Home Explore Help
Sign In
lqb
/
elasticsearch
mirror of https://gitee.com/mirrors/elasticsearch.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: b9707c29a1
Branches Tags
elasticsearch
/
docs
/
reference
/
ml
/
transforms.asciidoc

transforms.asciidoc 15 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592 
  1. [role="xpack"]
    2. 

  2. [[ml-configuring-transform]]
    3. 

  3. === Transforming data with script fields
    4. 

  4. 

  5. If you use {dfeeds}, you can add scripts to transform your data before
    6. 

  6. it is analyzed. {dfeeds-cap} contain an optional `script_fields` property, where
    7. 

  7. you can specify scripts that evaluate custom expressions and return script
    8. 

  8. fields.
    9. 

  9. 

  10. If your {dfeed} defines script fields, you can use those fields in your job.
    11. 

  11. For example, you can use the script fields in the analysis functions in one or
    12. 

  12. more detectors.
    13. 

  13. 

  14. * <<ml-configuring-transform1>>
    15. 

  15. * <<ml-configuring-transform2>>
    16. 

  16. * <<ml-configuring-transform3>>
    17. 

  17. * <<ml-configuring-transform4>>
    18. 

  18. * <<ml-configuring-transform5>>
    19. 

  19. * <<ml-configuring-transform6>>
    20. 

  20. * <<ml-configuring-transform7>>
    21. 

  21. * <<ml-configuring-transform8>>
    22. 

  22. * <<ml-configuring-transform9>>
    23. 

  23. 

  24. The following indices APIs create and add content to an index that is used in
    25. 

  25. subsequent examples:
    26. 

  26. 

  27. [source,js]
    28. 

  28. ----------------------------------
    29. 

  29. PUT /my_index
    30. 

  30. {
    31. 

  31.   "mappings":{
    32. 

  32.     "_doc":{
    33. 

  33.       "properties": {
    34. 

  34.         "@timestamp": {
    35. 

  35.           "type": "date"
    36. 

  36.         },
    37. 

  37.         "aborted_count": {
    38. 

  38.           "type": "long"
    39. 

  39.         },
    40. 

  40.         "another_field": {
    41. 

  41.           "type": "keyword" <1>
    42. 

  42.         },
    43. 

  43.         "clientip": {
    44. 

  44.           "type": "keyword"
    45. 

  45.         },
    46. 

  46.         "coords": {
    47. 

  47.           "properties": {
    48. 

  48.             "lat": {
    49. 

  49.               "type": "keyword"
    50. 

  50.             },
    51. 

  51.             "lon": {
    52. 

  52.               "type": "keyword"
    53. 

  53.             }
    54. 

  54.           }
    55. 

  55.         },
    56. 

  56.         "error_count": {
    57. 

  57.           "type": "long"
    58. 

  58.         },
    59. 

  59.         "query": {
    60. 

  60.           "type": "keyword"
    61. 

  61.         },
    62. 

  62.         "some_field": {
    63. 

  63.           "type": "keyword"
    64. 

  64.         },
    65. 

  65.         "tokenstring1":{
    66. 

  66.           "type":"keyword"
    67. 

  67.         },
    68. 

  68.         "tokenstring2":{
    69. 

  69.           "type":"keyword"
    70. 

  70.         },
    71. 

  71.         "tokenstring3":{
    72. 

  72.           "type":"keyword"
    73. 

  73.         }
    74. 

  74.       }
    75. 

  75.     }
    76. 

  76.   }
    77. 

  77. }
    78. 

  78. 

  79. PUT /my_index/_doc/1
    80. 

  80. {
    81. 

  81.   "@timestamp":"2017-03-23T13:00:00",
    82. 

  82.   "error_count":36320,
    83. 

  83.   "aborted_count":4156,
    84. 

  84.   "some_field":"JOE",
    85. 

  85.   "another_field":"SMITH  ",
    86. 

  86.   "tokenstring1":"foo-bar-baz",
    87. 

  87.   "tokenstring2":"foo bar baz",
    88. 

  88.   "tokenstring3":"foo-bar-19",
    89. 

  89.   "query":"www.ml.elastic.co",
    90. 

  90.   "clientip":"123.456.78.900",
    91. 

  91.   "coords": {
    92. 

  92.     "lat" : 41.44,
    93. 

  93.     "lon":90.5
    94. 

  94.   }
    95. 

  95. }
    96. 

  96. ----------------------------------
    97. 

  97. // CONSOLE
    98. 

  98. // TEST[skip:SETUP]
    99. 

  99. <1> In this example, string fields are mapped as `keyword` fields to support
    100. 

  100. aggregation. If you want both a full text (`text`) and a keyword (`keyword`)
    101. 

  101. version of the same field, use multi-fields. For more information, see
    102. 

  102. {ref}/multi-fields.html[fields].
    103. 

  103. 

  104. [[ml-configuring-transform1]]
    105. 

  105. .Example 1: Adding two numerical fields
    106. 

  106. [source,js]
    107. 

  107. ----------------------------------
    108. 

  108. PUT _xpack/ml/anomaly_detectors/test1
    109. 

  109. {
    110. 

  110.   "analysis_config":{
    111. 

  111.     "bucket_span": "10m",
    112. 

  112.     "detectors":[
    113. 

  113.       {
    114. 

  114.         "function":"mean",
    115. 

  115.         "field_name": "total_error_count", <1>
    116. 

  116.         "detector_description": "Custom script field transformation"
    117. 

  117.       }
    118. 

  118.     ]
    119. 

  119.   },
    120. 

  120.   "data_description": {
    121. 

  121.   "time_field":"@timestamp",
    122. 

  122.   "time_format":"epoch_ms"
    123. 

  123.   }
    124. 

  124. }
    125. 

  125. 

  126. PUT _xpack/ml/datafeeds/datafeed-test1
    127. 

  127. {
    128. 

  128.   "job_id": "test1",
    129. 

  129.   "indices": ["my_index"],
    130. 

  130.   "types": ["_doc"],
    131. 

  131.   "query": {
    132. 

  132.     "match_all": {
    133. 

  133.           "boost": 1
    134. 

  134.     }
    135. 

  135.   },
    136. 

  136.   "script_fields": {
    137. 

  137.     "total_error_count": { <2>
    138. 

  138.       "script": {
    139. 

  139.         "lang": "expression",
    140. 

  140.         "inline": "doc['error_count'].value + doc['aborted_count'].value"
    141. 

  141.       }
    142. 

  142.     }
    143. 

  143.   }
    144. 

  144. }
    145. 

  145. ----------------------------------
    146. 

  146. // CONSOLE
    147. 

  147. // TEST[skip:needs-licence]
    148. 

  148. <1> A script field named `total_error_count` is referenced in the detector
    149. 

  149. within the job.
    150. 

  150. <2> The script field is defined in the {dfeed}.
    151. 

  151. 

  152. This `test1` job contains a detector that uses a script field in a mean analysis
    153. 

  153. function. The `datafeed-test1` {dfeed} defines the script field. It contains a
    154. 

  154. script that adds two fields in the document to produce a "total" error count.
    155. 

  155. 

  156. The syntax for the `script_fields` property is identical to that used by {es}.
    157. 

  157. For more information, see {ref}/search-request-script-fields.html[Script Fields].
    158. 

  158. 

  159. You can preview the contents of the {dfeed} by using the following API:
    160. 

  160. 

  161. [source,js]
    162. 

  162. ----------------------------------
    163. 

  163. GET _xpack/ml/datafeeds/datafeed-test1/_preview
    164. 

  164. ----------------------------------
    165. 

  165. // CONSOLE
    166. 

  166. // TEST[skip:continued]
    167. 

  167. 

  168. In this example, the API returns the following results, which contain a sum of
    169. 

  169. the `error_count` and `aborted_count` values:
    170. 

  170. 

  171. [source,js]
    172. 

  172. ----------------------------------
    173. 

  173. [
    174. 

  174.   {
    175. 

  175.     "@timestamp": 1490274000000,
    176. 

  176.     "total_error_count": 40476
    177. 

  177.   }
    178. 

  178. ]
    179. 

  179. ----------------------------------
    180. 

  180. 

  181. NOTE: This example demonstrates how to use script fields, but it contains
    182. 

  182. insufficient data to generate meaningful results. For a full demonstration of
    183. 

  183. how to create jobs with sample data, see <<ml-getting-started>>.
    184. 

  184. 

  185. You can alternatively use {kib} to create an advanced job that uses script
    186. 

  186. fields. To add the `script_fields` property to your {dfeed}, you must use the
    187. 

  187. **Edit JSON** tab. For example:
    188. 

  188. 

  189. [role="screenshot"]
    190. 

  190. image::images/ml-scriptfields.jpg[Adding script fields to a {dfeed} in {kib}]
    191. 

  191. 

  192. [[ml-configuring-transform-examples]]
    193. 

  193. ==== Common Script Field Examples
    194. 

  194. 

  195. While the possibilities are limitless, there are a number of common scenarios
    196. 

  196. where you might use script fields in your {dfeeds}.
    197. 

  197. 

  198. [NOTE]
    199. 

  199. ===============================
    200. 

  200. Some of these examples use regular expressions. By default, regular
    201. 

  201. expressions are disabled because they circumvent the protection that Painless
    202. 

  202. provides against long running and memory hungry scripts. For more information,
    203. 

  203. see {ref}/modules-scripting-painless.html[Painless Scripting Language].
    204. 

  204. 

  205. Machine learning analysis is case sensitive. For example, "John" is considered
    206. 

  206. to be different than "john". This is one reason you might consider using scripts
    207. 

  207. that convert your strings to upper or lowercase letters.
    208. 

  208. ===============================
    209. 

  209. 

  210. [[ml-configuring-transform2]]
    211. 

  211. .Example 2: Concatenating strings
    212. 

  212. [source,js]
    213. 

  213. --------------------------------------------------
    214. 

  214. PUT _xpack/ml/anomaly_detectors/test2
    215. 

  215. {
    216. 

  216.   "analysis_config":{
    217. 

  217.     "bucket_span": "10m",
    218. 

  218.     "detectors":[
    219. 

  219.       {
    220. 

  220.         "function":"low_info_content",
    221. 

  221.         "field_name":"my_script_field", <1>
    222. 

  222.         "detector_description": "Custom script field transformation"
    223. 

  223.       }
    224. 

  224.     ]
    225. 

  225.   },
    226. 

  226.   "data_description": {
    227. 

  227.   "time_field":"@timestamp",
    228. 

  228.   "time_format":"epoch_ms"
    229. 

  229.   }
    230. 

  230. }
    231. 

  231. 

  232. PUT _xpack/ml/datafeeds/datafeed-test2
    233. 

  233. {
    234. 

  234.   "job_id": "test2",
    235. 

  235.   "indices": ["my_index"],
    236. 

  236.   "types": ["_doc"],
    237. 

  237.   "query": {
    238. 

  238.     "match_all": {
    239. 

  239.           "boost": 1
    240. 

  240.     }
    241. 

  241.   },
    242. 

  242.   "script_fields": {
    243. 

  243.     "my_script_field": {
    244. 

  244.       "script": {
    245. 

  245.         "lang": "painless",
    246. 

  246.         "inline": "doc['some_field'].value + '_' + doc['another_field'].value" <2>
    247. 

  247.       }
    248. 

  248.     }
    249. 

  249.   }
    250. 

  250. }
    251. 

  251. 

  252. GET _xpack/ml/datafeeds/datafeed-test2/_preview
    253. 

  253. --------------------------------------------------
    254. 

  254. // CONSOLE
    255. 

  255. // TEST[skip:needs-licence]
    256. 

  256. <1> The script field has a rather generic name in this case, since it will
    257. 

  257. be used for various tests in the subsequent examples.
    258. 

  258. <2> The script field uses the plus (+) operator to concatenate strings.
    259. 

  259. 

  260. The preview {dfeed} API returns the following results, which show that "JOE"
    261. 

  261. and "SMITH  " have been concatenated and an underscore was added:
    262. 

  262. 

  263. [source,js]
    264. 

  264. ----------------------------------
    265. 

  265. [
    266. 

  266.   {
    267. 

  267.     "@timestamp": 1490274000000,
    268. 

  268.     "my_script_field": "JOE_SMITH  "
    269. 

  269.   }
    270. 

  270. ]
    271. 

  271. ----------------------------------
    272. 

  272. 

  273. [[ml-configuring-transform3]]
    274. 

  274. .Example 3: Trimming strings
    275. 

  275. [source,js]
    276. 

  276. --------------------------------------------------
    277. 

  277. POST _xpack/ml/datafeeds/datafeed-test2/_update
    278. 

  278. {
    279. 

  279.   "script_fields": {
    280. 

  280.     "my_script_field": {
    281. 

  281.       "script": {
    282. 

  282.         "lang": "painless",
    283. 

  283.         "inline": "doc['another_field'].value.trim()" <1>
    284. 

  284.       }
    285. 

  285.     }
    286. 

  286.   }
    287. 

  287. }
    288. 

  288. 

  289. GET _xpack/ml/datafeeds/datafeed-test2/_preview
    290. 

  290. --------------------------------------------------
    291. 

  291. // CONSOLE
    292. 

  292. // TEST[skip:continued]
    293. 

  293. <1> This script field uses the `trim()` function to trim extra white space from a
    294. 

  294. string.
    295. 

  295. 

  296. The preview {dfeed} API returns the following results, which show that "SMITH  "
    297. 

  297. has been trimmed to "SMITH":
    298. 

  298. 

  299. [source,js]
    300. 

  300. ----------------------------------
    301. 

  301. [
    302. 

  302.   {
    303. 

  303.     "@timestamp": 1490274000000,
    304. 

  304.     "my_script_field": "SMITH"
    305. 

  305.   }
    306. 

  306. ]
    307. 

  307. ----------------------------------
    308. 

  308. 

  309. [[ml-configuring-transform4]]
    310. 

  310. .Example 4: Converting strings to lowercase
    311. 

  311. [source,js]
    312. 

  312. --------------------------------------------------
    313. 

  313. POST _xpack/ml/datafeeds/datafeed-test2/_update
    314. 

  314. {
    315. 

  315.   "script_fields": {
    316. 

  316.     "my_script_field": {
    317. 

  317.       "script": {
    318. 

  318.         "lang": "painless",
    319. 

  319.         "inline": "doc['some_field'].value.toLowerCase()" <1>
    320. 

  320.       }
    321. 

  321.     }
    322. 

  322.   }
    323. 

  323. }
    324. 

  324. 

  325. GET _xpack/ml/datafeeds/datafeed-test2/_preview
    326. 

  326. --------------------------------------------------
    327. 

  327. // CONSOLE
    328. 

  328. // TEST[skip:continued]
    329. 

  329. <1> This script field uses the `toLowerCase` function to convert a string to all
    330. 

  330. lowercase letters. Likewise, you can use the `toUpperCase{}` function to convert
    331. 

  331. a string to uppercase letters.
    332. 

  332. 

  333. The preview {dfeed} API returns the following results, which show that "JOE"
    334. 

  334. has been converted to "joe":
    335. 

  335. 

  336. [source,js]
    337. 

  337. ----------------------------------
    338. 

  338. [
    339. 

  339.   {
    340. 

  340.     "@timestamp": 1490274000000,
    341. 

  341.     "my_script_field": "joe"
    342. 

  342.   }
    343. 

  343. ]
    344. 

  344. ----------------------------------
    345. 

  345. 

  346. [[ml-configuring-transform5]]
    347. 

  347. .Example 5: Converting strings to mixed case formats
    348. 

  348. [source,js]
    349. 

  349. --------------------------------------------------
    350. 

  350. POST _xpack/ml/datafeeds/datafeed-test2/_update
    351. 

  351. {
    352. 

  352.   "script_fields": {
    353. 

  353.     "my_script_field": {
    354. 

  354.       "script": {
    355. 

  355.         "lang": "painless",
    356. 

  356.         "inline": "doc['some_field'].value.substring(0, 1).toUpperCase() + doc['some_field'].value.substring(1).toLowerCase()" <1>
    357. 

  357.       }
    358. 

  358.     }
    359. 

  359.   }
    360. 

  360. }
    361. 

  361. 

  362. GET _xpack/ml/datafeeds/datafeed-test2/_preview
    363. 

  363. --------------------------------------------------
    364. 

  364. // CONSOLE
    365. 

  365. // TEST[skip:continued]
    366. 

  366. <1> This script field is a more complicated example of case manipulation. It uses
    367. 

  367. the `subString()` function to capitalize the first letter of a string and
    368. 

  368. converts the remaining characters to lowercase.
    369. 

  369. 

  370. The preview {dfeed} API returns the following results, which show that "JOE"
    371. 

  371. has been converted to "Joe":
    372. 

  372. 

  373. [source,js]
    374. 

  374. ----------------------------------
    375. 

  375. [
    376. 

  376.   {
    377. 

  377.     "@timestamp": 1490274000000,
    378. 

  378.     "my_script_field": "Joe"
    379. 

  379.   }
    380. 

  380. ]
    381. 

  381. ----------------------------------
    382. 

  382. 

  383. [[ml-configuring-transform6]]
    384. 

  384. .Example 6: Replacing tokens
    385. 

  385. [source,js]
    386. 

  386. --------------------------------------------------
    387. 

  387. POST _xpack/ml/datafeeds/datafeed-test2/_update
    388. 

  388. {
    389. 

  389.   "script_fields": {
    390. 

  390.     "my_script_field": {
    391. 

  391.       "script": {
    392. 

  392.         "lang": "painless",
    393. 

  393.         "inline": "/\\s/.matcher(doc['tokenstring2'].value).replaceAll('_')" <1>
    394. 

  394.       }
    395. 

  395.     }
    396. 

  396.   }
    397. 

  397. }
    398. 

  398. 

  399. GET _xpack/ml/datafeeds/datafeed-test2/_preview
    400. 

  400. --------------------------------------------------
    401. 

  401. // CONSOLE
    402. 

  402. // TEST[skip:continued]
    403. 

  403. <1> This script field uses regular expressions to replace white
    404. 

  404. space with underscores.
    405. 

  405. 

  406. The preview {dfeed} API returns the following results, which show that
    407. 

  407. "foo bar baz" has been converted to "foo_bar_baz":
    408. 

  408. 

  409. [source,js]
    410. 

  410. ----------------------------------
    411. 

  411. [
    412. 

  412.   {
    413. 

  413.     "@timestamp": 1490274000000,
    414. 

  414.     "my_script_field": "foo_bar_baz"
    415. 

  415.   }
    416. 

  416. ]
    417. 

  417. ----------------------------------
    418. 

  418. 

  419. [[ml-configuring-transform7]]
    420. 

  420. .Example 7: Regular expression matching and concatenation
    421. 

  421. [source,js]
    422. 

  422. --------------------------------------------------
    423. 

  423. POST _xpack/ml/datafeeds/datafeed-test2/_update
    424. 

  424. {
    425. 

  425.   "script_fields": {
    426. 

  426.     "my_script_field": {
    427. 

  427.       "script": {
    428. 

  428.         "lang": "painless",
    429. 

  429.         "inline": "def m = /(.*)-bar-([0-9][0-9])/.matcher(doc['tokenstring3'].value); return m.find() ? m.group(1) + '_' + m.group(2) : '';" <1>
    430. 

  430.       }
    431. 

  431.     }
    432. 

  432.   }
    433. 

  433. }
    434. 

  434. 

  435. GET _xpack/ml/datafeeds/datafeed-test2/_preview
    436. 

  436. --------------------------------------------------
    437. 

  437. // CONSOLE
    438. 

  438. // TEST[skip:continued]
    439. 

  439. <1> This script field looks for a specific regular expression pattern and emits the
    440. 

  440. matched groups as a concatenated string. If no match is found, it emits an empty
    441. 

  441. string.
    442. 

  442. 

  443. The preview {dfeed} API returns the following results, which show that
    444. 

  444. "foo-bar-19" has been converted to "foo_19":
    445. 

  445. 

  446. [source,js]
    447. 

  447. ----------------------------------
    448. 

  448. [
    449. 

  449.   {
    450. 

  450.     "@timestamp": 1490274000000,
    451. 

  451.     "my_script_field": "foo_19"
    452. 

  452.   }
    453. 

  453. ]
    454. 

  454. ----------------------------------
    455. 

  455. 

  456. [[ml-configuring-transform8]]
    457. 

  457. .Example 8: Splitting strings by domain name
    458. 

  458. [source,js]
    459. 

  459. --------------------------------------------------
    460. 

  460. PUT _xpack/ml/anomaly_detectors/test3
    461. 

  461. {
    462. 

  462.   "description":"DNS tunneling",
    463. 

  463.   "analysis_config":{
    464. 

  464.     "bucket_span": "30m",
    465. 

  465.     "influencers": ["clientip","hrd"],
    466. 

  466.     "detectors":[
    467. 

  467.       {
    468. 

  468.         "function":"high_info_content",
    469. 

  469.         "field_name": "sub",
    470. 

  470.         "over_field_name": "hrd",
    471. 

  471.         "exclude_frequent":"all"
    472. 

  472.       }
    473. 

  473.     ]
    474. 

  474.   },
    475. 

  475.   "data_description": {
    476. 

  476.   "time_field":"@timestamp",
    477. 

  477.   "time_format":"epoch_ms"
    478. 

  478.   }
    479. 

  479. }
    480. 

  480. 

  481. PUT _xpack/ml/datafeeds/datafeed-test3
    482. 

  482. {
    483. 

  483.   "job_id": "test3",
    484. 

  484.   "indices": ["my_index"],
    485. 

  485.   "types": ["_doc"],
    486. 

  486.   "query": {
    487. 

  487.     "match_all": {
    488. 

  488.           "boost": 1
    489. 

  489.     }
    490. 

  490.   },
    491. 

  491.   "script_fields":{
    492. 

  492.     "sub":{
    493. 

  493.       "script":"return domainSplit(doc['query'].value).get(0);"
    494. 

  494.     },
    495. 

  495.     "hrd":{
    496. 

  496.       "script":"return domainSplit(doc['query'].value).get(1);"
    497. 

  497.     }
    498. 

  498.   }
    499. 

  499. }
    500. 

  500. 

  501. GET _xpack/ml/datafeeds/datafeed-test3/_preview
    502. 

  502. --------------------------------------------------
    503. 

  503. // CONSOLE
    504. 

  504. // TEST[skip:needs-licence]
    505. 

  505. 

  506. If you have a single field that contains a well-formed DNS domain name, you can
    507. 

  507. use the `domainSplit()` function to split the string into its highest registered
    508. 

  508. domain and the sub-domain, which is everything to the left of the highest
    509. 

  509. registered domain. For example, the highest registered domain of
    510. 

  510. `www.ml.elastic.co` is `elastic.co` and the sub-domain is `www.ml`. The
    511. 

  511. `domainSplit()` function returns an array of two values: the first value is the
    512. 

  512. subdomain; the second value is the highest registered domain.
    513. 

  513. 

  514. The preview {dfeed} API returns the following results, which show that
    515. 

  515. "www.ml.elastic.co" has been split into "elastic.co" and "www.ml":
    516. 

  516. 

  517. [source,js]
    518. 

  518. ----------------------------------
    519. 

  519. [
    520. 

  520.   {
    521. 

  521.     "@timestamp": 1490274000000,
    522. 

  522.     "clientip.keyword": "123.456.78.900",
    523. 

  523.     "hrd": "elastic.co",
    524. 

  524.     "sub": "www.ml"
    525. 

  525.   }
    526. 

  526. ]
    527. 

  527. ----------------------------------
    528. 

  528. 

  529. [[ml-configuring-transform9]]
    530. 

  530. .Example 9: Transforming geo_point data
    531. 

  531. [source,js]
    532. 

  532. --------------------------------------------------
    533. 

  533. PUT _xpack/ml/anomaly_detectors/test4
    534. 

  534. {
    535. 

  535.   "analysis_config":{
    536. 

  536.     "bucket_span": "10m",
    537. 

  537.     "detectors":[
    538. 

  538.       {
    539. 

  539.         "function":"lat_long",
    540. 

  540.         "field_name": "my_coordinates"
    541. 

  541.       }
    542. 

  542.     ]
    543. 

  543.   },
    544. 

  544.   "data_description": {
    545. 

  545.   "time_field":"@timestamp",
    546. 

  546.   "time_format":"epoch_ms"
    547. 

  547.   }
    548. 

  548. }
    549. 

  549. 

  550. PUT _xpack/ml/datafeeds/datafeed-test4
    551. 

  551. {
    552. 

  552.   "job_id": "test4",
    553. 

  553.   "indices": ["my_index"],
    554. 

  554.   "types": ["_doc"],
    555. 

  555.   "query": {
    556. 

  556.     "match_all": {
    557. 

  557.           "boost": 1
    558. 

  558.     }
    559. 

  559.   },
    560. 

  560.   "script_fields": {
    561. 

  561.     "my_coordinates": {
    562. 

  562.       "script": {
    563. 

  563.         "inline": "doc['coords.lat'].value + ',' + doc['coords.lon'].value",
    564. 

  564.         "lang": "painless"
    565. 

  565.       }
    566. 

  566.     }
    567. 

  567.   }
    568. 

  568. }
    569. 

  569. 

  570. GET _xpack/ml/datafeeds/datafeed-test4/_preview
    571. 

  571. --------------------------------------------------
    572. 

  572. // CONSOLE
    573. 

  573. // TEST[skip:needs-licence]
    574. 

  574. 

  575. In {es}, location data can be stored in `geo_point` fields but this data type is
    576. 

  576. not supported natively in {xpackml} analytics. This example of a script field
    577. 

  577. transforms the data into an appropriate format. For more information,
    578. 

  578. see <<ml-geo-functions>>.
    579. 

  579. 

  580. The preview {dfeed} API returns the following results, which show that
    581. 

  581. `41.44` and `90.5` have been combined into "41.44,90.5":
    582. 

  582. 

  583. [source,js]
    584. 

  584. ----------------------------------
    585. 

  585. [
    586. 

  586.   {
    587. 

  587.     "@timestamp": 1490274000000,
    588. 

  588.     "my_coordinates": "41.44,90.5"
    589. 

  589.   }
    590. 

  590. ]
    591. 

  591. ----------------------------------
    592. 

  592.