| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406 | [role="xpack"][[set-up-a-data-stream]]== Set up a data streamTo set up a data stream, follow these steps:. Check the <<data-stream-prereqs, prerequisites>>.. <<configure-a-data-stream-ilm-policy>>.. <<create-a-data-stream-template>>.. <<create-a-data-stream>>.. <<get-info-about-a-data-stream>> to verify it exists.. <<secure-a-data-stream>>.After you set up a data stream, you can <<use-a-data-stream, use the datastream>> for indexing, searches, and other supported operations.If you no longer need it, you can <<delete-a-data-stream,delete a data stream>>and its backing indices.[discrete][[data-stream-prereqs]]=== Prerequisites* {es} data streams are intended for time series data only. Each documentindexed to a data stream must contain the `@timestamp` field. This field must bemapped as a <<date,`date`>> or <<date_nanos,`date_nanos`>> field data type.* Data streams are best suited for time-based,<<data-streams-append-only,append-only>> use cases. If you frequently need toupdate or delete existing documents, we recommend using an index alias and anindex template instead.[discrete][[configure-a-data-stream-ilm-policy]]=== Optional: Configure an {ilm-init} lifecycle policy for a data streamYou can use <<index-lifecycle-management,{ilm} ({ilm-init})>> to automaticallymanage a data stream's backing indices. For example, you could use {ilm-init}to:* Spin up a new write index for the data stream when the current one reaches a  certain size or age.* Move older backing indices to slower, less expensive hardware.* Delete stale backing indices to enforce data retention standards.To use {ilm-init} with a data stream, you must<<set-up-lifecycle-policy,configure a lifecycle policy>>. This lifecycle policyshould contain the automated actions to take on backing indices and thetriggers for such actions.TIP: While optional, we recommend using {ilm-init} to manage the backing indicesassociated with a data stream.You can create the policy through the Kibana UI. In Kibana, open the menu and goto *Stack Management > Index Lifecycle Policies*. Click *Index LifecyclePolicies*.[role="screenshot"]image::images/ilm/create-policy.png[Index Lifecycle Policies page]You can also create a policy using the <<ilm-put-lifecycle,create lifecyclepolicy API>>.The following request configures the `my-data-stream-policy` lifecycle policy.The policy uses the <<ilm-rollover,`rollover` action>> to create anew <<data-stream-write-index,write index>> for the data stream when the currentone reaches 25GB in size. The policy also deletes backing indices 30 days aftertheir rollover.[source,console]----PUT /_ilm/policy/my-data-stream-policy{  "policy": {    "phases": {      "hot": {        "actions": {          "rollover": {            "max_size": "25GB"          }        }      },      "delete": {        "min_age": "30d",        "actions": {          "delete": {}        }      }    }  }}----[discrete][[create-a-data-stream-template]]=== Create an index template for a data streamA data stream uses an index template to configure its backing indices. Atemplate for a data stream must specify:* One or more index patterns that match the name of the stream.* The mappings and settings for the stream's backing indices.* That the template is used exclusively for data streams.* A priority for the template.[IMPORTANT]===={es} has built-in index templates for the `metrics-*-*` and `logs-*-*` indexpatterns, each with a priority of `100`.{ingest-guide}/ingest-management-overview.html[{agent}] uses these templates tocreate data streams. If you use {agent}, assign your index templates a prioritylower than `100` to avoid overriding the built-in templates.Otherwise, to avoid accidentally applying the built-in templates, use anon-overlapping index pattern or assign templates with an overlapping pattern a`priority` higher than `100`.For example, if you don't use {agent} and want to create a template for the`logs-*` index pattern, assign your template a priority of `200`. This ensuresyour template is applied instead of the built-in template for `logs-*-*`.====Every document indexed to a data stream must have a `@timestamp` field. Thisfield can be mapped as a <<date,`date`>> or <<date_nanos,`date_nanos`>> fielddata type by the stream's index template. This mapping can include other<<mapping-params,mapping parameters>>, such as <<mapping-date-format,`format`>>.If the template does not specify a mapping, the `@timestamp` field is mapped asa `date` field  with default options.We recommend using {ilm-init} to manage a data stream's backing indices. Specifythe name of the lifecycle policy with the `index.lifecycle.name` setting.TIP: We recommend you carefully consider which mappings and settings to includein this template before creating a data stream. Later changes to the mappings orsettings of a stream's backing indices may require reindexing. See<<data-streams-change-mappings-and-settings>>.You can create an index template through the Kibana UI:. From Kibana, open the menu and go to *Stack Management > Index Management*.. In the *Index Templates* tab, click *Create template*.. In the Create template wizard, use the *Data stream* toggle to indicate thetemplate is used exclusively for data streams.[role="screenshot"]image::images/data-streams/create-index-template.png[Create template page]You can also create a template using the <<indices-put-template,put indextemplate API>>. The template must include a `data_stream` object with an emptybody (`{ }`). This object indicates the template is used exclusively for datastreams.The following request configures the `my-data-stream-template` index template.Because no field mapping is specified, the `@timestamp` field uses the `date`field data type by default.[source,console]----PUT /_index_template/my-data-stream-template{  "index_patterns": [ "my-data-stream*" ],  "data_stream": { },  "priority": 200,  "template": {    "settings": {      "index.lifecycle.name": "my-data-stream-policy"    }  }}----// TEST[continued]Alternatively, the following template maps `@timestamp` as a `date_nanos` field.[source,console]----PUT /_index_template/my-data-stream-template{  "index_patterns": [ "my-data-stream*" ],  "data_stream": { },  "priority": 200,  "template": {    "mappings": {      "properties": {        "@timestamp": { "type": "date_nanos" }    <1>      }    },    "settings": {      "index.lifecycle.name": "my-data-stream-policy"    }  }}----// TEST[continued]<1> Maps `@timestamp` as a `date_nanos` field. You can include other supportedmapping parameters in this field mapping.NOTE: You cannot delete an index template that's in use by a data stream.This would prevent the data stream from creating new backing indices.[discrete][[create-a-data-stream]]=== Create a data streamYou can create a data stream using one of two methods:* <<index-documents-to-create-a-data-stream>>* <<manually-create-a-data-stream>>[discrete][[index-documents-to-create-a-data-stream]]====  Index documents to create a data streamYou can automatically create a data stream using an indexing request. Submit an <<add-documents-to-a-data-stream,indexing request>> to a targetmatching the index pattern defined in the template's `index_patterns`property.If the indexing request's target doesn't exist, {es} creates the data stream anduses the target name as the name for the stream.NOTE: Data streams support only specific types of indexing requests. See<<add-documents-to-a-data-stream>>.The following <<docs-index_,index API>> request targets `my-data-stream`, whichmatches the index pattern for `my-data-stream-template`. Becauseno existing index or data stream uses this name, this request creates the`my-data-stream` data stream and indexes the document to it.[source,console]----POST /my-data-stream/_doc/{  "@timestamp": "2020-12-06T11:04:05.000Z",  "user": {    "id": "vlb44hny"  },  "message": "Login attempt failed"}----// TEST[continued]The API returns the following response. Note the `_index` property contains`.ds-my-data-stream-000001`, indicating the document was indexed to the writeindex of the new data stream.[source,console-result]----{  "_index": ".ds-my-data-stream-000001",  "_id": "qecQmXIBT4jB8tq1nG0j",  "_version": 1,  "result": "created",  "_shards": {    "total": 2,    "successful": 1,    "failed": 0  },  "_seq_no": 0,  "_primary_term": 1}----// TESTRESPONSE[s/"_id": "qecQmXIBT4jB8tq1nG0j"/"_id": $body._id/][discrete][[manually-create-a-data-stream]]====  Manually create a data streamYou can use the <<indices-create-data-stream,create data stream API>> tomanually create a data stream. The name of the data stream must match the indexpattern defined in the template's `index_patterns` property.The following create data stream request targets `my-data-stream-alt`, whichmatches the index pattern for `my-data-stream-template`. Becauseno existing index or data stream uses this name, this request creates the`my-data-stream-alt` data stream.[source,console]----PUT /_data_stream/my-data-stream-alt----// TEST[continued][discrete][[get-info-about-a-data-stream]]=== Get information about a data streamTo view information about a data stream in Kibana, open the menu and go to*Stack Management > Index Management*. In the *Data Streams* tab, click a datastream's name to view information about the stream.[role="screenshot"]image::images/data-streams/data-streams-list.png[Data Streams tab]You can also use the <<indices-get-data-stream,get data stream API>> to retrievethe following information about one or more data streams:* The current backing indices, which is returned as an array. The last item in  the array contains information about the stream's current write index.* The current generation* The data stream's health status* The index template used to create the stream's backing indices* The current {ilm-init} lifecycle policy in the stream's matching indextemplateThe following get data stream API request retrieves information about`my-data-stream`.////[source,console]----POST /my-data-stream/_rollover/----// TEST[continued]////[source,console]----GET /_data_stream/my-data-stream----// TEST[continued]The API returns the following response. Note the `indices` property contains anarray of the stream's current backing indices. The last item in this arraycontains information about the stream's write index, `.ds-my-data-stream-000002`.[source,console-result]----{  "data_streams": [    {      "name": "my-data-stream",      "timestamp_field": {        "name": "@timestamp"      },      "indices": [        {          "index_name": ".ds-my-data-stream-000001",          "index_uuid": "krR78LfvTOe6gr5dj2_1xQ"        },        {          "index_name": ".ds-my-data-stream-000002",        <1>          "index_uuid": "C6LWyNJHQWmA08aQGvqRkA"        }      ],      "generation": 2,      "status": "GREEN",      "template": "my-data-stream-template",      "ilm_policy": "my-data-stream-policy"    }  ]}----// TESTRESPONSE[s/"index_uuid": "krR78LfvTOe6gr5dj2_1xQ"/"index_uuid": $body.data_streams.0.indices.0.index_uuid/]// TESTRESPONSE[s/"index_uuid": "C6LWyNJHQWmA08aQGvqRkA"/"index_uuid": $body.data_streams.0.indices.1.index_uuid/]// TESTRESPONSE[s/"status": "GREEN"/"status": "YELLOW"/]<1> Last item in the `indices` array for `my-data-stream`. Thisitem contains information about the stream's current write index,`.ds-my-data-stream-000002`.[discrete][[secure-a-data-stream]]=== Secure a data streamYou can use {es} {security-features} to control access to a data stream and itsdata. See <<data-stream-privileges>>.[discrete][[delete-a-data-stream]]=== Delete a data streamYou can use the Kibana UI to delete a data stream and its backing indices. InKibana, open the menu and go to *Stack Management > Index Management*. In the*Data Streams* tab, click the trash can icon to delete a stream and its backingindices.[role="screenshot"]image::images/data-streams/data-streams-list.png[Data Streams tab]You can also use the the <<indices-delete-data-stream,delete data stream API>>to delete a data stream. The following delete data stream API request deletes`my-data-stream`. This request also deletes the stream's backingindices and any data they contain.[source,console]----DELETE /_data_stream/my-data-stream----// TEST[continued]////[source,console]----DELETE /_data_stream/*DELETE /_index_template/*DELETE /_ilm/policy/my-data-stream-policy----// TEST[continued]////
 |