[role="xpack"]
[testenv="platinum"]
[[ml-update-datafeed]]
=== Update {dfeeds} API

[subs="attributes"]
++++
<titleabbrev>Update {dfeeds}</titleabbrev>
++++

Updates certain properties of a {dfeed}.

[[ml-update-datafeed-request]]
==== {api-request-title}

`POST _ml/datafeeds/<feed_id>/_update`

[[ml-update-datafeed-prereqs]]
==== {api-prereq-title}

* If {es} {security-features} are enabled, you must have `manage_ml` or `manage`
cluster privileges to use this API. See
<<security-privileges>>.

[[ml-update-datafeed-desc]]
==== {api-description-title}

If you update a {dfeed} property, you must stop and start the {dfeed} for the
change to be applied.

IMPORTANT: When {es} {security-features} are enabled, your {dfeed} remembers
which roles the user who updated it had at the time of update and runs the query
using those same roles.

[[ml-update-datafeed-path-parms]]
==== {api-path-parms-title}

`<feed_id>`::
(Required, string) Identifier for the {dfeed}.

[[ml-update-datafeed-request-body]]
==== {api-request-body-title}

The following properties can be updated after the {dfeed} is created:

`aggregations`::
(Optional, object) If set, the {dfeed} performs aggregation searches. For more
information, see <<ml-datafeed-resource>>.

`chunking_config`::
(Optional, object) Specifies how data searches are split into time chunks. See
<<ml-datafeed-chunking-config>>.

`delayed_data_check_config`::
(Optional, object) Specifies whether the {dfeed} checks for missing data and
the size of the window. See <<ml-datafeed-delayed-data-check-config>>.

`frequency`::
(Optional, <<time-units, time units>>) The interval at which scheduled queries
are made while the {dfeed} runs in real time. The default value is either the
bucket span for short bucket spans, or, for longer bucket spans, a sensible
fraction of the bucket span. For example: `150s`.

`indices`::
(Optional, array) An array of index names. Wildcards are supported. For
example: `["it_ops_metrics", "server*"]`.

`query`::
(Optional, object) The {es} query domain-specific language (DSL). This value
corresponds to the query object in an {es} search POST body. All the options
that are supported by {es} can be used, as this object is passed verbatim to
{es}. By default, this property has the following value:
`{"match_all": {"boost": 1}}`.
+
--
WARNING: If you change the query, the analyzed data also changes, so the time
required to learn might be long and the understandability of the results is
unpredictable.
If you want to make significant changes to the source data, we recommend that
you clone it and create a second job containing the amendments. Let both run in
parallel and close one when you are satisfied with the results of the other job.
--

`query_delay`::
(Optional, <<time-units, time units>>) The number of seconds behind real-time
that data is queried. For example, if data from 10:04 a.m. might not be
searchable in {es} until 10:06 a.m., set this property to 120 seconds. The
default value is `60s`.

`script_fields`::
(Optional, object) Specifies scripts that evaluate custom expressions and
return script fields to the {dfeed}. The
<<ml-detectorconfig,detector configuration objects>> in a job can contain
functions that use these script fields. For more information, see
<<request-body-search-script-fields,Script fields>>.

`scroll_size`::
(Optional, unsigned integer) The `size` parameter that is used in {es}
searches. The default value is `1000`.

`max_empty_searches`::
(Optional, integer) If a real-time {dfeed} has never seen any data (including
during any initial training period), then it will automatically stop itself
and close its associated job after this many real-time searches that return
no documents. In other words, it will stop after `frequency` times
`max_empty_searches` of real-time operation. If not set,
then a {dfeed} with no end time that sees no data will remain started until
it is explicitly stopped. The special value `-1` unsets this setting.

For more information about these properties, see <<ml-datafeed-resource>>.

[[ml-update-datafeed-example]]
==== {api-examples-title}

The following example updates the query for the `datafeed-total-requests`
{dfeed} so that only log entries of error level are analyzed:

[source,console]
--------------------------------------------------
POST _ml/datafeeds/datafeed-total-requests/_update
{
  "query": {
    "term": {
      "level": "error"
    }
  }
}
--------------------------------------------------
// TEST[skip:setup:server_metrics_datafeed]

When the {dfeed} is updated, you receive the full {dfeed} configuration with
the updated values:

[source,console-result]
----
{
  "datafeed_id": "datafeed-total-requests",
  "job_id": "total-requests",
  "query_delay": "83474ms",
  "indices": ["server-metrics"],
  "query": {
    "term": {
      "level": {
        "value": "error",
        "boost": 1.0
      }
    }
  },
  "scroll_size": 1000,
  "chunking_config": {
    "mode": "auto"
  }
}
----
// TESTRESPONSE[s/"query.boost": "1.0"/"query.boost": $body.query.boost/]
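
The description above says an update only takes effect after the datafeed is stopped and started, and the request body section limits which properties can change. The following sketch is an added example, not part of the Elasticsearch documentation or code base: it rejects bodies containing properties this page does not list as updatable, builds the stop, update, start request sequence, and computes the `frequency` times `max_empty_searches` window. The function names are hypothetical, the `_stop` and `_start` paths are the separate stop and start datafeed APIs, and nothing is sent to a cluster.

```python
import re
from urllib.parse import quote

# Properties this page lists as updatable after the datafeed is created.
UPDATABLE = frozenset({
    "aggregations", "chunking_config", "delayed_data_check_config",
    "frequency", "indices", "query", "query_delay", "script_fields",
    "scroll_size", "max_empty_searches",
})
# Subset of Elasticsearch time units handled by this example (assumption).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def to_seconds(value):
    """Convert a time-unit string such as '150s' to whole seconds."""
    match = re.fullmatch(r"(\d+)(s|m|h|d)", value)
    if match is None:
        raise ValueError(f"unsupported time value: {value!r}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def plan_update(feed_id, body):
    """Return (method, path, body) tuples: stop, update, then start."""
    rejected = sorted(set(body) - UPDATABLE)
    if rejected:
        raise ValueError(f"not updatable through _update: {rejected}")
    # Percent-encode the identifier so it cannot add path segments.
    base = f"_ml/datafeeds/{quote(feed_id, safe='')}"
    return [
        ("POST", f"{base}/_stop", None),
        ("POST", f"{base}/_update", body),
        ("POST", f"{base}/_start", None),
    ]


def idle_stop_seconds(frequency, max_empty_searches):
    """Seconds of real-time operation before a datafeed that has never
    seen data stops itself; None when -1 unsets the setting."""
    if max_empty_searches == -1:
        return None
    return to_seconds(frequency) * max_empty_searches


if __name__ == "__main__":
    # Constructed sample: the update body from this page's example.
    for step in plan_update("datafeed-total-requests",
                            {"query": {"term": {"level": "error"}}}):
        print(step)
    print(idle_stop_seconds("150s", 10))
```

Because the datafeed runs its query with the roles of whoever last updated it, send the `_update` step with the account whose roles the datafeed should keep.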