Halaman utama Jelajahi Bantuan
Daftar Masuk
lqb
/
elasticsearch
cermin dari https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Berkas Masalah 0 Wiki
Pohon: 86d568ff26
Ranting Tag
elasticsearch
/
docs
/
reference
/
data-streams
/
downsampling-manual.asciidoc

downsampling-manual.asciidoc 23 KB
Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638 
  1. [[downsampling-manual]]
    2. 

  2. === Run downsampling manually
    3. 

  3. ++++
    4. 

  4. <titleabbrev>Run downsampling manually</titleabbrev>
    5. 

  5. ++++
    6. 

  6. 

  7. ////
    8. 

  8. [source,console]
    9. 

  9. ----
    10. 

  10. DELETE _data_stream/my-data-stream
    11. 

  11. DELETE _index_template/my-data-stream-template
    12. 

  12. DELETE _ingest/pipeline/my-timestamp-pipeline
    13. 

  13. ----
    14. 

  14. // TEARDOWN
    15. 

  15. ////
    16. 

  16. 

  17. The recommended way to <<downsampling,downsample>> a <<tsds,time-series data stream (TSDS)>> is
    18. 

  18. <<downsampling-ilm,through index lifecycle management (ILM)>>. However, if
    19. 

  19. you're not using ILM, you can downsample a TSDS manually. This guide shows you
    20. 

  20. how, using typical Kubernetes cluster monitoring data.
    21. 

  21. 

  22. To test out manual downsampling, follow these steps:
    23. 

  23. 

  24. . Check the <<downsampling-manual-prereqs,prerequisites>>.
    25. 

  25. . <<downsampling-manual-create-index>>.
    26. 

  26. . <<downsampling-manual-ingest-data>>.
    27. 

  27. . <<downsampling-manual-run>>.
    28. 

  28. . <<downsampling-manual-view-results>>.
    29. 

  29. 

  30. [discrete]
    31. 

  31. [[downsampling-manual-prereqs]]
    32. 

  32. ==== Prerequisites
    33. 

  33. 

  34. * Refer to the <<tsds-prereqs,TSDS prerequisites>>.
    35. 

  35. * It is not possible to downsample a <<data-streams,data stream>> directly, nor
    36. 

  36. multiple indices at once. It's only possible to downsample one time series index
    37. 

  37. (TSDS backing index).
    38. 

  38. * In order to downsample an index, it needs to be read-only. For a TSDS write
    39. 

  39. index, this means it needs to be rolled over and made read-only first.
    40. 

  40. * Downsampling uses UTC timestamps.
    41. 

  41. * Downsampling needs at least one metric field to exist in the time series
    42. 

  42. index.
    43. 

  43. 

  44. [discrete]
    45. 

  45. [[downsampling-manual-create-index]]
    46. 

  46. ==== Create a time series data stream
    47. 

  47. 

  48. First, you'll create a TSDS. For simplicity, in the time series mapping all
    49. 

  49. `time_series_metric` parameters are set to type `gauge`, but
    50. 

  50. <<time-series-metric,other values>> such as `counter` and `histogram` may also
    51. 

  51. be used. The `time_series_metric` values determine the kind of statistical
    52. 

  52. representations that are used during downsampling.
    53. 

  53. 

  54. The index template includes a set of static
    55. 

  55. <<time-series-dimension,time series dimensions>>: `host`, `namespace`,
    56. 

  56. `node`, and `pod`. The time series dimensions are not changed by the
    57. 

  57. downsampling process.
    58. 

  58. 

  59. [source,console]
    60. 

  60. ----
    61. 

  61. PUT _index_template/my-data-stream-template
    62. 

  62. {
    63. 

  63.   "index_patterns": [
    64. 

  64.     "my-data-stream*"
    65. 

  65.   ],
    66. 

  66.   "data_stream": {},
    67. 

  67.   "template": {
    68. 

  68.     "settings": {
    69. 

  69.       "index": {
    70. 

  70.         "mode": "time_series",
    71. 

  71.         "routing_path": [
    72. 

  72.           "kubernetes.namespace",
    73. 

  73.           "kubernetes.host",
    74. 

  74.           "kubernetes.node",
    75. 

  75.           "kubernetes.pod"
    76. 

  76.         ],
    77. 

  77.         "number_of_replicas": 0,
    78. 

  78.         "number_of_shards": 2
    79. 

  79.       }
    80. 

  80.     },
    81. 

  81.     "mappings": {
    82. 

  82.       "properties": {
    83. 

  83.         "@timestamp": {
    84. 

  84.           "type": "date"
    85. 

  85.         },
    86. 

  86.         "kubernetes": {
    87. 

  87.           "properties": {
    88. 

  88.             "container": {
    89. 

  89.               "properties": {
    90. 

  90.                 "cpu": {
    91. 

  91.                   "properties": {
    92. 

  92.                     "usage": {
    93. 

  93.                       "properties": {
    94. 

  94.                         "core": {
    95. 

  95.                           "properties": {
    96. 

  96.                             "ns": {
    97. 

  97.                               "type": "long"
    98. 

  98.                             }
    99. 

  99.                           }
    100. 

  100.                         },
    101. 

  101.                         "limit": {
    102. 

  102.                           "properties": {
    103. 

  103.                             "pct": {
    104. 

  104.                               "type": "float"
    105. 

  105.                             }
    106. 

  106.                           }
    107. 

  107.                         },
    108. 

  108.                         "nanocores": {
    109. 

  109.                           "type": "long",
    110. 

  110.                           "time_series_metric": "gauge"
    111. 

  111.                         },
    112. 

  112.                         "node": {
    113. 

  113.                           "properties": {
    114. 

  114.                             "pct": {
    115. 

  115.                               "type": "float"
    116. 

  116.                             }
    117. 

  117.                           }
    118. 

  118.                         }
    119. 

  119.                       }
    120. 

  120.                     }
    121. 

  121.                   }
    122. 

  122.                 },
    123. 

  123.                 "memory": {
    124. 

  124.                   "properties": {
    125. 

  125.                     "available": {
    126. 

  126.                       "properties": {
    127. 

  127.                         "bytes": {
    128. 

  128.                           "type": "long",
    129. 

  129.                           "time_series_metric": "gauge"
    130. 

  130.                         }
    131. 

  131.                       }
    132. 

  132.                     },
    133. 

  133.                     "majorpagefaults": {
    134. 

  134.                       "type": "long"
    135. 

  135.                     },
    136. 

  136.                     "pagefaults": {
    137. 

  137.                       "type": "long",
    138. 

  138.                       "time_series_metric": "gauge"
    139. 

  139.                     },
    140. 

  140.                     "rss": {
    141. 

  141.                       "properties": {
    142. 

  142.                         "bytes": {
    143. 

  143.                           "type": "long",
    144. 

  144.                           "time_series_metric": "gauge"
    145. 

  145.                         }
    146. 

  146.                       }
    147. 

  147.                     },
    148. 

  148.                     "usage": {
    149. 

  149.                       "properties": {
    150. 

  150.                         "bytes": {
    151. 

  151.                           "type": "long",
    152. 

  152.                           "time_series_metric": "gauge"
    153. 

  153.                         },
    154. 

  154.                         "limit": {
    155. 

  155.                           "properties": {
    156. 

  156.                             "pct": {
    157. 

  157.                               "type": "float"
    158. 

  158.                             }
    159. 

  159.                           }
    160. 

  160.                         },
    161. 

  161.                         "node": {
    162. 

  162.                           "properties": {
    163. 

  163.                             "pct": {
    164. 

  164.                               "type": "float"
    165. 

  165.                             }
    166. 

  166.                           }
    167. 

  167.                         }
    168. 

  168.                       }
    169. 

  169.                     },
    170. 

  170.                     "workingset": {
    171. 

  171.                       "properties": {
    172. 

  172.                         "bytes": {
    173. 

  173.                           "type": "long",
    174. 

  174.                           "time_series_metric": "gauge"
    175. 

  175.                         }
    176. 

  176.                       }
    177. 

  177.                     }
    178. 

  178.                   }
    179. 

  179.                 },
    180. 

  180.                 "name": {
    181. 

  181.                   "type": "keyword"
    182. 

  182.                 },
    183. 

  183.                 "start_time": {
    184. 

  184.                   "type": "date"
    185. 

  185.                 }
    186. 

  186.               }
    187. 

  187.             },
    188. 

  188.             "host": {
    189. 

  189.               "type": "keyword",
    190. 

  190.               "time_series_dimension": true
    191. 

  191.             },
    192. 

  192.             "namespace": {
    193. 

  193.               "type": "keyword",
    194. 

  194.               "time_series_dimension": true
    195. 

  195.             },
    196. 

  196.             "node": {
    197. 

  197.               "type": "keyword",
    198. 

  198.               "time_series_dimension": true
    199. 

  199.             },
    200. 

  200.             "pod": {
    201. 

  201.               "type": "keyword",
    202. 

  202.               "time_series_dimension": true
    203. 

  203.             }
    204. 

  204.           }
    205. 

  205.         }
    206. 

  206.       }
    207. 

  207.     }
    208. 

  208.   }
    209. 

  209. }
    210. 

  210. ----
    211. 

  211. 

  212. [discrete]
    213. 

  213. [[downsampling-manual-ingest-data]]
    214. 

  214. ==== Ingest time series data
    215. 

  215. 

  216. Because time series data streams have been designed to
    217. 

  217. <<tsds-accepted-time-range,only accept recent data>>, in this example, you'll
    218. 

  218. use an ingest pipeline to time-shift the data as it gets indexed. As a result,
    219. 

  219. the indexed data will have an `@timestamp` from the last 15 minutes.
    220. 

  220. 

  221. Create the pipeline with this request:
    222. 

  222. 

  223. [source,console]
    224. 

  224. ----
    225. 

  225. PUT _ingest/pipeline/my-timestamp-pipeline
    226. 

  226. {
    227. 

  227.   "description": "Shifts the @timestamp to the last 15 minutes",
    228. 

  228.   "processors": [
    229. 

  229.     {
    230. 

  230.       "set": {
    231. 

  231.         "field": "ingest_time",
    232. 

  232.         "value": "{{_ingest.timestamp}}"
    233. 

  233.       }
    234. 

  234.     },
    235. 

  235.     {
    236. 

  236.       "script": {
    237. 

  237.         "lang": "painless",
    238. 

  238.         "source": """
    239. 

  239.           def delta = ChronoUnit.SECONDS.between(
    240. 

  240.             ZonedDateTime.parse("2022-06-21T15:49:00Z"),
    241. 

  241.             ZonedDateTime.parse(ctx["ingest_time"])
    242. 

  242.           );
    243. 

  243.           ctx["@timestamp"] = ZonedDateTime.parse(ctx["@timestamp"]).plus(delta,ChronoUnit.SECONDS).toString();
    244. 

  244.         """
    245. 

  245.       }
    246. 

  246.     }
    247. 

  247.   ]
    248. 

  248. }
    249. 

  249. ----
    250. 

  250. // TEST[continued]
    251. 

  251. 

  252. Next, use a bulk API request to automatically create your TSDS and index a set
    253. 

  253. of ten documents:
    254. 

  254. 

  255. [source,console]
    256. 

  256. ----
    257. 

  257. PUT /my-data-stream/_bulk?refresh&pipeline=my-timestamp-pipeline
    258. 

  258. {"create": {}}
    259. 

  259. {"@timestamp":"2022-06-21T15:49:00Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":91153,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":463314616},"usage":{"bytes":307007078,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":585236},"rss":{"bytes":102728},"pagefaults":120901,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    260. 

  260. {"create": {}}
    261. 

  261. {"@timestamp":"2022-06-21T15:45:50Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":124501,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":982546514},"usage":{"bytes":360035574,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1339884},"rss":{"bytes":381174},"pagefaults":178473,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    262. 

  262. {"create": {}}
    263. 

  263. {"@timestamp":"2022-06-21T15:44:50Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":38907,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":862723768},"usage":{"bytes":379572388,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":431227},"rss":{"bytes":386580},"pagefaults":233166,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    264. 

  264. {"create": {}}
    265. 

  265. {"@timestamp":"2022-06-21T15:44:40Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":86706,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":567160996},"usage":{"bytes":103266017,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1724908},"rss":{"bytes":105431},"pagefaults":233166,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    266. 

  266. {"create": {}}
    267. 

  267. {"@timestamp":"2022-06-21T15:44:00Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":150069,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":639054643},"usage":{"bytes":265142477,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1786511},"rss":{"bytes":189235},"pagefaults":138172,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    268. 

  268. {"create": {}}
    269. 

  269. {"@timestamp":"2022-06-21T15:42:40Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":82260,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":854735585},"usage":{"bytes":309798052,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":924058},"rss":{"bytes":110838},"pagefaults":259073,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    270. 

  270. {"create": {}}
    271. 

  271. {"@timestamp":"2022-06-21T15:42:10Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":153404,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":279586406},"usage":{"bytes":214904955,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1047265},"rss":{"bytes":91914},"pagefaults":302252,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    272. 

  272. {"create": {}}
    273. 

  273. {"@timestamp":"2022-06-21T15:40:20Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":125613,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":822782853},"usage":{"bytes":100475044,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":2109932},"rss":{"bytes":278446},"pagefaults":74843,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    274. 

  274. {"create": {}}
    275. 

  275. {"@timestamp":"2022-06-21T15:40:10Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":100046,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":567160996},"usage":{"bytes":362826547,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":1986724},"rss":{"bytes":402801},"pagefaults":296495,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    276. 

  276. {"create": {}}
    277. 

  277. {"@timestamp":"2022-06-21T15:38:30Z","kubernetes":{"host":"gke-apps-0","node":"gke-apps-0-0","pod":"gke-apps-0-0-0","container":{"cpu":{"usage":{"nanocores":40018,"core":{"ns":12828317850},"node":{"pct":2.77905e-05},"limit":{"pct":2.77905e-05}}},"memory":{"available":{"bytes":1062428344},"usage":{"bytes":265142477,"node":{"pct":0.01770037710617187},"limit":{"pct":9.923134671484496e-05}},"workingset":{"bytes":2294743},"rss":{"bytes":340623},"pagefaults":224530,"majorpagefaults":0},"start_time":"2021-03-30T07:59:06Z","name":"container-name-44"},"namespace":"namespace26"}}
    278. 

  278. ----
    279. 

  279. // TEST[continued]
    280. 

  280. 

  281. You can use the search API to check if the documents have been indexed
    282. 

  282. correctly:
    283. 

  283. 

  284. [source,console]
    285. 

  285. ----
    286. 

  286. GET /my-data-stream/_search
    287. 

  287. ----
    288. 

  288. // TEST[continued]
    289. 

  289. 

  290. Run the following aggregation on the data to calculate some interesting
    291. 

  291. statistics:
    292. 

  292. 

  293. [source,console]
    294. 

  294. ----
    295. 

  295. GET /my-data-stream/_search
    296. 

  296. {
    297. 

  297.     "size": 0,
    298. 

  298.     "aggs": {
    299. 

  299.         "tsid": {
    300. 

  300.             "terms": {
    301. 

  301.                 "field": "_tsid"
    302. 

  302.             },
    303. 

  303.             "aggs": {
    304. 

  304.                 "over_time": {
    305. 

  305.                     "date_histogram": {
    306. 

  306.                         "field": "@timestamp",
    307. 

  307.                         "fixed_interval": "1d"
    308. 

  308.                     },
    309. 

  309.                     "aggs": {
    310. 

  310.                         "min": {
    311. 

  311.                             "min": {
    312. 

  312.                                 "field": "kubernetes.container.memory.usage.bytes"
    313. 

  313.                             }
    314. 

  314.                         },
    315. 

  315.                         "max": {
    316. 

  316.                             "max": {
    317. 

  317.                                 "field": "kubernetes.container.memory.usage.bytes"
    318. 

  318.                             }
    319. 

  319.                         },
    320. 

  320.                         "avg": {
    321. 

  321.                             "avg": {
    322. 

  322.                                 "field": "kubernetes.container.memory.usage.bytes"
    323. 

  323.                             }
    324. 

  324.                         }
    325. 

  325.                     }
    326. 

  326.                 }
    327. 

  327.             }
    328. 

  328.         }
    329. 

  329.     }
    330. 

  330. }
    331. 

  331. ----
    332. 

  332. // TEST[continued]
    333. 

  333. 

  334. [discrete]
    335. 

  335. [[downsampling-manual-run]]
    336. 

  336. ==== Downsample the TSDS
    337. 

  337. 

  338. A TSDS can't be downsampled directly. You need to downsample its backing indices
    339. 

  339. instead. You can see the backing index for your data stream by running:
    340. 

  340. 

  341. [source,console]
    342. 

  342. ----
    343. 

  343. GET /_data_stream/my-data-stream
    344. 

  344. ----
    345. 

  345. // TEST[continued]
    346. 

  346. 

  347. This returns:
    348. 

  348. 

  349. [source,console-result]
    350. 

  350. ----
    351. 

  351. {
    352. 

  352.   "data_streams": [
    353. 

  353.     {
    354. 

  354.       "name": "my-data-stream",
    355. 

  355.       "timestamp_field": {
    356. 

  356.         "name": "@timestamp"
    357. 

  357.       },
    358. 

  358.       "indices": [
    359. 

  359.         {
    360. 

  360.           "index_name": ".ds-my-data-stream-2023.07.26-000001", <1>
    361. 

  361.           "index_uuid": "ltOJGmqgTVm4T-Buoe7Acg",
    362. 

  362.           "prefer_ilm": true,
    363. 

  363.           "managed_by": "Unmanaged"
    364. 

  364.         }
    365. 

  365.       ],
    366. 

  366.       "generation": 1,
    367. 

  367.       "status": "GREEN",
    368. 

  368.       "next_generation_managed_by": "Unmanaged",
    369. 

  369.       "prefer_ilm": true,
    370. 

  370.       "template": "my-data-stream-template",
    371. 

  371.       "hidden": false,
    372. 

  372.       "system": false,
    373. 

  373.       "allow_custom_routing": false,
    374. 

  374.       "replicated": false,
    375. 

  375.       "rollover_on_write": false,
    376. 

  376.       "time_series": {
    377. 

  377.         "temporal_ranges": [
    378. 

  378.           {
    379. 

  379.             "start": "2023-07-26T09:26:42.000Z",
    380. 

  380.             "end": "2023-07-26T13:26:42.000Z"
    381. 

  381.           }
    382. 

  382.         ]
    383. 

  383.       }
    384. 

  384.     }
    385. 

  385.   ]
    386. 

  386. }
    387. 

  387. ----
    388. 

  388. // TESTRESPONSE[s/".ds-my-data-stream-2023.07.26-000001"/$body.data_streams.0.indices.0.index_name/]
    389. 

  389. // TESTRESPONSE[s/"ltOJGmqgTVm4T-Buoe7Acg"/$body.data_streams.0.indices.0.index_uuid/]
    390. 

  390. // TESTRESPONSE[s/"2023-07-26T09:26:42.000Z"/$body.data_streams.0.time_series.temporal_ranges.0.start/]
    391. 

  391. // TESTRESPONSE[s/"2023-07-26T13:26:42.000Z"/$body.data_streams.0.time_series.temporal_ranges.0.end/]
    392. 

  392. // TESTRESPONSE[s/"replicated": false/"replicated": false,"failure_store":{"enabled": false, "indices": [], "rollover_on_write": true}/]
    393. 

  393. <1> The backing index for this data stream.
    394. 

  394. 

  395. Before a backing index can be downsampled, the TSDS needs to be rolled over and
    396. 

  396. the old index needs to be made read-only.
    397. 

  397. 

  398. Roll over the TSDS using the <<indices-rollover-index,rollover API>>:
    399. 

  399. 

  400. [source,console]
    401. 

  401. ----
    402. 

  402. POST /my-data-stream/_rollover/
    403. 

  403. ----
    404. 

  404. // TEST[continued]
    405. 

  405. 

  406. Copy the name of the `old_index` from the response. In the following steps,
    407. 

  407. replace the index name with that of your `old_index`.
    408. 

  408. 

  409. The old index needs to be set to read-only mode. Run the following request:
    410. 

  410. 

  411. [source,console]
    412. 

  412. ----
    413. 

  413. PUT /.ds-my-data-stream-2023.07.26-000001/_block/write
    414. 

  414. ----
    415. 

  415. // TEST[skip:We don't know the index name at test time]
    416. 

  416. 

  417. Next, use the <<indices-downsample-data-stream,downsample API>> to downsample
    418. 

  418. the index, setting the time series interval to one hour:
    419. 

  419. 

  420. [source,console]
    421. 

  421. ----
    422. 

  422. POST /.ds-my-data-stream-2023.07.26-000001/_downsample/.ds-my-data-stream-2023.07.26-000001-downsample
    423. 

  423. {
    424. 

  424.   "fixed_interval": "1h"
    425. 

  425. }
    426. 

  426. ----
    427. 

  427. // TEST[skip:We don't know the index name at test time]
    428. 

  428. 

  429. Now you can <<modify-data-streams-api,modify the data stream>>, and replace the
    430. 

  430. original index with the downsampled one:
    431. 

  431. 

  432. [source,console]
    433. 

  433. ----
    434. 

  434. POST _data_stream/_modify
    435. 

  435. {
    436. 

  436.   "actions": [
    437. 

  437.     {
    438. 

  438.       "remove_backing_index": {
    439. 

  439.         "data_stream": "my-data-stream",
    440. 

  440.         "index": ".ds-my-data-stream-2023.07.26-000001"
    441. 

  441.       }
    442. 

  442.     },
    443. 

  443.     {
    444. 

  444.       "add_backing_index": {
    445. 

  445.         "data_stream": "my-data-stream",
    446. 

  446.         "index": ".ds-my-data-stream-2023.07.26-000001-downsample"
    447. 

  447.       }
    448. 

  448.     }
    449. 

  449.   ]
    450. 

  450. }
    451. 

  451. ----
    452. 

  452. // TEST[skip:We don't know the index name at test time]
    453. 

  453. 

  454. You can now delete the old backing index. But be aware this will delete the
    455. 

  455. original data. Don't delete the index if you may need the original data in the
    456. 

  456. future.
    457. 

  457. 

  458. [discrete]
    459. 

  459. [[downsampling-manual-view-results]]
    460. 

  460. ==== View the results
    461. 

  461. 

  462. Re-run the earlier search query (note that when querying downsampled indices
    463. 

  463. there are <<querying-downsampled-indices-notes,a few nuances to be aware of>>):
    464. 

  464. 

  465. [source,console]
    466. 

  466. ----
    467. 

  467. GET /my-data-stream/_search
    468. 

  468. ----
    469. 

  469. // TEST[skip:Because we've skipped the previous steps]
    470. 

  470. 

  471. The TSDS with the new downsampled backing index contains just one document. For
    472. 

  472. counters, this document would only have the last value. For gauges, the field
    473. 

  473. type is now `aggregate_metric_double`. You see the `min`, `max`, `sum`, and
    474. 

  474. `value_count` statistics based off of the original sampled metrics:
    475. 

  475. 

  476. [source,console-result]
    477. 

  477. ----
    478. 

  478. {
    479. 

  479.   "took": 2,
    480. 

  480.   "timed_out": false,
    481. 

  481.   "_shards": {
    482. 

  482.     "total": 4,
    483. 

  483.     "successful": 4,
    484. 

  484.     "skipped": 0,
    485. 

  485.     "failed": 0
    486. 

  486.   },
    487. 

  487.   "hits": {
    488. 

  488.     "total": {
    489. 

  489.       "value": 1,
    490. 

  490.       "relation": "eq"
    491. 

  491.     },
    492. 

  492.     "max_score": 1,
    493. 

  493.     "hits": [
    494. 

  494.       {
    495. 

  495.         "_index": ".ds-my-data-stream-2023.07.26-000001-downsample",
    496. 

  496.         "_id": "0eL0wC_4-45SnTNFAAABiZHbD4A",
    497. 

  497.         "_score": 1,
    498. 

  498.         "_source": {
    499. 

  499.           "@timestamp": "2023-07-26T11:00:00.000Z",
    500. 

  500.           "_doc_count": 10,
    501. 

  501.           "ingest_time": "2023-07-26T11:26:42.715Z",
    502. 

  502.           "kubernetes": {
    503. 

  503.             "container": {
    504. 

  504.               "cpu": {
    505. 

  505.                 "usage": {
    506. 

  506.                   "core": {
    507. 

  507.                     "ns": 12828317850
    508. 

  508.                   },
    509. 

  509.                   "limit": {
    510. 

  510.                     "pct": 0.0000277905
    511. 

  511.                   },
    512. 

  512.                   "nanocores": {
    513. 

  513.                     "min": 38907,
    514. 

  514.                     "max": 153404,
    515. 

  515.                     "sum": 992677,
    516. 

  516.                     "value_count": 10
    517. 

  517.                   },
    518. 

  518.                   "node": {
    519. 

  519.                     "pct": 0.0000277905
    520. 

  520.                   }
    521. 

  521.                 }
    522. 

  522.               },
    523. 

  523.               "memory": {
    524. 

  524.                 "available": {
    525. 

  525.                   "bytes": {
    526. 

  526.                     "min": 279586406,
    527. 

  527.                     "max": 1062428344,
    528. 

  528.                     "sum": 7101494721,
    529. 

  529.                     "value_count": 10
    530. 

  530.                   }
    531. 

  531.                 },
    532. 

  532.                 "majorpagefaults": 0,
    533. 

  533.                 "pagefaults": {
    534. 

  534.                   "min": 74843,
    535. 

  535.                   "max": 302252,
    536. 

  536.                   "sum": 2061071,
    537. 

  537.                   "value_count": 10
    538. 

  538.                 },
    539. 

  539.                 "rss": {
    540. 

  540.                   "bytes": {
    541. 

  541.                     "min": 91914,
    542. 

  542.                     "max": 402801,
    543. 

  543.                     "sum": 2389770,
    544. 

  544.                     "value_count": 10
    545. 

  545.                   }
    546. 

  546.                 },
    547. 

  547.                 "usage": {
    548. 

  548.                   "bytes": {
    549. 

  549.                     "min": 100475044,
    550. 

  550.                     "max": 379572388,
    551. 

  551.                     "sum": 2668170609,
    552. 

  552.                     "value_count": 10
    553. 

  553.                   },
    554. 

  554.                   "limit": {
    555. 

  555.                     "pct": 0.00009923134
    556. 

  556.                   },
    557. 

  557.                   "node": {
    558. 

  558.                     "pct": 0.017700378
    559. 

  559.                   }
    560. 

  560.                 },
    561. 

  561.                 "workingset": {
    562. 

  562.                   "bytes": {
    563. 

  563.                     "min": 431227,
    564. 

  564.                     "max": 2294743,
    565. 

  565.                     "sum": 14230488,
    566. 

  566.                     "value_count": 10
    567. 

  567.                   }
    568. 

  568.                 }
    569. 

  569.               },
    570. 

  570.               "name": "container-name-44",
    571. 

  571.               "start_time": "2021-03-30T07:59:06.000Z"
    572. 

  572.             },
    573. 

  573.             "host": "gke-apps-0",
    574. 

  574.             "namespace": "namespace26",
    575. 

  575.             "node": "gke-apps-0-0",
    576. 

  576.             "pod": "gke-apps-0-0-0"
    577. 

  577.           }
    578. 

  578.         }
    579. 

  579.       }
    580. 

  580.     ]
    581. 

  581.   }
    582. 

  582. }
    583. 

  583. ----
    584. 

  584. // TEST[skip:Because we've skipped the previous step]
    585. 

  585. 

  586. Re-run the earlier aggregation. Even though the aggregation runs on the
    587. 

  587. downsampled TSDS that only contains 1 document, it returns the same results as
    588. 

  588. the earlier aggregation on the original TSDS.
    589. 

  589. 

  590. [source,console]
    591. 

  591. ----
    592. 

  592. GET /my-data-stream/_search
    593. 

  593. {
    594. 

  594.     "size": 0,
    595. 

  595.     "aggs": {
    596. 

  596.         "tsid": {
    597. 

  597.             "terms": {
    598. 

  598.                 "field": "_tsid"
    599. 

  599.             },
    600. 

  600.             "aggs": {
    601. 

  601.                 "over_time": {
    602. 

  602.                     "date_histogram": {
    603. 

  603.                         "field": "@timestamp",
    604. 

  604.                         "fixed_interval": "1d"
    605. 

  605.                     },
    606. 

  606.                     "aggs": {
    607. 

  607.                         "min": {
    608. 

  608.                             "min": {
    609. 

  609.                                 "field": "kubernetes.container.memory.usage.bytes"
    610. 

  610.                             }
    611. 

  611.                         },
    612. 

  612.                         "max": {
    613. 

  613.                             "max": {
    614. 

  614.                                 "field": "kubernetes.container.memory.usage.bytes"
    615. 

  615.                             }
    616. 

  616.                         },
    617. 

  617.                         "avg": {
    618. 

  618.                             "avg": {
    619. 

  619.                                 "field": "kubernetes.container.memory.usage.bytes"
    620. 

  620.                             }
    621. 

  621.                         }
    622. 

  622.                     }
    623. 

  623.                 }
    624. 

  624.             }
    625. 

  625.         }
    626. 

  626.     }
    627. 

  627. }
    628. 

  628. ----
    629. 

  629. // TEST[skip:Because we've skipped the previous steps]
    630. 

  630. 

  631. This example demonstrates how downsampling can dramatically reduce the number of
    632. 

  632. documents stored for time series data, within whatever time boundaries you
    633. 

  633. choose. It's also possible to perform downsampling on already downsampled data,
    634. 

  634. to further reduce storage and associated costs, as the time series data ages and
    635. 

  635. the data resolution becomes less critical.
    636. 

  636. 

  637. The recommended way to downsample a TSDS is with ILM. To learn more, try the
    638. 

  638. <<downsampling-ilm,Run downsampling with ILM>> example.
    639.