  
  one_hot_encoding object
  
  target_mean_encoding object
  
  gamma number
  
  Advanced configuration option. Regularization parameter to prevent overfitting on the training data set. Multiplies a linear penalty associated with the size of individual trees in the forest. A high gamma value causes training to prefer small trees. A small gamma value results in larger individual trees and slower training. By default, this value is calculated during hyperparameter optimization. It must be a nonnegative value.
  
  lambda number
  
  Advanced configuration option. Regularization parameter to prevent overfitting on the training data set. Multiplies an L2 regularization term which applies to leaf weights of the individual trees in the forest. A high lambda value causes training to favor small leaf weights. This behavior makes the prediction function smoother at the expense of potentially not being able to capture relevant relationships between the features and the dependent variable. A small lambda value results in large individual trees and slower training. By default, this value is calculated during hyperparameter optimization. It must be a nonnegative value.
  
  max_optimization_rounds_per_hyperparameter number
  
  Advanced configuration option. A multiplier responsible for determining the maximum number of hyperparameter optimization steps in the Bayesian optimization procedure. The maximum number of steps is determined based on the number of undefined hyperparameters times the maximum optimization rounds per hyperparameter. By default, this value is calculated during hyperparameter optimization.
  
  max_trees number
  
  Advanced configuration option. Defines the maximum number of decision trees in the forest. The maximum value is 2000. By default, this value is calculated during hyperparameter optimization.
  
  num_top_feature_importance_values number
  
  Advanced configuration option. Specifies the maximum number of feature importance values per document to return. By default, no feature importance calculation occurs.
  
  prediction_field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  randomize_seed number
  
  Defines the seed for the random generator that is used to pick training data. By default, it is randomly generated. Set it to a specific value to use the same training data each time you start a job (assuming other related parameters such as source and analyzed_fields are the same).
  
  soft_tree_depth_limit number
  
  Advanced configuration option. Machine learning uses loss guided tree growing, which means that the decision trees grow where the regularized loss decreases most quickly. This soft limit combines with the soft_tree_depth_tolerance to penalize trees that exceed the specified depth; the regularized loss increases quickly beyond this depth. By default, this value is calculated during hyperparameter optimization. It must be greater than or equal to 0.
  
  soft_tree_depth_tolerance number
  
  Advanced configuration option. This option controls how quickly the regularized loss increases when the tree depth exceeds soft_tree_depth_limit. By default, this value is calculated during hyperparameter optimization. It must be greater than or equal to 0.01.
  
  training_percent string | number
  
  One of:
  Percentage string Percentage number
  
  class_assignment_objective string
  
  num_top_classes number
  
  Defines the number of categories for which the predicted probabilities are reported. It must be non-negative or -1. If it is -1 or greater than the total number of categories, probabilities are reported for all categories; if you have a large number of categories, there could be a significant effect on the size of your destination index. NOTE: To use the AUC ROC evaluation method, num_top_classes must be set to -1 or a value greater than or equal to the total number of categories.
  
  outlier_detection object
  
  Hide outlier_detection attributes Show outlier_detection attributes object
  
  compute_feature_influence boolean
  
  Specifies whether the feature influence calculation is enabled.
  
  feature_influence_threshold number
  
  The minimum outlier score that a document needs to have in order to calculate its feature influence score. Value range: 0-1.
  
  method string
  
  The method that outlier detection uses. Available methods are lof, ldof, distance_kth_nn, distance_knn, and ensemble. The default value is ensemble, which means that outlier detection uses an ensemble of different methods and normalises and combines their individual outlier scores to obtain the overall outlier score.
  
  n_neighbors number
  
  Defines the value for how many nearest neighbors each method of outlier detection uses to calculate its outlier score. When the value is not set, different values are used for different ensemble members. This default behavior helps improve the diversity in the ensemble; only override it if you are confident that the value you choose is appropriate for the data set.
  
  outlier_fraction number
  
  The proportion of the data set that is assumed to be outlying prior to outlier detection. For example, 0.05 means it is assumed that 5% of values are real outliers and 95% are inliers.
  
  standardization_enabled boolean
  
  If true, the following operation is performed on the columns before computing outlier scores: (x_i - mean(x_i)) / sd(x_i).
  
  regression object
  
  Hide regression attributes Show regression attributes object
  
  alpha number
  
  Advanced configuration option. Machine learning uses loss guided tree growing, which means that the decision trees grow where the regularized loss decreases most quickly. This parameter affects loss calculations by acting as a multiplier of the tree depth. Higher alpha values result in shallower trees and faster training times. By default, this value is calculated during hyperparameter optimization. It must be greater than or equal to zero.
  
  dependent_variable string Required
  
  Defines which field of the document is to be predicted. It must match one of the fields in the index being used to train. If this field is missing from a document, then that document will not be used for training, but a prediction with the trained model will be generated for it. It is also known as continuous target variable. For classification analysis, the data type of the field must be numeric (integer, short, long, byte), categorical (ip or keyword), or boolean. There must be no more than 30 different values in this field. For regression analysis, the data type of the field must be numeric.
  
  downsample_factor number
  
  Advanced configuration option. Controls the fraction of data that is used to compute the derivatives of the loss function for tree training. A small value results in the use of a small fraction of the data. If this value is set to be less than 1, accuracy typically improves. However, too small a value may result in poor convergence for the ensemble and so require more trees. By default, this value is calculated during hyperparameter optimization. It must be greater than zero and less than or equal to 1.
  
  early_stopping_enabled boolean
  
  Advanced configuration option. Specifies whether the training process should finish if it is not finding any better performing models. If disabled, the training process can take significantly longer and the chance of finding a better performing model is unremarkable.
  
  eta number
  
  Advanced configuration option. The shrinkage applied to the weights. Smaller values result in larger forests which have a better generalization error. However, larger forests cause slower training. By default, this value is calculated during hyperparameter optimization. It must be a value between 0.001 and 1.
  
  eta_growth_rate_per_tree number
  
  Advanced configuration option. Specifies the rate at which eta increases for each new tree that is added to the forest. For example, a rate of 1.05 increases eta by 5% for each extra tree. By default, this value is calculated during hyperparameter optimization. It must be between 0.5 and 2.
  
  feature_bag_fraction number
  
  Advanced configuration option. Defines the fraction of features that will be used when selecting a random bag for each candidate split. By default, this value is calculated during hyperparameter optimization.
  
  feature_processors array[object]
  
  Advanced configuration option. A collection of feature preprocessors that modify one or more included fields. The analysis uses the resulting one or more features instead of the original document field. However, these features are ephemeral; they are not stored in the destination index. Multiple feature_processors entries can refer to the same document fields. Automatic categorical feature encoding still occurs for the fields that are unprocessed by a custom processor or that have categorical values. Use this property only if you want to override the automatic feature encoding of the specified fields.
  
  Hide feature_processors attributes Show feature_processors attributes object
  
  frequency_encoding object
  
  multi_encoding object
  
  n_gram_encoding object
  
  one_hot_encoding object
  
  target_mean_encoding object
  
  gamma number
  
  Advanced configuration option. Regularization parameter to prevent overfitting on the training data set. Multiplies a linear penalty associated with the size of individual trees in the forest. A high gamma value causes training to prefer small trees. A small gamma value results in larger individual trees and slower training. By default, this value is calculated during hyperparameter optimization. It must be a nonnegative value.
  
  lambda number
  
  Advanced configuration option. Regularization parameter to prevent overfitting on the training data set. Multiplies an L2 regularization term which applies to leaf weights of the individual trees in the forest. A high lambda value causes training to favor small leaf weights. This behavior makes the prediction function smoother at the expense of potentially not being able to capture relevant relationships between the features and the dependent variable. A small lambda value results in large individual trees and slower training. By default, this value is calculated during hyperparameter optimization. It must be a nonnegative value.
  
  max_optimization_rounds_per_hyperparameter number
  
  Advanced configuration option. A multiplier responsible for determining the maximum number of hyperparameter optimization steps in the Bayesian optimization procedure. The maximum number of steps is determined based on the number of undefined hyperparameters times the maximum optimization rounds per hyperparameter. By default, this value is calculated during hyperparameter optimization.
  
  max_trees number
  
  Advanced configuration option. Defines the maximum number of decision trees in the forest. The maximum value is 2000. By default, this value is calculated during hyperparameter optimization.
  
  num_top_feature_importance_values number
  
  Advanced configuration option. Specifies the maximum number of feature importance values per document to return. By default, no feature importance calculation occurs.
  
  prediction_field_name string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  randomize_seed number
  
  Defines the seed for the random generator that is used to pick training data. By default, it is randomly generated. Set it to a specific value to use the same training data each time you start a job (assuming other related parameters such as source and analyzed_fields are the same).
  
  soft_tree_depth_limit number
  
  Advanced configuration option. Machine learning uses loss guided tree growing, which means that the decision trees grow where the regularized loss decreases most quickly. This soft limit combines with the soft_tree_depth_tolerance to penalize trees that exceed the specified depth; the regularized loss increases quickly beyond this depth. By default, this value is calculated during hyperparameter optimization. It must be greater than or equal to 0.
  
  soft_tree_depth_tolerance number
  
  Advanced configuration option. This option controls how quickly the regularized loss increases when the tree depth exceeds soft_tree_depth_limit. By default, this value is calculated during hyperparameter optimization. It must be greater than or equal to 0.01.
  
  training_percent string | number
  
  One of:
  Percentage string Percentage number
  
  loss_function string
  
  The loss function used during regression. Available options are mse (mean squared error), msle (mean squared logarithmic error), huber (Pseudo-Huber loss).
  
  loss_function_parameter number
  
  A positive number that is used as a parameter to the loss_function.
- model_memory_limit string
- max_num_threads number
- analyzed_fields object
  Hide analyzed_fields attributes Show analyzed_fields attributes object
  
  includes array[string]
  
  An array of strings that defines the fields that will be excluded from the analysis. You do not need to add fields with unsupported data types to excludes, these fields are excluded from the analysis automatically.
  
  excludes array[string]
  
  An array of strings that defines the fields that will be included in the analysis.

Responses

200 application/json
Hide response attribute Show response attribute object
- feature_values array[object] Required
  
  An array of objects that contain feature name and value pairs. The features have been processed and indicate what will be sent to the model for training.
  
  Hide feature_values attribute Show feature_values attribute object
  
  * string Additional properties

GET /_ml/data_frame/analytics/{id}/_preview

curl \
 --request GET 'http://api.example.com/_ml/data_frame/analytics/{id}/_preview' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"config":{"source":{"index":"string","runtime_mappings":{"additionalProperty1":{"fields":{"additionalProperty1":{"type":"boolean"},"additionalProperty2":{"type":"boolean"}},"fetch_fields":[{"field":"string","format":"string"}],"format":"string","input_field":"string","target_field":"string","target_index":"string","script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"type":"boolean"},"additionalProperty2":{"fields":{"additionalProperty1":{"type":"boolean"},"additionalProperty2":{"type":"boolean"}},"fetch_fields":[{"field":"string","format":"string"}],"format":"string","input_field":"string","target_field":"string","target_index":"string","script":{"":"painless","id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}},"options":{"additionalProperty1":"string","additionalProperty2":"string"}},"type":"boolean"}},"_source":{"includes":["string"],"excludes":["string"]},"query":{}},"analysis":{"classification":{"alpha":42.0,"dependent_variable":"string","downsample_factor":42.0,"early_stopping_enabled":true,"eta":42.0,"eta_growth_rate_per_tree":42.0,"feature_bag_fraction":42.0,"feature_processors":[{"frequency_encoding":{},"multi_encoding":{},"n_gram_encoding":{},"one_hot_encoding":{},"target_mean_encoding":{}}],"gamma":42.0,"lambda":42.0,"max_optimization_rounds_per_hyperparameter":42.0,"max_trees":42.0,"num_top_feature_importance_values":42.0,"prediction_field_name":"string","randomize_seed":42.0,"soft_tree_depth_limit":42.0,"soft_tree_depth_tolerance":42.0,"":"string","class_assignment_objective":"string","num_top_classes":42.0},"outlier_detection":{"compute_feature_influence":true,"feature_influence_threshold":42.0,"method":"string","n_neighbors":42.0,"outlier_fraction":42.0,"standardization_enabled":true},"regression":{"alpha":42.0,"dependent_variable":"string","downsample_factor":42.0,"early_stopping_enabled":true,"eta":42.0,"eta_growth_rate_per_tree":42.0,"feature_bag_fraction":42.0,"feature_processors":[{"frequency_encoding":{},"multi_encoding":{},"n_gram_encoding":{},"one_hot_encoding":{},"target_mean_encoding":{}}],"gamma":42.0,"lambda":42.0,"max_optimization_rounds_per_hyperparameter":42.0,"max_trees":42.0,"num_top_feature_importance_values":42.0,"prediction_field_name":"string","randomize_seed":42.0,"soft_tree_depth_limit":42.0,"soft_tree_depth_tolerance":42.0,"":"string","loss_function":"string","loss_function_parameter":42.0}},"model_memory_limit":"string","max_num_threads":42.0,"analyzed_fields":{"includes":["string"],"excludes":["string"]}}}'

Create part of a trained model definition Added in 8.0.0

PUT /_ml/trained_models/{model_id}/definition/{part}

Api key auth Basic auth Bearer auth

Path parameters

model_id string Required

The unique identifier of the trained model.
part number Required

The definition part number. When the definition is loaded for inference the definition parts are streamed in the order of their part number. The first part must be 0 and the final part must be total_parts - 1.

application/json

Body Required

definition string Required

The definition part for the model. Must be a base64 encoded string.
total_definition_length number Required

The total uncompressed definition length in bytes. Not base64 encoded.
total_parts number Required

The total number of parts that will be uploaded. Must be greater than 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_ml/trained_models/{model_id}/definition/{part}

curl \
 --request PUT 'http://api.example.com/_ml/trained_models/{model_id}/definition/{part}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"definition":"string","total_definition_length":42.0,"total_parts":42.0}'

Create a trained model vocabulary Added in 8.0.0

PUT /_ml/trained_models/{model_id}/vocabulary

Api key auth Basic auth Bearer auth

This API is supported only for natural language processing (NLP) models. The vocabulary is stored in the index as described in inference_config.*.vocabulary of the trained model definition.

Path parameters

model_id string Required

The unique identifier of the trained model.

application/json

Body Required

vocabulary array[string] Required

The model vocabulary, which must not be empty.
merges array[string]

The optional model merges if required by the tokenizer.
scores array[number]

The optional vocabulary value scores if required by the tokenizer.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_ml/trained_models/{model_id}/vocabulary

curl \
 --request PUT 'http://api.example.com/_ml/trained_models/{model_id}/vocabulary' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"vocabulary":["string"],"merges":["string"],"scores":[42.0]}'

Get the shutdown status Added in 7.13.0

GET /_nodes/shutdown

Api key auth Basic auth Bearer auth

Get information about nodes that are ready to be shut down, have shut down preparations still in progress, or have stalled. The API returns status information for each part of the shut down process.

NOTE: This feature is designed for indirect use by Elasticsearch Service, Elastic Cloud Enterprise, and Elastic Cloud on Kubernetes. Direct use is not supported.

If the operator privileges feature is enabled, you must be an operator to use this API.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attribute Show response attribute object
- nodes array[object] Required
  
  Hide nodes attributes Show nodes attributes object
  
  node_id string Required
  
  type string Required
  
  Values are remove or restart.
  
  reason string Required
  
  shutdown_startedmillis number
  
  Time unit for milliseconds
  
  status string Required
  
  Values are not_started, in_progress, stalled, or complete.
  
  shard_migration object Required
  
  Hide shard_migration attribute Show shard_migration attribute object
  
  status string Required
  
  Values are not_started, in_progress, stalled, or complete.
  
  persistent_tasks object Required
  
  Hide persistent_tasks attribute Show persistent_tasks attribute object
  
  status string Required
  
  Values are not_started, in_progress, stalled, or complete.
  
  plugins object Required
  
  Hide plugins attribute Show plugins attribute object
  
  status string Required
  
  Values are not_started, in_progress, stalled, or complete.

GET /_nodes/shutdown

GET /_nodes/USpTGYaBSIKbgSUJR2Z9lg/shutdown

curl \
 --request GET 'http://api.example.com/_nodes/shutdown' \
 --header "Authorization: $API_KEY"

Response examples (200)

Get the status of shutdown preparations with `GET /_nodes/USpTGYaBSIKbgSUJR2Z9lg/shutdown`. The response shows information about the shutdown preparations, including the status of shard migration, task migration, and plugin cleanup

{
    "nodes": [
        {
            "node_id": "USpTGYaBSIKbgSUJR2Z9lg",
            "type": "RESTART",
            "reason": "Demonstrating how the node shutdown API works",
            "shutdown_startedmillis": 1624406108685,
            "allocation_delay": "10m",
            "status": "COMPLETE",
            "shard_migration": {
                "status": "COMPLETE",
                "shard_migrations_remaining": 0,
                "explanation": "no shard relocation is necessary for a node restart"
            },
            "persistent_tasks": {
                "status": "COMPLETE"
            },
            "plugins": {
                "status": "COMPLETE"
            }
        }
    ]
}

Create or update a query ruleset Added in 8.10.0

PUT /_query_rules/{ruleset_id}

Api key auth Basic auth Bearer auth

There is a limit of 100 rules per ruleset. This limit can be increased by using the xpack.applications.rules.max_rules_per_ruleset cluster setting.

IMPORTANT: Due to limitations within pinned queries, you can only select documents using ids or docs, but cannot use both in single rule. It is advised to use one or the other in query rulesets, to avoid errors. Additionally, pinned queries have a maximum limit of 100 pinned hits. If multiple matching rules pin more than 100 documents, only the first 100 documents are pinned in the order they are specified in the ruleset.

External documentation

Path parameters

ruleset_id string Required

The unique identifier of the query ruleset to be created or updated.

application/json

Body Required

rules object | array[object]
One of:
QueryRule object array-2 array[object]
Hide attributes Show attributes

rule_id string Required

type string Required

Values are pinned or exclude.

criteria object | array[object] Required

The criteria that must be met for the rule to be applied. If multiple criteria are specified for a rule, all criteria must be met for the rule to be applied.

One of:
QueryRuleCriteria object array-2 array[object]

Hide attributes Show attributes

type string Required

Values are global, exact, exact_fuzzy, fuzzy, prefix, suffix, contains, lt, lte, gt, gte, or always.

metadata string

The metadata field to match against. This metadata will be used to match against match_criteria sent in the rule. It is required for all criteria types except always.

values array[object]

The values to match against the metadata field. Only one value must match for the criteria to be met. It is required for all criteria types except always.

Hide attributes Show attributes object

type string Required

Values are global, exact, exact_fuzzy, fuzzy, prefix, suffix, contains, lt, lte, gt, gte, or always.

metadata string

The metadata field to match against. This metadata will be used to match against match_criteria sent in the rule. It is required for all criteria types except always.

values array[object]

The values to match against the metadata field. Only one value must match for the criteria to be met. It is required for all criteria types except always.

actions object Required

Hide actions attributes Show actions attributes object

ids array[string]

The unique document IDs of the documents to apply the rule to. Only one of ids or docs may be specified and at least one must be specified.

docs array[object]

The documents to apply the rule to. Only one of ids or docs may be specified and at least one must be specified. There is a maximum value of 100 documents in a rule. You can specify the following attributes for each document:

_index: The index of the document to pin.

_id: The unique document ID.

Hide docs attributes Show docs attributes object

_id string Required

_index string

priority number
Hide attributes Show attributes object

rule_id string Required

type string Required

Values are pinned or exclude.

criteria object | array[object]

The criteria that must be met for the rule to be applied. If multiple criteria are specified for a rule, all criteria must be met for the rule to be applied.

One of:
QueryRuleCriteria object array-2 array[object]

Hide attributes Show attributes

type string Required

Values are global, exact, exact_fuzzy, fuzzy, prefix, suffix, contains, lt, lte, gt, gte, or always.

metadata string

The metadata field to match against. This metadata will be used to match against match_criteria sent in the rule. It is required for all criteria types except always.

values array[object]

The values to match against the metadata field. Only one value must match for the criteria to be met. It is required for all criteria types except always.

Hide attributes Show attributes object

type string Required

Values are global, exact, exact_fuzzy, fuzzy, prefix, suffix, contains, lt, lte, gt, gte, or always.

metadata string

The metadata field to match against. This metadata will be used to match against match_criteria sent in the rule. It is required for all criteria types except always.

values array[object]

The values to match against the metadata field. Only one value must match for the criteria to be met. It is required for all criteria types except always.

actions object Required

Hide actions attributes Show actions attributes object

ids array[string]

The unique document IDs of the documents to apply the rule to. Only one of ids or docs may be specified and at least one must be specified.

docs array[object]

The documents to apply the rule to. Only one of ids or docs may be specified and at least one must be specified. There is a maximum value of 100 documents in a rule. You can specify the following attributes for each document:

_index: The index of the document to pin.

_id: The unique document ID.

Hide docs attributes Show docs attributes object

_id string Required

_index string

priority number

Responses

200 application/json
Hide response attribute Show response attribute object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.

PUT /_query_rules/{ruleset_id}

PUT _query_rules/my-ruleset
{
    "rules": [
        {
            "rule_id": "my-rule1",
            "type": "pinned",
            "criteria": [
                {
                    "type": "contains",
                    "metadata": "user_query",
                    "values": [ "pugs", "puggles" ]
                },
                {
                    "type": "exact",
                    "metadata": "user_country",
                    "values": [ "us" ]
                }
            ],
            "actions": {
                "ids": [
                    "id1",
                    "id2"
                ]
            }
        },
        {
            "rule_id": "my-rule2",
            "type": "pinned",
            "criteria": [
                {
                    "type": "fuzzy",
                    "metadata": "user_query",
                    "values": [ "rescue dogs" ]
                }
            ],
            "actions": {
                "docs": [
                    {
                        "_index": "index1",
                        "_id": "id3"
                    },
                    {
                        "_index": "index2",
                        "_id": "id4"
                    }
                ]
            }
        }
    ]
}

curl \
 --request PUT 'http://api.example.com/_query_rules/{ruleset_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"rules\": [\n        {\n            \"rule_id\": \"my-rule1\",\n            \"type\": \"pinned\",\n            \"criteria\": [\n                {\n                    \"type\": \"contains\",\n                    \"metadata\": \"user_query\",\n                    \"values\": [ \"pugs\", \"puggles\" ]\n                },\n                {\n                    \"type\": \"exact\",\n                    \"metadata\": \"user_country\",\n                    \"values\": [ \"us\" ]\n                }\n            ],\n            \"actions\": {\n                \"ids\": [\n                    \"id1\",\n                    \"id2\"\n                ]\n            }\n        },\n        {\n            \"rule_id\": \"my-rule2\",\n            \"type\": \"pinned\",\n            \"criteria\": [\n                {\n                    \"type\": \"fuzzy\",\n                    \"metadata\": \"user_query\",\n                    \"values\": [ \"rescue dogs\" ]\n                }\n            ],\n            \"actions\": {\n                \"docs\": [\n                    {\n                        \"_index\": \"index1\",\n                        \"_id\": \"id3\"\n                    },\n                    {\n                        \"_index\": \"index2\",\n                        \"_id\": \"id4\"\n                    }\n                ]\n            }\n        }\n    ]\n}"'

Request example

Run `PUT _query_rules/my-ruleset` to create a new query ruleset. Two rules are associated with `my-ruleset`. `my-rule1` will pin documents with IDs `id1` and `id2` when `user_query` contains `pugs` or `puggles` and `user_country` exactly matches `us`. `my-rule2` will exclude documents from different specified indices with IDs `id3` and `id4` when the `query_string` fuzzily matches `rescue dogs`.

{
    "rules": [
        {
            "rule_id": "my-rule1",
            "type": "pinned",
            "criteria": [
                {
                    "type": "contains",
                    "metadata": "user_query",
                    "values": [ "pugs", "puggles" ]
                },
                {
                    "type": "exact",
                    "metadata": "user_country",
                    "values": [ "us" ]
                }
            ],
            "actions": {
                "ids": [
                    "id1",
                    "id2"
                ]
            }
        },
        {
            "rule_id": "my-rule2",
            "type": "pinned",
            "criteria": [
                {
                    "type": "fuzzy",
                    "metadata": "user_query",
                    "values": [ "rescue dogs" ]
                }
            ],
            "actions": {
                "docs": [
                    {
                        "_index": "index1",
                        "_id": "id3"
                    },
                    {
                        "_index": "index2",
                        "_id": "id4"
                    }
                ]
            }
        }
    ]
}

Get rollup job information Deprecated Technical preview

GET /_rollup/job

Api key auth Basic auth Bearer auth

Get the configuration, stats, and status of rollup jobs.

NOTE: This API returns only active (both STARTED and STOPPED) jobs. If a job was created, ran for a while, then was deleted, the API does not return any details about it. For details about a historical rollup job, the rollup capabilities API may be more useful.

Responses

200 application/json
Hide response attribute Show response attribute object
- jobs array[object] Required
  
  Hide jobs attributes Show jobs attributes object
  
  config object Required
  
  Hide config attributes Show config attributes object
  
  cron string Required
  
  groups object Required
  
  Hide groups attributes Show groups attributes object
  
  date_histogram object
  
  Hide date_histogram attributes Show date_histogram attributes object
  
  delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  calendar_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  fixed_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  time_zone string
  
  histogram object
  
  Hide histogram attributes Show histogram attributes object
  
  fields string | array[string] Required
  
  interval number Required
  
  The interval of histogram buckets to be generated when rolling up. For example, a value of 5 creates buckets that are five units wide (0-5, 5-10, etc). Note that only one interval can be specified in the histogram group, meaning that all fields being grouped via the histogram must share the same interval.
  
  terms object
  
  Hide terms attribute Show terms attribute object
  
  fields string | array[string] Required
  
  id string Required
  
  index_pattern string Required
  
  metrics array[object] Required
  
  Hide metrics attributes Show metrics attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  metrics array[string] Required
  
  An array of metrics to collect for the field. At least one metric must be configured.
  
  Values are min, max, sum, avg, or value_count.
  
  page_size number Required
  
  rollup_index string Required
  
  timeout string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  stats object Required
  
  Hide stats attributes Show stats attributes object
  
  documents_processed number Required
  
  index_failures number Required
  
  index_time_in_ms number
  
  Time unit for milliseconds
  
  index_total number Required
  
  pages_processed number Required
  
  rollups_indexed number Required
  
  search_failures number Required
  
  search_time_in_ms number
  
  Time unit for milliseconds
  
  search_total number Required
  
  trigger_count number Required
  
  processing_time_in_ms number
  
  Time unit for milliseconds
  
  processing_total number Required
  
  status object Required
  
  Hide status attributes Show status attributes object
  
  current_position object
  
  Hide current_position attribute Show current_position attribute object
  
  * object Additional properties
  
  job_state string Required
  
  Values are started, indexing, stopping, stopped, or aborting.
  
  upgraded_doc_id boolean

GET /_rollup/job

GET _rollup/job/sensor

curl \
 --request GET 'http://api.example.com/_rollup/job' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _rollup/job/sensor`.

{
  "jobs": [
    {
      "config": {
        "id": "sensor",
        "index_pattern": "sensor-*",
        "rollup_index": "sensor_rollup",
        "cron": "*/30 * * * * ?",
        "groups": {
          "date_histogram": {
            "fixed_interval": "1h",
            "delay": "7d",
            "field": "timestamp",
            "time_zone": "UTC"
          },
          "terms": {
            "fields": [
              "node"
            ]
          }
        },
        "metrics": [
          {
            "field": "temperature",
            "metrics": [
              "min",
              "max",
              "sum"
            ]
          },
          {
            "field": "voltage",
            "metrics": [
              "avg"
            ]
          }
        ],
        "timeout": "20s",
        "page_size": 1000
      },
      "status": {
        "job_state": "stopped"
      },
      "stats": {
        "pages_processed": 0,
        "documents_processed": 0,
        "rollups_indexed": 0,
        "trigger_count": 0,
        "index_failures": 0,
        "index_time_in_ms": 0,
        "index_total": 0,
        "search_failures": 0,
        "search_time_in_ms": 0,
        "search_total": 0,
        "processing_time_in_ms": 0,
        "processing_total": 0
      }
    }
  ]
}

Search rolled-up data Deprecated Technical preview

POST /{index}/_rollup_search

Api key auth Basic auth Bearer auth

The rollup search endpoint is needed because, internally, rolled-up documents utilize a different document structure than the original data. It rewrites standard Query DSL into a format that matches the rollup documents then takes the response and rewrites it back to what a client would expect given the original query.

The request body supports a subset of features from the regular search API. The following functionality is not available:

size: Because rollups work on pre-aggregated data, no search hits can be returned and so size must be set to zero or omitted entirely. highlighter, suggestors, post_filter, profile, explain: These are similarly disallowed.

Searching both historical rollup and non-rollup data

The rollup search API has the capability to search across both "live" non-rollup data and the aggregated rollup data. This is done by simply adding the live indices to the URI. For example:

GET sensor-1,sensor_rollup/_rollup_search
{
  "size": 0,
  "aggregations": {
     "max_temperature": {
      "max": {
        "field": "temperature"
      }
    }
  }
}

The rollup search endpoint does two things when the search runs:

The original request is sent to the non-rollup index unaltered.
A rewritten version of the original request is sent to the rollup index.

When the two responses are received, the endpoint rewrites the rollup response and merges the two together. During the merging process, if there is any overlap in buckets between the two responses, the buckets from the non-rollup index are used.

Path parameters

index string | array[string] Required
A comma-separated list of data streams and indices used to limit the request. This parameter has the following rules:
- At least one data stream, index, or wildcard expression must be specified. This target can include a rollup or non-rollup index. For data streams, the stream's backing indices can only serve as non-rollup indices. Omitting the parameter or using _all are not permitted.
- Multiple non-rollup indices may be specified.
- Only one rollup index may be specified. If more than one are supplied, an exception occurs.
- Wildcard expressions (*) may be used. If they match more than one rollup index, an exception occurs. However, you can use an expression to match multiple non-rollup indices or data streams.

Query parameters

rest_total_hits_as_int boolean

Indicates whether hits.total should be rendered as an integer or an object in the rest search response
typed_keys boolean

Specify whether aggregation and suggester names should be prefixed by their respective types in the response

application/json

Body Required

aggregations object

Specifies aggregations.

External documentation
query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
size number

Must be zero if set, as rollups work on pre-aggregated data.

Responses

200 application/json
Hide response attributes Show response attributes object
- took number Required
- timed_out boolean Required
- terminated_early boolean
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- hits object Required
  
  Hide hits attributes Show hits attributes object
  
  total object | number
  
  Total hit count information, present only if track_total_hits wasn't false in the search request.
  
  One of:
  TotalHits object number-2 number
  
  Hide attributes Show attributes
  
  relation string Required
  
  Values are eq or gte.
  
  value number Required
  
  hits array[object] Required
  
  Hide hits attributes Show hits attributes object
  
  _index string Required
  
  _id string
  
  _score number | string | null
  
  One of:
  number-1 number string-2 string | null
  
  _explanation object
  
  Hide _explanation attributes Show _explanation attributes object
  
  description string Required
  
  details array[object] Required
  
  value number Required
  
  fields object
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  highlight object
  
  Hide highlight attribute Show highlight attribute object
  
  * array[string] Additional properties
  
  inner_hits object
  
  Hide inner_hits attribute Show inner_hits attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  hits object Required
  
  matched_queries array[string] | object
  
  One of:
  array-1 array[string] object-2 object
  
  _nested object
  
  Hide _nested attributes Show _nested attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  offset number Required
  
  _nested object
  
  _ignored array[string]
  
  ignored_field_values object
  
  Hide ignored_field_values attribute Show ignored_field_values attribute object
  
  * array[object] Additional properties
  
  _shard string
  
  _node string
  
  _routing string
  
  _source object
  
  _rank number
  
  _seq_no number
  
  _primary_term number
  
  _version number
  
  sort array[number | string | boolean | null]
  
  A field value.
  
  max_score number | string | null
  
  One of:
  number-1 number string-2 string | null
- aggregations object

POST /{index}/_rollup_search

GET /sensor_rollup/_rollup_search
{
  "size": 0,
  "aggregations": {
    "max_temperature": {
      "max": {
        "field": "temperature"
      }
    }
  }
}

curl \
 --request POST 'http://api.example.com/{index}/_rollup_search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"size\": 0,\n  \"aggregations\": {\n    \"max_temperature\": {\n      \"max\": {\n        \"field\": \"temperature\"\n      }\n    }\n  }\n}"'

Request example

Search rolled up data stored in `sensor_rollup` with `GET /sensor_rollup/_rollup_search`

{
  "size": 0,
  "aggregations": {
    "max_temperature": {
      "max": {
        "field": "temperature"
      }
    }
  }
}

Response examples (200)

An abbreviated response from `GET /sensor_rollup/_rollup_search` with a `max` aggregation on a `temperature` field. The response provides some metadata about the request (`took`, `_shards`), the search hits (which is always empty for rollup searches), and the aggregation response.

{
  "took" : 102,
  "timed_out" : false,
  "terminated_early" : false,
  "_shards" : {} ,
  "hits" : {
    "total" : {
        "value": 0,
        "relation": "eq"
    },
    "max_score" : 0.0,
    "hits" : [ ]
  },
  "aggregations" : {
    "max_temperature" : {
      "value" : 202.0
    }
  }
}

Create or update a script or search template

PUT /_scripts/{id}

Api key auth Basic auth Bearer auth

Creates or updates a stored script or search template.

External documentation

Path parameters

id string Required

The identifier for the stored script or search template. It must be unique within the cluster.

Query parameters

context string

The context in which the script or search template should run. To prevent errors, the API immediately compiles the script or template in this context. If you specify both this and the <context> path parameter, the API uses the request path parameter.
master_timeout string

The period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error. It can also be set to -1 to indicate that the request should never timeout.

Values are -1 or 0.
timeout string

The period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error. It can also be set to -1 to indicate that the request should never timeout.

Values are -1 or 0.

application/json

Body Required

script object Required
Hide script attributes Show script attributes object
- lang string Required
 
 Any of:
 ScriptLanguage string ScriptLanguage string
 
 Values are painless, expression, mustache, or java.
- options object
 Hide options attribute Show options attribute object
 
 * string Additional properties
- source string | object Required
 
 One of:
 ScriptSource string SearchRequestBody object
 
 Hide attributes Show attributes
 
 aggregations object
 
 Defines the aggregations that are run as part of the search request.
 
 External documentation
 
 collapse object
 External documentation
 
 explain boolean
 
 If true, the request returns detailed information about score computation as part of a hit.
 
 ext object
 
 Configuration of search extensions defined by Elasticsearch plugins.
 
 Hide ext attribute Show ext attribute object
 
 * object Additional properties
 
 from number
 
 The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
 
 highlight object
 
 Hide highlight attributes Show highlight attributes object
 
 type string
 
 Any of:
 HighlighterType string HighlighterType string
 
 Values are plain, fvh, or unified.
 
 boundary_chars string
 
 A string that contains each boundary character.
 
 boundary_max_scan number
 
 How far to scan for boundary characters.
 
 boundary_scanner string
 
 Values are chars, sentence, or word.
 
 boundary_scanner_locale string
 
 Controls which locale is used to search for sentence and word boundaries. This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".
 
 force_source boolean Deprecated
 
 fragmenter string
 
 Values are simple or span.
 
 fragment_size number
 
 The size of the highlighted fragment in characters.
 
 highlight_filter boolean
 
 highlight_query object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 External documentation
 
 max_fragment_length number
 
 max_analyzed_offset number
 
 If set to a non-negative value, highlighting stops at this defined maximum limit. The rest of the text is not processed, thus not highlighted and no error is returned The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.
 
 no_match_size number
 
 The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.
 
 number_of_fragments number
 
 The maximum number of fragments to return. If the number of fragments is set to 0, no fragments are returned. Instead, the entire field contents are highlighted and returned. This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required. If number_of_fragments is 0, fragment_size is ignored.
 
 options object
 
 Hide options attribute Show options attribute object
 
 * object Additional properties
 
 order string
 
 Value is score.
 
 phrase_limit number
 
 Controls the number of matching phrases in a document that are considered. Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory. When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory. Only supported by the fvh highlighter.
 
 post_tags array[string]
 
 Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
 
 pre_tags array[string]
 
 Use in conjunction with post_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
 
 require_field_match boolean
 
 By default, only fields that contains a query match are highlighted. Set to false to highlight all fields.
 
 tags_schema string
 
 Value is styled.
 
 encoder string
 
 Values are default or html.
 
 fields object | array[object] Required
 
 One of:
 object-1 object array-2 array[object]
 
 track_total_hits boolean | number
 
 Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
 
 indices_boost array[object]
 
 Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
 
 External documentation
 
 Hide indices_boost attribute Show indices_boost attribute object
 
 * number Additional properties
 
 docvalue_fields array[object]
 
 An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
 
 External documentation
 
 Hide docvalue_fields attributes Show docvalue_fields attributes object
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 format string
 
 The format in which the values are returned.
 
 include_unmapped boolean
 
 knn object | array[object]
 
 The approximate kNN search to run.
 
 One of:
 KnnSearch object array-2 array[object]
 
 Hide attributes Show attributes
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 query_vector array[number]
 
 query_vector_builder object
 
 Hide query_vector_builder attribute Show query_vector_builder attribute object
 
 text_embedding object
 
 k number
 
 The final number of nearest neighbors to return as top hits
 
 num_candidates number
 
 The number of nearest neighbor candidates to consider per shard
 
 boost number
 
 Boost value to apply to kNN scores
 
 filter object | array[object]
 
 Filters for the kNN search query
 
 One of:
 QueryContainer object array-2 array[object]
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 similarity number
 
 The minimum similarity for a vector to be considered a match
 
 inner_hits object
 
 Hide inner_hits attributes Show inner_hits attributes object
 
 name string
 
 size number
 
 The maximum number of hits to return per inner_hits.
 
 from number
 
 Inner hit starting document offset.
 
 collapse object
 
 docvalue_fields array[object]
 
 explain boolean
 
 highlight
 
 ignore_unmapped boolean
 
 script_fields object
 
 seq_no_primary_term boolean
 
 fields array[string]
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 sort
 
 _source
 
 stored_fields string | array[string]
 
 track_scores boolean
 
 version boolean
 
 rescore_vector object
 
 Hide rescore_vector attribute Show rescore_vector attribute object
 
 oversample number Required
 
 Applies the specified oversample factor to k on the approximate kNN search
 
 External documentation
 
 Hide attributes Show attributes object
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 query_vector array[number]
 
 query_vector_builder object
 
 k number
 
 The final number of nearest neighbors to return as top hits
 
 num_candidates number
 
 The number of nearest neighbor candidates to consider per shard
 
 boost number
 
 Boost value to apply to kNN scores
 
 filter
 
 similarity number
 
 The minimum similarity for a vector to be considered a match
 
 inner_hits object
 
 rescore_vector object
 
 rank object
 
 Hide rank attribute Show rank attribute object
 
 rrf object
 
 Hide rrf attributes Show rrf attributes object
 
 rank_constant number
 
 How much influence documents in individual result sets per query have over the final ranked result set
 
 rank_window_size number
 
 Size of the individual result sets per query
 
 min_score number
 
 The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
 
 post_filter object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 External documentation
 
 profile boolean
 
 Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
 
 query object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 External documentation
 
 rescore object | array[object]
 
 Can be used to improve precision by reordering just the top (for example 100 - 500) documents returned by the query and post_filter phases.
 
 One of:
 Rescore object array-2 array[object]
 
 Hide attributes Show attributes
 
 window_size number
 
 query object
 
 learning_to_rank object
 
 retriever object
 
 Hide retriever attributes Show retriever attributes object
 
 standard object
 
 Hide standard attributes Show standard attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 query object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 search_after array[number | string | boolean | null]
 
 A field value.
 
 terminate_after number
 
 Maximum number of documents to collect for each shard.
 
 sort
 
 collapse object
 
 knn object
 
 Hide knn attributes Show knn attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 field string Required
 
 The name of the vector field to search against.
 
 query_vector array[number]
 
 query_vector_builder object
 
 k number Required
 
 Number of nearest neighbors to return as top hits.
 
 num_candidates number Required
 
 Number of nearest neighbor candidates to consider per shard.
 
 similarity number
 
 The minimum similarity required for a document to be considered a match.
 
 rescore_vector object
 
 rrf object
 
 Hide rrf attributes Show rrf attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 retrievers array[object] Required
 
 A list of child retrievers to specify which sets of returned top documents will have the RRF formula applied to them.
 
 rank_constant number
 
 This value determines how much influence documents in individual result sets per query have over the final ranked result set.
 
 rank_window_size number
 
 This value determines the size of the individual result sets per query.
 
 text_similarity_reranker object
 
 Hide text_similarity_reranker attributes Show text_similarity_reranker attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 retriever object Required
 
 rank_window_size number
 
 This value determines how many documents we will consider from the nested retriever.
 
 inference_id string
 
 Unique identifier of the inference endpoint created using the inference API.
 
 inference_text string
 
 The text snippet used as the basis for similarity comparison
 
 field string
 
 The document field to be used for text similarity comparisons. This field should contain the text that will be evaluated against the inference_text
 
 rule object
 
 Hide rule attributes Show rule attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 ruleset_ids
 
 match_criteria object Required
 
 The match criteria that will determine if a rule in the provided rulesets should be applied.
 
 retriever object Required
 
 rank_window_size number
 
 This value determines the size of the individual result set.
 
 rescorer object
 
 Hide rescorer attributes Show rescorer attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 retriever object Required
 
 rescore
 
 linear object
 
 Hide linear attributes Show linear attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 retrievers array[object]
 
 Inner retrievers.
 
 rank_window_size number Required
 
 pinned object
 
 Hide pinned attributes Show pinned attributes object
 
 filter
 
 min_score number
 
 Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
 
 _name string
 
 Retriever name.
 
 retriever object Required
 
 ids array[string]
 
 docs array[object]
 
 rank_window_size number Required
 
 script_fields object
 
 Retrieve a script evaluation (based on different fields) for each hit.
 
 Hide script_fields attribute Show script_fields attribute object
 
 * object Additional properties
 
 Hide * attributes Show * attributes object
 
 script object Required
 
 Hide script attributes Show script attributes object
 
 source
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 lang
 
 options object
 
 ignore_failure boolean
 
 search_after array[number | string | boolean | null]
 
 A field value.
 
 size number
 
 The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
 
 slice object
 
 Hide slice attributes Show slice attributes object
 
 field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 id string Required
 
 max number Required
 
 sort string | object | array[string | object]
 
 One of:
 Field string SortOptions object Sort array[string | object]
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 _source boolean | object
 
 Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
 
 One of:
 SourceConfig boolean SourceFilter object
 
 fields array[object]
 
 An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
 
 Hide fields attributes Show fields attributes object
 
 field string Required
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 format string
 
 The format in which the values are returned.
 
 include_unmapped boolean
 
 suggest object
 
 Hide suggest attribute Show suggest attribute object
 
 text string
 
 Global suggest text, to avoid repetition when the same text is used in several suggesters
 
 terminate_after number
 
 The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
 
 IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
 
 If set to 0 (default), the query does not terminate early.
 
 timeout string
 
 The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
 
 track_scores boolean
 
 If true, calculate and return document scores, even if the scores are not used for sorting.
 
 version boolean
 
 If true, the request returns the document version as part of a hit.
 
 seq_no_primary_term boolean
 
 If true, the request returns sequence number and primary term of the last modification of each hit.
 
 External documentation
 
 stored_fields string | array[string]
 
 pit object
 
 Hide pit attributes Show pit attributes object
 
 id string Required
 
 keep_alive string
 
 A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
 
 runtime_mappings object
 
 Hide runtime_mappings attribute Show runtime_mappings attribute object
 
 * object Additional properties
 
 Hide * attributes Show * attributes object
 
 fields object
 
 For type composite
 
 Hide fields attribute Show fields attribute object
 
 * object Additional properties
 
 fetch_fields array[object]
 
 For type lookup
 
 format string
 
 A custom format for date type runtime fields.
 
 input_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_field string
 
 Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
 
 target_index string
 
 script object
 
 Hide script attributes Show script attributes object
 
 source
 
 id string
 
 params object
 
 Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
 
 lang
 
 options object
 
 type string Required
 
 Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
 
 stats array[string]
 
 The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_scripts/{id}

PUT _scripts/my-search-template
{
  "script": {
    "lang": "mustache",
    "source": {
      "query": {
        "match": {
          "message": "{{query_string}}"
        }
      },
      "from": "{{from}}",
      "size": "{{size}}"
    }
  }
}

curl \
 --request PUT 'http://api.example.com/_scripts/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"script\": {\n    \"lang\": \"mustache\",\n    \"source\": {\n      \"query\": {\n        \"match\": {\n          \"message\": \"{{query_string}}\"\n        }\n      },\n      \"from\": \"{{from}}\",\n      \"size\": \"{{size}}\"\n    }\n  }\n}"'

Request examples

Run `PUT _scripts/my-search-template` to create a search template.

{
  "script": {
    "lang": "mustache",
    "source": {
      "query": {
        "match": {
          "message": "{{query_string}}"
        }
      },
      "from": "{{from}}",
      "size": "{{size}}"
    }
  }
}

Run `PUT _scripts/my-stored-script` to create a stored script.

{
  "script": {
    "lang": "painless",
    "source": "Math.log(_score * 2) + params['my_modifier']"
  }
}

Delete an async search Added in 7.7.0

DELETE /_async_search/{id}

Api key auth Basic auth Bearer auth

If the asynchronous search is still running, it is cancelled. Otherwise, the saved search results are deleted. If the Elasticsearch security features are enabled, the deletion of a specific async search is restricted to: the authenticated user that submitted the original search request; users that have the cancel_task cluster privilege.

Path parameters

id string Required

A unique identifier for the async search.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_async_search/{id}

curl \
 --request DELETE 'http://api.example.com/_async_search/{id}' \
 --header "Authorization: $API_KEY"

Close a point in time Added in 7.10.0

DELETE /_pit

Api key auth Basic auth Bearer auth

A point in time must be opened explicitly before being used in search requests. The keep_alive parameter tells Elasticsearch how long it should persist. A point in time is automatically closed when the keep_alive period has elapsed. However, keeping points in time has a cost; close them as soon as they are no longer required for search requests.

application/json

Body

id string Required

Responses

200 application/json
Hide response attributes Show response attributes object
- succeeded boolean Required
  
  If true, all search contexts associated with the point-in-time ID were successfully closed.
- num_freed number Required
  
  The number of search contexts that were successfully closed.

DELETE /_pit

DELETE /_pit
{
  "id": "46ToAwMDaWR5BXV1aWQyKwZub2RlXzMAAAAAAAAAACoBYwADaWR4BXV1aWQxAgZub2RlXzEAAAAAAAAAAAEBYQADaWR5BXV1aWQyKgZub2RlXzIAAAAAAAAAAAwBYgACBXV1aWQyAAAFdXVpZDEAAQltYXRjaF9hbGw_gAAAAA=="
}

curl \
 --request DELETE 'http://api.example.com/_pit' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"id\": \"46ToAwMDaWR5BXV1aWQyKwZub2RlXzMAAAAAAAAAACoBYwADaWR4BXV1aWQxAgZub2RlXzEAAAAAAAAAAAEBYQADaWR5BXV1aWQyKgZub2RlXzIAAAAAAAAAAAwBYgACBXV1aWQyAAAFdXVpZDEAAQltYXRjaF9hbGw_gAAAAA==\"\n}"'

Request example

Run `DELETE /_pit` to close a point-in-time.

{
  "id": "46ToAwMDaWR5BXV1aWQyKwZub2RlXzMAAAAAAAAAACoBYwADaWR4BXV1aWQxAgZub2RlXzEAAAAAAAAAAAEBYQADaWR5BXV1aWQyKgZub2RlXzIAAAAAAAAAAAwBYgACBXV1aWQyAAAFdXVpZDEAAQltYXRjaF9hbGw_gAAAAA=="
}

Response examples (200)

A successful response from `DELETE /_pit`.

{
  "succeeded": true, 
  "num_freed": 3     
}

Evaluate ranked search results Added in 6.2.0

GET /{index}/_rank_eval

Api key auth Basic auth Bearer auth

Evaluate the quality of ranked search results over a set of typical search queries.

Path parameters

index string | array[string] Required

A comma-separated list of data streams, indices, and index aliases used to limit the request. Wildcard (*) expressions are supported. To target all data streams and indices in a cluster, omit this parameter or use _all or *.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
expand_wildcards string | array[string]
Whether to expand wildcard expression to concrete indices that are open, closed or both.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
ignore_unavailable boolean

If true, missing or closed indices are not included in the response.
search_type string

Search operation type

application/json

Body Required

requests array[object] Required

A set of typical search requests, together with their provided ratings.
Hide requests attributes Show requests attributes object
- id string Required
- request object
  Hide request attributes Show request attributes object
  
  query object Required
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  size number
- ratings array[object] Required
  
  List of document ratings
  Hide ratings attributes Show ratings attributes object
  
  _id string Required
  
  _index string Required
  
  rating number Required
  
  The document’s relevance with regard to this search request.
- template_id string
- params object
  
  The search template parameters.
  Hide params attribute Show params attribute object
  
  * object Additional properties
metric object
Hide metric attributes Show metric attributes object
- precision object
  Hide precision attributes Show precision attributes object
  
  k number
  
  Sets the maximum number of documents retrieved per query. This value will act in place of the usual size parameter in the query.
  
  relevant_rating_threshold number
  
  Sets the rating threshold above which documents are considered to be "relevant".
  
  ignore_unlabeled boolean
  
  Controls how unlabeled documents in the search results are counted. If set to true, unlabeled documents are ignored and neither count as relevant or irrelevant. Set to false (the default), they are treated as irrelevant.
- recall object
  Hide recall attributes Show recall attributes object
  
  k number
  
  Sets the maximum number of documents retrieved per query. This value will act in place of the usual size parameter in the query.
  
  relevant_rating_threshold number
  
  Sets the rating threshold above which documents are considered to be "relevant".
- mean_reciprocal_rank object
  Hide mean_reciprocal_rank attributes Show mean_reciprocal_rank attributes object
  
  k number
  
  Sets the maximum number of documents retrieved per query. This value will act in place of the usual size parameter in the query.
  
  relevant_rating_threshold number
  
  Sets the rating threshold above which documents are considered to be "relevant".
- dcg object
  Hide dcg attributes Show dcg attributes object
  
  k number
  
  Sets the maximum number of documents retrieved per query. This value will act in place of the usual size parameter in the query.
  
  normalize boolean
  
  If set to true, this metric will calculate the Normalized DCG.
- expected_reciprocal_rank object
  Hide expected_reciprocal_rank attributes Show expected_reciprocal_rank attributes object
  
  k number
  
  Sets the maximum number of documents retrieved per query. This value will act in place of the usual size parameter in the query.
  
  maximum_relevance number Required
  
  The highest relevance grade used in the user-supplied relevance judgments.

Responses

200 application/json
Hide response attributes Show response attributes object
- metric_score number Required
  
  The overall evaluation quality calculated by the defined metric
- details object Required
  
  The details section contains one entry for every query in the original requests section, keyed by the search request id
  
  Hide details attribute Show details attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  metric_score number Required
  
  The metric_score in the details section shows the contribution of this query to the global quality metric score
  
  unrated_docs array[object] Required
  
  The unrated_docs section contains an _index and _id entry for each document in the search result for this query that didn’t have a ratings value. This can be used to ask the user to supply ratings for these documents
  
  Hide unrated_docs attributes Show unrated_docs attributes object
  
  _id string Required
  
  _index string Required
  
  hits array[object] Required
  
  The hits section shows a grouping of the search results with their supplied ratings
  
  Hide hits attributes Show hits attributes object
  
  hit object Required
  
  Hide hit attributes Show hit attributes object
  
  _id string Required
  
  _index string Required
  
  _score number Required
  
  rating number | string | null
  
  One of:
  number-1 number string-2 string | null
  
  metric_details object Required
  
  The metric_details give additional information about the calculated quality metric (e.g. how many of the retrieved documents were relevant). The content varies for each metric but allows for better interpretation of the results
  
  Hide metric_details attribute Show metric_details attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * object Additional properties
- failures object Required
  
  Hide failures attribute Show failures attribute object
  
  * object Additional properties

GET /{index}/_rank_eval

curl \
 --request GET 'http://api.example.com/{index}/_rank_eval' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"requests":[{"id":"string","request":{"query":{},"size":42.0},"ratings":[{"_id":"string","_index":"string","rating":42.0}],"template_id":"string","params":{"additionalProperty1":{},"additionalProperty2":{}}}],"metric":{"precision":{"k":42.0,"relevant_rating_threshold":42.0,"ignore_unlabeled":true},"recall":{"k":42.0,"relevant_rating_threshold":42.0},"mean_reciprocal_rank":{"k":42.0,"relevant_rating_threshold":42.0},"dcg":{"k":42.0,"normalize":true},"expected_reciprocal_rank":{"k":42.0,"maximum_relevance":42.0}}}'

Run a search

POST /_search

Api key auth Basic auth Bearer auth

Get search hits that match the query defined in the request. You can provide search queries using the q query string parameter or the request body. If both are specified, only the query parameter is used.

If the Elasticsearch security features are enabled, you must have the read index privilege for the target data stream, index, or alias. For cross-cluster search, refer to the documentation about configuring CCS privileges. To search a point in time (PIT) for an alias, you must have the read index privilege for the alias's data streams or indices.

Search slicing

When paging through a large number of documents, it can be helpful to split the search into multiple slices to consume them independently with the slice and pit properties. By default the splitting is done first on the shards, then locally on each shard. The local splitting partitions the shard into contiguous ranges based on Lucene document IDs.

For instance if the number of shards is equal to 2 and you request 4 slices, the slices 0 and 2 are assigned to the first shard and the slices 1 and 3 are assigned to the second shard.

IMPORTANT: The same point-in-time ID should be used for all slices. If different PIT IDs are used, slices can overlap and miss documents. This situation can occur because the splitting criterion is based on Lucene document IDs, which are not stable across changes to the index.

External documentation

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
allow_partial_search_results boolean

If true and there are shard request timeouts or shard failures, the request returns partial results. If false, it returns an error with no partial results.

To override the default behavior, you can set the search.default_allow_partial_results cluster setting to false.
analyzer string

The analyzer to use for the query string. This parameter can be used only when the q query string parameter is specified.
analyze_wildcard boolean

If true, wildcard and prefix queries are analyzed. This parameter can be used only when the q query string parameter is specified.
batched_reduce_size number

The number of shard results that should be reduced at once on the coordinating node. If the potential number of shards in the request can be large, this value should be used as a protection mechanism to reduce the memory overhead per search request.
ccs_minimize_roundtrips boolean

If true, network round-trips between the coordinating node and the remote clusters are minimized when running cross-cluster search (CCS) requests.
default_operator string

The default operator for the query string query: AND or OR. This parameter can be used only when the q query string parameter is specified.

Values are and, AND, or, or OR.
df string

The field to use as a default when no field prefix is given in the query string. This parameter can be used only when the q query string parameter is specified.
docvalue_fields string | array[string]

A comma-separated list of fields to return as the docvalue representation of a field for each hit.
expand_wildcards string | array[string]
The type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. It supports comma-separated values such as open,hidden.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
Values are all, open, closed, hidden, or none.
explain boolean

If true, the request returns detailed information about score computation as part of a hit.
ignore_throttled boolean Deprecated

If true, concrete, expanded or aliased indices will be ignored when frozen.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
include_named_queries_score boolean

If true, the response includes the score contribution from any named queries.

This functionality reruns each named query on every hit in a search response. Typically, this adds a small overhead to a request. However, using computationally expensive named queries on a large number of hits may add significant overhead.
lenient boolean

If true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored. This parameter can be used only when the q query string parameter is specified.
max_concurrent_shard_requests number

The number of concurrent shard requests per node that the search runs concurrently. This value should be used to limit the impact of the search on the cluster in order to limit the number of concurrent shard requests.
preference string
The nodes and shards used for the search. By default, Elasticsearch selects from eligible nodes and shards using adaptive replica selection, accounting for allocation awareness. Valid values are:
- _only_local to run the search only on shards on the local node.
- _local to, if possible, run the search on shards on the local node, or if not, select shards using the default method.
- _only_nodes:<node-id>,<node-id> to run the search on only the specified nodes IDs. If suitable shards exist on more than one selected node, use shards on those nodes using the default method. If none of the specified nodes are available, select shards from any available node using the default method.
- _prefer_nodes:<node-id>,<node-id> to if possible, run the search on the specified nodes IDs. If not, select shards using the default method.
- _shards:<shard>,<shard> to run the search only on the specified shards. You can combine this value with other preference values. However, the _shards value must come first. For example: _shards:2,3|_local.
- <custom-string> (any string that does not start with _) to route searches with the same <custom-string> to the same shards in the same order.
pre_filter_shard_size number
A threshold that enforces a pre-filter roundtrip to prefilter search shards based on query rewriting if the number of shards the search request expands to exceeds the threshold. This filter roundtrip can limit the number of shards significantly if for instance a shard can not match any documents based on its rewrite method (if date filters are mandatory to match but the shard bounds and the query are disjoint). When unspecified, the pre-filter phase is executed if any of these conditions is met:
- The request targets more than 128 shards.
- The request targets one or more read-only index.
- The primary sort of the query targets an indexed field.
request_cache boolean

If true, the caching of search results is enabled for requests where size is 0. It defaults to index level settings.
routing string

A custom value that is used to route operations to a specific shard.
scroll string

The period to retain the search context for scrolling. By default, this value cannot exceed 1d (24 hours). You can change this limit by using the search.max_keep_alive cluster-level setting.

Values are -1 or 0.
search_type string
Indicates how distributed term frequencies are calculated for relevance scoring.

Supported values include:
- query_then_fetch: Documents are scored using local term and document frequencies for the shard. This is usually faster but less accurate.
- dfs_query_then_fetch: Documents are scored using global term and document frequencies across all shards. This is usually slower but more accurate.
Values are query_then_fetch or dfs_query_then_fetch.
stats array[string]

Specific tag of the request for logging and statistical purposes.
stored_fields string | array[string]

A comma-separated list of stored fields to return as part of a hit. If no fields are specified, no stored fields are included in the response. If this field is specified, the _source parameter defaults to false. You can pass _source: true to return both source fields and stored fields in the search response.
suggest_field string

The field to use for suggestions.
suggest_mode string
The suggest mode. This parameter can be used only when the suggest_field and suggest_text query string parameters are specified.

Supported values include:
- missing: Only generate suggestions for terms that are not in the shard.
- popular: Only suggest terms that occur in more docs on the shard than the original term.
- always: Suggest any matching suggestions based on terms in the suggest text.
Values are missing, popular, or always.
suggest_size number

The number of suggestions to return. This parameter can be used only when the suggest_field and suggest_text query string parameters are specified.
suggest_text string

The source text for which the suggestions should be returned. This parameter can be used only when the suggest_field and suggest_text query string parameters are specified.
terminate_after number

The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.

IMPORTANT: Use with caution. Elasticsearch applies this parameter to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this parameter for requests that target data streams with backing indices across multiple data tiers. If set to 0 (default), the query does not terminate early.
timeout string

The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. It defaults to no timeout.

Values are -1 or 0.
track_total_hits boolean | number

The number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query.
track_scores boolean

If true, the request calculates and returns document scores, even if the scores are not used for sorting.
typed_keys boolean

If true, aggregation and suggester names are be prefixed by their respective types in the response.
rest_total_hits_as_int boolean

Indicates whether hits.total should be rendered as an integer or an object in the rest search response.
version boolean

If true, the request returns the document version as part of a hit.
_source boolean | string | array[string]
The source fields that are returned for matching documents. These fields are returned in the hits._source property of the search response. Valid values are:
- true to return the entire document source.
- false to not return the document source.
- <string> to return the source fields that are specified as a comma-separated list that supports wildcard (*) patterns.
_source_excludes string | array[string]

A comma-separated list of source fields to exclude from the response. You can also use this parameter to exclude fields from the subset specified in _source_includes query parameter. If the _source parameter is false, this parameter is ignored.
_source_includes string | array[string]

A comma-separated list of source fields to include in the response. If this parameter is specified, only these source fields are returned. You can exclude fields from this subset using the _source_excludes query parameter. If the _source parameter is false, this parameter is ignored.
seq_no_primary_term boolean

If true, the request returns the sequence number and primary term of the last modification of each hit.
q string

A query in the Lucene query string syntax. Query parameter searches do not support the full Elasticsearch Query DSL but are handy for testing.

IMPORTANT: This parameter overrides the query parameter in the request body. If both parameters are specified, documents matching the query request body parameter are not returned.
size number

The number of hits to return. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
from number

The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
sort string | array[string]

A comma-separated list of <field>:<direction> pairs.

application/json

Body

aggregations object

Defines the aggregations that are run as part of the search request.

External documentation
collapse object
External documentation
explain boolean

If true, the request returns detailed information about score computation as part of a hit.
ext object

Configuration of search extensions defined by Elasticsearch plugins.
Hide ext attribute Show ext attribute object
- * object Additional properties
from number

The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
highlight object
Hide highlight attributes Show highlight attributes object
- type string
 
 Any of:
 HighlighterType string HighlighterType string
 
 Values are plain, fvh, or unified.
- boundary_chars string
 
 A string that contains each boundary character.
- boundary_max_scan number
 
 How far to scan for boundary characters.
- boundary_scanner string
 
 Values are chars, sentence, or word.
- boundary_scanner_locale string
 
 Controls which locale is used to search for sentence and word boundaries. This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".
- force_source boolean Deprecated
- fragmenter string
 
 Values are simple or span.
- fragment_size number
 
 The size of the highlighted fragment in characters.
- highlight_filter boolean
- highlight_query object
 
 An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
 
 External documentation
- max_fragment_length number
- max_analyzed_offset number
 
 If set to a non-negative value, highlighting stops at this defined maximum limit. The rest of the text is not processed, thus not highlighted and no error is returned The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.
- no_match_size number
 
 The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.
- number_of_fragments number
 
 The maximum number of fragments to return. If the number of fragments is set to 0, no fragments are returned. Instead, the entire field contents are highlighted and returned. This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required. If number_of_fragments is 0, fragment_size is ignored.
- options object
 Hide options attribute Show options attribute object
 
 * object Additional properties
- order string
 
 Value is score.
- phrase_limit number
 
 Controls the number of matching phrases in a document that are considered. Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory. When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory. Only supported by the fvh highlighter.
- post_tags array[string]
 
 Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
- pre_tags array[string]
 
 Use in conjunction with post_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.
- require_field_match boolean
 
 By default, only fields that contains a query match are highlighted. Set to false to highlight all fields.
- tags_schema string
 
 Value is styled.
- encoder string
 
 Values are default or html.
- fields object | array[object] Required
 
 One of:
 object-1 object array-2 array[object]
track_total_hits boolean | number

Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
indices_boost array[object]

Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.

External documentation
Hide indices_boost attribute Show indices_boost attribute object
- * number Additional properties
docvalue_fields array[object]

An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.

External documentation
Hide docvalue_fields attributes Show docvalue_fields attributes object
- field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- format string
  
  The format in which the values are returned.
- include_unmapped boolean
knn object | array[object]

The approximate kNN search to run.
One of:
KnnSearch object array-2 array[object]
Hide attributes Show attributes

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

query_vector array[number]

query_vector_builder object

Hide query_vector_builder attribute Show query_vector_builder attribute object

text_embedding object

Hide text_embedding attributes Show text_embedding attributes object

model_id string Required

model_text string Required

k number

The final number of nearest neighbors to return as top hits

num_candidates number

The number of nearest neighbor candidates to consider per shard

boost number

Boost value to apply to kNN scores

filter object | array[object]

Filters for the kNN search query

One of:
QueryContainer object array-2 array[object]

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

similarity number

The minimum similarity for a vector to be considered a match

inner_hits object

Hide inner_hits attributes Show inner_hits attributes object

name string

size number

The maximum number of hits to return per inner_hits.

from number

Inner hit starting document offset.

collapse object
External documentation

docvalue_fields array[object]

Hide docvalue_fields attributes Show docvalue_fields attributes object

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

format string

The format in which the values are returned.

include_unmapped boolean

explain boolean

highlight object

Hide highlight attributes Show highlight attributes object

type string

Any of:
HighlighterType string HighlighterType string

Values are plain, fvh, or unified.

boundary_chars string

A string that contains each boundary character.

boundary_max_scan number

How far to scan for boundary characters.

boundary_scanner string

Values are chars, sentence, or word.

boundary_scanner_locale string

Controls which locale is used to search for sentence and word boundaries. This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".

force_source boolean Deprecated

fragmenter string

Values are simple or span.

fragment_size number

The size of the highlighted fragment in characters.

highlight_filter boolean

highlight_query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

max_fragment_length number

max_analyzed_offset number

If set to a non-negative value, highlighting stops at this defined maximum limit. The rest of the text is not processed, thus not highlighted and no error is returned The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.

no_match_size number

The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.

number_of_fragments number

The maximum number of fragments to return. If the number of fragments is set to 0, no fragments are returned. Instead, the entire field contents are highlighted and returned. This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required. If number_of_fragments is 0, fragment_size is ignored.

options object

Hide options attribute Show options attribute object

* object Additional properties

order string

Value is score.

phrase_limit number

Controls the number of matching phrases in a document that are considered. Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory. When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory. Only supported by the fvh highlighter.

post_tags array[string]

Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.

pre_tags array[string]

Use in conjunction with post_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.

require_field_match boolean

By default, only fields that contains a query match are highlighted. Set to false to highlight all fields.

tags_schema string

Value is styled.

encoder string

Values are default or html.

fields object | array[object] Required

One of:
object-1 object array-2 array[object]

ignore_unmapped boolean

script_fields object

Hide script_fields attribute Show script_fields attribute object

* object Additional properties

Hide * attributes Show * attributes object

script object Required

Hide script attributes Show script attributes object

source

id string

params object

Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

lang

options object

ignore_failure boolean

seq_no_primary_term boolean

fields array[string]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

sort string | object | array[string | object]

One of:
Field string SortOptions object Sort array[string | object]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

_source boolean | object

Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.

One of:
SourceConfig boolean SourceFilter object

stored_fields string | array[string]

track_scores boolean

version boolean

rescore_vector object

Hide rescore_vector attribute Show rescore_vector attribute object

oversample number Required

Applies the specified oversample factor to k on the approximate kNN search
External documentation
Hide attributes Show attributes object

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

query_vector array[number]

query_vector_builder object

Hide query_vector_builder attribute Show query_vector_builder attribute object

text_embedding object

Hide text_embedding attributes Show text_embedding attributes object

model_id string Required

model_text string Required

k number

The final number of nearest neighbors to return as top hits

num_candidates number

The number of nearest neighbor candidates to consider per shard

boost number

Boost value to apply to kNN scores

filter object | array[object]

Filters for the kNN search query

One of:
QueryContainer object array-2 array[object]

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

similarity number

The minimum similarity for a vector to be considered a match

inner_hits object

Hide inner_hits attributes Show inner_hits attributes object

name string

size number

The maximum number of hits to return per inner_hits.

from number

Inner hit starting document offset.

collapse object
External documentation

docvalue_fields array[object]

Hide docvalue_fields attributes Show docvalue_fields attributes object

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

format string

The format in which the values are returned.

include_unmapped boolean

explain boolean

highlight object

Hide highlight attributes Show highlight attributes object

type

boundary_chars string

A string that contains each boundary character.

boundary_max_scan number

How far to scan for boundary characters.

boundary_scanner string

Values are chars, sentence, or word.

boundary_scanner_locale string

Controls which locale is used to search for sentence and word boundaries. This parameter takes a form of a language tag, for example: "en-US", "fr-FR", "ja-JP".

force_source boolean Deprecated

fragmenter string

Values are simple or span.

fragment_size number

The size of the highlighted fragment in characters.

highlight_filter boolean

highlight_query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

max_fragment_length number

max_analyzed_offset number

If set to a non-negative value, highlighting stops at this defined maximum limit. The rest of the text is not processed, thus not highlighted and no error is returned The max_analyzed_offset query setting does not override the index.highlight.max_analyzed_offset setting, which prevails when it’s set to lower value than the query setting.

no_match_size number

The amount of text you want to return from the beginning of the field if there are no matching fragments to highlight.

number_of_fragments number

The maximum number of fragments to return. If the number of fragments is set to 0, no fragments are returned. Instead, the entire field contents are highlighted and returned. This can be handy when you need to highlight short texts such as a title or address, but fragmentation is not required. If number_of_fragments is 0, fragment_size is ignored.

options object

order string

Value is score.

phrase_limit number

Controls the number of matching phrases in a document that are considered. Prevents the fvh highlighter from analyzing too many phrases and consuming too much memory. When using matched_fields, phrase_limit phrases per matched field are considered. Raising the limit increases query time and consumes more memory. Only supported by the fvh highlighter.

post_tags array[string]

Use in conjunction with pre_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.

pre_tags array[string]

Use in conjunction with post_tags to define the HTML tags to use for the highlighted text. By default, highlighted text is wrapped in  and  tags.

require_field_match boolean

By default, only fields that contains a query match are highlighted. Set to false to highlight all fields.

tags_schema string

Value is styled.

encoder string

Values are default or html.

fields

ignore_unmapped boolean

script_fields object

Hide script_fields attribute Show script_fields attribute object

* object Additional properties

Hide * attributes Show * attributes object

script object Required

ignore_failure boolean

seq_no_primary_term boolean

fields array[string]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

sort string | object | array[string | object]

One of:
Field string SortOptions object Sort array[string | object]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

_source boolean | object

Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.

One of:
SourceConfig boolean SourceFilter object

stored_fields string | array[string]

track_scores boolean

version boolean

rescore_vector object

Hide rescore_vector attribute Show rescore_vector attribute object

oversample number Required

Applies the specified oversample factor to k on the approximate kNN search
rank object
Hide rank attribute Show rank attribute object
- rrf object
  Hide rrf attributes Show rrf attributes object
  
  rank_constant number
  
  How much influence documents in individual result sets per query have over the final ranked result set
  
  rank_window_size number
  
  Size of the individual result sets per query
min_score number

The minimum _score for matching documents. Documents with a lower _score are not included in search results and results collected by aggregations.
post_filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
profile boolean

Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
rescore object | array[object]

Can be used to improve precision by reordering just the top (for example 100 - 500) documents returned by the query and post_filter phases.
One of:
Rescore object array-2 array[object]
Hide attributes Show attributes

window_size number

query object

Hide query attributes Show query attributes object

rescore_query object Required

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

query_weight number

Relative importance of the original query versus the rescore query.

rescore_query_weight number

Relative importance of the rescore query versus the original query.

score_mode string

Values are avg, max, min, multiply, or total.

learning_to_rank object

Hide learning_to_rank attributes Show learning_to_rank attributes object

model_id string Required

The unique identifier of the trained model uploaded to Elasticsearch

params object

Named parameters to be passed to the query templates used for feature

Hide params attribute Show params attribute object

* object Additional properties
Hide attributes Show attributes object

window_size number

query object

Hide query attributes Show query attributes object

rescore_query object Required

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

query_weight number

Relative importance of the original query versus the rescore query.

rescore_query_weight number

Relative importance of the rescore query versus the original query.

score_mode string

Values are avg, max, min, multiply, or total.

learning_to_rank object

Hide learning_to_rank attributes Show learning_to_rank attributes object

model_id string Required

The unique identifier of the trained model uploaded to Elasticsearch

params object

Named parameters to be passed to the query templates used for feature

Hide params attribute Show params attribute object

* object Additional properties
retriever object
Hide retriever attributes Show retriever attributes object
- standard object
  Hide standard attributes Show standard attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  terminate_after number
  
  Maximum number of documents to collect for each shard.
  
  sort string | object | array[string | object]
  
  One of:
  Field string SortOptions object Sort array[string | object]
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  collapse object
  External documentation
- knn object
  Hide knn attributes Show knn attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  field string Required
  
  The name of the vector field to search against.
  
  query_vector array[number]
  
  query_vector_builder object
  
  Hide query_vector_builder attribute Show query_vector_builder attribute object
  
  text_embedding object
  
  Hide text_embedding attributes Show text_embedding attributes object
  
  model_id string Required
  
  model_text string Required
  
  k number Required
  
  Number of nearest neighbors to return as top hits.
  
  num_candidates number Required
  
  Number of nearest neighbor candidates to consider per shard.
  
  similarity number
  
  The minimum similarity required for a document to be considered a match.
  
  rescore_vector object
  
  Hide rescore_vector attribute Show rescore_vector attribute object
  
  oversample number Required
  
  Applies the specified oversample factor to k on the approximate kNN search
- rrf object
  Hide rrf attributes Show rrf attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retrievers array[object] Required
  
  A list of child retrievers to specify which sets of returned top documents will have the RRF formula applied to them.
  
  rank_constant number
  
  This value determines how much influence documents in individual result sets per query have over the final ranked result set.
  
  rank_window_size number
  
  This value determines the size of the individual result sets per query.
- text_similarity_reranker object
  Hide text_similarity_reranker attributes Show text_similarity_reranker attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retriever object Required
  
  rank_window_size number
  
  This value determines how many documents we will consider from the nested retriever.
  
  inference_id string
  
  Unique identifier of the inference endpoint created using the inference API.
  
  inference_text string
  
  The text snippet used as the basis for similarity comparison
  
  field string
  
  The document field to be used for text similarity comparisons. This field should contain the text that will be evaluated against the inference_text
- rule object
  Hide rule attributes Show rule attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  ruleset_ids string | array[string]
  
  The ruleset IDs containing the rules this retriever is evaluating against.
  
  One of:
  Id string array-2 array[string]
  
  match_criteria object Required
  
  The match criteria that will determine if a rule in the provided rulesets should be applied.
  
  retriever object Required
  
  rank_window_size number
  
  This value determines the size of the individual result set.
- rescorer object
  Hide rescorer attributes Show rescorer attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retriever object Required
  
  rescore object | array[object]
  
  One of:
  Rescore object array-2 array[object]
  
  Hide attributes Show attributes
  
  window_size number
  
  query object
  
  learning_to_rank object
- linear object
  Hide linear attributes Show linear attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retrievers array[object]
  
  Inner retrievers.
  
  Hide retrievers attributes Show retrievers attributes object
  
  retriever object Required
  
  weight number Required
  
  normalizer string Required
  
  Values are none, minmax, or l2_norm.
  
  rank_window_size number Required
- pinned object
  Hide pinned attributes Show pinned attributes object
  
  filter object | array[object]
  
  Query to filter the documents that can match.
  
  One of:
  QueryContainer object array-2 array[object]
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  min_score number
  
  Minimum _score for matching documents. Documents with a lower _score are not included in the top documents.
  
  _name string
  
  Retriever name.
  
  retriever object Required
  
  ids array[string]
  
  docs array[object]
  
  Hide docs attributes Show docs attributes object
  
  index string
  
  id string Required
  
  rank_window_size number Required
script_fields object

Retrieve a script evaluation (based on different fields) for each hit.
Hide script_fields attribute Show script_fields attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  External documentation
  
  collapse object
  External documentation
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  Hide ext attribute Show ext attribute object
  
  * object Additional properties
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight object
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  External documentation
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  External documentation
  
  knn object | array[object]
  
  The approximate kNN search to run.
  
  One of:
  KnnSearch object array-2 array[object]
  
  rank object
  
  Hide rank attribute Show rank attribute object
  
  rrf
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  rescore array[object]
  
  retriever object
  
  Hide retriever attributes Show retriever attributes object
  
  standard
  
  knn
  
  rrf
  
  text_similarity_reranker
  
  rule
  
  rescorer
  
  linear
  
  pinned
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  Hide script_fields attribute Show script_fields attribute object
  
  * object Additional properties
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  Hide slice attributes Show slice attributes object
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  id string Required
  
  max number Required
  
  sort array[string | object]
  
  _source boolean | object
  
  Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
  
  One of:
  SourceConfig boolean SourceFilter object
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  Hide suggest attribute Show suggest attribute object
  
  text string
  
  Global suggest text, to avoid repetition when the same text is used in several suggesters
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  External documentation
  
  stored_fields string | array[string]
  
  pit object
  
  Hide pit attributes Show pit attributes object
  
  id string Required
  
  keep_alive string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  runtime_mappings object
  
  Hide runtime_mappings attribute Show runtime_mappings attribute object
  
  * object Additional properties
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  ignore_failure boolean
search_after array[number | string | boolean | null]

A field value.
size number

The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
slice object
Hide slice attributes Show slice attributes object
- field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- id string Required
- max number Required
sort string | object | array[string | object]
One of:
Field string SortOptions object Sort array[string | object]

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
Hide attributes Show attributes

_score object

Hide _score attribute Show _score attribute object

order string

Values are asc or desc.

_doc object

Hide _doc attribute Show _doc attribute object

order string

Values are asc or desc.

_geo_distance object

Hide _geo_distance attributes Show _geo_distance attributes object

mode string

Values are min, max, sum, avg, or median.

distance_type string

Values are arc or plane.

ignore_unmapped boolean

order string

Values are asc or desc.

unit string

Values are in, ft, yd, mi, nmi, km, m, cm, or mm.

nested object

Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

_script object

Hide _script attributes Show _script attributes object

order string

Values are asc or desc.

script object Required

Hide script attributes Show script attributes object

source string | object

One of:
ScriptSource string SearchRequestBody object

id string

params object

Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

Hide params attribute Show params attribute object

* object Additional properties

lang string

Any of:
ScriptLanguage string ScriptLanguage string

Values are painless, expression, mustache, or java.

options object

Hide options attribute Show options attribute object

* string Additional properties

type string

Values are string, number, or version.

mode string

Values are min, max, sum, avg, or median.

nested object

Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
One of:
Field string SortOptions object

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

Hide attributes Show attributes

_score object

Hide _score attribute Show _score attribute object

order string

Values are asc or desc.

_doc object

Hide _doc attribute Show _doc attribute object

order string

Values are asc or desc.

_geo_distance object

Hide _geo_distance attributes Show _geo_distance attributes object

mode string

Values are min, max, sum, avg, or median.

distance_type string

Values are arc or plane.

ignore_unmapped boolean

order string

Values are asc or desc.

unit string

Values are in, ft, yd, mi, nmi, km, m, cm, or mm.

nested object

Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.

_script object

Hide _script attributes Show _script attributes object

order string

Values are asc or desc.

script object Required

Hide script attributes Show script attributes object

source

id string

params object

Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.

lang

options object

type string

Values are string, number, or version.

mode string

Values are min, max, sum, avg, or median.

nested object

Hide nested attributes Show nested attributes object

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

max_children number

nested object

path string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
_source boolean | object

Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
One of:
SourceConfig boolean SourceFilter object
Hide attributes Show attributes

excludes string | array[string]

includes string | array[string]
fields array[object]

An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
Hide fields attributes Show fields attributes object
- field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- format string
  
  The format in which the values are returned.
- include_unmapped boolean
suggest object
Hide suggest attribute Show suggest attribute object
- text string
  
  Global suggest text, to avoid repetition when the same text is used in several suggesters
terminate_after number

The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.

IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.

If set to 0 (default), the query does not terminate early.
timeout string

The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
track_scores boolean

If true, calculate and return document scores, even if the scores are not used for sorting.
version boolean

If true, the request returns the document version as part of a hit.
seq_no_primary_term boolean

If true, the request returns sequence number and primary term of the last modification of each hit.

External documentation
stored_fields string | array[string]
pit object
Hide pit attributes Show pit attributes object
- id string Required
- keep_alive string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
runtime_mappings object
Hide runtime_mappings attribute Show runtime_mappings attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  External documentation
  
  collapse object
  External documentation
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  Hide ext attribute Show ext attribute object
  
  * object Additional properties
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight object
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  External documentation
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  External documentation
  
  knn object | array[object]
  
  The approximate kNN search to run.
  
  One of:
  KnnSearch object array-2 array[object]
  
  rank object
  
  Hide rank attribute Show rank attribute object
  
  rrf
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  rescore array[object]
  
  retriever object
  
  Hide retriever attributes Show retriever attributes object
  
  standard
  
  knn
  
  rrf
  
  text_similarity_reranker
  
  rule
  
  rescorer
  
  linear
  
  pinned
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  Hide script_fields attribute Show script_fields attribute object
  
  * object Additional properties
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  Hide slice attributes Show slice attributes object
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  id string Required
  
  max number Required
  
  sort array[string | object]
  
  _source boolean | object
  
  Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
  
  One of:
  SourceConfig boolean SourceFilter object
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  Hide suggest attribute Show suggest attribute object
  
  text string
  
  Global suggest text, to avoid repetition when the same text is used in several suggesters
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  External documentation
  
  stored_fields string | array[string]
  
  pit object
  
  Hide pit attributes Show pit attributes object
  
  id string Required
  
  keep_alive string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  runtime_mappings object
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
stats array[string]

The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.

Responses

200 application/json
Hide response attributes Show response attributes object
- took number Required
  
  The number of milliseconds it took Elasticsearch to run the request. This value is calculated by measuring the time elapsed between receipt of a request on the coordinating node and the time at which the coordinating node is ready to send the response. It includes:
  
  Communication time between the coordinating node and data nodes
  
  Time the request spends in the search thread pool, queued for execution
  
  Actual run time
  
  It does not include:
  
  Time needed to send the request to Elasticsearch
  
  Time needed to serialize the JSON response
  
  Time needed to send the response to a client
- timed_out boolean Required
  
  If true, the request timed out before completion; returned results may be partial or empty.
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- hits object Required
  
  Hide hits attributes Show hits attributes object
  
  total object | number
  
  Total hit count information, present only if track_total_hits wasn't false in the search request.
  
  One of:
  TotalHits object number-2 number
  
  Hide attributes Show attributes
  
  relation string Required
  
  Values are eq or gte.
  
  value number Required
  
  hits array[object] Required
  
  Hide hits attributes Show hits attributes object
  
  _index string Required
  
  _id string
  
  _score number | string | null
  
  One of:
  number-1 number string-2 string | null
  
  _explanation object
  
  Hide _explanation attributes Show _explanation attributes object
  
  description string Required
  
  details array[object] Required
  
  value number Required
  
  fields object
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  highlight object
  
  Hide highlight attribute Show highlight attribute object
  
  * array[string] Additional properties
  
  inner_hits object
  
  Hide inner_hits attribute Show inner_hits attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  hits object Required
  
  matched_queries array[string] | object
  
  One of:
  array-1 array[string] object-2 object
  
  _nested object
  
  Hide _nested attributes Show _nested attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  offset number Required
  
  _nested object
  
  _ignored array[string]
  
  ignored_field_values object
  
  Hide ignored_field_values attribute Show ignored_field_values attribute object
  
  * array[object] Additional properties
  
  _shard string
  
  _node string
  
  _routing string
  
  _source object
  
  _rank number
  
  _seq_no number
  
  _primary_term number
  
  _version number
  
  sort array[number | string | boolean | null]
  
  A field value.
  
  max_score number | string | null
  
  One of:
  number-1 number string-2 string | null
- aggregations object
- _clusters object
  
  Hide _clusters attributes Show _clusters attributes object
  
  skipped number Required
  
  successful number Required
  
  total number Required
  
  running number Required
  
  partial number Required
  
  failed number Required
  
  details object
  
  Hide details attribute Show details attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  status string Required
  
  Values are running, successful, partial, skipped, or failed.
  
  indices string Required
  
  took number
  
  Time unit for milliseconds
  
  timed_out boolean Required
  
  _shards object
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  skipped number
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  shard number Required
  
  status string
- fields object
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
- max_score number
- num_reduce_phases number
- profile object
  
  Hide profile attribute Show profile attribute object
  
  shards array[object] Required
  
  Hide shards attributes Show shards attributes object
  
  aggregations array[object] Required
  
  Hide aggregations attributes Show aggregations attributes object
  
  breakdown object Required
  
  description string Required
  
  time_in_nanos
  
  type string Required
  
  debug object
  
  children array[object]
  
  cluster string Required
  
  dfs object
  
  Hide dfs attributes Show dfs attributes object
  
  statistics object
  
  Hide statistics attributes Show statistics attributes object
  
  type string Required
  
  description string Required
  
  time string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  time_in_nanos
  
  breakdown object Required
  
  debug object
  
  children array[object]
  
  knn array[object]
  
  fetch object
  
  Hide fetch attributes Show fetch attributes object
  
  type string Required
  
  description string Required
  
  time_in_nanos number
  
  Time unit for nanoseconds
  
  breakdown object Required
  
  Hide breakdown attributes Show breakdown attributes object
  
  load_source number
  
  load_source_count number
  
  load_stored_fields number
  
  load_stored_fields_count number
  
  next_reader number
  
  next_reader_count number
  
  process_count number
  
  process number
  
  debug object
  
  Hide debug attributes Show debug attributes object
  
  stored_fields array[string]
  
  fast_path number
  
  children array[object]
  
  id string Required
  
  index string Required
  
  node_id string Required
  
  searches array[object] Required
  
  Hide searches attributes Show searches attributes object
  
  collector array[object] Required
  
  query array[object] Required
  
  rewrite_time number Required
  
  shard_id number Required
- pit_id string
- _scroll_id string
- suggest object
  
  Hide suggest attribute Show suggest attribute object
  
  * array[object] Additional properties
  
  One of:
  CompletionSuggest object PhraseSuggest object TermSuggest object
  
  Hide attributes Show attributes
  
  length number Required
  
  offset number Required
  
  text string Required
  
  options
- terminated_early boolean

POST /_search

GET /my-index-000001/_search?from=40&size=20
{
  "query": {
    "term": {
      "user.id": "kimchy"
    }
  }
}

curl \
 --request POST 'http://api.example.com/_search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"query\": {\n    \"term\": {\n      \"user.id\": \"kimchy\"\n    }\n  }\n}"'

Request examples

Run `GET /my-index-000001/_search?from=40&size=20` to run a search.

{
  "query": {
    "term": {
      "user.id": "kimchy"
    }
  }
}

Run `POST /_search` to run a point in time search. The `id` parameter tells Elasticsearch to run the request using contexts from this open point in time. The `keep_alive` parameter tells Elasticsearch how long it should extend the time to live of the point in time.

{
    "size": 100,  
    "query": {
        "match" : {
            "title" : "elasticsearch"
        }
    },
    "pit": {
      "id":  "46ToAwMDaWR5BXV1aWQyKwZub2RlXzMAAAAAAAAAACoBYwADaWR4BXV1aWQxAgZub2RlXzEAAAAAAAAAAAEBYQADaWR5BXV1aWQyKgZub2RlXzIAAAAAAAAAAAwBYgACBXV1aWQyAAAFdXVpZDEAAQltYXRjaF9hbGw_gAAAAA==", 
      "keep_alive": "1m"  
    }
}

When paging through a large number of documents, it can be helpful to split the search into multiple slices to consume them independently. The result from running the first `GET /_search` request returns documents belonging to the first slice (`id: 0`). If you run a second request with `id` set to `1', it returns documents in the second slice. Since the maximum number of slices is set to `2`, the union of the results is equivalent to the results of a point-in-time search without slicing.

{
  "slice": {
    "id": 0,                      
    "max": 2                      
  },
  "query": {
    "match": {
      "message": "foo"
    }
  },
  "pit": {
    "id": "46ToAwMDaWR5BXV1aWQyKwZub2RlXzMAAAAAAAAAACoBYwADaWR4BXV1aWQxAgZub2RlXzEAAAAAAAAAAAEBYQADaWR5BXV1aWQyKgZub2RlXzIAAAAAAAAAAAwBYgACBXV1aWQyAAAFdXVpZDEAAQltYXRjaF9hbGw_gAAAAA=="
  }
}

Response examples (200)

An abbreviated response from `GET /my-index-000001/_search?from=40&size=20` with a simple term query.

{
  "took": 5,
  "timed_out": false,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 20,
      "relation": "eq"
    },
    "max_score": 1.3862942,
    "hits": [
      {
        "_index": "my-index-000001",
        "_id": "0",
        "_score": 1.3862942,
        "_source": {
          "@timestamp": "2099-11-15T14:12:12",
          "http": {
            "request": {
              "method": "get"
            },
            "response": {
              "status_code": 200,
              "bytes": 1070000
            },
            "version": "1.1"
          },
          "source": {
            "ip": "127.0.0.1"
          },
          "message": "GET /search HTTP/1.1 200 1070000",
          "user": {
            "id": "kimchy"
          }
        }
      }
    ]
  }
}

Get terms in an index Added in 7.14.0

POST /{index}/_terms_enum

Api key auth Basic auth Bearer auth

Discover terms that match a partial string in an index. This API is designed for low-latency look-ups used in auto-complete scenarios.

The terms enum API may return terms from deleted documents. Deleted documents are initially only marked as deleted. It is not until their segments are merged that documents are actually deleted. Until that happens, the terms enum API will return terms from these documents.

Path parameters

index string Required

A comma-separated list of data streams, indices, and index aliases to search. Wildcard (*) expressions are supported. To search all data streams or indices, omit this parameter or use * or _all.

application/json

Body

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
size number

The number of matching terms to return.
timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
case_insensitive boolean

When true, the provided search string is matched against index terms without case sensitivity.
index_filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
string string

The string to match at the start of indexed terms. If it is not provided, all terms in the field are considered.

The prefix string cannot be larger than the largest possible keyword value, which is Lucene's term byte-length limit of 32766.
search_after string

The string after which terms in the index should be returned. It allows for a form of pagination if the last result from one request is passed as the search_after parameter for a subsequent request.

Responses

200 application/json
Hide response attributes Show response attributes object
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- terms array[string] Required
- complete boolean Required
  
  If false, the returned terms set may be incomplete and should be treated as approximate. This can occur due to a few reasons, such as a request timeout or a node error.

POST /{index}/_terms_enum

POST stackoverflow/_terms_enum
{
    "field" : "tags",
    "string" : "kiba"
}

curl \
 --request POST 'http://api.example.com/{index}/_terms_enum' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"field\" : \"tags\",\n    \"string\" : \"kiba\"\n}"'

Request example

Run `POST stackoverflow/_terms_enum`.

{
    "field" : "tags",
    "string" : "kiba"
}

Response examples (200)

A successful response from `POST stackoverflow/_terms_enum`.

{
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "terms": [
    "kibana"
  ],
  "complete" : true
}

Get cache statistics Technical preview

GET /_searchable_snapshots/cache/stats

Api key auth Basic auth Bearer auth

Get statistics about the shared cache for partially mounted indices.

External documentation

Query parameters

master_timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- nodes object Required
  
  Hide nodes attribute Show nodes attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  shared_cache object Required
  
  Hide shared_cache attributes Show shared_cache attributes object
  
  reads number Required
  
  bytes_read_in_bytes number | string Required
  
  One of:
  ByteSize number ByteSize string
  
  writes number Required
  
  bytes_written_in_bytes number | string Required
  
  One of:
  ByteSize number ByteSize string
  
  evictions number Required
  
  num_regions number Required
  
  size_in_bytes number | string Required
  
  One of:
  ByteSize number ByteSize string
  
  region_size_in_bytes number | string Required
  
  One of:
  ByteSize number ByteSize string

GET /_searchable_snapshots/cache/stats

GET /_searchable_snapshots/cache/stats

curl \
 --request GET 'http://api.example.com/_searchable_snapshots/cache/stats' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_searchable_snapshots/cache/stats`.

{
  "nodes" : {
    "eerrtBMtQEisohZzxBLUSw" : {
      "shared_cache" : {
        "reads" : 6051,
        "bytes_read_in_bytes" : 5448829,
        "writes" : 37,
        "bytes_written_in_bytes" : 1208320,
        "evictions" : 5,
        "num_regions" : 65536,
        "size_in_bytes" : 1099511627776,
        "region_size_in_bytes" : 16777216
      }
    }
  }
}

Clear the privileges cache Added in 7.9.0

POST /_security/privilege/{application}/_clear_cache

Api key auth Basic auth Bearer auth

Evict privileges from the native application privilege cache. The cache is also automatically cleared for applications that have their privileges updated.

Path parameters

application string Required

A comma-separated list of applications. To clear all applications, use an asterism (*). It does not support other wildcard patterns.

Responses

200 application/json
Hide response attributes Show response attributes object
- _nodes object Required
  
  Hide _nodes attributes Show _nodes attributes object
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  total number Required
  
  Total number of nodes selected by the request.
  
  successful number Required
  
  Number of nodes that responded successfully to the request.
  
  failed number Required
  
  Number of nodes that rejected the request or failed to respond. If this value is not 0, a reason for the rejection or failure is included in the response.
- cluster_name string Required
- nodes object Required
  
  Hide nodes attribute Show nodes attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  name string Required

POST /_security/privilege/{application}/_clear_cache

curl \
 --request POST 'http://api.example.com/_security/privilege/{application}/_clear_cache' \
 --header "Authorization: $API_KEY"

Create an API key Added in 6.7.0

PUT /_security/api_key

Api key auth Basic auth Bearer auth

Create an API key for access without requiring basic authentication.

IMPORTANT: If the credential that is used to authenticate this request is an API key, the derived API key cannot have any privileges. If you specify privileges, the API returns an error.

A successful request returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

NOTE: By default, API keys never expire. You can specify expiration information when you create the API keys.

The API keys are created by the Elasticsearch API key service, which is automatically enabled. To configure or turn off the API key service, refer to API key service setting documentation.

External documentation

Query parameters

refresh string

If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

Values are true, false, or wait_for.

application/json

Body Required

expiration string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
name string
role_descriptors object

An array of role descriptors for this API key. When it is not specified or it is an empty array, the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors, the resultant permissions are an intersection of API keys permissions and the authenticated user's permissions thereby limiting the access scope for API keys. The structure of role descriptor is the same as the request for the create role API. For more details, refer to the create or update roles API.

NOTE: Due to the way in which this permission intersection is calculated, it is not possible to create an API key that is a child of another API key, unless the derived key is created without any privileges. In this case, you must explicitly specify a role descriptor with no privileges. The derived API key can be used for authentication; it will not have authority to call Elasticsearch APIs.

External documentation
Hide role_descriptors attribute Show role_descriptors attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  Hide indices attributes Show indices attributes object
  
  field_security object
  
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string]
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  One of:
  IndexName string array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  IndicesPrivilegesQuery string QueryContainer object RoleTemplateQuery object
  
  allow_restricted_indices boolean
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  remote_indices array[object]
  
  A list of indices permissions for remote clusters.
  
  Hide remote_indices attributes Show remote_indices attributes object
  
  clusters string | array[string] Required
  
  field_security object
  
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string]
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  One of:
  IndexName string array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  IndicesPrivilegesQuery string QueryContainer object RoleTemplateQuery object
  
  allow_restricted_indices boolean
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  remote_cluster array[object]
  
  A list of cluster permissions for remote clusters. NOTE: This is limited a subset of the cluster permissions.
  
  Hide remote_cluster attributes Show remote_cluster attributes object
  
  clusters string | array[string] Required
  
  privileges array[string] Required
  
  The cluster level privileges that owners of the role have on the remote cluster.
  
  Values are monitor_enrich or monitor_stats.
  
  global array[object] | object
  
  An object defining global privileges. A global privilege is a form of cluster privilege that is request-aware. Support for global privileges is currently limited to the management of application privileges.
  
  One of:
  array-1 array[object] GlobalPrivilege object
  
  Hide attribute Show attribute object
  
  application object Required
  
  Hide application attribute Show application attribute object
  
  manage object Required
  
  Hide attribute Show attribute
  
  application object Required
  
  Hide application attribute Show application attribute object
  
  manage object Required
  
  Hide manage attribute Show manage attribute object
  
  applications array[string] Required
  
  applications array[object]
  
  A list of application privilege entries
  
  Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  restriction object
  
  Hide restriction attribute Show restriction attribute object
  
  workflows array[string] Required
  
  A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
metadata object
Hide metadata attribute Show metadata attribute object
- * object Additional properties

Responses

200 application/json
Hide response attributes Show response attributes object
- api_key string Required
  
  Generated API key.
- expiration number
  
  Expiration in milliseconds for the API key.
- id string Required
- name string Required
- encoded string Required
  
  API key credentials which is the base64-encoding of the UTF-8 representation of id and api_key joined by a colon (:).

PUT /_security/api_key

POST /_security/api_key
{
  "name": "my-api-key",
  "expiration": "1d",   
  "role_descriptors": { 
    "role-a": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-a*"],
          "privileges": ["read"]
        }
      ]
    },
    "role-b": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-b*"],
          "privileges": ["all"]
        }
      ]
    }
  },
  "metadata": {
    "application": "my-application",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}

curl \
 --request PUT 'http://api.example.com/_security/api_key' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"name\": \"my-api-key\",\n  \"expiration\": \"1d\",   \n  \"role_descriptors\": { \n    \"role-a\": {\n      \"cluster\": [\"all\"],\n      \"indices\": [\n        {\n          \"names\": [\"index-a*\"],\n          \"privileges\": [\"read\"]\n        }\n      ]\n    },\n    \"role-b\": {\n      \"cluster\": [\"all\"],\n      \"indices\": [\n        {\n          \"names\": [\"index-b*\"],\n          \"privileges\": [\"all\"]\n        }\n      ]\n    }\n  },\n  \"metadata\": {\n    \"application\": \"my-application\",\n    \"environment\": {\n      \"level\": 1,\n      \"trusted\": true,\n      \"tags\": [\"dev\", \"staging\"]\n    }\n  }\n}"'

Request example

Run `POST /_security/api_key` to create an API key. If `expiration` is not provided, the API keys do not expire. If `role_descriptors` is not provided, the permissions of the authenticated user are applied.

{
  "name": "my-api-key",
  "expiration": "1d",   
  "role_descriptors": { 
    "role-a": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-a*"],
          "privileges": ["read"]
        }
      ]
    },
    "role-b": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-b*"],
          "privileges": ["all"]
        }
      ]
    }
  },
  "metadata": {
    "application": "my-application",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}

Response examples (200)

A successful response from `POST /_security/api_key`.

{
  "id": "VuaCfGcBCdbkQm-e5aOx",        
  "name": "my-api-key",
  "expiration": 1544068612110,         
  "api_key": "ui2lp2axTNmsyakw9tvNnw", 
  "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="  
}

Get roles

GET /_security/role/{name}

Api key auth Basic auth Bearer auth

Get roles in the native realm. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The get roles API cannot retrieve roles that are defined in roles files.

Path parameters

name string | array[string] Required

The name of the role. You can specify multiple roles as a comma-separated list. If you do not specify this parameter, the API returns information about all roles.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attributes Show * attributes object
  
  cluster array[string] Required
  
  indices array[object] Required
  
  Hide indices attributes Show indices attributes object
  
  field_security object
  
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string]
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  One of:
  IndexName string array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  IndicesPrivilegesQuery string QueryContainer object RoleTemplateQuery object
  
  allow_restricted_indices boolean
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  remote_indices array[object]
  
  Hide remote_indices attributes Show remote_indices attributes object
  
  clusters string | array[string] Required
  
  field_security object
  
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string]
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  One of:
  IndexName string array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  IndicesPrivilegesQuery string QueryContainer object RoleTemplateQuery object
  
  allow_restricted_indices boolean
  
  Set to true if using wildcard or regular expressions for patterns that cover restricted indices. Implicitly, restricted indices have limited privileges that can cause pattern tests to fail. If restricted indices are explicitly included in the names list, Elasticsearch checks privileges against these indices regardless of the value set for allow_restricted_indices.
  
  remote_cluster array[object]
  
  Hide remote_cluster attributes Show remote_cluster attributes object
  
  clusters string | array[string] Required
  
  privileges array[string] Required
  
  The cluster level privileges that owners of the role have on the remote cluster.
  
  Values are monitor_enrich or monitor_stats.
  
  metadata object Required
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  description string
  
  run_as array[string]
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
  
  applications array[object] Required
  
  Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  role_templates array[object]
  
  Hide role_templates attributes Show role_templates attributes object
  
  format string
  
  Values are string or json.
  
  template object Required
  
  Hide template attributes Show template attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  global object
  
  Hide global attribute Show global attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * array[string] Additional properties

GET /_security/role/{name}

GET /_security/role/my_admin_role

curl \
 --request GET 'http://api.example.com/_security/role/{name}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_security/role/my_admin_role`. The response contains information about the `my_admin_role` role in the native realm.

{
  "my_admin_role": {
    "description": "Grants full access to all management features within the cluster.",
    "cluster" : [ "all" ],
    "indices" : [
      {
        "names" : [ "index1", "index2" ],
        "privileges" : [ "all" ],
        "allow_restricted_indices" : false,
        "field_security" : {
          "grant" : [ "title", "body" ]}
      }
    ],
    "applications" : [ ],
    "run_as" : [ "other_user" ],
    "metadata" : {
      "version" : 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}

Enroll Kibana Added in 8.0.0

GET /_security/enroll/kibana

Api key auth Basic auth Bearer auth

Enable a Kibana instance to configure itself for communication with a secured Elasticsearch cluster.

NOTE: This API is currently intended for internal use only by Kibana. Kibana uses this API internally to configure itself for communications with an Elasticsearch cluster that already has security features enabled.

Responses

200 application/json
Hide response attributes Show response attributes object
- token object Required
  
  Hide token attributes Show token attributes object
  
  name string Required
  
  The name of the bearer token for the elastic/kibana service account.
  
  value string Required
  
  The value of the bearer token for the elastic/kibana service account. Use this value to authenticate the service account with Elasticsearch.
- http_ca string Required
  
  The CA certificate used to sign the node certificates that Elasticsearch uses for TLS on the HTTP layer. The certificate is returned as a Base64 encoded string of the ASN.1 DER encoding of the certificate.

GET /_security/enroll/kibana

GET /_security/enroll/kibana

curl \
 --request GET 'http://api.example.com/_security/enroll/kibana' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_security/enroll/kibana`.

{
  "token" : {
    "name" : "enroll-process-token-1629123923000", 
    "value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ" 
  },
  "http_ca" : "MIIJlAIBAzVoGCSqGSIb3...vsDfsA3UZBAjEPfhubpQysAICAA=", 
}

Get a user profile Added in 8.2.0

GET /_security/profile/{uid}

Api key auth Basic auth Bearer auth

Get a user's profile using the unique profile ID.

NOTE: The user profile feature is designed only for use by Kibana and Elastic's Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice.

Path parameters

uid string | array[string] Required

A unique identifier for the user profile.

Query parameters

data string | array[string]

A comma-separated list of filters for the data field of the profile document. To return all content use data=*. To return a subset of content use data=<key> to retrieve content nested under the specified <key>. By default returns no data content.

Responses

200 application/json
Hide response attributes Show response attributes object
- profiles array[object] Required
  
  A successful call returns the JSON representation of the user profile and its internal versioning numbers. The API returns an empty object if no profile document is found for the provided uid. The content of the data field is not returned by default to avoid deserializing a potential large payload.
  
  Hide profiles attributes Show profiles attributes object
  
  uid string Required
  
  user object Required
  
  Hide user attributes Show user attributes object
  
  email string | null
  
  One of:
  string-1 string string-2 string | null
  
  full_name string | null
  
  One of:
  Name string string-2 string | null
  
  realm_name string Required
  
  realm_domain string
  
  roles array[string] Required
  
  username string Required
  
  data object Required
  
  Hide data attribute Show data attribute object
  
  * object Additional properties
  
  labels object Required
  
  Hide labels attribute Show labels attribute object
  
  * object Additional properties
  
  enabled boolean
  
  last_synchronized number Required
  
  _doc object Required
  
  Hide _doc attributes Show _doc attributes object
  
  _primary_term number Required
  
  _seq_no number Required
- errors object
  
  Hide errors attributes Show errors attributes object
  
  count number Required
  
  details object Required
  
  Hide details attribute Show details attribute object
  
  * object
  
  Hide * attributes Show * attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]

GET /_security/profile/{uid}

GET /_security/profile/u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0

curl \
 --request GET 'http://api.example.com/_security/profile/{uid}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_security/profile/u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0`. By default, no content is returned in the `data` field.

{
  "profiles": [
    {
      "uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0",
      "enabled": true,
      "last_synchronized": 1642650651037,
      "user": {
        "username": "jacknich",
        "roles": [
          "admin", "other_role1"
        ],
        "realm_name": "native",
        "full_name": "Jack Nicholson",
        "email": "jacknich@example.com"
      },
      "labels": {
        "direction": "north"
      },
      "data": {}, 
      "_doc": {
        "_primary_term": 88,
        "_seq_no": 66
      }
    }
  ]
}

A successful response from `GET /_security/profile/u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0?data=app1.key1`.

{
  "profiles": [
    {
      "uid": "u_79HkWkwmnBH5gqFKwoxggWPjEBOur1zLPXQPEl1VBW0_0",
      "enabled": true,
      "last_synchronized": 1642650651037,
      "user": {
        "username": "jacknich",
        "roles": [
          "admin", "other_role1"
        ],
        "realm_name": "native",
        "full_name": "Jack Nicholson",
        "email": "jacknich@example.com"
      },
      "labels": {
        "direction": "north"
      },
      "data": {
        "app1": {
          "key1": "value1"
        }
      },
      "_doc": {
        "_primary_term": 88,
        "_seq_no": 66
      }
    }
  ]
}

A response that contains errors that occurred while retrieving user profiles.

{
  "profiles": [],
  "errors": {
    "count": 1,
    "details": {
      "u_FmxQt3gr1BBH5wpnz9HkouPj3Q710XkOgg1PWkwLPBW_5": {
        "type": "resource_not_found_exception",
        "reason": "profile document not found"
      }
    }
  }
}

Check user privileges Added in 6.4.0

GET /_security/user/_has_privileges

Api key auth Basic auth Bearer auth

Determine whether the specified user has a specified list of privileges. All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature.

External documentation

application/json

Body Required

application array[object]
Hide application attributes Show application attributes object
- application string Required
  
  The name of the application.
- privileges array[string] Required
  
  A list of the privileges that you want to check for the specified resources. It may be either application privilege names or the names of actions that are granted by those privileges
- resources array[string] Required
  
  A list of resource names against which the privileges should be checked.
cluster array[string]

A list of the cluster privileges that you want to check.
index array[object]
Hide index attributes Show index attributes object
- names string | array[string] Required
- privileges array[string] Required
  
  A list of the privileges that you want to check for the specified indices.
- allow_restricted_indices boolean
  
  This needs to be set to true (default is false) if using wildcards or regexps for patterns that cover restricted indices. Implicitly, restricted indices do not match index patterns because restricted indices usually have limited privileges and including them in pattern tests would render most such tests false. If restricted indices are explicitly included in the names list, privileges will be checked against them regardless of the value of allow_restricted_indices.

Responses

200 application/json
Hide response attributes Show response attributes object
- application object Required
  
  Hide application attribute Show application attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * boolean Additional properties
- cluster object Required
  
  Hide cluster attribute Show cluster attribute object
  
  * boolean Additional properties
- has_all_requested boolean Required
- index object Required
  
  Hide index attribute Show index attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * boolean Additional properties
- username string Required

GET /_security/user/_has_privileges

GET /_security/user/_has_privileges
{
  "cluster": [ "monitor", "manage" ],
  "index" : [
    {
      "names": [ "suppliers", "products" ],
      "privileges": [ "read" ]
    },
    {
      "names": [ "inventory" ],
      "privileges" : [ "read", "write" ]
    }
  ],
  "application": [
    {
      "application": "inventory_manager",
      "privileges" : [ "read", "data:write/inventory" ],
      "resources" : [ "product/1852563" ]
    }
  ]
}

curl \
 --request GET 'http://api.example.com/_security/user/_has_privileges' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"cluster\": [ \"monitor\", \"manage\" ],\n  \"index\" : [\n    {\n      \"names\": [ \"suppliers\", \"products\" ],\n      \"privileges\": [ \"read\" ]\n    },\n    {\n      \"names\": [ \"inventory\" ],\n      \"privileges\" : [ \"read\", \"write\" ]\n    }\n  ],\n  \"application\": [\n    {\n      \"application\": \"inventory_manager\",\n      \"privileges\" : [ \"read\", \"data:write/inventory\" ],\n      \"resources\" : [ \"product/1852563\" ]\n    }\n  ]\n}"'

Request example

Run `GET /_security/user/_has_privileges` to check whether the current user has a specific set of cluster, index, and application privileges.

{
  "cluster": [ "monitor", "manage" ],
  "index" : [
    {
      "names": [ "suppliers", "products" ],
      "privileges": [ "read" ]
    },
    {
      "names": [ "inventory" ],
      "privileges" : [ "read", "write" ]
    }
  ],
  "application": [
    {
      "application": "inventory_manager",
      "privileges" : [ "read", "data:write/inventory" ],
      "resources" : [ "product/1852563" ]
    }
  ]
}

Response examples (200)

A successful response from `GET /_security/user/_has_privileges`, which lists the privileges for the `rdeniro` user.

{
  "username": "rdeniro",
  "has_all_requested" : false,
  "cluster" : {
    "monitor" : true,
    "manage" : false
  },
  "index" : {
    "suppliers" : {
      "read" : true
    },
    "products" : {
      "read" : true
    },
    "inventory" : {
      "read" : true,
      "write" : false
    }
  },
  "application" : {
    "inventory_manager" : {
      "product/1852563" : {
        "read": false,
        "data:write/inventory": false
      }
    }
  }
}

Logout of OpenID Connect

POST /_security/oidc/logout

Api key auth Basic auth Bearer auth

Invalidate an access token and a refresh token that were generated as a response to the /_security/oidc/authenticate API.

If the OpenID Connect authentication realm in Elasticsearch is accordingly configured, the response to this call will contain a URI pointing to the end session endpoint of the OpenID Connect Provider in order to perform single logout.

Elasticsearch exposes all the necessary OpenID Connect related functionality with the OpenID Connect APIs. These APIs are used internally by Kibana in order to provide OpenID Connect based authentication, but can also be used by other, custom web applications or other clients.

application/json

Body Required

token string Required

The access token to be invalidated.
refresh_token string

The refresh token to be invalidated.

Responses

200 application/json
Hide response attribute Show response attribute object
- redirect string Required
  
  A URI that points to the end session endpoint of the OpenID Connect Provider with all the parameters of the logout request as HTTP GET parameters.

POST /_security/oidc/logout

POST /_security/oidc/logout
{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}

curl \
 --request POST 'http://api.example.com/_security/oidc/logout' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"token\" : \"dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==\",\n  \"refresh_token\": \"vLBPvmAB6KvwvJZr27cS\"\n}"'

Request example

Run `POST /_security/oidc/logout` to perform the logout.

{
  "token" : "dGhpcyBpcyBub3QgYSByZWFsIHRva2VuIGJ1dCBpdCBpcyBvbmx5IHRlc3QgZGF0YS4gZG8gbm90IHRyeSB0byByZWFkIHRva2VuIQ==",
  "refresh_token": "vLBPvmAB6KvwvJZr27cS"
}

Response examples (200)

A successful response from `POST /_security/oidc/logout`, which contains the URI pointing to the End Session Endpoint of the OpenID Connect Provider with all the parameters of the Logout Request as HTTP GET parameters.

{
  "redirect" : "https://op-provider.org/logout?id_token_hint=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c&post_logout_redirect_uri=http%3A%2F%2Foidc-kibana.elastic.co%2Floggedout&state=lGYK0EcSLjqH6pkT5EVZjC6eIW5YCGgywj2sxROO"
}

Update user profile data Added in 8.2.0

PUT /_security/profile/{uid}/_data

Api key auth Basic auth Bearer auth

Update specific data for the user profile that is associated with a unique ID.

NOTE: The user profile feature is designed only for use by Kibana and Elastic's Observability, Enterprise Search, and Elastic Security solutions. Individual users and external applications should not call this API directly. Elastic reserves the right to change or remove this feature in future releases without prior notice.

To use this API, you must have one of the following privileges:

The manage_user_profile cluster privilege.
The update_profile_data global privilege for the namespaces that are referenced in the request.

This API updates the labels and data fields of an existing user profile document with JSON objects. New keys and their values are added to the profile document and conflicting keys are replaced by data that's included in the request.

For both labels and data, content is namespaced by the top-level fields. The update_profile_data global privilege grants privileges for updating only the allowed namespaces.

Path parameters

uid string Required

A unique identifier for the user profile.

Query parameters

if_seq_no number

Only perform the operation if the document has this sequence number.
if_primary_term number

Only perform the operation if the document has this primary term.
refresh string

If 'true', Elasticsearch refreshes the affected shards to make this operation visible to search. If 'wait_for', it waits for a refresh to make this operation visible to search. If 'false', nothing is done with refreshes.

Values are true, false, or wait_for.

application/json

Body Required

labels object

Searchable data that you want to associate with the user profile. This field supports a nested data structure. Within the labels object, top-level keys cannot begin with an underscore (_) or contain a period (.).
Hide labels attribute Show labels attribute object
- * object Additional properties
data object

Non-searchable data that you want to associate with the user profile. This field supports a nested data structure. Within the data object, top-level keys cannot begin with an underscore (_) or contain a period (.). The data object is not searchable, but can be retrieved with the get user profile API.
Hide data attribute Show data attribute object
- * object Additional properties

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_security/profile/{uid}/_data

POST /_security/profile/u_P_0BMHgaOK3p7k-PFWUCbw9dQ-UFjt01oWJ_Dp2PmPc_0/_data
{
  "labels": {
    "direction": "east"
  },
  "data": {
    "app1": {
      "theme": "default"
    }
  }
}

curl \
 --request PUT 'http://api.example.com/_security/profile/{uid}/_data' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"labels\": {\n    \"direction\": \"east\"\n  },\n  \"data\": {\n    \"app1\": {\n      \"theme\": \"default\"\n    }\n  }\n}"'

Request example

Run `POST /_security/profile/u_P_0BMHgaOK3p7k-PFWUCbw9dQ-UFjt01oWJ_Dp2PmPc_0/_data` to update a profile document for the `u_P_0BMHgaOK3p7k-PFWUCbw9dQ-UFjt01oWJ_Dp2PmPc_0` user profile.

{
  "labels": {
    "direction": "east"
  },
  "data": {
    "app1": {
      "theme": "default"
    }
  }
}

Response examples (200)

A successful response from `POST /_security/profile/u_P_0BMHgaOK3p7k-PFWUCbw9dQ-UFjt01oWJ_Dp2PmPc_0/_data`, which indicates that the request is acknowledged.

{
  "acknowledged": true
}

Create a snapshot Added in 0.0.0

PUT /_snapshot/{repository}/{snapshot}

Api key auth Basic auth Bearer auth

Take a snapshot of a cluster or of data streams and indices.

External documentation

Path parameters

repository string Required

The name of the repository for the snapshot.
snapshot string Required

The name of the snapshot. It supportes date math. It must be unique in the repository.

Query parameters

master_timeout string

The period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
wait_for_completion boolean

If true, the request returns a response when the snapshot is complete. If false, the request returns a response when the snapshot initializes.

application/json

Body

expand_wildcards string | array[string]
feature_states array[string]

The feature states to include in the snapshot. Each feature state includes one or more system indices containing related data. You can view a list of eligible features using the get features API.

If include_global_state is true, all current feature states are included by default. If include_global_state is false, no feature states are included by default.

Note that specifying an empty array will result in the default behavior. To exclude all feature states, regardless of the include_global_state value, specify an array with only the value none (["none"]).
ignore_unavailable boolean

If true, the request ignores data streams and indices in indices that are missing or closed. If false, the request returns an error for any data stream or index that is missing or closed.
include_global_state boolean

If true, the current cluster state is included in the snapshot. The cluster state includes persistent cluster settings, composable index templates, legacy index templates, ingest pipelines, and ILM policies. It also includes data stored in system indices, such as Watches and task records (configurable via feature_states).
indices string | array[string]
metadata object
Hide metadata attribute Show metadata attribute object
- * object Additional properties
partial boolean

If true, it enables you to restore a partial snapshot of indices with unavailable shards. Only shards that were successfully included in the snapshot will be restored. All missing shards will be recreated as empty.

If false, the entire restore operation will fail if one or more indices included in the snapshot do not have all primary shards available.

Responses

200 application/json
Hide response attributes Show response attributes object
- accepted boolean
  
  Equals true if the snapshot was accepted. Present when the request had wait_for_completion set to false
- snapshot object
  
  Hide snapshot attributes Show snapshot attributes object
  
  data_streams array[string] Required
  
  duration string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  duration_in_millis number
  
  Time unit for milliseconds
  
  end_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  end_time_in_millis number
  
  Time unit for milliseconds
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string Required
  
  node_id string
  
  reason string Required
  
  shard_id number Required
  
  index_uuid string Required
  
  status string Required
  
  include_global_state boolean
  
  indices array[string]
  
  index_details object
  
  Hide index_details attribute Show index_details attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  shard_count number Required
  
  size number | string
  
  One of:
  ByteSize number ByteSize string
  
  size_in_bytes number Required
  
  max_segments_per_shard number Required
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  reason string
  
  repository string
  
  snapshot string Required
  
  shards object
  
  Hide shards attributes Show shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
  
  start_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  start_time_in_millis number
  
  Time unit for milliseconds
  
  state string
  
  uuid string Required
  
  version string
  
  version_id number
  
  feature_states array[object]
  
  Hide feature_states attributes Show feature_states attributes object
  
  feature_name string Required
  
  indices string | array[string] Required

PUT /_snapshot/{repository}/{snapshot}

PUT /_snapshot/my_repository/snapshot_2?wait_for_completion=true
{
  "indices": "index_1,index_2",
  "ignore_unavailable": true,
  "include_global_state": false,
  "metadata": {
    "taken_by": "user123",
    "taken_because": "backup before upgrading"
  }
}

curl \
 --request PUT 'http://api.example.com/_snapshot/{repository}/{snapshot}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"indices\": \"index_1,index_2\",\n  \"ignore_unavailable\": true,\n  \"include_global_state\": false,\n  \"metadata\": {\n    \"taken_by\": \"user123\",\n    \"taken_because\": \"backup before upgrading\"\n  }\n}"'

Request example

Run `PUT /_snapshot/my_repository/snapshot_2?wait_for_completion=true` to take a snapshot of `index_1` and `index_2`.

{
  "indices": "index_1,index_2",
  "ignore_unavailable": true,
  "include_global_state": false,
  "metadata": {
    "taken_by": "user123",
    "taken_because": "backup before upgrading"
  }
}

Response examples (200)

A successful response from `PUT /_snapshot/my_repository/snapshot_2?wait_for_completion=true`.

{
  "snapshot": {
    "snapshot": "snapshot_2",
    "uuid": "vdRctLCxSketdKb54xw67g",
    "repository": "my_repository",
    "version_id": <version_id>,
    "version": <version>,
    "indices": [],
    "data_streams": [],
    "feature_states": [],
    "include_global_state": false,
    "metadata": {
      "taken_by": "user123",
      "taken_because": "backup before upgrading"
    },
    "state": "SUCCESS",
    "start_time": "2020-06-25T14:00:28.850Z",
    "start_time_in_millis": 1593093628850,
    "end_time": "2020-06-25T14:00:28.850Z",
    "end_time_in_millis": 1593094752018,
    "duration_in_millis": 0,
    "failures": [],
    "shards": {
      "total": 0,
      "failed": 0,
      "successful": 0
    }
  }
}

Verify the repository integrity Technical preview

POST /_snapshot/{repository}/_verify_integrity

Api key auth Basic auth Bearer auth

Verify the integrity of the contents of a snapshot repository.

This API enables you to perform a comprehensive check of the contents of a repository, looking for any anomalies in its data or metadata which might prevent you from restoring snapshots from the repository or which might cause future snapshot create or delete operations to fail.

If you suspect the integrity of the contents of one of your snapshot repositories, cease all write activity to this repository immediately, set its read_only option to true, and use this API to verify its integrity. Until you do so:

It may not be possible to restore some snapshots from this repository.
Searchable snapshots may report errors when searched or may have unassigned shards.
Taking snapshots into this repository may fail or may appear to succeed but have created a snapshot which cannot be restored.
Deleting snapshots from this repository may fail or may appear to succeed but leave the underlying data on disk.
Continuing to write to the repository while it is in an invalid state may causing additional damage to its contents.

If the API finds any problems with the integrity of the contents of your repository, Elasticsearch will not be able to repair the damage. The only way to bring the repository back into a fully working state after its contents have been damaged is by restoring its contents from a repository backup which was taken before the damage occurred. You must also identify what caused the damage and take action to prevent it from happening again.

If you cannot restore a repository backup, register a new repository and use this for all future snapshot operations. In some cases it may be possible to recover some of the contents of a damaged repository, either by restoring as many of its snapshots as needed and taking new snapshots of the restored data, or by using the reindex API to copy data from any searchable snapshots mounted from the damaged repository.

Avoid all operations which write to the repository while the verify repository integrity API is running. If something changes the repository contents while an integrity verification is running then Elasticsearch may incorrectly report having detected some anomalies in its contents due to the concurrent writes. It may also incorrectly fail to report some anomalies that the concurrent writes prevented it from detecting.

NOTE: This API is intended for exploratory use by humans. You should expect the request parameters and the response format to vary in future versions.

NOTE: This API may not work correctly in a mixed-version cluster.

The default values for the parameters of this API are designed to limit the impact of the integrity verification on other activities in your cluster. For instance, by default it will only use at most half of the snapshot_meta threads to verify the integrity of each snapshot, allowing other snapshot operations to use the other half of this thread pool. If you modify these parameters to speed up the verification process, you risk disrupting other snapshot-related operations in your cluster. For large repositories, consider setting up a separate single-node Elasticsearch cluster just for running the integrity verification API.

The response exposes implementation details of the analysis which may change from version to version. The response body format is therefore not considered stable and may be different in newer versions.

Path parameters

repository string | array[string] Required

The name of the snapshot repository.

Query parameters

blob_thread_pool_concurrency number

If verify_blob_contents is true, this parameter specifies how many blobs to verify at once.
index_snapshot_verification_concurrency number

The maximum number of index snapshots to verify concurrently within each index verification.
index_verification_concurrency number

The number of indices to verify concurrently. The default behavior is to use the entire snapshot_meta thread pool.
max_bytes_per_sec string

If verify_blob_contents is true, this parameter specifies the maximum amount of data that Elasticsearch will read from the repository every second.
max_failed_shard_snapshots number

The number of shard snapshot failures to track during integrity verification, in order to avoid excessive resource usage. If your repository contains more than this number of shard snapshot failures, the verification will fail.
meta_thread_pool_concurrency number

The maximum number of snapshot metadata operations to run concurrently. The default behavior is to use at most half of the snapshot_meta thread pool at once.
snapshot_verification_concurrency number

The number of snapshots to verify concurrently. The default behavior is to use at most half of the snapshot_meta thread pool at once.
verify_blob_contents boolean

Indicates whether to verify the checksum of every data blob in the repository. If this feature is enabled, Elasticsearch will read the entire repository contents, which may be extremely slow and expensive.

Responses

200 application/json

POST /_snapshot/{repository}/_verify_integrity

curl \
 --request POST 'http://api.example.com/_snapshot/{repository}/_verify_integrity' \
 --header "Authorization: $API_KEY"

Run a policy Added in 7.4.0

PUT /_slm/policy/{policy_id}/_execute

Api key auth Basic auth Bearer auth

Immediately create a snapshot according to the snapshot lifecycle policy without waiting for the scheduled time. The snapshot policy is normally applied according to its schedule, but you might want to manually run a policy before performing an upgrade or other maintenance.

Path parameters

policy_id string Required

The id of the snapshot lifecycle policy to be executed

Query parameters

master_timeout string

The period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.
timeout string

The period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- snapshot_name string Required

PUT /_slm/policy/{policy_id}/_execute

POST /_slm/policy/daily-snapshots/_execute

curl \
 --request PUT 'http://api.example.com/_slm/policy/{policy_id}/_execute' \
 --header "Authorization: $API_KEY"

Response examples (200)

Run `POST /_slm/policy/daily-snapshots/_execute` to take an immediate snapshot according to the `daily-snapshots` policy.

{
  "snapshot_name": "daily-snap-2019.04.24-gwrqoo2xtea3q57vvg0uea"
}

Get the snapshot lifecycle management status Added in 7.6.0

GET /_slm/status

Api key auth Basic auth Bearer auth

Query parameters

master_timeout string

The period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error. To indicate that the request should never timeout, set it to -1.

Values are -1 or 0.
timeout string

The period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error. To indicate that the request should never timeout, set it to -1.

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- operation_mode string Required
  
  Values are RUNNING, STOPPING, or STOPPED.

GET /_slm/status

GET _slm/status

curl \
 --request GET 'http://api.example.com/_slm/status' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _slm/status`.

{
  "operation_mode": "RUNNING"
}

Get SQL search results Added in 6.3.0

POST /_sql

Api key auth Basic auth Bearer auth

Run an SQL request.

Query parameters

format string

The format for the response. You can also specify a format using the Accept HTTP header. If you specify both this parameter and the Accept HTTP header, this parameter takes precedence.

Values are csv, json, tsv, txt, yaml, cbor, or smile.

application/json

Body Required

allow_partial_search_results boolean

If true, the response has partial results when there are shard request timeouts or shard failures. If false, the API returns an error with no partial results.
catalog string

The default catalog (cluster) for queries. If unspecified, the queries execute on the data in the local cluster only.
columnar boolean

If true, the results are in a columnar fashion: one row represents all the values of a certain column from the current page of results. The API supports this parameter only for CBOR, JSON, SMILE, and YAML responses.

External documentation
cursor string

The cursor used to retrieve a set of paginated results. If you specify a cursor, the API only uses the columnar and time_zone request body parameters. It ignores other request body parameters.
fetch_size number

The maximum number of rows (or entries) to return in one response.
field_multi_value_leniency boolean

If false, the API returns an exception when encountering multiple values for a field. If true, the API is lenient and returns the first value from the array with no guarantee of consistent results.
filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
index_using_frozen boolean

If true, the search can run on frozen indices.
keep_alive string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
keep_on_completion boolean

If true, Elasticsearch stores synchronous searches if you also specify the wait_for_completion_timeout parameter. If false, Elasticsearch only stores async searches that don't finish before the wait_for_completion_timeout.
page_timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
params object

The values for parameters in the query.
Hide params attribute Show params attribute object
- * object Additional properties
query string

The SQL query to run.

External documentation
request_timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
runtime_mappings object
Hide runtime_mappings attribute Show runtime_mappings attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  External documentation
  
  collapse object
  External documentation
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  Hide ext attribute Show ext attribute object
  
  * object Additional properties
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight object
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  External documentation
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  External documentation
  
  knn object | array[object]
  
  The approximate kNN search to run.
  
  One of:
  KnnSearch object array-2 array[object]
  
  rank object
  
  Hide rank attribute Show rank attribute object
  
  rrf
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  rescore array[object]
  
  retriever object
  
  Hide retriever attributes Show retriever attributes object
  
  standard
  
  knn
  
  rrf
  
  text_similarity_reranker
  
  rule
  
  rescorer
  
  linear
  
  pinned
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  Hide script_fields attribute Show script_fields attribute object
  
  * object Additional properties
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  Hide slice attributes Show slice attributes object
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  id string Required
  
  max number Required
  
  sort array[string | object]
  
  _source boolean | object
  
  Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
  
  One of:
  SourceConfig boolean SourceFilter object
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  Hide suggest attribute Show suggest attribute object
  
  text string
  
  Global suggest text, to avoid repetition when the same text is used in several suggesters
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  External documentation
  
  stored_fields string | array[string]
  
  pit object
  
  Hide pit attributes Show pit attributes object
  
  id string Required
  
  keep_alive string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  runtime_mappings object
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
time_zone string
wait_for_completion_timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

Responses

200 application/json
Hide response attributes Show response attributes object
- columns array[object]
  
  Column headings for the search results. Each object is a column.
  
  Hide columns attributes Show columns attributes object
  
  name string Required
  
  type string Required
- cursor string
  
  The cursor for the next set of paginated results. For CSV, TSV, and TXT responses, this value is returned in the Cursor HTTP header.
- id string
- is_running boolean
  
  If true, the search is still running. If false, the search has finished. This value is returned only for async and saved synchronous searches. For CSV, TSV, and TXT responses, this value is returned in the Async-partial HTTP header.
- is_partial boolean
  
  If true, the response does not contain complete search results. If is_partial is true and is_running is true, the search is still running. If is_partial is true but is_running is false, the results are partial due to a failure or timeout. This value is returned only for async and saved synchronous searches. For CSV, TSV, and TXT responses, this value is returned in the Async-partial HTTP header.
- rows array[array] Required
  
  The values for the search results.

POST /_sql

POST _sql?format=txt
{
  "query": "SELECT * FROM library ORDER BY page_count DESC LIMIT 5"
}

curl \
 --request POST 'http://api.example.com/_sql' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"query\": \"SELECT * FROM library ORDER BY page_count DESC LIMIT 5\"\n}"'

Request example

Run `POST _sql?format=txt` to get results for an SQL search.

{
  "query": "SELECT * FROM library ORDER BY page_count DESC LIMIT 5"
}

Get a synonym rule Added in 8.10.0

GET /_synonyms/{set_id}/{rule_id}

Api key auth Basic auth Bearer auth

Get a synonym rule from a synonym set.

Path parameters

set_id string Required

The ID of the synonym set to retrieve the synonym rule from.
rule_id string Required

The ID of the synonym rule to retrieve.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string Required
- synonyms string Required

GET /_synonyms/{set_id}/{rule_id}

GET _synonyms/my-synonyms-set/test-1

curl \
 --request GET 'http://api.example.com/_synonyms/{set_id}/{rule_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _synonyms/my-synonyms-set/test-1`.

{
  "id": "test-1",
  "synonyms": "hello, hi"
}

Test a Grok pattern Added in 8.13.0

GET /_text_structure/test_grok_pattern

Api key auth Basic auth Bearer auth

Test a Grok pattern on one or more lines of text. The API indicates whether the lines match the pattern together with the offsets and lengths of the matched substrings.

External documentation

Query parameters

ecs_compatibility string

The mode of compatibility with ECS compliant Grok patterns. Use this parameter to specify whether to use ECS Grok patterns instead of legacy ones when the structure finder creates a Grok pattern. Valid values are disabled and v1.

application/json

Body Required

grok_pattern string Required
text array[string] Required

The lines of text to run the Grok pattern on.

Responses

200 application/json
Hide response attribute Show response attribute object
- matches array[object] Required
  
  Hide matches attributes Show matches attributes object
  
  matched boolean Required
  
  fields object
  
  Hide fields attribute Show fields attribute object
  
  * array[object] Additional properties
  
  Hide * attributes Show * attributes object
  
  match string Required
  
  offset number Required
  
  length number Required

GET /_text_structure/test_grok_pattern

GET _text_structure/test_grok_pattern
{
  "grok_pattern": "Hello %{WORD:first_name} %{WORD:last_name}",
  "text": [
    "Hello John Doe",
    "this does not match"
  ]
}

curl \
 --request GET 'http://api.example.com/_text_structure/test_grok_pattern' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"grok_pattern\": \"Hello %{WORD:first_name} %{WORD:last_name}\",\n  \"text\": [\n    \"Hello John Doe\",\n    \"this does not match\"\n  ]\n}"'

Request example

Run `GET _text_structure/test_grok_pattern` to test a Grok pattern.

{
  "grok_pattern": "Hello %{WORD:first_name} %{WORD:last_name}",
  "text": [
    "Hello John Doe",
    "this does not match"
  ]
}

Response examples (200)

A successful response from `GET _text_structure/test_grok_pattern`.

{
  "matches": [
    {
      "matched": true,
      "fields": {
        "first_name": [
          {
            "match": "John",
            "offset": 6,
            "length": 4
          }
        ],
        "last_name": [
          {
            "match": "Doe",
            "offset": 11,
            "length": 3
          }
        ]
      }
    },
    {
      "matched": false
    }
  ]
}

Preview a transform Added in 7.2.0

GET /_transform/{transform_id}/_preview

Api key auth Basic auth Bearer auth

Generates a preview of the results that you will get when you create a transform with the same configuration.

It returns a maximum of 100 results. The calculations are based on all the current data in the source index. It also generates a list of mappings and settings for the destination index. These values are determined based on the field types of the source index and the transform aggregations.

Path parameters

transform_id string Required

Identifier for the transform to preview. If you specify this path parameter, you cannot provide transform configuration details in the request body.

Query parameters

timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Values are -1 or 0.

application/json

Body

dest object
Hide dest attributes Show dest attributes object
- index string
- pipeline string
  
  The unique identifier for an ingest pipeline.
description string

Free text description of the transform.
frequency string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
pivot object
Hide pivot attributes Show pivot attributes object
- aggregations object
  
  Defines how to aggregate the grouped data. The following aggregations are currently supported: average, bucket script, bucket selector, cardinality, filter, geo bounds, geo centroid, geo line, max, median absolute deviation, min, missing, percentiles, rare terms, scripted metric, stats, sum, terms, top metrics, value count, weighted average.
- group_by object
  
  Defines how to group the data. More than one grouping can be defined per pivot. The following groupings are currently supported: date histogram, geotile grid, histogram, terms.
  Hide group_by attribute Show group_by attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  date_histogram object
  
  Hide date_histogram attributes Show date_histogram attributes object
  
  calendar_interval string
  
  Values are second, 1s, minute, 1m, hour, 1h, day, 1d, week, 1w, month, 1M, quarter, 1q, year, or 1y.
  
  extended_bounds object
  
  Hide extended_bounds attributes Show extended_bounds attributes object
  
  max
  
  min
  
  hard_bounds object
  
  Hide hard_bounds attributes Show hard_bounds attributes object
  
  max
  
  min
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  fixed_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  format string
  
  The date format used to format key_as_string in the response. If no format is specified, the first date format specified in the field mapping is used.
  
  interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  min_doc_count number
  
  Only returns buckets that have min_doc_count number of documents. By default, all buckets between the first bucket that matches documents and the last one are returned.
  
  missing string
  
  offset string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  order object | array[object]
  
  One of:
  AggregateOrder object AggregateOrder array[object]
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  time_zone string
  
  keyed boolean
  
  Set to true to associate a unique string key with each bucket and return the ranges as a hash rather than an array.
  
  geotile_grid object
  
  Hide geotile_grid attributes Show geotile_grid attributes object
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  precision number
  
  shard_size number
  
  Allows for more accurate counting of the top cells returned in the final result the aggregation. Defaults to returning max(10,(size x number-of-shards)) buckets from each shard.
  
  size number
  
  The maximum number of buckets to return.
  
  bounds object
  
  A geo bounding box. It can be represented in various ways:
  
  as 4 top/bottom/left/right coordinates
  
  as 2 top_left / bottom_right points
  
  as 2 top_right / bottom_left points
  
  as a WKT bounding box
  
  One of:
  CoordsGeoBounds object TopLeftBottomRightGeoBounds object TopRightBottomLeftGeoBounds object WktGeoBounds object
  
  histogram object
  
  Hide histogram attributes Show histogram attributes object
  
  extended_bounds object
  
  Hide extended_bounds attributes Show extended_bounds attributes object
  
  max number
  
  Maximum value for the bound.
  
  min number
  
  Minimum value for the bound.
  
  hard_bounds object
  
  Hide hard_bounds attributes Show hard_bounds attributes object
  
  max number
  
  Maximum value for the bound.
  
  min number
  
  Minimum value for the bound.
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  interval number
  
  The interval for the buckets. Must be a positive decimal.
  
  min_doc_count number
  
  Only returns buckets that have min_doc_count number of documents. By default, the response will fill gaps in the histogram with empty buckets.
  
  missing number
  
  The value to apply to documents that do not have a value. By default, documents without a value are ignored.
  
  offset number
  
  By default, the bucket keys start with 0 and then continue in even spaced steps of interval. The bucket boundaries can be shifted by using the offset option.
  
  order object | array[object]
  
  One of:
  AggregateOrder object AggregateOrder array[object]
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  format string
  
  keyed boolean
  
  If true, returns buckets as a hash instead of an array, keyed by the bucket keys.
  
  terms
source object
Hide source attributes Show source attributes object
- index string | array[string] Required
- runtime_mappings object
  Hide runtime_mappings attribute Show runtime_mappings attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  collapse object
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  knn
  
  rank object
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  rescore
  
  retriever object
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  sort
  
  _source
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  stored_fields string | array[string]
  
  pit object
  
  runtime_mappings object
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
- query object
  
  A query clause that retrieves a subset of data from the source index.
  
  Query DSL
settings object
Hide settings attributes Show settings attributes object
- align_checkpoints boolean
  
  Specifies whether the transform checkpoint ranges should be optimized for performance. Such optimization can align checkpoint ranges with the date histogram interval when date histogram is specified as a group source in the transform config. As a result, less document updates in the destination index will be performed thus improving overall performance.
- dates_as_epoch_millis boolean
  
  Defines if dates in the ouput should be written as ISO formatted string or as millis since epoch. epoch_millis was the default for transforms created before version 7.11. For compatible output set this value to true.
- deduce_mappings boolean
  
  Specifies whether the transform should deduce the destination index mappings from the transform configuration.
- docs_per_second number
  
  Specifies a limit on the number of input documents per second. This setting throttles the transform by adding a wait time between search requests. The default value is null, which disables throttling.
- max_page_search_size number
  
  Defines the initial page size to use for the composite aggregation for each checkpoint. If circuit breaker exceptions occur, the page size is dynamically adjusted to a lower value. The minimum value is 10 and the maximum is 65,536.
- unattended boolean
  
  If true, the transform runs in unattended mode. In unattended mode, the transform retries indefinitely in case of an error which means the transform never fails. Setting the number of retries other than infinite fails in validation.
sync object
Hide sync attribute Show sync attribute object
- time object
  Hide time attributes Show time attributes object
  
  delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
retention_policy object
Hide retention_policy attribute Show retention_policy attribute object
- time object
  Hide time attributes Show time attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  max_age string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
latest object
Hide latest attributes Show latest attributes object
- sort string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- unique_key array[string] Required
  
  Specifies an array of one or more fields that are used to group the data.

Responses

200 application/json
Hide response attributes Show response attributes object
- generated_dest_index object Required
  
  Hide generated_dest_index attributes Show generated_dest_index attributes object
  
  aliases object
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  index_routing string
  
  is_hidden boolean
  
  If true, the alias is hidden. All indices for the alias must have the same is_hidden value.
  
  is_write_index boolean
  
  If true, the index is the write index for the alias.
  
  routing string
  
  search_routing string
  
  mappings object
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required
  
  settings object
  Index settings
  
  defaults object
  Index settings
  
  data_stream string
  
  lifecycle object
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  data_retention string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  downsampling object
  
  Hide downsampling attribute Show downsampling attribute object
  
  rounds array[object] Required
  
  The list of downsampling rounds to execute as part of this downsampling configuration
  
  Hide rounds attributes Show rounds attributes object
  
  after string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  config object Required
  
  enabled boolean
  
  If defined, it turns data stream lifecycle on/off (true/false) for this data stream. A data stream lifecycle that's disabled (enabled: false) will have no effect on the data stream.
- preview array[object] Required

GET /_transform/{transform_id}/_preview

POST _transform/_preview
{
  "source": {
    "index": "kibana_sample_data_ecommerce"
  },
  "pivot": {
    "group_by": {
      "customer_id": {
        "terms": {
          "field": "customer_id",
          "missing_bucket": true
        }
      }
    },
    "aggregations": {
      "max_price": {
        "max": {
          "field": "taxful_total_price"
        }
      }
    }
  }
}

curl \
 --request GET 'http://api.example.com/_transform/{transform_id}/_preview' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"source\": {\n    \"index\": \"kibana_sample_data_ecommerce\"\n  },\n  \"pivot\": {\n    \"group_by\": {\n      \"customer_id\": {\n        \"terms\": {\n          \"field\": \"customer_id\",\n          \"missing_bucket\": true\n        }\n      }\n    },\n    \"aggregations\": {\n      \"max_price\": {\n        \"max\": {\n          \"field\": \"taxful_total_price\"\n        }\n      }\n    }\n  }\n}"'

Request example

Run `POST _transform/_preview` to preview a transform that uses the pivot method.

{
  "source": {
    "index": "kibana_sample_data_ecommerce"
  },
  "pivot": {
    "group_by": {
      "customer_id": {
        "terms": {
          "field": "customer_id",
          "missing_bucket": true
        }
      }
    },
    "aggregations": {
      "max_price": {
        "max": {
          "field": "taxful_total_price"
        }
      }
    }
  }
}

Response examples (200)

An abbreviated response from `POST _transform/_preview` that contains a preview a transform that uses the pivot method.

{
  "preview": [
    {
      "max_price": 171,
      "customer_id": "10"
    },
    {
      "max_price": 233,
      "customer_id": "11"
    },
    {
      "max_price": 200,
      "customer_id": "12"
    },
    {
      "max_price": 301,
      "customer_id": "13"
    },
    {
      "max_price": 176,
      "customer_id": "14"
    },
    {
      "max_price": 2250,
      "customer_id": "15"
    },
    {
      "max_price": 170,
      "customer_id": "16"
    },
    {
      "max_price": 243,
      "customer_id": "17"
    },
    {
      "max_price": 154,
      "customer_id": "18"
    },
    {
      "max_price": 393,
      "customer_id": "19"
    },
    {
      "max_price": 165,
      "customer_id": "20"
    },
    {
      "max_price": 115,
      "customer_id": "21"
    },
    {
      "max_price": 192,
      "customer_id": "22"
    },
    {
      "max_price": 169,
      "customer_id": "23"
    },
    {
      "max_price": 230,
      "customer_id": "24"
    },
    {
      "max_price": 278,
      "customer_id": "25"
    },
    {
      "max_price": 200,
      "customer_id": "26"
    },
    {
      "max_price": 344,
      "customer_id": "27"
    },
    {
      "max_price": 175,
      "customer_id": "28"
    },
    {
      "max_price": 177,
      "customer_id": "29"
    },
    {
      "max_price": 190,
      "customer_id": "30"
    },
    {
      "max_price": 190,
      "customer_id": "31"
    },
    {
      "max_price": 205,
      "customer_id": "32"
    },
    {
      "max_price": 215,
      "customer_id": "33"
    },
    {
      "max_price": 270,
      "customer_id": "34"
    },
    {
      "max_price": 184,
      "customer_id": "36"
    },
    {
      "max_price": 222,
      "customer_id": "37"
    },
    {
      "max_price": 370,
      "customer_id": "38"
    },
    {
      "max_price": 240,
      "customer_id": "39"
    },
    {
      "max_price": 230,
      "customer_id": "4"
    },
    {
      "max_price": 229,
      "customer_id": "41"
    },
    {
      "max_price": 190,
      "customer_id": "42"
    },
    {
      "max_price": 150,
      "customer_id": "43"
    },
    {
      "max_price": 175,
      "customer_id": "44"
    },
    {
      "max_price": 190,
      "customer_id": "45"
    },
    {
      "max_price": 150,
      "customer_id": "46"
    },
    {
      "max_price": 310,
      "customer_id": "48"
    },
    {
      "max_price": 223,
      "customer_id": "49"
    },
    {
      "max_price": 283,
      "customer_id": "5"
    },
    {
      "max_price": 185,
      "customer_id": "50"
    },
    {
      "max_price": 190,
      "customer_id": "51"
    },
    {
      "max_price": 333,
      "customer_id": "52"
    },
    {
      "max_price": 165,
      "customer_id": "6"
    },
    {
      "max_price": 144,
      "customer_id": "7"
    },
    {
      "max_price": 198,
      "customer_id": "8"
    },
    {
      "max_price": 210,
      "customer_id": "9"
    }
  ],
  "generated_dest_index": {
    "mappings": {
      "_meta": {
        "_transform": {
          "transform": "transform-preview",
          "version": {
            "created": "10.0.0"
          },
          "creation_date_in_millis": 1712948905889
        },
        "created_by": "transform"
      },
      "properties": {
        "max_price": {
          "type": "half_float"
        },
        "customer_id": {
          "type": "keyword"
        }
      }
    },
    "settings": {
      "index": {
        "number_of_shards": "1",
        "auto_expand_replicas": "0-1"
      }
    },
    "aliases": {}
  }
}

Schedule a transform to start now Added in 8.7.0

POST /_transform/{transform_id}/_schedule_now

Api key auth Basic auth Bearer auth

Instantly run a transform to process data. If you run this API, the transform will process the new data instantly, without waiting for the configured frequency interval. After the API is called, the transform will be processed again at now + frequency unless the API is called again in the meantime.

Path parameters

transform_id string Required

Identifier for the transform.

Query parameters

timeout string

Controls the time to wait for the scheduling to take place

Values are -1 or 0.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

POST /_transform/{transform_id}/_schedule_now

curl \
 --request POST 'http://api.example.com/_transform/{transform_id}/_schedule_now' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response when the transform is scheduled to run now.

{
  "acknowledged": true
}

Activate a watch

PUT /_watcher/watch/{watch_id}/_activate

Api key auth Basic auth Bearer auth

A watch can be either active or inactive.

External documentation

Path parameters

watch_id string Required

The watch identifier.

Responses

200 application/json
Hide response attribute Show response attribute object
- status object Required
  
  Hide status attributes Show status attributes object
  
  actions object Required
  
  Hide actions attribute Show actions attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  ack object Required
  
  Hide ack attributes Show ack attributes object
  
  state string Required
  
  Values are awaits_successful_execution, ackable, or acked.
  
  timestamp string
  
  last_execution object
  
  Hide last_execution attributes Show last_execution attributes object
  
  successful boolean Required
  
  timestamp string
  
  reason string
  
  last_successful_execution object
  
  Hide last_successful_execution attributes Show last_successful_execution attributes object
  
  successful boolean Required
  
  timestamp string
  
  reason string
  
  last_throttle object
  
  Hide last_throttle attributes Show last_throttle attributes object
  
  reason string Required
  
  timestamp string
  
  state object Required
  
  Hide state attributes Show state attributes object
  
  active boolean Required
  
  timestamp string | number Required
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  version number Required

PUT /_watcher/watch/{watch_id}/_activate

curl \
 --request PUT 'http://api.example.com/_watcher/watch/{watch_id}/_activate' \
 --header "Authorization: $API_KEY"

Deactivate a watch

PUT /_watcher/watch/{watch_id}/_deactivate

Api key auth Basic auth Bearer auth

A watch can be either active or inactive.

External documentation

Path parameters

watch_id string Required

The watch identifier.

Responses

200 application/json
Hide response attribute Show response attribute object
- status object Required
  
  Hide status attributes Show status attributes object
  
  actions object Required
  
  Hide actions attribute Show actions attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  ack object Required
  
  Hide ack attributes Show ack attributes object
  
  state string Required
  
  Values are awaits_successful_execution, ackable, or acked.
  
  timestamp string
  
  last_execution object
  
  Hide last_execution attributes Show last_execution attributes object
  
  successful boolean Required
  
  timestamp string
  
  reason string
  
  last_successful_execution object
  
  Hide last_successful_execution attributes Show last_successful_execution attributes object
  
  successful boolean Required
  
  timestamp string
  
  reason string
  
  last_throttle object
  
  Hide last_throttle attributes Show last_throttle attributes object
  
  reason string Required
  
  timestamp string
  
  state object Required
  
  Hide state attributes Show state attributes object
  
  active boolean Required
  
  timestamp string | number Required
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  version number Required

PUT /_watcher/watch/{watch_id}/_deactivate

curl \
 --request PUT 'http://api.example.com/_watcher/watch/{watch_id}/_deactivate' \
 --header "Authorization: $API_KEY"

Get Watcher statistics Added in 5.5.0

GET /_watcher/stats/{metric}

Api key auth Basic auth Bearer auth

This API always returns basic metrics. You retrieve more metrics by using the metric parameter.

Path parameters

metric string | array[string] Required

Defines which additional metrics are included in the response.

Supported values include: _all (or all), queued_watches, current_watches, pending_watches

Values are _all, all, queued_watches, current_watches, or pending_watches.

Query parameters

emit_stacktraces boolean

Defines whether stack traces are generated for each watch that is running.
metric string | array[string]

Defines which additional metrics are included in the response.

Supported values include: _all (or all), queued_watches, current_watches, pending_watches

Values are _all, all, queued_watches, current_watches, or pending_watches.

Responses

200 application/json
Hide response attributes Show response attributes object
- _nodes object Required
  
  Hide _nodes attributes Show _nodes attributes object
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  type string Required
  
  The type of error
  
  reason string | null
  
  A human-readable explanation of the error, in English.
  
  One of:
  string-1 string string-2 string | null
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  total number Required
  
  Total number of nodes selected by the request.
  
  successful number Required
  
  Number of nodes that responded successfully to the request.
  
  failed number Required
  
  Number of nodes that rejected the request or failed to respond. If this value is not 0, a reason for the rejection or failure is included in the response.
- cluster_name string Required
- manually_stopped boolean Required
- stats array[object] Required
  
  Hide stats attributes Show stats attributes object
  
  current_watches array[object]
  
  The current executing watches metric gives insight into the watches that are currently being executed by Watcher. Additional information is shared per watch that is currently executing. This information includes the watch_id, the time its execution started and its current execution phase. To include this metric, the metric option should be set to current_watches or _all. In addition you can also specify the emit_stacktraces=true parameter, which adds stack traces for each watch that is being run. These stack traces can give you more insight into an execution of a watch.
  
  Hide current_watches attributes Show current_watches attributes object
  
  execution_time
  
  execution_phase string Required
  
  Values are awaits_execution, started, input, condition, actions, watch_transform, aborted, or finished.
  
  triggered_time
  
  executed_actions array[string]
  
  watch_id string Required
  
  watch_record_id string Required
  
  execution_thread_pool object Required
  
  Hide execution_thread_pool attributes Show execution_thread_pool attributes object
  
  max_size number Required
  
  The largest size of the execution thread pool, which indicates the largest number of concurrent running watches.
  
  queue_size number Required
  
  The number of watches that were triggered and are currently queued.
  
  queued_watches array[object]
  
  Watcher moderates the execution of watches such that their execution won't put too much pressure on the node and its resources. If too many watches trigger concurrently and there isn't enough capacity to run them all, some of the watches are queued, waiting for the current running watches to finish.s The queued watches metric gives insight on these queued watches.
  
  To include this metric, the metric option should include queued_watches or _all.
  
  Hide queued_watches attribute Show queued_watches attribute object
  
  execution_time string
  
  watch_count number Required
  
  The number of watches currently registered.
  
  watcher_state string Required
  
  Values are stopped, starting, started, or stopping.
  
  node_id string Required

GET /_watcher/stats/{metric}

GET _watcher/stats

curl \
 --request GET 'http://api.example.com/_watcher/stats/{metric}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _watcher/stats`.

{
  "watcher_state": "started",  
  "watch_count": 1, 
  "execution_thread_pool": {
    "size": 1000, 
    "max_size": 1 
  }
}

A successful response from `GET _watcher/stats?metric=current_watches`.

{
  "watcher_state": "started",
  "watch_count": 2,
  "execution_thread_pool": {
      "queue_size": 1000,
      "max_size": 20
  },
  "current_watches": [ 
      {
        "watch_id": "slow_condition", 
        "watch_record_id": "slow_condition_3-2015-05-13T07:42:32.179Z", 
        "triggered_time": "2015-05-12T11:53:51.800Z", 
        "execution_time": "2015-05-13T07:42:32.179Z", 
        "execution_phase": "condition" 
      }
  ]
}

An abbreviated response from `GET _watcher/stats/queued_watches`.

{
  "watcher_state": "started",
  "watch_count": 10,
  "execution_thread_pool": {
      "queue_size": 1000,
      "max_size": 20
  },
  "queued_watches": [ 
        {
            "watch_id": "slow_condition4", 
            "watch_record_id": "slow_condition4_223-2015-05-21T11:59:59.811Z", 
            "triggered_time": "2015-05-21T11:59:59.811Z", 
            "execution_time": "2015-05-21T11:59:59.811Z" 
        }
  ]
}

Create or update an autoscaling policy Added in 7.11.0

Body Required

Get the autoscaling capacity Added in 7.11.0

Get component templates Added in 5.1.0

version string | null Required

epoch number | string

disk.total number | string

disk.used number | string

disk.avail number | string

disk.used_percent string | number

heap.percent string | number

ram.percent string | number

file_desc.percent string | number

size number | string

size.memory number | string

Get snapshot information Added in 2.1.0

start_epoch number | string

start_time string | object

end_epoch number | string

Explain the shard allocations Added in 5.0.0

at string | number Required

Get remote cluster information Added in 6.1.0

Reroute the cluster Added in 5.0.0

Get the cluster state Added in 1.3.0

Get the cluster state Added in 1.3.0

Activate the connector draft filter Technical preview

Update the connector draft filtering validation Technical preview

Body Required

Update the connector is_native flag Beta

Body Required

Downsample an index Technical preview

Body Required

Create a new document in the index Added in 5.0.0

Body Required

reason string | null

Create a new document in the index Added in 5.0.0

Body Required

reason string | null

reason string | null

Get the async EQL status Added in 7.9.0

Get the features Added in 7.12.0

Run multiple Fleet searches Technical preview

Body object Required

_source boolean | object

filter object | array[object]

filter object | array[object]

filter object | array[object]

filter object | array[object]

filter object | array[object]

ruleset_ids string | array[string] Required

filter object | array[object]

filter object | array[object]

filter object | array[object]

source string | object

lang string

source string | object

lang string

Create or update a component template Added in 7.8.0

Body Required

source string | object

lang string

text string | array[string]

Get index templates Added in 7.9.0

data_stream_options object | string | null