Delete a behavioral analytics collection Deprecated Technical preview

DELETE /_application/analytics/{name}

The associated data stream is also deleted.

Path parameters

name string Required

The name of the analytics collection to be deleted

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_application/analytics/{name}

curl \
 --request DELETE 'http://api.example.com/_application/analytics/{name}' \
 --header "Authorization: $API_KEY"

Get behavioral analytics collections Deprecated Technical preview

GET /_application/analytics

Api key auth

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attribute Show * attribute object
  
  event_data_stream object Required
  
  Hide event_data_stream attribute Show event_data_stream attribute object
  
  name string Required

GET /_application/analytics

curl \
 --request GET 'http://api.example.com/_application/analytics' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _application/analytics/my*`

{
  "my_analytics_collection": {
      "event_data_stream": {
          "name": "behavioral_analytics-events-my_analytics_collection"
      }
  },
  "my_analytics_collection2": {
      "event_data_stream": {
          "name": "behavioral_analytics-events-my_analytics_collection2"
      }
  }
}

Get quick access to a document count for a data stream, an index, or an entire cluster. The document count only includes live documents, not deleted documents which have not yet been removed by the merge process.

IMPORTANT: CAT APIs are only intended for human consumption using the command line or Kibana console. They are not intended for use by applications. For application consumption, use the count API.

Path parameters

index string | array[string] Required

A comma-separated list of data streams, indices, and aliases used to limit the request. It supports wildcards (*). To target all data streams and indices, omit this parameter or use * or _all.

Query parameters

h string | array[string]

List of columns to appear in the response. Supports simple wildcards.
s string | array[string]

List of columns that determine how the table should be sorted. Sorting defaults to ascending and can be changed by setting :asc or :desc as a suffix to the column name.

Responses

200 application/json
Hide response attributes Show response attributes object
- epoch number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  UnitSeconds number StringifiedEpochTimeUnitSeconds string
  
  Time unit for seconds
- timestamp string
  
  Time of day, expressed as HH:MM:SS
- count string
  
  the document count

GET /_cat/count/{index}

curl \
 --request GET 'http://api.example.com/_cat/count/{index}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_cat/count/my-index-000001?v=true&format=json`. It retrieves the document count for the `my-index-000001` data stream or index.

[
  {
    "epoch": "1475868259",
    "timestamp": "15:24:20",
    "count": "120"
  }
]

A successful response from `GET /_cat/count?v=true&format=json`. It retrieves the document count for all data streams and indices in the cluster.

[
  {
    "epoch": "1475868259",
    "timestamp": "15:24:20",
    "count": "121"
  }
]

Get CAT help

GET /_cat

Api key auth

Get help for the CAT APIs.

Responses

200 application/json

GET /_cat

curl \
 --request GET 'http://api.example.com/_cat' \
 --header "Authorization: $API_KEY"

Get data frame analytics jobs Added in 7.7.0

GET /_cat/ml/data_frame/analytics/{id}

Api key auth

Get configuration and usage information about data frame analytics jobs.

IMPORTANT: CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get data frame analytics jobs statistics API.

Path parameters

id string Required

The ID of the data frame analytics to fetch

Query parameters

allow_no_match boolean

Whether to ignore if a wildcard expression matches no configs. (This includes _all string or when no configs have been specified)
bytes string

The unit in which to display byte values

Values are b, kb, mb, gb, tb, or pb.
h string | array[string]
Comma-separated list of column names to display.

Supported values include:
- assignment_explanation (or ae): Contains messages relating to the selection of a node.
- create_time (or ct, createTime): The time when the data frame analytics job was created.
- description (or d): A description of a job.
- dest_index (or di, destIndex): Name of the destination index.
- failure_reason (or fr, failureReason): Contains messages about the reason why a data frame analytics job failed.
- id: Identifier for the data frame analytics job.
- model_memory_limit (or mml, modelMemoryLimit): The approximate maximum amount of memory resources that are permitted for the data frame analytics job.
- node.address (or na, nodeAddress): The network address of the node that the data frame analytics job is assigned to.
- node.ephemeral_id (or ne, nodeEphemeralId): The ephemeral ID of the node that the data frame analytics job is assigned to.
- node.id (or ni, nodeId): The unique identifier of the node that the data frame analytics job is assigned to.
- node.name (or nn, nodeName): The name of the node that the data frame analytics job is assigned to.
- progress (or p): The progress report of the data frame analytics job by phase.
- source_index (or si, sourceIndex): Name of the source index.
- state (or s): Current state of the data frame analytics job.
- type (or t): The type of analysis that the data frame analytics job performs.
- version (or v): The Elasticsearch version number in which the data frame analytics job was created.
s string | array[string]
Comma-separated list of column names or column aliases used to sort the response.

Supported values include:
- assignment_explanation (or ae): Contains messages relating to the selection of a node.
- create_time (or ct, createTime): The time when the data frame analytics job was created.
- description (or d): A description of a job.
- dest_index (or di, destIndex): Name of the destination index.
- failure_reason (or fr, failureReason): Contains messages about the reason why a data frame analytics job failed.
- id: Identifier for the data frame analytics job.
- model_memory_limit (or mml, modelMemoryLimit): The approximate maximum amount of memory resources that are permitted for the data frame analytics job.
- node.address (or na, nodeAddress): The network address of the node that the data frame analytics job is assigned to.
- node.ephemeral_id (or ne, nodeEphemeralId): The ephemeral ID of the node that the data frame analytics job is assigned to.
- node.id (or ni, nodeId): The unique identifier of the node that the data frame analytics job is assigned to.
- node.name (or nn, nodeName): The name of the node that the data frame analytics job is assigned to.
- progress (or p): The progress report of the data frame analytics job by phase.
- source_index (or si, sourceIndex): Name of the source index.
- state (or s): Current state of the data frame analytics job.
- type (or t): The type of analysis that the data frame analytics job performs.
- version (or v): The Elasticsearch version number in which the data frame analytics job was created.
time string

Unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- type string
  
  The type of analysis that the job performs.
- create_time string
  
  The time when the job was created.
- version string
- source_index string
- dest_index string
- description string
  
  A description of the job.
- model_memory_limit string
  
  The approximate maximum amount of memory resources that are permitted for the job.
- state string
  
  The current status of the job.
- failure_reason string
  
  Messages about the reason why the job failed.
- progress string
  
  The progress report for the job by phase.
- assignment_explanation string
  
  Messages related to the selection of a node.
- node.id string
- node.name string
- node.ephemeral_id string
- node.address string
  
  The network address of the assigned node.

GET /_cat/ml/data_frame/analytics/{id}

curl \
 --request GET 'http://api.example.com/_cat/ml/data_frame/analytics/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _cat/ml/data_frame/analytics?v=true&format=json`.

[
  {
    "id": "classifier_job_1",
    "type": "classification",
    "create_time": "2020-02-12T11:49:09.594Z",
    "state": "stopped"
  },
    {
    "id": "classifier_job_2",
    "type": "classification",
    "create_time": "2020-02-12T11:49:14.479Z",
    "state": "stopped"
  },
  {
    "id": "classifier_job_3",
    "type": "classification",
    "create_time": "2020-02-12T11:49:16.928Z",
    "state": "stopped"
  },
  {
    "id": "classifier_job_4",
    "type": "classification",
    "create_time": "2020-02-12T11:49:19.127Z",
    "state": "stopped"
  },
  {
    "id": "classifier_job_5",
    "type": "classification",
    "create_time": "2020-02-12T11:49:21.349Z",
    "state": "stopped"
  }
]

Get datafeeds Added in 7.7.0

GET /_cat/ml/datafeeds/{datafeed_id}

Api key auth

Get configuration and usage information about datafeeds. This API returns a maximum of 10,000 datafeeds. If the Elasticsearch security features are enabled, you must have monitor_ml, monitor, manage_ml, or manage cluster privileges to use this API.

IMPORTANT: CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get datafeed statistics API.

Path parameters

datafeed_id string Required

A numerical character string that uniquely identifies the datafeed.

Query parameters

allow_no_match boolean
Specifies what to do when the request:
- Contains wildcard expressions and there are no datafeeds that match.
- Contains the _all string or no identifiers and there are no matches.
- Contains wildcard expressions and there are only partial matches.
If true, the API returns an empty datafeeds array when there are no matches and the subset of results when there are partial matches. If false, the API returns a 404 status code when there are no matches or only partial matches.
h string | array[string]
Comma-separated list of column names to display.

Supported values include:
- ae (or assignment_explanation): For started datafeeds only, contains messages relating to the selection of a node.
- bc (or buckets.count, bucketsCount): The number of buckets processed.
- id: A numerical character string that uniquely identifies the datafeed.
- na (or node.address, nodeAddress): For started datafeeds only, the network address of the node where the datafeed is started.
- ne (or node.ephemeral_id, nodeEphemeralId): For started datafeeds only, the ephemeral ID of the node where the datafeed is started.
- ni (or node.id, nodeId): For started datafeeds only, the unique identifier of the node where the datafeed is started.
- nn (or node.name, nodeName): For started datafeeds only, the name of the node where the datafeed is started.
- sba (or search.bucket_avg, searchBucketAvg): The average search time per bucket, in milliseconds.
- sc (or search.count, searchCount): The number of searches run by the datafeed.
- seah (or search.exp_avg_hour, searchExpAvgHour): The exponential average search time per hour, in milliseconds.
- st (or search.time, searchTime): The total time the datafeed spent searching, in milliseconds.
- s (or state): The status of the datafeed: starting, started, stopping, or stopped. If starting, the datafeed has been requested to start but has not yet started. If started, the datafeed is actively receiving data. If stopping, the datafeed has been requested to stop gracefully and is completing its final action. If stopped, the datafeed is stopped and will not receive data until it is re-started.
s string | array[string]
Comma-separated list of column names or column aliases used to sort the response.

Supported values include:
- ae (or assignment_explanation): For started datafeeds only, contains messages relating to the selection of a node.
- bc (or buckets.count, bucketsCount): The number of buckets processed.
- id: A numerical character string that uniquely identifies the datafeed.
- na (or node.address, nodeAddress): For started datafeeds only, the network address of the node where the datafeed is started.
- ne (or node.ephemeral_id, nodeEphemeralId): For started datafeeds only, the ephemeral ID of the node where the datafeed is started.
- ni (or node.id, nodeId): For started datafeeds only, the unique identifier of the node where the datafeed is started.
- nn (or node.name, nodeName): For started datafeeds only, the name of the node where the datafeed is started.
- sba (or search.bucket_avg, searchBucketAvg): The average search time per bucket, in milliseconds.
- sc (or search.count, searchCount): The number of searches run by the datafeed.
- seah (or search.exp_avg_hour, searchExpAvgHour): The exponential average search time per hour, in milliseconds.
- st (or search.time, searchTime): The total time the datafeed spent searching, in milliseconds.
- s (or state): The status of the datafeed: starting, started, stopping, or stopped. If starting, the datafeed has been requested to start but has not yet started. If started, the datafeed is actively receiving data. If stopping, the datafeed has been requested to stop gracefully and is completing its final action. If stopped, the datafeed is stopped and will not receive data until it is re-started.
time string

The unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
  
  The datafeed identifier.
- state string
  
  Values are started, stopped, starting, or stopping.
- assignment_explanation string
  
  For started datafeeds only, contains messages relating to the selection of a node.
- buckets.count string
  
  The number of buckets processed.
- search.count string
  
  The number of searches run by the datafeed.
- search.time string
  
  The total time the datafeed spent searching, in milliseconds.
- search.bucket_avg string
  
  The average search time per bucket, in milliseconds.
- search.exp_avg_hour string
  
  The exponential average search time per hour, in milliseconds.
- node.id string
  
  The unique identifier of the assigned node. For started datafeeds only, this information pertains to the node upon which the datafeed is started.
- node.name string
  
  The name of the assigned node. For started datafeeds only, this information pertains to the node upon which the datafeed is started.
- node.ephemeral_id string
  
  The ephemeral identifier of the assigned node. For started datafeeds only, this information pertains to the node upon which the datafeed is started.
- node.address string
  
  The network address of the assigned node. For started datafeeds only, this information pertains to the node upon which the datafeed is started.

GET /_cat/ml/datafeeds/{datafeed_id}

curl \
 --request GET 'http://api.example.com/_cat/ml/datafeeds/{datafeed_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _cat/ml/datafeeds?v=true&format=json`.

[
  {
    "id": "datafeed-high_sum_total_sales",
    "state": "stopped",
    "buckets.count": "743",
    "search.count": "7"
  },
  {
    "id": "datafeed-low_request_rate",
    "state": "stopped",
    "buckets.count": "1457",
    "search.count": "3"
  },
  {
    "id": "datafeed-response_code_rates",
    "state": "stopped",
    "buckets.count": "1460",
    "search.count": "18"
  },
  {
    "id": "datafeed-url_scanning",
    "state": "stopped",
    "buckets.count": "1460",
    "search.count": "18"
  }
]

Get anomaly detection jobs Added in 7.7.0

GET /_cat/ml/anomaly_detectors/{job_id}

Api key auth

Get configuration and usage information for anomaly detection jobs. This API returns a maximum of 10,000 jobs. If the Elasticsearch security features are enabled, you must have monitor_ml, monitor, manage_ml, or manage cluster privileges to use this API.

IMPORTANT: CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get anomaly detection job statistics API.

Path parameters

job_id string Required

Identifier for the anomaly detection job.

Query parameters

allow_no_match boolean
Specifies what to do when the request:
- Contains wildcard expressions and there are no jobs that match.
- Contains the _all string or no identifiers and there are no matches.
- Contains wildcard expressions and there are only partial matches.
If true, the API returns an empty jobs array when there are no matches and the subset of results when there are partial matches. If false, the API returns a 404 status code when there are no matches or only partial matches.
bytes string

The unit used to display byte values.

Values are b, kb, mb, gb, tb, or pb.
h string | array[string]
Comma-separated list of column names to display.

Supported values include:
- assignment_explanation (or ae): For open anomaly detection jobs only, contains messages relating to the selection of a node to run the job.
- buckets.count (or bc, bucketsCount): The number of bucket results produced by the job.
- buckets.time.exp_avg (or btea, bucketsTimeExpAvg): Exponential moving average of all bucket processing times, in milliseconds.
- buckets.time.exp_avg_hour (or bteah, bucketsTimeExpAvgHour): Exponentially-weighted moving average of bucket processing times calculated in a 1 hour time window, in milliseconds.
- buckets.time.max (or btmax, bucketsTimeMax): Maximum among all bucket processing times, in milliseconds.
- buckets.time.min (or btmin, bucketsTimeMin): Minimum among all bucket processing times, in milliseconds.
- buckets.time.total (or btt, bucketsTimeTotal): Sum of all bucket processing times, in milliseconds.
- data.buckets (or db, dataBuckets): The number of buckets processed.
- data.earliest_record (or der, dataEarliestRecord): The timestamp of the earliest chronologically input document.
- data.empty_buckets (or deb, dataEmptyBuckets): The number of buckets which did not contain any data.
- data.input_bytes (or dib, dataInputBytes): The number of bytes of input data posted to the anomaly detection job.
- data.input_fields (or dif, dataInputFields): The total number of fields in input documents posted to the anomaly detection job. This count includes fields that are not used in the analysis. However, be aware that if you are using a datafeed, it extracts only the required fields from the documents it retrieves before posting them to the job.
- data.input_records (or dir, dataInputRecords): The number of input documents posted to the anomaly detection job.
- data.invalid_dates (or did, dataInvalidDates): The number of input documents with either a missing date field or a date that could not be parsed.
- data.last (or dl, dataLast): The timestamp at which data was last analyzed, according to server time.
- data.last_empty_bucket (or dleb, dataLastEmptyBucket): The timestamp of the last bucket that did not contain any data.
- data.last_sparse_bucket (or dlsb, dataLastSparseBucket): The timestamp of the last bucket that was considered sparse.
- data.latest_record (or dlr, dataLatestRecord): The timestamp of the latest chronologically input document.
- data.missing_fields (or dmf, dataMissingFields): The number of input documents that are missing a field that the anomaly detection job is configured to analyze. Input documents with missing fields are still processed because it is possible that not all fields are missing.
- data.out_of_order_timestamps (or doot, dataOutOfOrderTimestamps): The number of input documents that have a timestamp chronologically preceding the start of the current anomaly detection bucket offset by the latency window. This information is applicable only when you provide data to the anomaly detection job by using the post data API. These out of order documents are discarded, since jobs require time series data to be in ascending chronological order.
- data.processed_fields (or dpf, dataProcessedFields): The total number of fields in all the documents that have been processed by the anomaly detection job. Only fields that are specified in the detector configuration object contribute to this count. The timestamp is not included in this count.
- data.processed_records (or dpr, dataProcessedRecords): The number of input documents that have been processed by the anomaly detection job. This value includes documents with missing fields, since they are nonetheless analyzed. If you use datafeeds and have aggregations in your search query, the processed record count is the number of aggregation results processed, not the number of Elasticsearch documents.
- data.sparse_buckets (or dsb, dataSparseBuckets): The number of buckets that contained few data points compared to the expected number of data points.
- forecasts.memory.avg (or fmavg, forecastsMemoryAvg): The average memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.max (or fmmax, forecastsMemoryMax): The maximum memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.min (or fmmin, forecastsMemoryMin): The minimum memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.total (or fmt, forecastsMemoryTotal): The total memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.records.avg (or fravg, forecastsRecordsAvg): The average number of model_forecast` documents written for forecasts related to the anomaly detection job.
- forecasts.records.max (or frmax, forecastsRecordsMax): The maximum number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.records.min (or frmin, forecastsRecordsMin): The minimum number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.records.total (or frt, forecastsRecordsTotal): The total number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.time.avg (or ftavg, forecastsTimeAvg): The average runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.max (or ftmax, forecastsTimeMax): The maximum runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.min (or ftmin, forecastsTimeMin): The minimum runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.total (or ftt, forecastsTimeTotal): The total runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.total (or ft, forecastsTotal): The number of individual forecasts currently available for the job.
- id: Identifier for the anomaly detection job.
- model.bucket_allocation_failures (or mbaf, modelBucketAllocationFailures): The number of buckets for which new entities in incoming data were not processed due to insufficient model memory.
- model.by_fields (or mbf, modelByFields): The number of by field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.bytes (or mb, modelBytes): The number of bytes of memory used by the models. This is the maximum value since the last time the model was persisted. If the job is closed, this value indicates the latest size.
- model.bytes_exceeded (or mbe, modelBytesExceeded): The number of bytes over the high limit for memory usage at the last allocation failure.
- model.categorization_status (or mcs, modelCategorizationStatus): The status of categorization for the job: ok or warn. If ok, categorization is performing acceptably well (or not being used at all). If warn, categorization is detecting a distribution of categories that suggests the input data is inappropriate for categorization. Problems could be that there is only one category, more than 90% of categories are rare, the number of categories is greater than 50% of the number of categorized documents, there are no frequently matched categories, or more than 50% of categories are dead.
- model.categorized_doc_count (or mcdc, modelCategorizedDocCount): The number of documents that have had a field categorized.
- model.dead_category_count (or mdcc, modelDeadCategoryCount): The number of categories created by categorization that will never be assigned again because another category’s definition makes it a superset of the dead category. Dead categories are a side effect of the way categorization has no prior training.
- model.failed_category_count (or mdcc, modelFailedCategoryCount): The number of times that categorization wanted to create a new category but couldn’t because the job had hit its model memory limit. This count does not track which specific categories failed to be created. Therefore, you cannot use this value to determine the number of unique categories that were missed.
- model.frequent_category_count (or mfcc, modelFrequentCategoryCount): The number of categories that match more than 1% of categorized documents.
- model.log_time (or mlt, modelLogTime): The timestamp when the model stats were gathered, according to server time.
- model.memory_limit (or mml, modelMemoryLimit): The timestamp when the model stats were gathered, according to server time.
- model.memory_status (or mms, modelMemoryStatus): The status of the mathematical models: ok, soft_limit, or hard_limit. If ok, the models stayed below the configured value. If soft_limit, the models used more than 60% of the configured memory limit and older unused models will be pruned to free up space. Additionally, in categorization jobs no further category examples will be stored. If hard_limit, the models used more space than the configured memory limit. As a result, not all incoming data was processed.
- model.over_fields (or mof, modelOverFields): The number of over field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.partition_fields (or mpf, modelPartitionFields): The number of partition field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.rare_category_count (or mrcc, modelRareCategoryCount): The number of categories that match just one categorized document.
- model.timestamp (or mt, modelTimestamp): The timestamp of the last record when the model stats were gathered.
- model.total_category_count (or mtcc, modelTotalCategoryCount): The number of categories created by categorization.
- node.address (or na, nodeAddress): The network address of the node that runs the job. This information is available only for open jobs.
- node.ephemeral_id (or ne, nodeEphemeralId): The ephemeral ID of the node that runs the job. This information is available only for open jobs.
- node.id (or ni, nodeId): The unique identifier of the node that runs the job. This information is available only for open jobs.
- node.name (or nn, nodeName): The name of the node that runs the job. This information is available only for open jobs.
- opened_time (or ot): For open jobs only, the elapsed time for which the job has been open.
- state (or s): The status of the anomaly detection job: closed, closing, failed, opened, or opening. If closed, the job finished successfully with its model state persisted. The job must be opened before it can accept further data. If closing, the job close action is in progress and has not yet completed. A closing job cannot accept further data. If failed, the job did not finish successfully due to an error. This situation can occur due to invalid input data, a fatal error occurring during the analysis, or an external interaction such as the process being killed by the Linux out of memory (OOM) killer. If the job had irrevocably failed, it must be force closed and then deleted. If the datafeed can be corrected, the job can be closed and then re-opened. If opened, the job is available to receive and process data. If opening, the job open action is in progress and has not yet completed.
s string | array[string]
Comma-separated list of column names or column aliases used to sort the response.

Supported values include:
- assignment_explanation (or ae): For open anomaly detection jobs only, contains messages relating to the selection of a node to run the job.
- buckets.count (or bc, bucketsCount): The number of bucket results produced by the job.
- buckets.time.exp_avg (or btea, bucketsTimeExpAvg): Exponential moving average of all bucket processing times, in milliseconds.
- buckets.time.exp_avg_hour (or bteah, bucketsTimeExpAvgHour): Exponentially-weighted moving average of bucket processing times calculated in a 1 hour time window, in milliseconds.
- buckets.time.max (or btmax, bucketsTimeMax): Maximum among all bucket processing times, in milliseconds.
- buckets.time.min (or btmin, bucketsTimeMin): Minimum among all bucket processing times, in milliseconds.
- buckets.time.total (or btt, bucketsTimeTotal): Sum of all bucket processing times, in milliseconds.
- data.buckets (or db, dataBuckets): The number of buckets processed.
- data.earliest_record (or der, dataEarliestRecord): The timestamp of the earliest chronologically input document.
- data.empty_buckets (or deb, dataEmptyBuckets): The number of buckets which did not contain any data.
- data.input_bytes (or dib, dataInputBytes): The number of bytes of input data posted to the anomaly detection job.
- data.input_fields (or dif, dataInputFields): The total number of fields in input documents posted to the anomaly detection job. This count includes fields that are not used in the analysis. However, be aware that if you are using a datafeed, it extracts only the required fields from the documents it retrieves before posting them to the job.
- data.input_records (or dir, dataInputRecords): The number of input documents posted to the anomaly detection job.
- data.invalid_dates (or did, dataInvalidDates): The number of input documents with either a missing date field or a date that could not be parsed.
- data.last (or dl, dataLast): The timestamp at which data was last analyzed, according to server time.
- data.last_empty_bucket (or dleb, dataLastEmptyBucket): The timestamp of the last bucket that did not contain any data.
- data.last_sparse_bucket (or dlsb, dataLastSparseBucket): The timestamp of the last bucket that was considered sparse.
- data.latest_record (or dlr, dataLatestRecord): The timestamp of the latest chronologically input document.
- data.missing_fields (or dmf, dataMissingFields): The number of input documents that are missing a field that the anomaly detection job is configured to analyze. Input documents with missing fields are still processed because it is possible that not all fields are missing.
- data.out_of_order_timestamps (or doot, dataOutOfOrderTimestamps): The number of input documents that have a timestamp chronologically preceding the start of the current anomaly detection bucket offset by the latency window. This information is applicable only when you provide data to the anomaly detection job by using the post data API. These out of order documents are discarded, since jobs require time series data to be in ascending chronological order.
- data.processed_fields (or dpf, dataProcessedFields): The total number of fields in all the documents that have been processed by the anomaly detection job. Only fields that are specified in the detector configuration object contribute to this count. The timestamp is not included in this count.
- data.processed_records (or dpr, dataProcessedRecords): The number of input documents that have been processed by the anomaly detection job. This value includes documents with missing fields, since they are nonetheless analyzed. If you use datafeeds and have aggregations in your search query, the processed record count is the number of aggregation results processed, not the number of Elasticsearch documents.
- data.sparse_buckets (or dsb, dataSparseBuckets): The number of buckets that contained few data points compared to the expected number of data points.
- forecasts.memory.avg (or fmavg, forecastsMemoryAvg): The average memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.max (or fmmax, forecastsMemoryMax): The maximum memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.min (or fmmin, forecastsMemoryMin): The minimum memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.total (or fmt, forecastsMemoryTotal): The total memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.records.avg (or fravg, forecastsRecordsAvg): The average number of model_forecast` documents written for forecasts related to the anomaly detection job.
- forecasts.records.max (or frmax, forecastsRecordsMax): The maximum number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.records.min (or frmin, forecastsRecordsMin): The minimum number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.records.total (or frt, forecastsRecordsTotal): The total number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.time.avg (or ftavg, forecastsTimeAvg): The average runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.max (or ftmax, forecastsTimeMax): The maximum runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.min (or ftmin, forecastsTimeMin): The minimum runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.total (or ftt, forecastsTimeTotal): The total runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.total (or ft, forecastsTotal): The number of individual forecasts currently available for the job.
- id: Identifier for the anomaly detection job.
- model.bucket_allocation_failures (or mbaf, modelBucketAllocationFailures): The number of buckets for which new entities in incoming data were not processed due to insufficient model memory.
- model.by_fields (or mbf, modelByFields): The number of by field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.bytes (or mb, modelBytes): The number of bytes of memory used by the models. This is the maximum value since the last time the model was persisted. If the job is closed, this value indicates the latest size.
- model.bytes_exceeded (or mbe, modelBytesExceeded): The number of bytes over the high limit for memory usage at the last allocation failure.
- model.categorization_status (or mcs, modelCategorizationStatus): The status of categorization for the job: ok or warn. If ok, categorization is performing acceptably well (or not being used at all). If warn, categorization is detecting a distribution of categories that suggests the input data is inappropriate for categorization. Problems could be that there is only one category, more than 90% of categories are rare, the number of categories is greater than 50% of the number of categorized documents, there are no frequently matched categories, or more than 50% of categories are dead.
- model.categorized_doc_count (or mcdc, modelCategorizedDocCount): The number of documents that have had a field categorized.
- model.dead_category_count (or mdcc, modelDeadCategoryCount): The number of categories created by categorization that will never be assigned again because another category’s definition makes it a superset of the dead category. Dead categories are a side effect of the way categorization has no prior training.
- model.failed_category_count (or mdcc, modelFailedCategoryCount): The number of times that categorization wanted to create a new category but couldn’t because the job had hit its model memory limit. This count does not track which specific categories failed to be created. Therefore, you cannot use this value to determine the number of unique categories that were missed.
- model.frequent_category_count (or mfcc, modelFrequentCategoryCount): The number of categories that match more than 1% of categorized documents.
- model.log_time (or mlt, modelLogTime): The timestamp when the model stats were gathered, according to server time.
- model.memory_limit (or mml, modelMemoryLimit): The timestamp when the model stats were gathered, according to server time.
- model.memory_status (or mms, modelMemoryStatus): The status of the mathematical models: ok, soft_limit, or hard_limit. If ok, the models stayed below the configured value. If soft_limit, the models used more than 60% of the configured memory limit and older unused models will be pruned to free up space. Additionally, in categorization jobs no further category examples will be stored. If hard_limit, the models used more space than the configured memory limit. As a result, not all incoming data was processed.
- model.over_fields (or mof, modelOverFields): The number of over field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.partition_fields (or mpf, modelPartitionFields): The number of partition field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.rare_category_count (or mrcc, modelRareCategoryCount): The number of categories that match just one categorized document.
- model.timestamp (or mt, modelTimestamp): The timestamp of the last record when the model stats were gathered.
- model.total_category_count (or mtcc, modelTotalCategoryCount): The number of categories created by categorization.
- node.address (or na, nodeAddress): The network address of the node that runs the job. This information is available only for open jobs.
- node.ephemeral_id (or ne, nodeEphemeralId): The ephemeral ID of the node that runs the job. This information is available only for open jobs.
- node.id (or ni, nodeId): The unique identifier of the node that runs the job. This information is available only for open jobs.
- node.name (or nn, nodeName): The name of the node that runs the job. This information is available only for open jobs.
- opened_time (or ot): For open jobs only, the elapsed time for which the job has been open.
- state (or s): The status of the anomaly detection job: closed, closing, failed, opened, or opening. If closed, the job finished successfully with its model state persisted. The job must be opened before it can accept further data. If closing, the job close action is in progress and has not yet completed. A closing job cannot accept further data. If failed, the job did not finish successfully due to an error. This situation can occur due to invalid input data, a fatal error occurring during the analysis, or an external interaction such as the process being killed by the Linux out of memory (OOM) killer. If the job had irrevocably failed, it must be force closed and then deleted. If the datafeed can be corrected, the job can be closed and then re-opened. If opened, the job is available to receive and process data. If opening, the job open action is in progress and has not yet completed.
time string

The unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- state string
  
  Values are closing, closed, opened, failed, or opening.
- opened_time string
  
  For open jobs only, the amount of time the job has been opened.
- assignment_explanation string
  
  For open anomaly detection jobs only, contains messages relating to the selection of a node to run the job.
- data.processed_records string
  
  The number of input documents that have been processed by the anomaly detection job. This value includes documents with missing fields, since they are nonetheless analyzed. If you use datafeeds and have aggregations in your search query, the processed_record_count is the number of aggregation results processed, not the number of Elasticsearch documents.
- data.processed_fields string
  
  The total number of fields in all the documents that have been processed by the anomaly detection job. Only fields that are specified in the detector configuration object contribute to this count. The timestamp is not included in this count.
- data.input_bytes number | string
  
  One of:
  ByteSize number ByteSize string
- data.input_records string
  
  The number of input documents posted to the anomaly detection job.
- data.input_fields string
  
  The total number of fields in input documents posted to the anomaly detection job. This count includes fields that are not used in the analysis. However, be aware that if you are using a datafeed, it extracts only the required fields from the documents it retrieves before posting them to the job.
- data.invalid_dates string
  
  The number of input documents with either a missing date field or a date that could not be parsed.
- data.missing_fields string
  
  The number of input documents that are missing a field that the anomaly detection job is configured to analyze. Input documents with missing fields are still processed because it is possible that not all fields are missing. If you are using datafeeds or posting data to the job in JSON format, a high missing_field_count is often not an indication of data issues. It is not necessarily a cause for concern.
- data.out_of_order_timestamps string
  
  The number of input documents that have a timestamp chronologically preceding the start of the current anomaly detection bucket offset by the latency window. This information is applicable only when you provide data to the anomaly detection job by using the post data API. These out of order documents are discarded, since jobs require time series data to be in ascending chronological order.
- data.empty_buckets string
  
  The number of buckets which did not contain any data. If your data contains many empty buckets, consider increasing your bucket_span or using functions that are tolerant to gaps in data such as mean, non_null_sum or non_zero_count.
- data.sparse_buckets string
  
  The number of buckets that contained few data points compared to the expected number of data points. If your data contains many sparse buckets, consider using a longer bucket_span.
- data.buckets string
  
  The total number of buckets processed.
- data.earliest_record string
  
  The timestamp of the earliest chronologically input document.
- data.latest_record string
  
  The timestamp of the latest chronologically input document.
- data.last string
  
  The timestamp at which data was last analyzed, according to server time.
- data.last_empty_bucket string
  
  The timestamp of the last bucket that did not contain any data.
- data.last_sparse_bucket string
  
  The timestamp of the last bucket that was considered sparse.
- model.bytes number | string
  
  One of:
  ByteSize number ByteSize string
- model.memory_status string
  
  Values are ok, soft_limit, or hard_limit.
- model.bytes_exceeded number | string
  
  One of:
  ByteSize number ByteSize string
- model.memory_limit string
  
  The upper limit for model memory usage, checked on increasing values.
- model.by_fields string
  
  The number of by field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.over_fields string
  
  The number of over field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.partition_fields string
  
  The number of partition field values that were analyzed by the models. This value is cumulative for all detectors in the job.
- model.bucket_allocation_failures string
  
  The number of buckets for which new entities in incoming data were not processed due to insufficient model memory. This situation is also signified by a hard_limit: memory_status property value.
- model.categorization_status string
  
  Values are ok or warn.
- model.categorized_doc_count string
  
  The number of documents that have had a field categorized.
- model.total_category_count string
  
  The number of categories created by categorization.
- model.frequent_category_count string
  
  The number of categories that match more than 1% of categorized documents.
- model.rare_category_count string
  
  The number of categories that match just one categorized document.
- model.dead_category_count string
  
  The number of categories created by categorization that will never be assigned again because another category’s definition makes it a superset of the dead category. Dead categories are a side effect of the way categorization has no prior training.
- model.failed_category_count string
  
  The number of times that categorization wanted to create a new category but couldn’t because the job had hit its model_memory_limit. This count does not track which specific categories failed to be created. Therefore you cannot use this value to determine the number of unique categories that were missed.
- model.log_time string
  
  The timestamp when the model stats were gathered, according to server time.
- model.timestamp string
  
  The timestamp of the last record when the model stats were gathered.
- forecasts.total string
  
  The number of individual forecasts currently available for the job. A value of one or more indicates that forecasts exist.
- forecasts.memory.min string
  
  The minimum memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.max string
  
  The maximum memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.avg string
  
  The average memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.memory.total string
  
  The total memory usage in bytes for forecasts related to the anomaly detection job.
- forecasts.records.min string
  
  The minimum number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.records.max string
  
  The maximum number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.records.avg string
  
  The average number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.records.total string
  
  The total number of model_forecast documents written for forecasts related to the anomaly detection job.
- forecasts.time.min string
  
  The minimum runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.max string
  
  The maximum runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.avg string
  
  The average runtime in milliseconds for forecasts related to the anomaly detection job.
- forecasts.time.total string
  
  The total runtime in milliseconds for forecasts related to the anomaly detection job.
- node.id string
- node.name string
  
  The name of the assigned node.
- node.ephemeral_id string
- node.address string
  
  The network address of the assigned node.
- buckets.count string
  
  The number of bucket results produced by the job.
- buckets.time.total string
  
  The sum of all bucket processing times, in milliseconds.
- buckets.time.min string
  
  The minimum of all bucket processing times, in milliseconds.
- buckets.time.max string
  
  The maximum of all bucket processing times, in milliseconds.
- buckets.time.exp_avg string
  
  The exponential moving average of all bucket processing times, in milliseconds.
- buckets.time.exp_avg_hour string
  
  The exponential moving average of bucket processing times calculated in a one hour time window, in milliseconds.

GET /_cat/ml/anomaly_detectors/{job_id}

curl \
 --request GET 'http://api.example.com/_cat/ml/anomaly_detectors/{job_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _cat/ml/anomaly_detectors?h=id,s,dpr,mb&v=true&format=json`.

[
  {
    "id": "high_sum_total_sales",
    "s": "closed",
    "dpr": "14022",
    "mb": "1.5mb"
  },
  {
    "id": "low_request_rate",
    "s": "closed",
    "dpr": "1216",
    "mb": "40.5kb"
  },
  {
    "id": "response_code_rates",
    "s": "closed",
    "dpr": "28146",
    "mb": "132.7kb"
  },
  {
    "id": "url_scanning",
    "s": "closed",
    "dpr": "28146",
    "mb": "501.6kb"
  }
]

Get trained models Added in 7.7.0

GET /_cat/ml/trained_models

Api key auth

Get configuration and usage information about inference trained models.

IMPORTANT: CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get trained models statistics API.

Query parameters

allow_no_match boolean

Specifies what to do when the request: contains wildcard expressions and there are no models that match; contains the _all string or no identifiers and there are no matches; contains wildcard expressions and there are only partial matches. If true, the API returns an empty array when there are no matches and the subset of results when there are partial matches. If false, the API returns a 404 status code when there are no matches or only partial matches.
bytes string

The unit used to display byte values.

Values are b, kb, mb, gb, tb, or pb.
h string | array[string]
A comma-separated list of column names to display.

Supported values include:
- create_time (or ct): The time when the trained model was created.
- created_by (or c, createdBy): Information on the creator of the trained model.
- data_frame_analytics_id (or df, dataFrameAnalytics, dfid): Identifier for the data frame analytics job that created the model. Only displayed if it is still available.
- description (or d): The description of the trained model.
- heap_size (or hs, modelHeapSize): The estimated heap size to keep the trained model in memory.
- id: Identifier for the trained model.
- ingest.count (or ic, ingestCount): The total number of documents that are processed by the model.
- ingest.current (or icurr, ingestCurrent): The total number of document that are currently being handled by the trained model.
- ingest.failed (or if, ingestFailed): The total number of failed ingest attempts with the trained model.
- ingest.pipelines (or ip, ingestPipelines): The total number of ingest pipelines that are referencing the trained model.
- ingest.time (or it, ingestTime): The total time that is spent processing documents with the trained model.
- license (or l): The license level of the trained model.
- operations (or o, modelOperations): The estimated number of operations to use the trained model. This number helps measuring the computational complexity of the model.
- version (or v): The Elasticsearch version number in which the trained model was created.
s string | array[string]
A comma-separated list of column names or aliases used to sort the response.

Supported values include:
- create_time (or ct): The time when the trained model was created.
- created_by (or c, createdBy): Information on the creator of the trained model.
- data_frame_analytics_id (or df, dataFrameAnalytics, dfid): Identifier for the data frame analytics job that created the model. Only displayed if it is still available.
- description (or d): The description of the trained model.
- heap_size (or hs, modelHeapSize): The estimated heap size to keep the trained model in memory.
- id: Identifier for the trained model.
- ingest.count (or ic, ingestCount): The total number of documents that are processed by the model.
- ingest.current (or icurr, ingestCurrent): The total number of document that are currently being handled by the trained model.
- ingest.failed (or if, ingestFailed): The total number of failed ingest attempts with the trained model.
- ingest.pipelines (or ip, ingestPipelines): The total number of ingest pipelines that are referencing the trained model.
- ingest.time (or it, ingestTime): The total time that is spent processing documents with the trained model.
- license (or l): The license level of the trained model.
- operations (or o, modelOperations): The estimated number of operations to use the trained model. This number helps measuring the computational complexity of the model.
- version (or v): The Elasticsearch version number in which the trained model was created.
from number

Skips the specified number of transforms.
size number

The maximum number of transforms to display.
time string

Unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- created_by string
  
  Information about the creator of the model.
- heap_size number | string
  
  One of:
  ByteSize number ByteSize string
- operations string
  
  The estimated number of operations to use the model. This number helps to measure the computational complexity of the model.
- license string
  
  The license level of the model.
- create_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
- version string
- description string
  
  A description of the model.
- ingest.pipelines string
  
  The number of pipelines that are referencing the model.
- ingest.count string
  
  The total number of documents that are processed by the model.
- ingest.time string
  
  The total time spent processing documents with thie model.
- ingest.current string
  
  The total number of documents that are currently being handled by the model.
- ingest.failed string
  
  The total number of failed ingest attempts with the model.
- data_frame.id string
  
  The identifier for the data frame analytics job that created the model. Only displayed if the job is still available.
- data_frame.create_time string
  
  The time the data frame analytics job was created.
- data_frame.source_index string
  
  The source index used to train in the data frame analysis.
- data_frame.analysis string
  
  The analysis used by the data frame to build the model.
- type string

GET /_cat/ml/trained_models

curl \
 --request GET 'http://api.example.com/_cat/ml/trained_models' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _cat/ml/trained_models?v=true&format=json`.

[
  {
    "id": "ddddd-1580216177138",
    "heap_size": "0b",
    "operations": "196",
    "create_time": "2025-03-25T00:01:38.662Z",
    "type": "pytorch",
    "ingest.pipelines": "0",
    "data_frame.id": "__none__"
  },
  {
    "id": "lang_ident_model_1",
    "heap_size": "1mb",
    "operations": "39629",
    "create_time": "2019-12-05T12:28:34.594Z",
    "type": "lang_ident",
    "ingest.pipelines": "0",
    "data_frame.id": "__none__"
  }
]

Get trained models Added in 7.7.0

GET /_cat/ml/trained_models/{model_id}

Api key auth

Get configuration and usage information about inference trained models.

IMPORTANT: CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get trained models statistics API.

Path parameters

model_id string Required

A unique identifier for the trained model.

Query parameters

allow_no_match boolean

Specifies what to do when the request: contains wildcard expressions and there are no models that match; contains the _all string or no identifiers and there are no matches; contains wildcard expressions and there are only partial matches. If true, the API returns an empty array when there are no matches and the subset of results when there are partial matches. If false, the API returns a 404 status code when there are no matches or only partial matches.
bytes string

The unit used to display byte values.

Values are b, kb, mb, gb, tb, or pb.
h string | array[string]
A comma-separated list of column names to display.

Supported values include:
- create_time (or ct): The time when the trained model was created.
- created_by (or c, createdBy): Information on the creator of the trained model.
- data_frame_analytics_id (or df, dataFrameAnalytics, dfid): Identifier for the data frame analytics job that created the model. Only displayed if it is still available.
- description (or d): The description of the trained model.
- heap_size (or hs, modelHeapSize): The estimated heap size to keep the trained model in memory.
- id: Identifier for the trained model.
- ingest.count (or ic, ingestCount): The total number of documents that are processed by the model.
- ingest.current (or icurr, ingestCurrent): The total number of document that are currently being handled by the trained model.
- ingest.failed (or if, ingestFailed): The total number of failed ingest attempts with the trained model.
- ingest.pipelines (or ip, ingestPipelines): The total number of ingest pipelines that are referencing the trained model.
- ingest.time (or it, ingestTime): The total time that is spent processing documents with the trained model.
- license (or l): The license level of the trained model.
- operations (or o, modelOperations): The estimated number of operations to use the trained model. This number helps measuring the computational complexity of the model.
- version (or v): The Elasticsearch version number in which the trained model was created.
s string | array[string]
A comma-separated list of column names or aliases used to sort the response.

Supported values include:
- create_time (or ct): The time when the trained model was created.
- created_by (or c, createdBy): Information on the creator of the trained model.
- data_frame_analytics_id (or df, dataFrameAnalytics, dfid): Identifier for the data frame analytics job that created the model. Only displayed if it is still available.
- description (or d): The description of the trained model.
- heap_size (or hs, modelHeapSize): The estimated heap size to keep the trained model in memory.
- id: Identifier for the trained model.
- ingest.count (or ic, ingestCount): The total number of documents that are processed by the model.
- ingest.current (or icurr, ingestCurrent): The total number of document that are currently being handled by the trained model.
- ingest.failed (or if, ingestFailed): The total number of failed ingest attempts with the trained model.
- ingest.pipelines (or ip, ingestPipelines): The total number of ingest pipelines that are referencing the trained model.
- ingest.time (or it, ingestTime): The total time that is spent processing documents with the trained model.
- license (or l): The license level of the trained model.
- operations (or o, modelOperations): The estimated number of operations to use the trained model. This number helps measuring the computational complexity of the model.
- version (or v): The Elasticsearch version number in which the trained model was created.
from number

Skips the specified number of transforms.
size number

The maximum number of transforms to display.
time string

Unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- created_by string
  
  Information about the creator of the model.
- heap_size number | string
  
  One of:
  ByteSize number ByteSize string
- operations string
  
  The estimated number of operations to use the model. This number helps to measure the computational complexity of the model.
- license string
  
  The license level of the model.
- create_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
- version string
- description string
  
  A description of the model.
- ingest.pipelines string
  
  The number of pipelines that are referencing the model.
- ingest.count string
  
  The total number of documents that are processed by the model.
- ingest.time string
  
  The total time spent processing documents with thie model.
- ingest.current string
  
  The total number of documents that are currently being handled by the model.
- ingest.failed string
  
  The total number of failed ingest attempts with the model.
- data_frame.id string
  
  The identifier for the data frame analytics job that created the model. Only displayed if the job is still available.
- data_frame.create_time string
  
  The time the data frame analytics job was created.
- data_frame.source_index string
  
  The source index used to train in the data frame analysis.
- data_frame.analysis string
  
  The analysis used by the data frame to build the model.
- type string

GET /_cat/ml/trained_models/{model_id}

curl \
 --request GET 'http://api.example.com/_cat/ml/trained_models/{model_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _cat/ml/trained_models?v=true&format=json`.

[
  {
    "id": "ddddd-1580216177138",
    "heap_size": "0b",
    "operations": "196",
    "create_time": "2025-03-25T00:01:38.662Z",
    "type": "pytorch",
    "ingest.pipelines": "0",
    "data_frame.id": "__none__"
  },
  {
    "id": "lang_ident_model_1",
    "heap_size": "1mb",
    "operations": "39629",
    "create_time": "2019-12-05T12:28:34.594Z",
    "type": "lang_ident",
    "ingest.pipelines": "0",
    "data_frame.id": "__none__"
  }
]

Get transform information Added in 7.7.0

GET /_cat/transforms

Api key auth

Get configuration and usage information about transforms.

CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get transform statistics API.

Query parameters

allow_no_match boolean

Specifies what to do when the request: contains wildcard expressions and there are no transforms that match; contains the _all string or no identifiers and there are no matches; contains wildcard expressions and there are only partial matches. If true, it returns an empty transforms array when there are no matches and the subset of results when there are partial matches. If false, the request returns a 404 status code when there are no matches or only partial matches.
from number

Skips the specified number of transforms.
h string | array[string]
Comma-separated list of column names to display.

Supported values include:
- changes_last_detection_time (or cldt): The timestamp when changes were last detected in the source indices.
- checkpoint (or cp): The sequence number for the checkpoint.
- checkpoint_duration_time_exp_avg (or cdtea, checkpointTimeExpAvg): Exponential moving average of the duration of the checkpoint, in milliseconds.
- checkpoint_progress (or c, checkpointProgress): The progress of the next checkpoint that is currently in progress.
- create_time (or ct, createTime): The time the transform was created.
- delete_time (or dtime): The amount of time spent deleting, in milliseconds.
- description (or d): The description of the transform.
- dest_index (or di, destIndex): The destination index for the transform. The mappings of the destination index are deduced based on the source fields when possible. If alternate mappings are required, use the Create index API prior to starting the transform.
- documents_deleted (or docd): The number of documents that have been deleted from the destination index due to the retention policy for this transform.
- documents_indexed (or doci): The number of documents that have been indexed into the destination index for the transform.
- docs_per_second (or dps): Specifies a limit on the number of input documents per second. This setting throttles the transform by adding a wait time between search requests. The default value is null, which disables throttling.
- documents_processed (or docp): The number of documents that have been processed from the source index of the transform.
- frequency (or f): The interval between checks for changes in the source indices when the transform is running continuously. Also determines the retry interval in the event of transient failures while the transform is searching or indexing. The minimum value is 1s and the maximum is 1h. The default value is 1m.
- id: Identifier for the transform.
- index_failure (or if): The number of indexing failures.
- index_time (or itime): The amount of time spent indexing, in milliseconds.
- index_total (or it): The number of index operations.
- indexed_documents_exp_avg (or idea): Exponential moving average of the number of new documents that have been indexed.
- last_search_time (or lst, lastSearchTime): The timestamp of the last search in the source indices. This field is only shown if the transform is running.
- max_page_search_size (or mpsz): Defines the initial page size to use for the composite aggregation for each checkpoint. If circuit breaker exceptions occur, the page size is dynamically adjusted to a lower value. The minimum value is 10 and the maximum is 65,536. The default value is 500.
- pages_processed (or pp): The number of search or bulk index operations processed. Documents are processed in batches instead of individually.
- pipeline (or p): The unique identifier for an ingest pipeline.
- processed_documents_exp_avg (or pdea): Exponential moving average of the number of documents that have been processed.
- processing_time (or pt): The amount of time spent processing results, in milliseconds.
- reason (or r): If a transform has a failed state, this property provides details about the reason for the failure.
- search_failure (or sf): The number of search failures.
- search_time (or stime): The amount of time spent searching, in milliseconds.
- search_total (or st): The number of search operations on the source index for the transform.
- source_index (or si, sourceIndex): The source indices for the transform. It can be a single index, an index pattern (for example, "my-index-*"), an array of indices (for example, ["my-index-000001", "my-index-000002"]), or an array of index patterns (for example, ["my-index-*", "my-other-index-*"]. For remote indices use the syntax "remote_name:index_name". If any indices are in remote clusters then the master node and at least one transform node must have the remote_cluster_client node role.
- state (or s): The status of the transform, which can be one of the following values:
  - aborting: The transform is aborting.
  - failed: The transform failed. For more information about the failure, check the reason field.
  - indexing: The transform is actively processing data and creating new documents.
  - started: The transform is running but not actively indexing data.
  - stopped: The transform is stopped.
  - stopping: The transform is stopping.
- transform_type (or tt): Indicates the type of transform: batch or continuous.
- trigger_count (or tc): The number of times the transform has been triggered by the scheduler. For example, the scheduler triggers the transform indexer to check for updates or ingest new data at an interval specified in the frequency property.
- version (or v): The version of Elasticsearch that existed on the node when the transform was created.
s string | array[string]
Comma-separated list of column names or column aliases used to sort the response.

Supported values include:
- changes_last_detection_time (or cldt): The timestamp when changes were last detected in the source indices.
- checkpoint (or cp): The sequence number for the checkpoint.
- checkpoint_duration_time_exp_avg (or cdtea, checkpointTimeExpAvg): Exponential moving average of the duration of the checkpoint, in milliseconds.
- checkpoint_progress (or c, checkpointProgress): The progress of the next checkpoint that is currently in progress.
- create_time (or ct, createTime): The time the transform was created.
- delete_time (or dtime): The amount of time spent deleting, in milliseconds.
- description (or d): The description of the transform.
- dest_index (or di, destIndex): The destination index for the transform. The mappings of the destination index are deduced based on the source fields when possible. If alternate mappings are required, use the Create index API prior to starting the transform.
- documents_deleted (or docd): The number of documents that have been deleted from the destination index due to the retention policy for this transform.
- documents_indexed (or doci): The number of documents that have been indexed into the destination index for the transform.
- docs_per_second (or dps): Specifies a limit on the number of input documents per second. This setting throttles the transform by adding a wait time between search requests. The default value is null, which disables throttling.
- documents_processed (or docp): The number of documents that have been processed from the source index of the transform.
- frequency (or f): The interval between checks for changes in the source indices when the transform is running continuously. Also determines the retry interval in the event of transient failures while the transform is searching or indexing. The minimum value is 1s and the maximum is 1h. The default value is 1m.
- id: Identifier for the transform.
- index_failure (or if): The number of indexing failures.
- index_time (or itime): The amount of time spent indexing, in milliseconds.
- index_total (or it): The number of index operations.
- indexed_documents_exp_avg (or idea): Exponential moving average of the number of new documents that have been indexed.
- last_search_time (or lst, lastSearchTime): The timestamp of the last search in the source indices. This field is only shown if the transform is running.
- max_page_search_size (or mpsz): Defines the initial page size to use for the composite aggregation for each checkpoint. If circuit breaker exceptions occur, the page size is dynamically adjusted to a lower value. The minimum value is 10 and the maximum is 65,536. The default value is 500.
- pages_processed (or pp): The number of search or bulk index operations processed. Documents are processed in batches instead of individually.
- pipeline (or p): The unique identifier for an ingest pipeline.
- processed_documents_exp_avg (or pdea): Exponential moving average of the number of documents that have been processed.
- processing_time (or pt): The amount of time spent processing results, in milliseconds.
- reason (or r): If a transform has a failed state, this property provides details about the reason for the failure.
- search_failure (or sf): The number of search failures.
- search_time (or stime): The amount of time spent searching, in milliseconds.
- search_total (or st): The number of search operations on the source index for the transform.
- source_index (or si, sourceIndex): The source indices for the transform. It can be a single index, an index pattern (for example, "my-index-*"), an array of indices (for example, ["my-index-000001", "my-index-000002"]), or an array of index patterns (for example, ["my-index-*", "my-other-index-*"]. For remote indices use the syntax "remote_name:index_name". If any indices are in remote clusters then the master node and at least one transform node must have the remote_cluster_client node role.
- state (or s): The status of the transform, which can be one of the following values:
  - aborting: The transform is aborting.
  - failed: The transform failed. For more information about the failure, check the reason field.
  - indexing: The transform is actively processing data and creating new documents.
  - started: The transform is running but not actively indexing data.
  - stopped: The transform is stopped.
  - stopping: The transform is stopping.
- transform_type (or tt): Indicates the type of transform: batch or continuous.
- trigger_count (or tc): The number of times the transform has been triggered by the scheduler. For example, the scheduler triggers the transform indexer to check for updates or ingest new data at an interval specified in the frequency property.
- version (or v): The version of Elasticsearch that existed on the node when the transform was created.
time string

The unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.
size number

The maximum number of transforms to obtain.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- state string
  
  The status of the transform. Returned values include: aborting: The transform is aborting. failed: The transform failed. For more information about the failure, check thereasonfield.indexing: The transform is actively processing data and creating new documents.started: The transform is running but not actively indexing data.stopped: The transform is stopped.stopping`: The transform is stopping.
- checkpoint string
  
  The sequence number for the checkpoint.
- documents_processed string
  
  The number of documents that have been processed from the source index of the transform.
- checkpoint_progress string | null
  
  The progress of the next checkpoint that is currently in progress.
  
  One of:
  string-1 string string-2 string | null
- last_search_time string | null
  
  The timestamp of the last search in the source indices. This field is shown only if the transform is running.
  
  One of:
  string-1 string string-2 string | null
- changes_last_detection_time string | null
  
  The timestamp when changes were last detected in the source indices.
  
  One of:
  string-1 string string-2 string | null
- create_time string
  
  The time the transform was created.
- version string
- source_index string
  
  The source indices for the transform.
- dest_index string
  
  The destination index for the transform.
- pipeline string
  
  The unique identifier for the ingest pipeline.
- description string
  
  The description of the transform.
- transform_type string
  
  The type of transform: batch or continuous.
- frequency string
  
  The interval between checks for changes in the source indices when the transform is running continuously.
- max_page_search_size string
  
  The initial page size that is used for the composite aggregation for each checkpoint.
- docs_per_second string
  
  The number of input documents per second.
- reason string
  
  If a transform has a failed state, these details describe the reason for failure.
- search_total string
  
  The total number of search operations on the source index for the transform.
- search_failure string
  
  The total number of search failures.
- search_time string
  
  The total amount of search time, in milliseconds.
- index_total string
  
  The total number of index operations done by the transform.
- index_failure string
  
  The total number of indexing failures.
- index_time string
  
  The total time spent indexing documents, in milliseconds.
- documents_indexed string
  
  The number of documents that have been indexed into the destination index for the transform.
- delete_time string
  
  The total time spent deleting documents, in milliseconds.
- documents_deleted string
  
  The number of documents deleted from the destination index due to the retention policy for the transform.
- trigger_count string
  
  The number of times the transform has been triggered by the scheduler. For example, the scheduler triggers the transform indexer to check for updates or ingest new data at an interval specified in the frequency property.
- pages_processed string
  
  The number of search or bulk index operations processed. Documents are processed in batches instead of individually.
- processing_time string
  
  The total time spent processing results, in milliseconds.
- checkpoint_duration_time_exp_avg string
  
  The exponential moving average of the duration of the checkpoint, in milliseconds.
- indexed_documents_exp_avg string
  
  The exponential moving average of the number of new documents that have been indexed.
- processed_documents_exp_avg string
  
  The exponential moving average of the number of documents that have been processed.

GET /_cat/transforms

curl \
 --request GET 'http://api.example.com/_cat/transforms' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_cat/transforms?v=true&format=json`.

[
  {
    "id" : "ecommerce_transform",
    "state" : "started",
    "checkpoint" : "1",
    "documents_processed" : "705",
    "checkpoint_progress" : "100.00",
    "changes_last_detection_time" : null
  }
]

Get transform information Added in 7.7.0

GET /_cat/transforms/{transform_id}

Api key auth

Get configuration and usage information about transforms.

CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get transform statistics API.

Path parameters

transform_id string Required

A transform identifier or a wildcard expression. If you do not specify one of these options, the API returns information for all transforms.

Query parameters

allow_no_match boolean

Specifies what to do when the request: contains wildcard expressions and there are no transforms that match; contains the _all string or no identifiers and there are no matches; contains wildcard expressions and there are only partial matches. If true, it returns an empty transforms array when there are no matches and the subset of results when there are partial matches. If false, the request returns a 404 status code when there are no matches or only partial matches.
from number

Skips the specified number of transforms.
h string | array[string]
Comma-separated list of column names to display.

Supported values include:
- changes_last_detection_time (or cldt): The timestamp when changes were last detected in the source indices.
- checkpoint (or cp): The sequence number for the checkpoint.
- checkpoint_duration_time_exp_avg (or cdtea, checkpointTimeExpAvg): Exponential moving average of the duration of the checkpoint, in milliseconds.
- checkpoint_progress (or c, checkpointProgress): The progress of the next checkpoint that is currently in progress.
- create_time (or ct, createTime): The time the transform was created.
- delete_time (or dtime): The amount of time spent deleting, in milliseconds.
- description (or d): The description of the transform.
- dest_index (or di, destIndex): The destination index for the transform. The mappings of the destination index are deduced based on the source fields when possible. If alternate mappings are required, use the Create index API prior to starting the transform.
- documents_deleted (or docd): The number of documents that have been deleted from the destination index due to the retention policy for this transform.
- documents_indexed (or doci): The number of documents that have been indexed into the destination index for the transform.
- docs_per_second (or dps): Specifies a limit on the number of input documents per second. This setting throttles the transform by adding a wait time between search requests. The default value is null, which disables throttling.
- documents_processed (or docp): The number of documents that have been processed from the source index of the transform.
- frequency (or f): The interval between checks for changes in the source indices when the transform is running continuously. Also determines the retry interval in the event of transient failures while the transform is searching or indexing. The minimum value is 1s and the maximum is 1h. The default value is 1m.
- id: Identifier for the transform.
- index_failure (or if): The number of indexing failures.
- index_time (or itime): The amount of time spent indexing, in milliseconds.
- index_total (or it): The number of index operations.
- indexed_documents_exp_avg (or idea): Exponential moving average of the number of new documents that have been indexed.
- last_search_time (or lst, lastSearchTime): The timestamp of the last search in the source indices. This field is only shown if the transform is running.
- max_page_search_size (or mpsz): Defines the initial page size to use for the composite aggregation for each checkpoint. If circuit breaker exceptions occur, the page size is dynamically adjusted to a lower value. The minimum value is 10 and the maximum is 65,536. The default value is 500.
- pages_processed (or pp): The number of search or bulk index operations processed. Documents are processed in batches instead of individually.
- pipeline (or p): The unique identifier for an ingest pipeline.
- processed_documents_exp_avg (or pdea): Exponential moving average of the number of documents that have been processed.
- processing_time (or pt): The amount of time spent processing results, in milliseconds.
- reason (or r): If a transform has a failed state, this property provides details about the reason for the failure.
- search_failure (or sf): The number of search failures.
- search_time (or stime): The amount of time spent searching, in milliseconds.
- search_total (or st): The number of search operations on the source index for the transform.
- source_index (or si, sourceIndex): The source indices for the transform. It can be a single index, an index pattern (for example, "my-index-*"), an array of indices (for example, ["my-index-000001", "my-index-000002"]), or an array of index patterns (for example, ["my-index-*", "my-other-index-*"]. For remote indices use the syntax "remote_name:index_name". If any indices are in remote clusters then the master node and at least one transform node must have the remote_cluster_client node role.
- state (or s): The status of the transform, which can be one of the following values:
  - aborting: The transform is aborting.
  - failed: The transform failed. For more information about the failure, check the reason field.
  - indexing: The transform is actively processing data and creating new documents.
  - started: The transform is running but not actively indexing data.
  - stopped: The transform is stopped.
  - stopping: The transform is stopping.
- transform_type (or tt): Indicates the type of transform: batch or continuous.
- trigger_count (or tc): The number of times the transform has been triggered by the scheduler. For example, the scheduler triggers the transform indexer to check for updates or ingest new data at an interval specified in the frequency property.
- version (or v): The version of Elasticsearch that existed on the node when the transform was created.
s string | array[string]
Comma-separated list of column names or column aliases used to sort the response.

Supported values include:
- changes_last_detection_time (or cldt): The timestamp when changes were last detected in the source indices.
- checkpoint (or cp): The sequence number for the checkpoint.
- checkpoint_duration_time_exp_avg (or cdtea, checkpointTimeExpAvg): Exponential moving average of the duration of the checkpoint, in milliseconds.
- checkpoint_progress (or c, checkpointProgress): The progress of the next checkpoint that is currently in progress.
- create_time (or ct, createTime): The time the transform was created.
- delete_time (or dtime): The amount of time spent deleting, in milliseconds.
- description (or d): The description of the transform.
- dest_index (or di, destIndex): The destination index for the transform. The mappings of the destination index are deduced based on the source fields when possible. If alternate mappings are required, use the Create index API prior to starting the transform.
- documents_deleted (or docd): The number of documents that have been deleted from the destination index due to the retention policy for this transform.
- documents_indexed (or doci): The number of documents that have been indexed into the destination index for the transform.
- docs_per_second (or dps): Specifies a limit on the number of input documents per second. This setting throttles the transform by adding a wait time between search requests. The default value is null, which disables throttling.
- documents_processed (or docp): The number of documents that have been processed from the source index of the transform.
- frequency (or f): The interval between checks for changes in the source indices when the transform is running continuously. Also determines the retry interval in the event of transient failures while the transform is searching or indexing. The minimum value is 1s and the maximum is 1h. The default value is 1m.
- id: Identifier for the transform.
- index_failure (or if): The number of indexing failures.
- index_time (or itime): The amount of time spent indexing, in milliseconds.
- index_total (or it): The number of index operations.
- indexed_documents_exp_avg (or idea): Exponential moving average of the number of new documents that have been indexed.
- last_search_time (or lst, lastSearchTime): The timestamp of the last search in the source indices. This field is only shown if the transform is running.
- max_page_search_size (or mpsz): Defines the initial page size to use for the composite aggregation for each checkpoint. If circuit breaker exceptions occur, the page size is dynamically adjusted to a lower value. The minimum value is 10 and the maximum is 65,536. The default value is 500.
- pages_processed (or pp): The number of search or bulk index operations processed. Documents are processed in batches instead of individually.
- pipeline (or p): The unique identifier for an ingest pipeline.
- processed_documents_exp_avg (or pdea): Exponential moving average of the number of documents that have been processed.
- processing_time (or pt): The amount of time spent processing results, in milliseconds.
- reason (or r): If a transform has a failed state, this property provides details about the reason for the failure.
- search_failure (or sf): The number of search failures.
- search_time (or stime): The amount of time spent searching, in milliseconds.
- search_total (or st): The number of search operations on the source index for the transform.
- source_index (or si, sourceIndex): The source indices for the transform. It can be a single index, an index pattern (for example, "my-index-*"), an array of indices (for example, ["my-index-000001", "my-index-000002"]), or an array of index patterns (for example, ["my-index-*", "my-other-index-*"]. For remote indices use the syntax "remote_name:index_name". If any indices are in remote clusters then the master node and at least one transform node must have the remote_cluster_client node role.
- state (or s): The status of the transform, which can be one of the following values:
  - aborting: The transform is aborting.
  - failed: The transform failed. For more information about the failure, check the reason field.
  - indexing: The transform is actively processing data and creating new documents.
  - started: The transform is running but not actively indexing data.
  - stopped: The transform is stopped.
  - stopping: The transform is stopping.
- transform_type (or tt): Indicates the type of transform: batch or continuous.
- trigger_count (or tc): The number of times the transform has been triggered by the scheduler. For example, the scheduler triggers the transform indexer to check for updates or ingest new data at an interval specified in the frequency property.
- version (or v): The version of Elasticsearch that existed on the node when the transform was created.
time string

The unit used to display time values.

Values are nanos, micros, ms, s, m, h, or d.
size number

The maximum number of transforms to obtain.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- state string
  
  The status of the transform. Returned values include: aborting: The transform is aborting. failed: The transform failed. For more information about the failure, check thereasonfield.indexing: The transform is actively processing data and creating new documents.started: The transform is running but not actively indexing data.stopped: The transform is stopped.stopping`: The transform is stopping.
- checkpoint string
  
  The sequence number for the checkpoint.
- documents_processed string
  
  The number of documents that have been processed from the source index of the transform.
- checkpoint_progress string | null
  
  The progress of the next checkpoint that is currently in progress.
  
  One of:
  string-1 string string-2 string | null
- last_search_time string | null
  
  The timestamp of the last search in the source indices. This field is shown only if the transform is running.
  
  One of:
  string-1 string string-2 string | null
- changes_last_detection_time string | null
  
  The timestamp when changes were last detected in the source indices.
  
  One of:
  string-1 string string-2 string | null
- create_time string
  
  The time the transform was created.
- version string
- source_index string
  
  The source indices for the transform.
- dest_index string
  
  The destination index for the transform.
- pipeline string
  
  The unique identifier for the ingest pipeline.
- description string
  
  The description of the transform.
- transform_type string
  
  The type of transform: batch or continuous.
- frequency string
  
  The interval between checks for changes in the source indices when the transform is running continuously.
- max_page_search_size string
  
  The initial page size that is used for the composite aggregation for each checkpoint.
- docs_per_second string
  
  The number of input documents per second.
- reason string
  
  If a transform has a failed state, these details describe the reason for failure.
- search_total string
  
  The total number of search operations on the source index for the transform.
- search_failure string
  
  The total number of search failures.
- search_time string
  
  The total amount of search time, in milliseconds.
- index_total string
  
  The total number of index operations done by the transform.
- index_failure string
  
  The total number of indexing failures.
- index_time string
  
  The total time spent indexing documents, in milliseconds.
- documents_indexed string
  
  The number of documents that have been indexed into the destination index for the transform.
- delete_time string
  
  The total time spent deleting documents, in milliseconds.
- documents_deleted string
  
  The number of documents deleted from the destination index due to the retention policy for the transform.
- trigger_count string
  
  The number of times the transform has been triggered by the scheduler. For example, the scheduler triggers the transform indexer to check for updates or ingest new data at an interval specified in the frequency property.
- pages_processed string
  
  The number of search or bulk index operations processed. Documents are processed in batches instead of individually.
- processing_time string
  
  The total time spent processing results, in milliseconds.
- checkpoint_duration_time_exp_avg string
  
  The exponential moving average of the duration of the checkpoint, in milliseconds.
- indexed_documents_exp_avg string
  
  The exponential moving average of the number of new documents that have been indexed.
- processed_documents_exp_avg string
  
  The exponential moving average of the number of documents that have been processed.

GET /_cat/transforms/{transform_id}

curl \
 --request GET 'http://api.example.com/_cat/transforms/{transform_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_cat/transforms?v=true&format=json`.

[
  {
    "id" : "ecommerce_transform",
    "state" : "started",
    "checkpoint" : "1",
    "documents_processed" : "705",
    "checkpoint_progress" : "100.00",
    "changes_last_detection_time" : null
  }
]

Connector

The connector and sync jobs APIs provide a convenient way to create and manage Elastic connectors and sync jobs in an internal index. Connectors are Elasticsearch integrations for syncing content from third-party data sources, which can be deployed on Elastic Cloud or hosted on your own infrastructure. This API provides an alternative to relying solely on Kibana UI for connector and sync job management. The API comes with a set of validations and assertions to ensure that the state representation in the internal index remains valid. This API requires the manage_connector privilege or, for read-only endpoints, the monitor_connector privilege.

Check out the connector API tutorial

Check in a connector Technical preview

PUT /_connector/{connector_id}/_check_in

Api key auth

Update the last_seen field in the connector and set it to the current timestamp.

Path parameters

connector_id string Required

The unique identifier of the connector to be checked in

Responses

200 application/json
Hide response attribute Show response attribute object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.

PUT /_connector/{connector_id}/_check_in

curl \
 --request PUT 'http://api.example.com/_connector/{connector_id}/_check_in' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
    "result": "updated"
}

Create or update a connector Beta

PUT /_connector/{connector_id}

Api key auth

Path parameters

connector_id string Required

The unique identifier of the connector to be created or updated. ID is auto-generated if not provided.

application/json

Body

description string
index_name string
is_native boolean
language string
name string
service_type string

Responses

200 application/json
Hide response attributes Show response attributes object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.
- id string Required

PUT /_connector/{connector_id}

curl \
 --request PUT 'http://api.example.com/_connector/{connector_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"index_name\": \"search-google-drive\",\n  \"name\": \"My Connector\",\n  \"service_type\": \"google_drive\"\n}"'

Request examples

{
  "index_name": "search-google-drive",
  "name": "My Connector",
  "service_type": "google_drive"
}

{
  "index_name": "search-google-drive",
  "name": "My Connector",
  "description": "My Connector to sync data to Elastic index from Google Drive",
  "service_type": "google_drive",
  "language": "english"
}

Response examples (200)

{
  "result": "created",
  "id": "my-connector"
}

Delete a connector Beta

DELETE /_connector/{connector_id}

Api key auth

Removes a connector and associated sync jobs. This is a destructive action that is not recoverable. NOTE: This action doesn’t delete any API keys, ingest pipelines, or data indices associated with the connector. These need to be removed manually.

Path parameters

connector_id string Required

The unique identifier of the connector to be deleted

Query parameters

delete_sync_jobs boolean

A flag indicating if associated sync jobs should be also removed. Defaults to false.
hard boolean

A flag indicating if the connector should be hard deleted.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_connector/{connector_id}

curl \
 --request DELETE 'http://api.example.com/_connector/{connector_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

{
    "acknowledged": true
}

Cancel a connector sync job Beta

PUT /_connector/_sync_job/{connector_sync_job_id}/_cancel

Api key auth

Cancel a connector sync job, which sets the status to cancelling and updates cancellation_requested_at to the current time. The connector service is then responsible for setting the status of connector sync jobs to cancelled.

Path parameters

connector_sync_job_id string Required

The unique identifier of the connector sync job

Responses

200 application/json
Hide response attribute Show response attribute object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.

PUT /_connector/_sync_job/{connector_sync_job_id}/_cancel

curl \
 --request PUT 'http://api.example.com/_connector/_sync_job/{connector_sync_job_id}/_cancel' \
 --header "Authorization: $API_KEY"

Create a connector sync job Beta

POST /_connector/_sync_job

Api key auth

Create a connector sync job document in the internal index and initialize its counters and timestamps with default values.

application/json

Body Required

id string Required
job_type string

Values are full, incremental, or access_control.
trigger_method string

Values are on_demand or scheduled.

Responses

200 application/json
Hide response attribute Show response attribute object
- id string Required

POST /_connector/_sync_job

curl \
 --request POST 'http://api.example.com/_connector/_sync_job' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"id\": \"connector-id\",\n  \"job_type\": \"full\",\n  \"trigger_method\": \"on_demand\"\n}"'

Request example

{
  "id": "connector-id",
  "job_type": "full",
  "trigger_method": "on_demand"
}

Update the connector name and description Beta

PUT /_connector/{connector_id}/_name

Api key auth

Path parameters

connector_id string Required

The unique identifier of the connector to be updated

application/json

Body Required

name string
description string

Responses

200 application/json
Hide response attribute Show response attribute object
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.

PUT /_connector/{connector_id}/_name

curl \
 --request PUT 'http://api.example.com/_connector/{connector_id}/_name' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"name\": \"Custom connector\",\n    \"description\": \"This is my customized connector\"\n}"'

Request example

{
    "name": "Custom connector",
    "description": "This is my customized connector"
}

Response examples (200)

{
  "result": "updated"
}

Create a data stream Added in 7.9.0

PUT /_data_stream/{name}

Api key auth

You must have a matching index template with data stream enabled.

Path parameters

name string Required

Name of the data stream, which must meet the following criteria: Lowercase only; Cannot include \, /, *, ?, ", <, >, |, ,, #, :, or a space character; Cannot start with -, _, +, or .ds-; Cannot be . or ..; Cannot be longer than 255 bytes. Multi-byte characters count towards this limit faster.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_data_stream/{name}

curl \
 --request PUT 'http://api.example.com/_data_stream/{name}' \
 --header "Authorization: $API_KEY"

Get the status for a data stream lifecycle Added in 8.11.0

GET /{index}/_lifecycle/explain

Api key auth

Get information about an index or data stream's current data stream lifecycle status, such as time since index creation, time since rollover, the lifecycle configuration managing the index, or any errors encountered during lifecycle execution.

Path parameters

index string | array[string] Required

The name of the index to explain

Query parameters

include_defaults boolean

indicates if the API should return the default values the system uses for the index's lifecycle
master_timeout string

Specify timeout for connection to master

Responses

200 application/json
Hide response attribute Show response attribute object
- indices object Required
  
  Hide indices attribute Show indices attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  index string Required
  
  managed_by_lifecycle boolean Required
  
  index_creation_date_millis number
  
  Time unit for milliseconds
  
  time_since_index_creation string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  rollover_date_millis number
  
  Time unit for milliseconds
  
  time_since_rollover string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  lifecycle object
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  data_retention string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  downsampling object
  
  Hide downsampling attribute Show downsampling attribute object
  
  rounds array[object] Required
  
  The list of downsampling rounds to execute as part of this downsampling configuration
  
  enabled boolean
  
  If defined, it turns data stream lifecycle on/off (true/false) for this data stream. A data stream lifecycle that's disabled (enabled: false) will have no effect on the data stream.
  
  rollover object
  
  Hide rollover attributes Show rollover attributes object
  
  min_age string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  max_age string
  
  min_docs number
  
  max_docs number
  
  min_size
  
  max_size
  
  min_primary_shard_size
  
  max_primary_shard_size
  
  min_primary_shard_docs number
  
  max_primary_shard_docs number
  
  generation_time string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  error string

GET /{index}/_lifecycle/explain

curl \
 --request GET 'http://api.example.com/{index}/_lifecycle/explain' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET .ds-metrics-2023.03.22-000001/_lifecycle/explain`, which retrieves the lifecycle status for a data stream backing index. If the index is managed by a data stream lifecycle, the API will show the `managed_by_lifecycle` field set to `true` and the rest of the response will contain information about the lifecycle execution status for this index.

{
  "indices": {
    ".ds-metrics-2023.03.22-000001": {
      "index" : ".ds-metrics-2023.03.22-000001",
      "managed_by_lifecycle" : true,
      "index_creation_date_millis" : 1679475563571,
      "time_since_index_creation" : "843ms",
      "rollover_date_millis" : 1679475564293,
      "time_since_rollover" : "121ms",
      "lifecycle" : { },
      "generation_time" : "121ms"
  }
}

The API reports any errors related to the lifecycle execution for the target index.

{
  "indices": {
    ".ds-metrics-2023.03.22-000001": {
      "index" : ".ds-metrics-2023.03.22-000001",
      "managed_by_lifecycle" : true,
      "index_creation_date_millis" : 1679475563571,
      "time_since_index_creation" : "843ms",
      "lifecycle" : {
        "enabled": true
      },
      "error": "{\"type\":\"validation_exception\",\"reason\":\"Validation Failed: 1: this action would add [2] shards, but this cluster
currently has [4]/[3] maximum normal shards open;\"}"
  }
}

Convert an index alias to a data stream Added in 7.9.0

POST /_data_stream/_migrate/{name}

Api key auth

Converts an index alias to a data stream. You must have a matching index template that is data stream enabled. The alias must meet the following criteria: The alias must have a write index; All indices for the alias must have a @timestamp field mapping of a date or date_nanos field type; The alias must not have any filters; The alias must not use custom routing. If successful, the request removes the alias and creates a data stream with the same name. The indices for the alias become hidden backing indices for the stream. The write index for the alias becomes the write index for the stream.

Path parameters

name string Required

Name of the index alias to convert to a data stream.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

POST /_data_stream/_migrate/{name}

curl \
 --request POST 'http://api.example.com/_data_stream/_migrate/{name}' \
 --header "Authorization: $API_KEY"

Delete a document

DELETE /{index}/_doc/{id}

Api key auth

Remove a JSON document from the specified index.

NOTE: You cannot send deletion requests directly to a data stream. To delete a document in a data stream, you must target the backing index containing the document.

Optimistic concurrency control

Delete operations can be made conditional and only be performed if the last modification to the document was assigned the sequence number and primary term specified by the if_seq_no and if_primary_term parameters. If a mismatch is detected, the operation will result in a VersionConflictException and a status code of 409.

Versioning

Each document indexed is versioned. When deleting a document, the version can be specified to make sure the relevant document you are trying to delete is actually being deleted and it has not changed in the meantime. Every write operation run on a document, deletes included, causes its version to be incremented. The version number of a deleted document remains available for a short time after deletion to allow for control of concurrent operations. The length of time for which a deleted document's version remains available is determined by the index.gc_deletes index setting.

Routing

If routing is used during indexing, the routing value also needs to be specified to delete a document.

If the _routing mapping is set to required and no routing value is specified, the delete API throws a RoutingMissingException and rejects the request.

For example:

DELETE /my-index-000001/_doc/1?routing=shard-1

This request deletes the document with ID 1, but it is routed based on the user. The document is not deleted if the correct routing is not specified.

Distributed

The delete operation gets hashed into a specific shard ID. It then gets redirected into the primary shard within that ID group and replicated (if needed) to shard replicas within that ID group.

Path parameters

index string Required

The name of the target index.
id string Required

A unique identifier for the document.

Query parameters

if_primary_term number

Only perform the operation if the document has this primary term.
if_seq_no number

Only perform the operation if the document has this sequence number.
refresh string

If true, Elasticsearch refreshes the affected shards to make this operation visible to search. If wait_for, it waits for a refresh to make this operation visible to search. If false, it does nothing with refreshes.

Values are true, false, or wait_for.
routing string

A custom value used to route operations to a specific shard.
timeout string

The period to wait for active shards.

This parameter is useful for situations where the primary shard assigned to perform the delete operation might not be available when the delete operation runs. Some reasons for this might be that the primary shard is currently recovering from a store or undergoing relocation. By default, the delete operation will wait on the primary shard to become available for up to 1 minute before failing and responding with an error.
version number

An explicit version number for concurrency control. It must match the current version of the document for the request to succeed.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.
wait_for_active_shards number | string

The minimum number of shard copies that must be active before proceeding with the operation. You can set it to all or any positive integer up to the total number of shards in the index (number_of_replicas+1). The default value of 1 means it waits for each primary shard to be active.

Responses

200 application/json
Hide response attributes Show response attributes object
- _id string Required
- _index string Required
- _primary_term number
  
  The primary term assigned to the document for the indexing operation.
- result string Required
  
  Values are created, updated, deleted, not_found, or noop.
- _seq_no number
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- _version number Required
- forced_refresh boolean

DELETE /{index}/_doc/{id}

curl \
 --request DELETE 'http://api.example.com/{index}/_doc/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `DELETE /my-index-000001/_doc/1`, which deletes the JSON document 1 from the `my-index-000001` index.

{
  "_shards": {
    "total": 2,
    "failed": 0,
    "successful": 2
  },
  "_index": "my-index-000001",
  "_id": "1",
  "_version": 2,
  "_primary_term": 1,
  "_seq_no": 5,
  "result": "deleted"
}

Get multiple documents Added in 1.3.0

GET /_mget

Api key auth

Get multiple JSON documents by ID from one or more indices. If you specify an index in the request URI, you only need to specify the document IDs in the request body. To ensure fast responses, this multi get (mget) API responds with partial results if one or more shards fail.

Filter source fields

By default, the _source field is returned for every document (if stored). Use the _source and _source_include or source_exclude attributes to filter what fields are returned for a particular document. You can include the _source, _source_includes, and _source_excludes query parameters in the request URI to specify the defaults to use when there are no per-document instructions.

Get stored fields

Use the stored_fields attribute to specify the set of stored fields you want to retrieve. Any requested fields that are not stored are ignored. You can include the stored_fields query parameter in the request URI to specify the defaults to use when there are no per-document instructions.

Query parameters

preference string

Specifies the node or shard the operation should be performed on. Random by default.
realtime boolean

If true, the request is real-time as opposed to near-real-time.
refresh boolean

If true, the request refreshes relevant shards before retrieving documents.
routing string

Custom value used to route operations to a specific shard.
_source boolean | string | array[string]

True or false to return the _source field or not, or a list of fields to return.
_source_excludes string | array[string]

A comma-separated list of source fields to exclude from the response. You can also use this parameter to exclude fields from the subset specified in _source_includes query parameter.
_source_includes string | array[string]

A comma-separated list of source fields to include in the response. If this parameter is specified, only these source fields are returned. You can exclude fields from this subset using the _source_excludes query parameter. If the _source parameter is false, this parameter is ignored.
stored_fields string | array[string]

If true, retrieves the document fields stored in the index rather than the document _source.

application/json

Body Required

docs array[object]

The documents you want to retrieve. Required if no index is specified in the request URI.
Hide docs attributes Show docs attributes object
- _id string Required
- _index string
- routing string
- _source boolean | object
  
  Defines how to fetch a source. Fetching can be disabled entirely, or the source can be filtered.
  
  One of:
  SourceConfig boolean SourceFilter object
- stored_fields string | array[string]
- version number
- version_type string
  
  Values are internal, external, external_gte, or force.
ids string | array[string]

One of:
Id string Ids array[string]

Responses

200 application/json
Hide response attribute Show response attribute object
- docs array[object] Required
  
  The response includes a docs array that contains the documents in the order specified in the request. The structure of the returned documents is similar to that returned by the get API. If there is a failure getting a particular document, the error is included in place of the document.
  
  One of:
  GetResult object MultiGetError object
  
  Hide attributes Show attributes
  
  _index string Required
  
  fields object
  
  If the stored_fields parameter is set to true and found is true, it contains the document fields stored in the index.
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  _ignored array[string]
  
  found boolean Required
  
  Indicates whether the document exists.
  
  _id string Required
  
  _primary_term number
  
  The primary term assigned to the document for the indexing operation.
  
  _routing string
  
  The explicit routing, if set.
  
  _seq_no number
  
  _source object
  
  If found is true, it contains the document data formatted in JSON. If the _source parameter is set to false or the stored_fields parameter is set to true, it is excluded.
  
  _version number
  
  Hide attributes Show attributes
  
  error object Required
  
  Hide error attributes Show error attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  _id string Required
  
  _index string Required

GET /_mget

curl \
 --request GET 'http://api.example.com/_mget' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"docs\": [\n    {\n      \"_id\": \"1\"\n    },\n    {\n      \"_id\": \"2\"\n    }\n  ]\n}"'

Request examples

Run `GET /my-index-000001/_mget`. When you specify an index in the request URI, only the document IDs are required in the request body.

{
  "docs": [
    {
      "_id": "1"
    },
    {
      "_id": "2"
    }
  ]
}

Run `GET /_mget`. This request sets `_source` to `false` for document 1 to exclude the source entirely. It retrieves `field3` and `field4` from document 2. It retrieves the `user` field from document 3 but filters out the `user.location` field.

{
  "docs": [
    {
      "_index": "test",
      "_id": "1",
      "_source": false
    },
    {
      "_index": "test",
      "_id": "2",
      "_source": [ "field3", "field4" ]
    },
    {
      "_index": "test",
      "_id": "3",
      "_source": {
        "include": [ "user" ],
        "exclude": [ "user.location" ]
      }
    }
  ]
}

Run `GET /_mget`. This request retrieves `field1` and `field2` from document 1 and `field3` and `field4` from document 2.

{
  "docs": [
    {
      "_index": "test",
      "_id": "1",
      "stored_fields": [ "field1", "field2" ]
    },
    {
      "_index": "test",
      "_id": "2",
      "stored_fields": [ "field3", "field4" ]
    }
  ]
}

Run `GET /_mget?routing=key1`. If routing is used during indexing, you need to specify the routing value to retrieve documents. This request fetches `test/_doc/2` from the shard corresponding to routing key `key1`. It fetches `test/_doc/1` from the shard corresponding to routing key `key2`.

{
  "docs": [
    {
      "_index": "test",
      "_id": "1",
      "routing": "key2"
    },
    {
      "_index": "test",
      "_id": "2"
    }
  ]
}

Get multiple term vectors

GET /_mtermvectors

Api key auth

Get multiple term vectors with a single request. You can specify existing documents by index and ID or provide artificial documents in the body of the request. You can specify the index in the request body or request URI. The response contains a docs array with all the fetched termvectors. Each element has the structure provided by the termvectors API.

Artificial documents

You can also use mtermvectors to generate term vectors for artificial documents provided in the body of the request. The mapping used is determined by the specified _index.

Query parameters

ids array[string]

A comma-separated list of documents ids. You must define ids as parameter or set "ids" or "docs" in the request body
fields string | array[string]

A comma-separated list or wildcard expressions of fields to include in the statistics. It is used as the default list unless a specific field list is provided in the completion_fields or fielddata_fields parameters.
field_statistics boolean

If true, the response includes the document count, sum of document frequencies, and sum of total term frequencies.
offsets boolean

If true, the response includes term offsets.
payloads boolean

If true, the response includes term payloads.
positions boolean

If true, the response includes term positions.
preference string

The node or shard the operation should be performed on. It is random by default.
realtime boolean

If true, the request is real-time as opposed to near-real-time.
routing string

A custom value used to route operations to a specific shard.
term_statistics boolean

If true, the response includes term frequency and document frequency.
version number

If true, returns the document version as part of a hit.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.

application/json

Body

docs array[object]

An array of existing or artificial documents.
Hide docs attributes Show docs attributes object
- _id string
- _index string
- doc object
  
  An artificial document (a document not present in the index) for which you want to retrieve term vectors.
- fields string | array[string]
- field_statistics boolean
  
  If true, the response includes the document count, sum of document frequencies, and sum of total term frequencies.
- filter object
  Hide filter attributes Show filter attributes object
  
  max_doc_freq number
  
  Ignore words which occur in more than this many docs. Defaults to unbounded.
  
  max_num_terms number
  
  The maximum number of terms that must be returned per field.
  
  max_term_freq number
  
  Ignore words with more than this frequency in the source doc. It defaults to unbounded.
  
  max_word_length number
  
  The maximum word length above which words will be ignored. Defaults to unbounded.
  
  min_doc_freq number
  
  Ignore terms which do not occur in at least this many docs.
  
  min_term_freq number
  
  Ignore words with less than this frequency in the source doc.
  
  min_word_length number
  
  The minimum word length below which words will be ignored.
- offsets boolean
  
  If true, the response includes term offsets.
- payloads boolean
  
  If true, the response includes term payloads.
- positions boolean
  
  If true, the response includes term positions.
- routing string
- term_statistics boolean
  
  If true, the response includes term frequency and document frequency.
- version number
- version_type string
  
  Values are internal, external, external_gte, or force.
ids array[string]

A simplified syntax to specify documents by their ID if they're in the same index.

Responses

200 application/json
Hide response attribute Show response attribute object
- docs array[object] Required
  
  Hide docs attributes Show docs attributes object
  
  _id string
  
  _index string Required
  
  _version number
  
  took number
  
  found boolean
  
  term_vectors object
  
  Hide term_vectors attribute Show term_vectors attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field_statistics object
  
  Hide field_statistics attributes Show field_statistics attributes object
  
  doc_count number Required
  
  sum_doc_freq number Required
  
  sum_ttf number Required
  
  terms object Required
  
  Hide terms attribute Show terms attribute object
  
  * object Additional properties
  
  error object
  
  Hide error attributes Show error attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]

GET /_mtermvectors

curl \
 --request GET 'http://api.example.com/_mtermvectors' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"docs\": [\n      {\n        \"_id\": \"2\",\n        \"fields\": [\n            \"message\"\n        ],\n        \"term_statistics\": true\n      },\n      {\n        \"_id\": \"1\"\n      }\n  ]\n}"'

Request examples

Run `POST /my-index-000001/_mtermvectors`. When you specify an index in the request URI, the index does not need to be specified for each documents in the request body.

{
  "docs": [
      {
        "_id": "2",
        "fields": [
            "message"
        ],
        "term_statistics": true
      },
      {
        "_id": "1"
      }
  ]
}

Run `POST /my-index-000001/_mtermvectors`. If all requested documents are in same index and the parameters are the same, you can use a simplified syntax.

{
  "ids": [ "1", "2" ],
  "fields": [
    "message"
  ],
  "term_statistics": true
}

Run `POST /_mtermvectors` to generate term vectors for artificial documents provided in the body of the request. The mapping used is determined by the specified `_index`.

{
  "docs": [
      {
        "_index": "my-index-000001",
        "doc" : {
            "message" : "test test test"
        }
      },
      {
        "_index": "my-index-000001",
        "doc" : {
          "message" : "Another test ..."
        }
      }
  ]
}

Get multiple term vectors

GET /{index}/_mtermvectors

Api key auth

Get multiple term vectors with a single request. You can specify existing documents by index and ID or provide artificial documents in the body of the request. You can specify the index in the request body or request URI. The response contains a docs array with all the fetched termvectors. Each element has the structure provided by the termvectors API.

Artificial documents

You can also use mtermvectors to generate term vectors for artificial documents provided in the body of the request. The mapping used is determined by the specified _index.

Path parameters

index string Required

The name of the index that contains the documents.

Query parameters

ids array[string]

A comma-separated list of documents ids. You must define ids as parameter or set "ids" or "docs" in the request body
fields string | array[string]

A comma-separated list or wildcard expressions of fields to include in the statistics. It is used as the default list unless a specific field list is provided in the completion_fields or fielddata_fields parameters.
field_statistics boolean

If true, the response includes the document count, sum of document frequencies, and sum of total term frequencies.
offsets boolean

If true, the response includes term offsets.
payloads boolean

If true, the response includes term payloads.
positions boolean

If true, the response includes term positions.
preference string

The node or shard the operation should be performed on. It is random by default.
realtime boolean

If true, the request is real-time as opposed to near-real-time.
routing string

A custom value used to route operations to a specific shard.
term_statistics boolean

If true, the response includes term frequency and document frequency.
version number

If true, returns the document version as part of a hit.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.

application/json

Body

docs array[object]

An array of existing or artificial documents.
Hide docs attributes Show docs attributes object
- _id string
- _index string
- doc object
  
  An artificial document (a document not present in the index) for which you want to retrieve term vectors.
- fields string | array[string]
- field_statistics boolean
  
  If true, the response includes the document count, sum of document frequencies, and sum of total term frequencies.
- filter object
  Hide filter attributes Show filter attributes object
  
  max_doc_freq number
  
  Ignore words which occur in more than this many docs. Defaults to unbounded.
  
  max_num_terms number
  
  The maximum number of terms that must be returned per field.
  
  max_term_freq number
  
  Ignore words with more than this frequency in the source doc. It defaults to unbounded.
  
  max_word_length number
  
  The maximum word length above which words will be ignored. Defaults to unbounded.
  
  min_doc_freq number
  
  Ignore terms which do not occur in at least this many docs.
  
  min_term_freq number
  
  Ignore words with less than this frequency in the source doc.
  
  min_word_length number
  
  The minimum word length below which words will be ignored.
- offsets boolean
  
  If true, the response includes term offsets.
- payloads boolean
  
  If true, the response includes term payloads.
- positions boolean
  
  If true, the response includes term positions.
- routing string
- term_statistics boolean
  
  If true, the response includes term frequency and document frequency.
- version number
- version_type string
  
  Values are internal, external, external_gte, or force.
ids array[string]

A simplified syntax to specify documents by their ID if they're in the same index.

Responses

200 application/json
Hide response attribute Show response attribute object
- docs array[object] Required
  
  Hide docs attributes Show docs attributes object
  
  _id string
  
  _index string Required
  
  _version number
  
  took number
  
  found boolean
  
  term_vectors object
  
  Hide term_vectors attribute Show term_vectors attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field_statistics object
  
  Hide field_statistics attributes Show field_statistics attributes object
  
  doc_count number Required
  
  sum_doc_freq number Required
  
  sum_ttf number Required
  
  terms object Required
  
  Hide terms attribute Show terms attribute object
  
  * object Additional properties
  
  error object
  
  Hide error attributes Show error attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]

GET /{index}/_mtermvectors

curl \
 --request GET 'http://api.example.com/{index}/_mtermvectors' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"docs\": [\n      {\n        \"_id\": \"2\",\n        \"fields\": [\n            \"message\"\n        ],\n        \"term_statistics\": true\n      },\n      {\n        \"_id\": \"1\"\n      }\n  ]\n}"'

Request examples

Run `POST /my-index-000001/_mtermvectors`. When you specify an index in the request URI, the index does not need to be specified for each documents in the request body.

{
  "docs": [
      {
        "_id": "2",
        "fields": [
            "message"
        ],
        "term_statistics": true
      },
      {
        "_id": "1"
      }
  ]
}

Run `POST /my-index-000001/_mtermvectors`. If all requested documents are in same index and the parameters are the same, you can use a simplified syntax.

{
  "ids": [ "1", "2" ],
  "fields": [
    "message"
  ],
  "term_statistics": true
}

Run `POST /_mtermvectors` to generate term vectors for artificial documents provided in the body of the request. The mapping used is determined by the specified `_index`.

{
  "docs": [
      {
        "_index": "my-index-000001",
        "doc" : {
            "message" : "test test test"
        }
      },
      {
        "_index": "my-index-000001",
        "doc" : {
          "message" : "Another test ..."
        }
      }
  ]
}

Get multiple term vectors

POST /{index}/_mtermvectors

Api key auth

Get multiple term vectors with a single request. You can specify existing documents by index and ID or provide artificial documents in the body of the request. You can specify the index in the request body or request URI. The response contains a docs array with all the fetched termvectors. Each element has the structure provided by the termvectors API.

Artificial documents

You can also use mtermvectors to generate term vectors for artificial documents provided in the body of the request. The mapping used is determined by the specified _index.

Path parameters

index string Required

The name of the index that contains the documents.

Query parameters

ids array[string]

A comma-separated list of documents ids. You must define ids as parameter or set "ids" or "docs" in the request body
fields string | array[string]

A comma-separated list or wildcard expressions of fields to include in the statistics. It is used as the default list unless a specific field list is provided in the completion_fields or fielddata_fields parameters.
field_statistics boolean

If true, the response includes the document count, sum of document frequencies, and sum of total term frequencies.
offsets boolean

If true, the response includes term offsets.
payloads boolean

If true, the response includes term payloads.
positions boolean

If true, the response includes term positions.
preference string

The node or shard the operation should be performed on. It is random by default.
realtime boolean

If true, the request is real-time as opposed to near-real-time.
routing string

A custom value used to route operations to a specific shard.
term_statistics boolean

If true, the response includes term frequency and document frequency.
version number

If true, returns the document version as part of a hit.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.

application/json

Body

docs array[object]

An array of existing or artificial documents.
Hide docs attributes Show docs attributes object
- _id string
- _index string
- doc object
  
  An artificial document (a document not present in the index) for which you want to retrieve term vectors.
- fields string | array[string]
- field_statistics boolean
  
  If true, the response includes the document count, sum of document frequencies, and sum of total term frequencies.
- filter object
  Hide filter attributes Show filter attributes object
  
  max_doc_freq number
  
  Ignore words which occur in more than this many docs. Defaults to unbounded.
  
  max_num_terms number
  
  The maximum number of terms that must be returned per field.
  
  max_term_freq number
  
  Ignore words with more than this frequency in the source doc. It defaults to unbounded.
  
  max_word_length number
  
  The maximum word length above which words will be ignored. Defaults to unbounded.
  
  min_doc_freq number
  
  Ignore terms which do not occur in at least this many docs.
  
  min_term_freq number
  
  Ignore words with less than this frequency in the source doc.
  
  min_word_length number
  
  The minimum word length below which words will be ignored.
- offsets boolean
  
  If true, the response includes term offsets.
- payloads boolean
  
  If true, the response includes term payloads.
- positions boolean
  
  If true, the response includes term positions.
- routing string
- term_statistics boolean
  
  If true, the response includes term frequency and document frequency.
- version number
- version_type string
  
  Values are internal, external, external_gte, or force.
ids array[string]

A simplified syntax to specify documents by their ID if they're in the same index.

Responses

200 application/json
Hide response attribute Show response attribute object
- docs array[object] Required
  
  Hide docs attributes Show docs attributes object
  
  _id string
  
  _index string Required
  
  _version number
  
  took number
  
  found boolean
  
  term_vectors object
  
  Hide term_vectors attribute Show term_vectors attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field_statistics object
  
  Hide field_statistics attributes Show field_statistics attributes object
  
  doc_count number Required
  
  sum_doc_freq number Required
  
  sum_ttf number Required
  
  terms object Required
  
  Hide terms attribute Show terms attribute object
  
  * object Additional properties
  
  error object
  
  Hide error attributes Show error attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]

POST /{index}/_mtermvectors

curl \
 --request POST 'http://api.example.com/{index}/_mtermvectors' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"docs\": [\n      {\n        \"_id\": \"2\",\n        \"fields\": [\n            \"message\"\n        ],\n        \"term_statistics\": true\n      },\n      {\n        \"_id\": \"1\"\n      }\n  ]\n}"'

Request examples

Run `POST /my-index-000001/_mtermvectors`. When you specify an index in the request URI, the index does not need to be specified for each documents in the request body.

{
  "docs": [
      {
        "_id": "2",
        "fields": [
            "message"
        ],
        "term_statistics": true
      },
      {
        "_id": "1"
      }
  ]
}

Run `POST /my-index-000001/_mtermvectors`. If all requested documents are in same index and the parameters are the same, you can use a simplified syntax.

{
  "ids": [ "1", "2" ],
  "fields": [
    "message"
  ],
  "term_statistics": true
}

Run `POST /_mtermvectors` to generate term vectors for artificial documents provided in the body of the request. The mapping used is determined by the specified `_index`.

{
  "docs": [
      {
        "_index": "my-index-000001",
        "doc" : {
            "message" : "test test test"
        }
      },
      {
        "_index": "my-index-000001",
        "doc" : {
          "message" : "Another test ..."
        }
      }
  ]
}

Get term vector information

GET /{index}/_termvectors

Api key auth

Get information and statistics about terms in the fields of a particular document.

You can retrieve term vectors for documents stored in the index or for artificial documents passed in the body of the request. You can specify the fields you are interested in through the fields parameter or by adding the fields to the request body. For example:

GET /my-index-000001/_termvectors/1?fields=message

Fields can be specified using wildcards, similar to the multi match query.

Term vectors are real-time by default, not near real-time. This can be changed by setting realtime parameter to false.

You can request three types of values: term information, term statistics, and field statistics. By default, all term information and field statistics are returned for all fields but term statistics are excluded.

Term information

term frequency in the field (always returned)
term positions (positions: true)
start and end offsets (offsets: true)
term payloads (payloads: true), as base64 encoded bytes

If the requested information wasn't stored in the index, it will be computed on the fly if possible. Additionally, term vectors could be computed for documents not even existing in the index, but instead provided by the user.

Start and end offsets assume UTF-16 encoding is being used. If you want to use these offsets in order to get the original text that produced this token, you should make sure that the string you are taking a sub-string of is also encoded using UTF-16.

Behaviour

The term and field statistics are not accurate. Deleted documents are not taken into account. The information is only retrieved for the shard the requested document resides in. The term and field statistics are therefore only useful as relative measures whereas the absolute numbers have no meaning in this context. By default, when requesting term vectors of artificial documents, a shard to get the statistics from is randomly selected. Use routing only to hit a particular shard.

Path parameters

index string Required

The name of the index that contains the document.

Query parameters

fields string | array[string]

A comma-separated list or wildcard expressions of fields to include in the statistics. It is used as the default list unless a specific field list is provided in the completion_fields or fielddata_fields parameters.
field_statistics boolean
If true, the response includes:
- The document count (how many documents contain this field).
- The sum of document frequencies (the sum of document frequencies for all terms in this field).
- The sum of total term frequencies (the sum of total term frequencies of each term in this field).
offsets boolean

If true, the response includes term offsets.
payloads boolean

If true, the response includes term payloads.
positions boolean

If true, the response includes term positions.
preference string

The node or shard the operation should be performed on. It is random by default.
realtime boolean

If true, the request is real-time as opposed to near-real-time.
routing string

A custom value that is used to route operations to a specific shard.
term_statistics boolean
If true, the response includes:
- The total term frequency (how often a term occurs in all documents).
- The document frequency (the number of documents containing the current term).
By default these values are not returned since term statistics can have a serious performance impact.
version number

If true, returns the document version as part of a hit.
version_type string
The version type.

Supported values include:
- internal: Use internal versioning that starts at 1 and increments with each update or delete.
- external: Only index the document if the specified version is strictly higher than the version of the stored document or if there is no existing document.
- external_gte: Only index the document if the specified version is equal or higher than the version of the stored document or if there is no existing document. NOTE: The external_gte version type is meant for special use cases and should be used with care. If used incorrectly, it can result in loss of data.
- force: This option is deprecated because it can cause primary and replica shards to diverge.
Values are internal, external, external_gte, or force.

application/json

Body

doc object

An artificial document (a document not present in the index) for which you want to retrieve term vectors.
filter object
Hide filter attributes Show filter attributes object
- max_doc_freq number
  
  Ignore words which occur in more than this many docs. Defaults to unbounded.
- max_num_terms number
  
  The maximum number of terms that must be returned per field.
- max_term_freq number
  
  Ignore words with more than this frequency in the source doc. It defaults to unbounded.
- max_word_length number
  
  The maximum word length above which words will be ignored. Defaults to unbounded.
- min_doc_freq number
  
  Ignore terms which do not occur in at least this many docs.
- min_term_freq number
  
  Ignore words with less than this frequency in the source doc.
- min_word_length number
  
  The minimum word length below which words will be ignored.
per_field_analyzer object

Override the default per-field analyzer. This is useful in order to generate term vectors in any fashion, especially when using artificial documents. When providing an analyzer for a field that already stores term vectors, the term vectors will be regenerated.
Hide per_field_analyzer attribute Show per_field_analyzer attribute object
- * string Additional properties
fields string | array[string]
field_statistics boolean
If true, the response includes:
- The document count (how many documents contain this field).
- The sum of document frequencies (the sum of document frequencies for all terms in this field).
- The sum of total term frequencies (the sum of total term frequencies of each term in this field).
offsets boolean

If true, the response includes term offsets.
payloads boolean

If true, the response includes term payloads.
positions boolean

If true, the response includes term positions.
term_statistics boolean
If true, the response includes:
- The total term frequency (how often a term occurs in all documents).
- The document frequency (the number of documents containing the current term).
By default these values are not returned since term statistics can have a serious performance impact.
routing string
version number
version_type string

Values are internal, external, external_gte, or force.

Responses

200 application/json
Hide response attributes Show response attributes object
- found boolean Required
- _id string
- _index string Required
- term_vectors object
  
  Hide term_vectors attribute Show term_vectors attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  field_statistics object
  
  Hide field_statistics attributes Show field_statistics attributes object
  
  doc_count number Required
  
  sum_doc_freq number Required
  
  sum_ttf number Required
  
  terms object Required
  
  Hide terms attribute Show terms attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  doc_freq number
  
  score number
  
  term_freq number Required
  
  tokens array[object]
  
  ttf number
- took number Required
- _version number Required

GET /{index}/_termvectors

curl \
 --request GET 'http://api.example.com/{index}/_termvectors' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"fields\" : [\"text\"],\n  \"offsets\" : true,\n  \"payloads\" : true,\n  \"positions\" : true,\n  \"term_statistics\" : true,\n  \"field_statistics\" : true\n}"'

Request examples

Run `GET /my-index-000001/_termvectors/1` to return all information and statistics for field `text` in document 1.

{
  "fields" : ["text"],
  "offsets" : true,
  "payloads" : true,
  "positions" : true,
  "term_statistics" : true,
  "field_statistics" : true
}

Run `GET /my-index-000001/_termvectors/1` to set per-field analyzers. A different analyzer than the one at the field may be provided by using the `per_field_analyzer` parameter.

{
  "doc" : {
    "fullname" : "John Doe",
    "text" : "test test test"
  },
  "fields": ["fullname"],
  "per_field_analyzer" : {
    "fullname": "keyword"
  }
}

Run `GET /imdb/_termvectors` to filter the terms returned based on their tf-idf scores. It returns the three most "interesting" keywords from the artificial document having the given "plot" field value. Notice that the keyword "Tony" or any stop words are not part of the response, as their tf-idf must be too low.

{
  "doc": {
    "plot": "When wealthy industrialist Tony Stark is forced to build an armored suit after a life-threatening incident, he ultimately decides to use its technology to fight against evil."
  },
  "term_statistics": true,
  "field_statistics": true,
  "positions": false,
  "offsets": false,
  "filter": {
    "max_num_terms": 3,
    "min_term_freq": 1,
    "min_doc_freq": 1
  }
}

Run `GET /my-index-000001/_termvectors/1`. Term vectors which are not explicitly stored in the index are automatically computed on the fly. This request returns all information and statistics for the fields in document 1, even though the terms haven't been explicitly stored in the index. Note that for the field text, the terms are not regenerated.

{
  "fields" : ["text", "some_field_without_term_vectors"],
  "offsets" : true,
  "positions" : true,
  "term_statistics" : true,
  "field_statistics" : true
}

Run `GET /my-index-000001/_termvectors`. Term vectors can be generated for artificial documents, that is for documents not present in the index. If dynamic mapping is turned on (default), the document fields not in the original mapping will be dynamically created.

{
  "doc" : {
    "fullname" : "John Doe",
    "text" : "test test test"
  }
}

Response examples (200)

A successful response from `GET /my-index-000001/_termvectors/1`.

{
  "_index": "my-index-000001",
  "_id": "1",
  "_version": 1,
  "found": true,
  "took": 6,
  "term_vectors": {
    "text": {
      "field_statistics": {
        "sum_doc_freq": 4,
        "doc_count": 2,
        "sum_ttf": 6
      },
      "terms": {
        "test": {
          "doc_freq": 2,
          "ttf": 4,
          "term_freq": 3,
          "tokens": [
            {
              "position": 0,
              "start_offset": 0,
              "end_offset": 4,
              "payload": "d29yZA=="
            },
            {
              "position": 1,
              "start_offset": 5,
              "end_offset": 9,
              "payload": "d29yZA=="
            },
            {
              "position": 2,
              "start_offset": 10,
              "end_offset": 14,
              "payload": "d29yZA=="
            }
          ]
        }
      }
    }
  }
}

A successful response from `GET /my-index-000001/_termvectors` with `per_field_analyzer` in the request body.

{
  "_index": "my-index-000001",
  "_version": 0,
  "found": true,
  "took": 6,
  "term_vectors": {
    "fullname": {
      "field_statistics": {
          "sum_doc_freq": 2,
          "doc_count": 4,
          "sum_ttf": 4
      },
      "terms": {
          "John Doe": {
            "term_freq": 1,
            "tokens": [
                {
                  "position": 0,
                  "start_offset": 0,
                  "end_offset": 8
                }
            ]
          }
      }
    }
  }
}

A successful response from `GET /my-index-000001/_termvectors` with a `filter` in the request body.

{
  "_index": "imdb",
  "_version": 0,
  "found": true,
  "term_vectors": {
      "plot": {
        "field_statistics": {
            "sum_doc_freq": 3384269,
            "doc_count": 176214,
            "sum_ttf": 3753460
        },
        "terms": {
            "armored": {
              "doc_freq": 27,
              "ttf": 27,
              "term_freq": 1,
              "score": 9.74725
            },
            "industrialist": {
              "doc_freq": 88,
              "ttf": 88,
              "term_freq": 1,
              "score": 8.590818
            },
            "stark": {
              "doc_freq": 44,
              "ttf": 47,
              "term_freq": 1,
              "score": 9.272792
            }
        }
      }
  }
}

Run an enrich policy Added in 7.5.0

PUT /_enrich/policy/{name}/_execute

Api key auth

Create the enrich index for an existing enrich policy.

Path parameters

name string Required

Enrich policy to execute.

Query parameters

master_timeout string

Period to wait for a connection to the master node.
wait_for_completion boolean

If true, the request blocks other enrich policy execution requests until complete.

Responses

200 application/json
Hide response attributes Show response attributes object
- status object
  
  Hide status attributes Show status attributes object
  
  phase string Required
  
  Values are SCHEDULED, RUNNING, COMPLETE, FAILED, or CANCELLED.
  
  step string
- task string | number
  
  One of:
  TaskId string TaskId number

PUT /_enrich/policy/{name}/_execute

curl \
 --request PUT 'http://api.example.com/_enrich/policy/{name}/_execute' \
 --header "Authorization: $API_KEY"

Get an enrich policy Added in 7.5.0

GET /_enrich/policy

Api key auth

Returns information about an enrich policy.

Query parameters

master_timeout string

Period to wait for a connection to the master node.

Responses

200 application/json
Hide response attribute Show response attribute object
- policies array[object] Required
  
  Hide policies attribute Show policies attribute object
  
  config object Required
  
  Hide config attribute Show config attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  enrich_fields string | array[string] Required
  
  indices string | array[string] Required
  
  match_field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  name string
  
  elasticsearch_version string

GET /_enrich/policy

curl \
 --request GET 'http://api.example.com/_enrich/policy' \
 --header "Authorization: $API_KEY"

Get async EQL search results Added in 7.9.0

GET /_eql/search/{id}

Api key auth

Get the current status and available results for an async EQL search or a stored synchronous EQL search.

Path parameters

id string Required

Identifier for the search.

Query parameters

keep_alive string

Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.
wait_for_completion_timeout string

Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.

Responses

200 application/json
Hide response attributes Show response attributes object
- id string
- is_partial boolean
  
  If true, the response does not contain complete search results.
- is_running boolean
  
  If true, the search request is still executing.
- took number
  
  Time unit for milliseconds
- timed_out boolean
  
  If true, the request timed out before completion.
- hits object Required
  
  Hide hits attributes Show hits attributes object
  
  total object
  
  Hide total attributes Show total attributes object
  
  relation string Required
  
  Values are eq or gte.
  
  value number Required
  
  events array[object]
  
  Contains events matching the query. Each object represents a matching event.
  
  Hide events attributes Show events attributes object
  
  _index string Required
  
  _id string Required
  
  _source object Required
  
  Original JSON body passed for the event at index time.
  
  missing boolean
  
  Set to true for events in a timespan-constrained sequence that do not meet a given condition.
  
  fields object
  
  Hide fields attribute Show fields attribute object
  
  * array[object] Additional properties
  
  sequences array[object]
  
  Contains event sequences matching the query. Each object represents a matching sequence. This parameter is only returned for EQL queries containing a sequence.
  
  Hide sequences attributes Show sequences attributes object
  
  events array[object] Required
  
  Contains events matching the query. Each object represents a matching event.
  
  Hide events attributes Show events attributes object
  
  _index string Required
  
  _id string Required
  
  _source object Required
  
  Original JSON body passed for the event at index time.
  
  missing boolean
  
  Set to true for events in a timespan-constrained sequence that do not meet a given condition.
  
  fields object
  
  join_keys array[object]
  
  Shared field values used to constrain matches in the sequence. These are defined using the by keyword in the EQL query syntax.
- shard_failures array[object]
  
  Contains information about shard failures (if any), in case allow_partial_search_results=true
  
  Hide shard_failures attributes Show shard_failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string

GET /_eql/search/{id}

curl \
 --request GET 'http://api.example.com/_eql/search/{id}' \
 --header "Authorization: $API_KEY"

Explore graph analytics

GET /{index}/_graph/explore

Api key auth

Extract and summarize information about the documents and terms in an Elasticsearch data stream or index. The easiest way to understand the behavior of this API is to use the Graph UI to explore connections. An initial request to the _explore API contains a seed query that identifies the documents of interest and specifies the fields that define the vertices and connections you want to include in the graph. Subsequent requests enable you to spider out from one more vertices of interest. You can exclude vertices that have already been returned.

External documentation

Path parameters

index string | array[string] Required

Name of the index.

Query parameters

routing string

Custom value used to route operations to a specific shard.
timeout string

Specifies the period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.

application/json

Body

connections object
Hide connections attributes Show connections attributes object
- connections object
- query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
- vertices array[object] Required
  
  Contains the fields you are interested in.
  Hide vertices attributes Show vertices attributes object
  
  exclude array[string]
  
  Prevents the specified terms from being included in the results.
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  include array[object]
  
  Identifies the terms of interest that form the starting points from which you want to spider out.
  
  Hide include attributes Show include attributes object
  
  boost number
  
  term string Required
  
  min_doc_count number
  
  Specifies how many documents must contain a pair of terms before it is considered to be a useful connection. This setting acts as a certainty threshold.
  
  shard_min_doc_count number
  
  Controls how many documents on a particular shard have to contain a pair of terms before the connection is returned for global consideration.
  
  size number
  
  Specifies the maximum number of vertex terms returned for each field.
controls object
Hide controls attributes Show controls attributes object
- sample_diversity object
  Hide sample_diversity attributes Show sample_diversity attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  max_docs_per_value number Required
- sample_size number
  
  Each hop considers a sample of the best-matching documents on each shard. Using samples improves the speed of execution and keeps exploration focused on meaningfully-connected terms. Very small values (less than 50) might not provide sufficient weight-of-evidence to identify significant connections between terms. Very large sample sizes can dilute the quality of the results and increase execution times.
- timeout string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
- use_significance boolean Required
  
  Filters associated terms so only those that are significantly associated with your query are included.
query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
vertices array[object]

Specifies one or more fields that contain the terms you want to include in the graph as vertices.
Hide vertices attributes Show vertices attributes object
- exclude array[string]
  
  Prevents the specified terms from being included in the results.
- field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- include array[object]
  
  Identifies the terms of interest that form the starting points from which you want to spider out.
  Hide include attributes Show include attributes object
  
  boost number
  
  term string Required
- min_doc_count number
  
  Specifies how many documents must contain a pair of terms before it is considered to be a useful connection. This setting acts as a certainty threshold.
- shard_min_doc_count number
  
  Controls how many documents on a particular shard have to contain a pair of terms before the connection is returned for global consideration.
- size number
  
  Specifies the maximum number of vertex terms returned for each field.

Responses

200 application/json
Hide response attributes Show response attributes object
- connections array[object] Required
  
  Hide connections attributes Show connections attributes object
  
  doc_count number Required
  
  source number Required
  
  target number Required
  
  weight number Required
- failures array[object] Required
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
- timed_out boolean Required
- took number Required
- vertices array[object] Required
  
  Hide vertices attributes Show vertices attributes object
  
  depth number Required
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  term string Required
  
  weight number Required

GET /{index}/_graph/explore

curl \
 --request GET 'http://api.example.com/{index}/_graph/explore' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"query\": {\n    \"match\": {\n      \"query.raw\": \"midi\"\n    }\n  },\n  \"vertices\": [\n    {\n      \"field\": \"product\"\n    }\n  ],\n  \"connections\": {\n    \"vertices\": [\n      {\n        \"field\": \"query.raw\"\n      }\n    ]\n  }\n}"'

Request example

Run `POST clicklogs/_graph/explore` for a basic exploration An initial graph explore query typically begins with a query to identify strongly related terms. Seed the exploration with a query. This example is searching `clicklogs` for people who searched for the term `midi`.Identify the vertices to include in the graph. This example is looking for product codes that are significantly associated with searches for `midi`. Find the connections. This example is looking for other search terms that led people to click on the products that are associated with searches for `midi`.

{
  "query": {
    "match": {
      "query.raw": "midi"
    }
  },
  "vertices": [
    {
      "field": "product"
    }
  ],
  "connections": {
    "vertices": [
      {
        "field": "query.raw"
      }
    ]
  }
}

Get component templates Added in 7.8.0

GET /_component_template/{name}

Api key auth

Get information about component templates.

Path parameters

name string Required

Comma-separated list of component template names used to limit the request. Wildcard (*) expressions are supported.

Query parameters

flat_settings boolean

If true, returns settings in flat format.
include_defaults boolean

Return all default configurations for the component template (default: false)
local boolean

If true, the request retrieves information from the local node only. If false, information is retrieved from the master node.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- component_templates array[object] Required
  
  Hide component_templates attributes Show component_templates attributes object
  
  name string Required
  
  component_template object Required
  
  Hide component_template attributes Show component_template attributes object
  
  template object Required
  
  Hide template attributes Show template attributes object
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  version number
  
  settings object
  
  Hide settings attribute Show settings attribute object
  
  * object Additional properties
  
  mappings object
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  index_field object
  
  _meta object
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  _size object
  
  _source object
  
  runtime object
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  aliases object
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  lifecycle object
  
  version number
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  deprecated boolean

GET /_component_template/{name}

curl \
 --request GET 'http://api.example.com/_component_template/{name}' \
 --header "Authorization: $API_KEY"

Delete component templates Added in 7.8.0

DELETE /_component_template/{name}

Api key auth

Component templates are building blocks for constructing index templates that specify index mappings, settings, and aliases.

Path parameters

name string | array[string] Required

Comma-separated list or wildcard expression of component template names used to limit the request.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_component_template/{name}

curl \
 --request DELETE 'http://api.example.com/_component_template/{name}' \
 --header "Authorization: $API_KEY"

Get tokens from text analysis

GET /_analyze

Api key auth

The analyze API performs analysis on a text string and returns the resulting tokens.

Generating excessive amount of tokens may cause a node to run out of memory. The index.analyze.max_token_count setting enables you to limit the number of tokens that can be produced. If more than this limit of tokens gets generated, an error occurs. The _analyze endpoint without a specified index will always use 10000 as its limit.

External documentation

Query parameters

index string

Index used to derive the analyzer. If specified, the analyzer or field parameter overrides this value. If no index is specified or the index does not have a default analyzer, the analyze API uses the standard analyzer.

application/json

Body

analyzer string

The name of the analyzer that should be applied to the provided text. This could be a built-in analyzer, or an analyzer that’s been configured in the index.
attributes array[string]

Array of token attributes used to filter the output of the explain parameter.
char_filter array

Array of character filters used to preprocess characters before the tokenizer.

External documentation
explain boolean

If true, the response includes token attributes and additional details.
field string

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
filter array

Array of token filters used to apply after the tokenizer.

External documentation
normalizer string

Normalizer to use to convert text into a single token.
text string | array[string]

One of:
TextToAnalyze string TextToAnalyze array[string]

Responses

200 application/json
Hide response attributes Show response attributes object
- detail object
  
  Hide detail attributes Show detail attributes object
  
  analyzer object
  
  Hide analyzer attributes Show analyzer attributes object
  
  name string Required
  
  tokens array[object] Required
  
  Hide tokens attributes Show tokens attributes object
  
  bytes string Required
  
  end_offset number Required
  
  keyword boolean
  
  position number Required
  
  positionLength number Required
  
  start_offset number Required
  
  termFrequency number Required
  
  token string Required
  
  type string Required
  
  charfilters array[object]
  
  Hide charfilters attributes Show charfilters attributes object
  
  filtered_text array[string] Required
  
  name string Required
  
  custom_analyzer boolean Required
  
  tokenfilters array[object]
  
  Hide tokenfilters attributes Show tokenfilters attributes object
  
  name string Required
  
  tokens array[object] Required
  
  Hide tokens attributes Show tokens attributes object
  
  bytes string Required
  
  end_offset number Required
  
  keyword boolean
  
  position number Required
  
  positionLength number Required
  
  start_offset number Required
  
  termFrequency number Required
  
  token string Required
  
  type string Required
  
  tokenizer object
  
  Hide tokenizer attributes Show tokenizer attributes object
  
  name string Required
  
  tokens array[object] Required
  
  Hide tokens attributes Show tokens attributes object
  
  bytes string Required
  
  end_offset number Required
  
  keyword boolean
  
  position number Required
  
  positionLength number Required
  
  start_offset number Required
  
  termFrequency number Required
  
  token string Required
  
  type string Required
- tokens array[object]
  
  Hide tokens attributes Show tokens attributes object
  
  end_offset number Required
  
  position number Required
  
  positionLength number
  
  start_offset number Required
  
  token string Required
  
  type string Required

GET /_analyze

curl \
 --request GET 'http://api.example.com/_analyze' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"analyzer\": \"standard\",\n  \"text\": \"this is a test\"\n}"'

Request examples

You can apply any of the built-in analyzers to the text string without specifying an index.

{
  "analyzer": "standard",
  "text": "this is a test"
}

If the text parameter is provided as array of strings, it is analyzed as a multi-value field.

{
  "analyzer": "standard",
  "text": [
    "this is a test",
    "the second text"
  ]
}

You can test a custom transient analyzer built from tokenizers, token filters, and char filters. Token filters use the filter parameter.

{
  "tokenizer": "keyword",
  "filter": [
    "lowercase"
  ],
  "char_filter": [
    "html_strip"
  ],
  "text": "this is a <b>test</b>"
}

Custom tokenizers, token filters, and character filters can be specified in the request body.

{
  "tokenizer": "whitespace",
  "filter": [
    "lowercase",
    {
      "type": "stop",
      "stopwords": [
        "a",
        "is",
        "this"
      ]
    }
  ],
  "text": "this is a test"
}

Run `GET /analyze_sample/_analyze` to run an analysis on the text using the default index analyzer associated with the `analyze_sample` index. Alternatively, the analyzer can be derived based on a field mapping.

{
  "field": "obj1.field1",
  "text": "this is a test"
}

Run `GET /analyze_sample/_analyze` and supply a normalizer for a keyword field if there is a normalizer associated with the specified index.

{
  "normalizer": "my_normalizer",
  "text": "BaR"
}

If you want to get more advanced details, set `explain` to `true`. It will output all token attributes for each token. You can filter token attributes you want to output by setting the `attributes` option. NOTE: The format of the additional detail information is labelled as experimental in Lucene and it may change in the future.

{
  "tokenizer": "standard",
  "filter": [
    "snowball"
  ],
  "text": "detailed output",
  "explain": true,
  "attributes": [
    "keyword"
  ]
}

Response examples (200)

A successful response for an analysis with `explain` set to `true`.

{
  "detail": {
    "custom_analyzer": true,
    "charfilters": [],
    "tokenizer": {
      "name": "standard",
      "tokens": [
        {
          "token": "detailed",
          "start_offset": 0,
          "end_offset": 8,
          "type": "<ALPHANUM>",
          "position": 0
        },
        {
          "token": "output",
          "start_offset": 9,
          "end_offset": 15,
          "type": "<ALPHANUM>",
          "position": 1
        }
      ]
    },
    "tokenfilters": [
      {
        "name": "snowball",
        "tokens": [
          {
            "token": "detail",
            "start_offset": 0,
            "end_offset": 8,
            "type": "<ALPHANUM>",
            "position": 0,
            "keyword": false
          },
          {
            "token": "output",
            "start_offset": 9,
            "end_offset": 15,
            "type": "<ALPHANUM>",
            "position": 1,
            "keyword": false
          }
        ]
      }
    ]
  }
}

Check indices

HEAD /{index}

Api key auth

Check if one or more indices, index aliases, or data streams exist.

Path parameters

index string | array[string] Required

Comma-separated list of data streams, indices, and aliases. Supports wildcards (*).

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
flat_settings boolean

If true, returns settings in flat format.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
include_defaults boolean

If true, return all default settings in the response.
local boolean

If true, the request retrieves information from the local node only.

Responses

200 application/json

HEAD /{index}

curl \
 --request HEAD 'http://api.example.com/{index}' \
 --header "Authorization: $API_KEY"

Create or update an alias

POST /{index}/_alias/{name}

Api key auth

Adds a data stream or index to an alias.

Path parameters

index string | array[string] Required

Comma-separated list of data streams or indices to add. Supports wildcards (*). Wildcard patterns that match both data streams and indices return an error.
name string Required

Alias to update. If the alias doesn’t exist, the request creates it. Index alias names support date math.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

application/json

Body

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
index_routing string
is_write_index boolean

If true, sets the write index or data stream for the alias. If an alias points to multiple indices or data streams and is_write_index isn’t set, the alias rejects write requests. If an index alias points to one index and is_write_index isn’t set, the index automatically acts as the write index. Data stream aliases don’t automatically set a write data stream, even if the alias points to one data stream.
routing string
search_routing string

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

POST /{index}/_alias/{name}

curl \
 --request POST 'http://api.example.com/{index}/_alias/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"actions\": [\n    {\n      \"add\": {\n        \"index\": \"my-data-stream\",\n        \"alias\": \"my-alias\"\n      }\n    }\n  ]\n}"'

Request example

{
  "actions": [
    {
      "add": {
        "index": "my-data-stream",
        "alias": "my-alias"
      }
    }
  ]
}

Create or update an alias

PUT /{index}/_aliases/{name}

Api key auth

Adds a data stream or index to an alias.

Path parameters

index string | array[string] Required

Comma-separated list of data streams or indices to add. Supports wildcards (*). Wildcard patterns that match both data streams and indices return an error.
name string Required

Alias to update. If the alias doesn’t exist, the request creates it. Index alias names support date math.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

application/json

Body

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
index_routing string
is_write_index boolean

If true, sets the write index or data stream for the alias. If an alias points to multiple indices or data streams and is_write_index isn’t set, the alias rejects write requests. If an index alias points to one index and is_write_index isn’t set, the index automatically acts as the write index. Data stream aliases don’t automatically set a write data stream, even if the alias points to one data stream.
routing string
search_routing string

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /{index}/_aliases/{name}

curl \
 --request PUT 'http://api.example.com/{index}/_aliases/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"actions\": [\n    {\n      \"add\": {\n        \"index\": \"my-data-stream\",\n        \"alias\": \"my-alias\"\n      }\n    }\n  ]\n}"'

Request example

{
  "actions": [
    {
      "add": {
        "index": "my-data-stream",
        "alias": "my-alias"
      }
    }
  ]
}

Create or update an alias

POST /{index}/_aliases/{name}

Api key auth

Adds a data stream or index to an alias.

Path parameters

index string | array[string] Required

Comma-separated list of data streams or indices to add. Supports wildcards (*). Wildcard patterns that match both data streams and indices return an error.
name string Required

Alias to update. If the alias doesn’t exist, the request creates it. Index alias names support date math.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

application/json

Body

filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
index_routing string
is_write_index boolean

If true, sets the write index or data stream for the alias. If an alias points to multiple indices or data streams and is_write_index isn’t set, the alias rejects write requests. If an index alias points to one index and is_write_index isn’t set, the index automatically acts as the write index. Data stream aliases don’t automatically set a write data stream, even if the alias points to one data stream.
routing string
search_routing string

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

POST /{index}/_aliases/{name}

curl \
 --request POST 'http://api.example.com/{index}/_aliases/{name}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"actions\": [\n    {\n      \"add\": {\n        \"index\": \"my-data-stream\",\n        \"alias\": \"my-alias\"\n      }\n    }\n  ]\n}"'

Request example

{
  "actions": [
    {
      "add": {
        "index": "my-data-stream",
        "alias": "my-alias"
      }
    }
  ]
}

Delete an alias

DELETE /{index}/_aliases/{name}

Api key auth

Removes a data stream or index from an alias.

Path parameters

index string | array[string] Required

Comma-separated list of data streams or indices used to limit the request. Supports wildcards (*).
name string | array[string] Required

Comma-separated list of aliases to remove. Supports wildcards (*). To remove all aliases, use * or _all.

Query parameters

master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /{index}/_aliases/{name}

curl \
 --request DELETE 'http://api.example.com/{index}/_aliases/{name}' \
 --header "Authorization: $API_KEY"

Get index templates Added in 7.9.0

GET /_index_template/{name}

Api key auth

Get information about one or more index templates.

Path parameters

name string Required

Comma-separated list of index template names used to limit the request. Wildcard (*) expressions are supported.

Query parameters

local boolean

If true, the request retrieves information from the local node only. Defaults to false, which means information is retrieved from the master node.
flat_settings boolean

If true, returns settings in flat format.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
include_defaults boolean

If true, returns all relevant default configurations for the index template.

Responses

200 application/json
Hide response attribute Show response attribute object
- index_templates array[object] Required
  
  Hide index_templates attributes Show index_templates attributes object
  
  name string Required
  
  index_template object Required
  
  Hide index_template attributes Show index_template attributes object
  
  index_patterns string | array[string] Required
  
  composed_of array[string] Required
  
  An ordered list of component template names. Component templates are merged in the order specified, meaning that the last component template specified has the highest precedence.
  
  template object
  
  Hide template attributes Show template attributes object
  
  aliases object
  
  Aliases to add. If the index template includes a data_stream object, these are data stream aliases. Otherwise, these are index aliases. Data stream aliases ignore the index_routing, routing, and search_routing options.
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  mappings object
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  index_field object
  
  _meta object
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  _size object
  
  _source object
  
  runtime object
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  settings object Additional properties
  
  Hide settings attributes Show settings attributes object
  
  index object Additional properties
  
  mode string
  
  routing_path
  
  soft_deletes object
  
  sort object
  
  number_of_routing_shards number
  
  check_on_startup string
  
  Values are true, false, or checksum.
  
  codec string
  
  routing_partition_size
  
  load_fixed_bitset_filters_eagerly boolean
  
  hidden
  
  auto_expand_replicas
  
  merge object
  
  search object
  
  refresh_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  max_result_window number
  
  max_inner_result_window number
  
  max_rescore_window number
  
  max_docvalue_fields_search number
  
  max_script_fields number
  
  max_ngram_diff number
  
  max_shingle_diff number
  
  blocks object
  
  max_refresh_listeners number
  
  analyze object
  
  highlight object
  
  max_terms_count number
  
  max_regex_length number
  
  routing object
  
  gc_deletes string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  default_pipeline string
  
  final_pipeline string
  
  lifecycle object
  
  provided_name string
  
  creation_date
  
  creation_date_string
  
  uuid string
  
  version object
  
  verified_before_close
  
  format
  
  max_slices_per_scroll number
  
  translog object
  
  query_string object
  
  priority
  
  top_metrics_max_size number
  
  analysis object
  
  settings object Additional properties
  
  time_series object
  
  queries object
  
  similarity object
  
  Configure custom similarity settings to customize how search results are scored.
  
  mapping object
  
  indexing.slowlog object
  
  indexing_pressure object
  
  store object
  
  lifecycle object
  
  version number
  
  priority number
  
  Priority to determine index template precedence when a new data stream or index is created. The index template with the highest priority is chosen. If no priority is specified the template is treated as though it is of priority 0 (lowest priority). This number is not automatically generated by Elasticsearch.
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  allow_auto_create boolean
  
  data_stream object
  
  Hide data_stream attributes Show data_stream attributes object
  
  hidden boolean
  
  If true, the data stream is hidden.
  
  allow_custom_routing boolean
  
  If true, the data stream supports custom routing.
  
  deprecated boolean
  
  Marks this index template as deprecated. When creating or updating a non-deprecated index template that uses deprecated components, Elasticsearch will emit a deprecation warning.
  
  ignore_missing_component_templates string | array[string]

GET /_index_template/{name}

curl \
 --request GET 'http://api.example.com/_index_template/{name}' \
 --header "Authorization: $API_KEY"

Get aliases

GET /_alias/{name}

Api key auth

Retrieves information for one or more data stream or index aliases.

Path parameters

name string | array[string] Required

Comma-separated list of aliases to retrieve. Supports wildcards (*). To retrieve all aliases, omit this parameter or use * or _all.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attribute Show * attribute object
  
  aliases object Required
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  index_routing string
  
  Value used to route indexing operations to a specific shard. If specified, this overwrites the routing value for indexing operations.
  
  is_write_index boolean
  
  If true, the index is the write index for the alias.
  
  routing string
  
  Value used to route indexing and search operations to a specific shard.
  
  search_routing string
  
  Value used to route search operations to a specific shard. If specified, this overwrites the routing value for search operations.
  
  is_hidden boolean
  
  If true, the alias is hidden. All indices for the alias must have the same is_hidden value.

GET /_alias/{name}

curl \
 --request GET 'http://api.example.com/_alias/{name}' \
 --header "Authorization: $API_KEY"

Get aliases

GET /_alias

Api key auth

Retrieves information for one or more data stream or index aliases.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attribute Show * attribute object
  
  aliases object Required
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  index_routing string
  
  Value used to route indexing operations to a specific shard. If specified, this overwrites the routing value for indexing operations.
  
  is_write_index boolean
  
  If true, the index is the write index for the alias.
  
  routing string
  
  Value used to route indexing and search operations to a specific shard.
  
  search_routing string
  
  Value used to route search operations to a specific shard. If specified, this overwrites the routing value for search operations.
  
  is_hidden boolean
  
  If true, the alias is hidden. All indices for the alias must have the same is_hidden value.

GET /_alias

curl \
 --request GET 'http://api.example.com/_alias' \
 --header "Authorization: $API_KEY"

Get aliases

GET /{index}/_alias

Api key auth

Retrieves information for one or more data stream or index aliases.

Path parameters

index string | array[string] Required

Comma-separated list of data streams or indices used to limit the request. Supports wildcards (*). To target all data streams and indices, omit this parameter or use * or _all.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
master_timeout string

Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attribute Show * attribute object
  
  aliases object Required
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  index_routing string
  
  Value used to route indexing operations to a specific shard. If specified, this overwrites the routing value for indexing operations.
  
  is_write_index boolean
  
  If true, the index is the write index for the alias.
  
  routing string
  
  Value used to route indexing and search operations to a specific shard.
  
  search_routing string
  
  Value used to route search operations to a specific shard. If specified, this overwrites the routing value for search operations.
  
  is_hidden boolean
  
  If true, the alias is hidden. All indices for the alias must have the same is_hidden value.

GET /{index}/_alias

curl \
 --request GET 'http://api.example.com/{index}/_alias' \
 --header "Authorization: $API_KEY"

Validate a query Added in 1.3.0

GET /{index}/_validate/query

Api key auth

Validates a query without running it.

Path parameters

index string | array[string] Required

Comma-separated list of data streams, indices, and aliases to search. Supports wildcards (*). To search all data streams or indices, omit this parameter or use * or _all.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
all_shards boolean

If true, the validation is executed on all shards instead of one random shard per index.
analyzer string

Analyzer to use for the query string. This parameter can only be used when the q query string parameter is specified.
analyze_wildcard boolean

If true, wildcard and prefix queries are analyzed.
default_operator string

The default operator for query string query: AND or OR.

Values are and, AND, or, or OR.
df string

Field to use as default where no field prefix is given in the query string. This parameter can only be used when the q query string parameter is specified.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
explain boolean

If true, the response returns detailed information if an error has occurred.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
lenient boolean

If true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored.
rewrite boolean

If true, returns a more detailed explanation showing the actual Lucene query that will be executed.
q string

Query in the Lucene query string syntax.

application/json

Body

query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- explanations array[object]
  
  Hide explanations attributes Show explanations attributes object
  
  error string
  
  explanation string
  
  index string Required
  
  valid boolean Required
- _shards object
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- valid boolean Required
- error string

GET /{index}/_validate/query

curl \
 --request GET 'http://api.example.com/{index}/_validate/query' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":{}}'

Validate a query Added in 1.3.0

POST /{index}/_validate/query

Api key auth

Validates a query without running it.

Path parameters

index string | array[string] Required

Comma-separated list of data streams, indices, and aliases to search. Supports wildcards (*). To search all data streams or indices, omit this parameter or use * or _all.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
all_shards boolean

If true, the validation is executed on all shards instead of one random shard per index.
analyzer string

Analyzer to use for the query string. This parameter can only be used when the q query string parameter is specified.
analyze_wildcard boolean

If true, wildcard and prefix queries are analyzed.
default_operator string

The default operator for query string query: AND or OR.

Values are and, AND, or, or OR.
df string

Field to use as default where no field prefix is given in the query string. This parameter can only be used when the q query string parameter is specified.
expand_wildcards string | array[string]
Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as open,hidden. Valid values are: all, open, closed, hidden, none.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
explain boolean

If true, the response returns detailed information if an error has occurred.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
lenient boolean

If true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored.
rewrite boolean

If true, returns a more detailed explanation showing the actual Lucene query that will be executed.
q string

Query in the Lucene query string syntax.

application/json

Body

query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- explanations array[object]
  
  Hide explanations attributes Show explanations attributes object
  
  error string
  
  explanation string
  
  index string Required
  
  valid boolean Required
- _shards object
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- valid boolean Required
- error string

POST /{index}/_validate/query

curl \
 --request POST 'http://api.example.com/{index}/_validate/query' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"query":{}}'

Perform completion inference on the service Added in 8.11.0

POST /_inference/completion/{inference_id}

Api key auth

Path parameters

inference_id string Required

The inference Id

Query parameters

timeout string

Specifies the amount of time to wait for the inference request to complete.

application/json

Body

input string | array[string] Required

Inference input. Either a string or an array of strings.

One of:
string-1 string array-2 array[string]
task_settings object

Responses

200 application/json
Hide response attribute Show response attribute object
- completion array[object] Required
  
  Hide completion attribute Show completion attribute object
  
  result string Required

POST /_inference/completion/{inference_id}

curl \
 --request POST 'http://api.example.com/_inference/completion/{inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"input\": \"What is Elastic?\"\n}"'

Request example

Run `POST _inference/completion/openai_chat_completions` to perform a completion on the example question.

{
  "input": "What is Elastic?"
}

Response examples (200)

A successful response from `POST _inference/completion/openai_chat_completions`.

{
  "completion": [
    {
      "result": "Elastic is a company that provides a range of software solutions for search, logging, security, and analytics. Their flagship product is Elasticsearch, an open-source, distributed search engine that allows users to search, analyze, and visualize large volumes of data in real-time. Elastic also offers products such as Kibana, a data visualization tool, and Logstash, a log management and pipeline tool, as well as various other tools and solutions for data analysis and management."
    }
  ]
}

Get an inference endpoint Added in 8.11.0

GET /_inference/{inference_id}

Api key auth

Path parameters

inference_id string Required

The inference Id

Responses

200 application/json
Hide response attribute Show response attribute object
- endpoints array[object] Required
  
  Hide endpoints attributes Show endpoints attributes object
  
  chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
  
  service string Required
  
  The service type
  
  service_settings object Required
  
  task_settings object
  
  inference_id string Required
  
  The inference Id
  
  task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

GET /_inference/{inference_id}

curl \
 --request GET 'http://api.example.com/_inference/{inference_id}' \
 --header "Authorization: $API_KEY"

Create an inference endpoint Added in 8.11.0

PUT /_inference/{inference_id}

Api key auth

When you create an inference endpoint, the associated machine learning model is automatically deployed if it is not already running. After creating the endpoint, wait for the model deployment to complete before using it. To verify the deployment status, use the get trained model statistics API. Look for "state": "fully_allocated" in the response and ensure that the "allocation_count" matches the "target_allocation_count". Avoid creating multiple endpoints for the same model unless required, as each endpoint consumes significant resources.

IMPORTANT: The inference APIs enable you to use certain services, such as built-in machine learning models (ELSER, E5), models uploaded through Eland, Cohere, OpenAI, Mistral, Azure OpenAI, Google AI Studio, Google Vertex AI, Anthropic, Watsonx.ai, or Hugging Face. For built-in models and models uploaded through Eland, the inference APIs offer an alternative way to use and manage trained models. However, if you do not plan to use the inference APIs to use these models or if you want to use non-NLP models, use the machine learning trained model APIs.

Path parameters

inference_id string Required

The inference Id

application/json

Body Required

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

The service type
service_settings object Required
task_settings object

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

PUT /_inference/{inference_id}

curl \
 --request PUT 'http://api.example.com/_inference/{inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"chunking_settings":{"max_chunk_size":42.0,"overlap":42.0,"sentence_overlap":42.0,"strategy":"string"},"service":"string","service_settings":{},"task_settings":{}}'

Delete an inference endpoint Added in 8.11.0

DELETE /_inference/{task_type}/{inference_id}

Api key auth

Path parameters

task_type string Required

The task type

Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.
inference_id string Required

The inference identifier.

Query parameters

dry_run boolean

When true, the endpoint is not deleted and a list of ingest processors which reference this endpoint is returned.
force boolean

When true, the inference endpoint is forcefully deleted even if it is still being used by ingest processors or semantic text fields.

Responses

200 application/json
Hide response attributes Show response attributes object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.
- pipelines array[string] Required

DELETE /_inference/{task_type}/{inference_id}

curl \
 --request DELETE 'http://api.example.com/_inference/{task_type}/{inference_id}' \
 --header "Authorization: $API_KEY"

Create an AlibabaCloud AI Search inference endpoint Added in 8.16.0

PUT /_inference/{task_type}/{alibabacloud_inference_id}

Api key auth

Create an inference endpoint to perform an inference task with the alibabacloud-ai-search service.

When you create an inference endpoint, the associated machine learning model is automatically deployed if it is not already running. After creating the endpoint, wait for the model deployment to complete before using it. To verify the deployment status, use the get trained model statistics API. Look for "state": "fully_allocated" in the response and ensure that the "allocation_count" matches the "target_allocation_count". Avoid creating multiple endpoints for the same model unless required, as each endpoint consumes significant resources.

Path parameters

task_type string Required

The type of the inference task that the model will perform.

Values are completion, rerank, space_embedding, or text_embedding.
alibabacloud_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

Value is alibabacloud-ai-search.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string Required
  
  A valid API key for the AlibabaCloud AI Search API.
- host string Required
  
  The name of the host address used for the inference task. You can find the host address in the API keys section of the documentation.
  
  External documentation
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.
- service_id string Required
  The name of the model service to use for the inference task. The following service IDs are available for the completion task:
  
  ops-qwen-turbo
  
  qwen-turbo
  
  qwen-plus
  
  qwen-max ÷ qwen-max-longcontext
  
  The following service ID is available for the rerank task:
  
  ops-bge-reranker-larger
  
  The following service ID is available for the sparse_embedding task:
  
  ops-text-sparse-embedding-001
  
  The following service IDs are available for the text_embedding task:
  
  ops-text-embedding-001 ops-text-embedding-zh-001 ops-text-embedding-en-001 ops-text-embedding-002
- workspace string Required
  
  The name of the workspace used for the inference task.
task_settings object
Hide task_settings attributes Show task_settings attributes object
- input_type string
  For a sparse_embedding or text_embedding task, specify the type of input passed to the model. Valid values are:
  
  ingest for storing document embeddings in a vector database.
  
  search for storing embeddings of search queries run against a vector database to find relevant documents.
- return_token boolean
  
  For a sparse_embedding task, it affects whether the token name will be returned in the response. It defaults to false, which means only the token ID will be returned in the response.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

PUT /_inference/{task_type}/{alibabacloud_inference_id}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{alibabacloud_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"service\": \"alibabacloud-ai-search\",\n    \"service_settings\": {\n        \"host\" : \"default-j01.platform-cn-shanghai.opensearch.aliyuncs.com\",\n        \"api_key\": \"AlibabaCloud-API-Key\",\n        \"service_id\": \"ops-qwen-turbo\",\n        \"workspace\" : \"default\"\n    }\n}"'

Request examples

Run `PUT _inference/completion/alibabacloud_ai_search_completion` to create an inference endpoint that performs a completion task.

{
    "service": "alibabacloud-ai-search",
    "service_settings": {
        "host" : "default-j01.platform-cn-shanghai.opensearch.aliyuncs.com",
        "api_key": "AlibabaCloud-API-Key",
        "service_id": "ops-qwen-turbo",
        "workspace" : "default"
    }
}

Run `PUT _inference/rerank/alibabacloud_ai_search_rerank` to create an inference endpoint that performs a rerank task.

{
    "service": "alibabacloud-ai-search",
    "service_settings": {
        "api_key": "AlibabaCloud-API-Key",
        "service_id": "ops-bge-reranker-larger",
        "host": "default-j01.platform-cn-shanghai.opensearch.aliyuncs.com",
        "workspace": "default"
    }
}

Run `PUT _inference/sparse_embedding/alibabacloud_ai_search_sparse` to create an inference endpoint that performs perform a sparse embedding task.

{
    "service": "alibabacloud-ai-search",
    "service_settings": {
        "api_key": "AlibabaCloud-API-Key",
        "service_id": "ops-text-sparse-embedding-001",
        "host": "default-j01.platform-cn-shanghai.opensearch.aliyuncs.com",
        "workspace": "default"
    }
}

Run `PUT _inference/text_embedding/alibabacloud_ai_search_embeddings` to create an inference endpoint that performs a text embedding task.

{
    "service": "alibabacloud-ai-search",
    "service_settings": {
        "api_key": "AlibabaCloud-API-Key",
        "service_id": "ops-text-embedding-001",
        "host": "default-j01.platform-cn-shanghai.opensearch.aliyuncs.com",
        "workspace": "default"
    }
}

Create an Anthropic inference endpoint Added in 8.16.0

PUT /_inference/{task_type}/{anthropic_inference_id}

Api key auth

Create an inference endpoint to perform an inference task with the anthropic service.

When you create an inference endpoint, the associated machine learning model is automatically deployed if it is not already running. After creating the endpoint, wait for the model deployment to complete before using it. To verify the deployment status, use the get trained model statistics API. Look for "state": "fully_allocated" in the response and ensure that the "allocation_count" matches the "target_allocation_count". Avoid creating multiple endpoints for the same model unless required, as each endpoint consumes significant resources.

Path parameters

task_type string Required

The task type. The only valid task type for the model to perform is completion.

Value is completion.
anthropic_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

Value is anthropic.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string Required
  
  A valid API key for the Anthropic API.
- model_id string Required
  
  The name of the model to use for the inference task. Refer to the Anthropic documentation for the list of supported models.
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.
task_settings object
Hide task_settings attributes Show task_settings attributes object
- max_tokens number Required
  
  For a completion task, it is the maximum number of tokens to generate before stopping.
- temperature number
  
  For a completion task, it is the amount of randomness injected into the response. For more details about the supported range, refer to Anthropic documentation.
  
  External documentation
- top_k number
  
  For a completion task, it specifies to only sample from the top K options for each subsequent token. It is recommended for advanced use cases only. You usually only need to use temperature.
- top_p number
  
  For a completion task, it specifies to use Anthropic's nucleus sampling. In nucleus sampling, Anthropic computes the cumulative distribution over all the options for each subsequent token in decreasing probability order and cuts it off once it reaches the specified probability. You should either alter temperature or top_p, but not both. It is recommended for advanced use cases only. You usually only need to use temperature.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

PUT /_inference/{task_type}/{anthropic_inference_id}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{anthropic_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"service\": \"anthropic\",\n    \"service_settings\": {\n        \"api_key\": \"Anthropic-Api-Key\",\n        \"model_id\": \"Model-ID\"\n    },\n    \"task_settings\": {\n        \"max_tokens\": 1024\n    }\n}"'

Request example

Run `PUT _inference/completion/anthropic_completion` to create an inference endpoint that performs a completion task.

{
    "service": "anthropic",
    "service_settings": {
        "api_key": "Anthropic-Api-Key",
        "model_id": "Model-ID"
    },
    "task_settings": {
        "max_tokens": 1024
    }
}

Create an Azure AI studio inference endpoint Added in 8.14.0

PUT /_inference/{task_type}/{azureaistudio_inference_id}

Api key auth

Create an inference endpoint to perform an inference task with the azureaistudio service.

When you create an inference endpoint, the associated machine learning model is automatically deployed if it is not already running. After creating the endpoint, wait for the model deployment to complete before using it. To verify the deployment status, use the get trained model statistics API. Look for "state": "fully_allocated" in the response and ensure that the "allocation_count" matches the "target_allocation_count". Avoid creating multiple endpoints for the same model unless required, as each endpoint consumes significant resources.

Path parameters

task_type string Required

The type of the inference task that the model will perform.

Values are completion or text_embedding.
azureaistudio_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

Value is azureaistudio.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string Required
  
  A valid API key of your Azure AI Studio model deployment. This key can be found on the overview page for your deployment in the management section of your Azure AI Studio account.
  
  IMPORTANT: You need to provide the API key only once, during the inference model creation. The get inference endpoint API does not retrieve your API key. After creating the inference model, you cannot change the associated API key. If you want to use a different API key, delete the inference model and recreate it with the same name and the updated API key.
  
  External documentation
- endpoint_type string Required
  
  The type of endpoint that is available for deployment through Azure AI Studio: token or realtime. The token endpoint type is for "pay as you go" endpoints that are billed per token. The realtime endpoint type is for "real-time" endpoints that are billed per hour of usage.
  
  External documentation
- target string Required
  
  The target URL of your Azure AI Studio model deployment. This can be found on the overview page for your deployment in the management section of your Azure AI Studio account.
- provider string Required
  The model provider for your deployment. Note that some providers may support only certain task types. Supported providers include:
  
  cohere - available for text_embedding and completion task types
  
  databricks - available for completion task type only
  
  meta - available for completion task type only
  
  microsoft_phi - available for completion task type only
  
  mistral - available for completion task type only
  
  openai - available for text_embedding and completion task types
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.
task_settings object
Hide task_settings attributes Show task_settings attributes object
- do_sample number
  
  For a completion task, instruct the inference process to perform sampling. It has no effect unless temperature or top_p is specified.
- max_new_tokens number
  
  For a completion task, provide a hint for the maximum number of output tokens to be generated.
- temperature number
  
  For a completion task, control the apparent creativity of generated completions with a sampling temperature. It must be a number in the range of 0.0 to 2.0. It should not be used if top_p is specified.
- top_p number
  
  For a completion task, make the model consider the results of the tokens with nucleus sampling probability. It is an alternative value to temperature and must be a number in the range of 0.0 to 2.0. It should not be used if temperature is specified.
- user string
  
  For a text_embedding task, specify the user issuing the request. This information can be used for abuse detection.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

PUT /_inference/{task_type}/{azureaistudio_inference_id}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{azureaistudio_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"service\": \"azureaistudio\",\n    \"service_settings\": {\n        \"api_key\": \"Azure-AI-Studio-API-key\",\n        \"target\": \"Target-Uri\",\n        \"provider\": \"openai\",\n        \"endpoint_type\": \"token\"\n    }\n}"'

Request examples

Run `PUT _inference/text_embedding/azure_ai_studio_embeddings` to create an inference endpoint that performs a text_embedding task. Note that you do not specify a model here, as it is defined already in the Azure AI Studio deployment.

{
    "service": "azureaistudio",
    "service_settings": {
        "api_key": "Azure-AI-Studio-API-key",
        "target": "Target-Uri",
        "provider": "openai",
        "endpoint_type": "token"
    }
}

Run `PUT _inference/completion/azure_ai_studio_completion` to create an inference endpoint that performs a completion task.

{
    "service": "azureaistudio",
    "service_settings": {
        "api_key": "Azure-AI-Studio-API-key",
        "target": "Target-URI",
        "provider": "databricks",
        "endpoint_type": "realtime"
    }
}

Create an Azure OpenAI inference endpoint Added in 8.14.0

PUT /_inference/{task_type}/{azureopenai_inference_id}

Api key auth

Create an inference endpoint to perform an inference task with the azureopenai service.

The list of chat completion models that you can choose from in your Azure OpenAI deployment include:

The list of embeddings models that you can choose from in your deployment can be found in the Azure models documentation.

When you create an inference endpoint, the associated machine learning model is automatically deployed if it is not already running. After creating the endpoint, wait for the model deployment to complete before using it. To verify the deployment status, use the get trained model statistics API. Look for "state": "fully_allocated" in the response and ensure that the "allocation_count" matches the "target_allocation_count". Avoid creating multiple endpoints for the same model unless required, as each endpoint consumes significant resources.

Path parameters

task_type string Required

The type of the inference task that the model will perform. NOTE: The chat_completion task type only supports streaming and only through the _stream API.

Values are completion or text_embedding.
azureopenai_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

Value is azureopenai.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string
  
  A valid API key for your Azure OpenAI account. You must specify either api_key or entra_id. If you do not provide either or you provide both, you will receive an error when you try to create your model.
  
  IMPORTANT: You need to provide the API key only once, during the inference model creation. The get inference endpoint API does not retrieve your API key. After creating the inference model, you cannot change the associated API key. If you want to use a different API key, delete the inference model and recreate it with the same name and the updated API key.
  
  External documentation
- api_version string Required
  
  The Azure API version ID to use. It is recommended to use the latest supported non-preview version.
- deployment_id string Required
  
  The deployment name of your deployed models. Your Azure OpenAI deployments can be found though the Azure OpenAI Studio portal that is linked to your subscription.
  
  External documentation
- entra_id string
  
  A valid Microsoft Entra token. You must specify either api_key or entra_id. If you do not provide either or you provide both, you will receive an error when you try to create your model.
  
  External documentation
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.
- resource_name string Required
  
  The name of your Azure OpenAI resource. You can find this from the list of resources in the Azure Portal for your subscription.
  
  External documentation
task_settings object
Hide task_settings attribute Show task_settings attribute object
- user string
  
  For a completion or text_embedding task, specify the user issuing the request. This information can be used for abuse detection.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

PUT /_inference/{task_type}/{azureopenai_inference_id}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{azureopenai_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"service\": \"azureopenai\",\n    \"service_settings\": {\n        \"api_key\": \"Api-Key\",\n        \"resource_name\": \"Resource-name\",\n        \"deployment_id\": \"Deployment-id\",\n        \"api_version\": \"2024-02-01\"\n    }\n}"'

Request examples

Run `PUT _inference/text_embedding/azure_openai_embeddings` to create an inference endpoint that performs a `text_embedding` task. You do not specify a model, as it is defined already in the Azure OpenAI deployment.

{
    "service": "azureopenai",
    "service_settings": {
        "api_key": "Api-Key",
        "resource_name": "Resource-name",
        "deployment_id": "Deployment-id",
        "api_version": "2024-02-01"
    }
}

Run `PUT _inference/completion/azure_openai_completion` to create an inference endpoint that performs a `completion` task.

{
    "service": "azureopenai",
    "service_settings": {
        "api_key": "Api-Key",
        "resource_name": "Resource-name",
        "deployment_id": "Deployment-id",
        "api_version": "2024-02-01"
    }
}

Create a Hugging Face inference endpoint Added in 8.12.0

PUT /_inference/{task_type}/{huggingface_inference_id}

Api key auth

Create an inference endpoint to perform an inference task with the hugging_face service.

You must first create an inference endpoint on the Hugging Face endpoint page to get an endpoint URL. Select the model you want to use on the new endpoint creation page (for example intfloat/e5-small-v2), then select the sentence embeddings task under the advanced configuration section. Create the endpoint and copy the URL after the endpoint initialization has been finished.

The following models are recommended for the Hugging Face service:

all-MiniLM-L6-v2
all-MiniLM-L12-v2
all-mpnet-base-v2
e5-base-v2
e5-small-v2
multilingual-e5-base
multilingual-e5-small

When you create an inference endpoint, the associated machine learning model is automatically deployed if it is not already running. After creating the endpoint, wait for the model deployment to complete before using it. To verify the deployment status, use the get trained model statistics API. Look for "state": "fully_allocated" in the response and ensure that the "allocation_count" matches the "target_allocation_count". Avoid creating multiple endpoints for the same model unless required, as each endpoint consumes significant resources.

Path parameters

task_type string Required

The type of the inference task that the model will perform.

Value is text_embedding.
huggingface_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

chunking_settings object
Hide chunking_settings attributes Show chunking_settings attributes object
- max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
- overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
- sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
- strategy string
  
  The chunking strategy: sentence or word.
service string Required

Value is hugging_face.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string Required
  
  A valid access token for your HuggingFace account. You can create or find your access tokens on the HuggingFace settings page.
  
  IMPORTANT: You need to provide the API key only once, during the inference model creation. The get inference endpoint API does not retrieve your API key. After creating the inference model, you cannot change the associated API key. If you want to use a different API key, delete the inference model and recreate it with the same name and the updated API key.
  
  External documentation
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.
- url string Required
  
  The URL endpoint to use for the requests.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

PUT /_inference/{task_type}/{huggingface_inference_id}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{huggingface_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"service\": \"hugging_face\",\n    \"service_settings\": {\n        \"api_key\": \"hugging-face-access-token\", \n        \"url\": \"url-endpoint\" \n    }\n}"'

Request example

Run `PUT _inference/text_embedding/hugging-face-embeddings` to create an inference endpoint that performs a `text_embedding` task type.

{
    "service": "hugging_face",
    "service_settings": {
        "api_key": "hugging-face-access-token", 
        "url": "url-endpoint" 
    }
}

Create a Watsonx inference endpoint Added in 8.16.0

PUT /_inference/{task_type}/{watsonx_inference_id}

Api key auth

Create an inference endpoint to perform an inference task with the watsonxai service. You need an IBM Cloud Databases for Elasticsearch deployment to use the watsonxai inference service. You can provision one through the IBM catalog, the Cloud Databases CLI plug-in, the Cloud Databases API, or Terraform.

When you create an inference endpoint, the associated machine learning model is automatically deployed if it is not already running. After creating the endpoint, wait for the model deployment to complete before using it. To verify the deployment status, use the get trained model statistics API. Look for "state": "fully_allocated" in the response and ensure that the "allocation_count" matches the "target_allocation_count". Avoid creating multiple endpoints for the same model unless required, as each endpoint consumes significant resources.

Path parameters

task_type string Required

The task type. The only valid task type for the model to perform is text_embedding.

Value is text_embedding.
watsonx_inference_id string Required

The unique identifier of the inference endpoint.

application/json

Body

service string Required

Value is watsonxai.
service_settings object Required
Hide service_settings attributes Show service_settings attributes object
- api_key string Required
  
  A valid API key of your Watsonx account. You can find your Watsonx API keys or you can create a new one on the API keys page.
  
  IMPORTANT: You need to provide the API key only once, during the inference model creation. The get inference endpoint API does not retrieve your API key. After creating the inference model, you cannot change the associated API key. If you want to use a different API key, delete the inference model and recreate it with the same name and the updated API key.
  
  External documentation
- api_version string Required
  
  A version parameter that takes a version date in the format of YYYY-MM-DD. For the active version data parameters, refer to the Wastonx documentation.
  
  External documentation
- model_id string Required
  
  The name of the model to use for the inference task. Refer to the IBM Embedding Models section in the Watsonx documentation for the list of available text embedding models.
  
  External documentation
- project_id string Required
  
  The identifier of the IBM Cloud project to use for the inference task.
- rate_limit object
  Hide rate_limit attribute Show rate_limit attribute object
  
  requests_per_minute number
  
  The number of requests allowed per minute.
- url string Required
  
  The URL of the inference endpoint that you created on Watsonx.

Responses

200 application/json
Hide response attributes Show response attributes object
- chunking_settings object
  
  Hide chunking_settings attributes Show chunking_settings attributes object
  
  max_chunk_size number
  
  The maximum size of a chunk in words. This value cannot be higher than 300 or lower than 20 (for sentence strategy) or 10 (for word strategy).
  
  overlap number
  
  The number of overlapping words for chunks. It is applicable only to a word chunking strategy. This value cannot be higher than half the max_chunk_size value.
  
  sentence_overlap number
  
  The number of overlapping sentences for chunks. It is applicable only for a sentence chunking strategy. It can be either 1 or 0.
  
  strategy string
  
  The chunking strategy: sentence or word.
- service string Required
  
  The service type
- service_settings object Required
- task_settings object
- inference_id string Required
  
  The inference Id
- task_type string Required
  
  Values are sparse_embedding, text_embedding, rerank, completion, or chat_completion.

PUT /_inference/{task_type}/{watsonx_inference_id}

curl \
 --request PUT 'http://api.example.com/_inference/{task_type}/{watsonx_inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"service\": \"watsonxai\",\n  \"service_settings\": {\n      \"api_key\": \"Watsonx-API-Key\", \n      \"url\": \"Wastonx-URL\", \n      \"model_id\": \"ibm/slate-30m-english-rtrvr\",\n      \"project_id\": \"IBM-Cloud-ID\", \n      \"api_version\": \"2024-03-14\"\n  }\n}"'

Request example

Run `PUT _inference/text_embedding/watsonx-embeddings` to create an Watonsx inference endpoint that performs a text embedding task.

{
  "service": "watsonxai",
  "service_settings": {
      "api_key": "Watsonx-API-Key", 
      "url": "Wastonx-URL", 
      "model_id": "ibm/slate-30m-english-rtrvr",
      "project_id": "IBM-Cloud-ID", 
      "api_version": "2024-03-14"
  }
}

Perform text embedding inference on the service Added in 8.11.0

POST /_inference/text_embedding/{inference_id}

Api key auth

Path parameters

inference_id string Required

The inference Id

Query parameters

timeout string

Specifies the amount of time to wait for the inference request to complete.

application/json

Body

input string | array[string] Required

Inference input. Either a string or an array of strings.

One of:
string-1 string array-2 array[string]
task_settings object

Responses

200 application/json
Hide response attributes Show response attributes object
- text_embedding_bytes array[object]
  
  Hide text_embedding_bytes attribute Show text_embedding_bytes attribute object
  
  embedding array[number] Required
  
  Text Embedding results containing bytes are represented as Dense Vectors of bytes.
- text_embedding_bits array[object]
  
  Hide text_embedding_bits attribute Show text_embedding_bits attribute object
  
  embedding array[number] Required
  
  Text Embedding results containing bytes are represented as Dense Vectors of bytes.
- text_embedding array[object]
  
  Hide text_embedding attribute Show text_embedding attribute object
  
  embedding array[number] Required
  
  Text Embedding results are represented as Dense Vectors of floats.

POST /_inference/text_embedding/{inference_id}

curl \
 --request POST 'http://api.example.com/_inference/text_embedding/{inference_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"input\": \"The sky above the port was the color of television tuned to a dead channel.\",\n  \"task_settings\": {\n    \"input_type\": \"ingest\"\n  }\n}"'

Request example

Run `POST _inference/text_embedding/my-cohere-endpoint` to perform text embedding on the example sentence using the Cohere integration,

{
  "input": "The sky above the port was the color of television tuned to a dead channel.",
  "task_settings": {
    "input_type": "ingest"
  }
}

Response examples (200)

An abbreviated response from `POST _inference/text_embedding/my-cohere-endpoint`.

{
  "text_embedding": [
    {
      "embedding": [
        {
          0.018569946,
          -0.036895752,
          0.01486969,
          -0.0045204163,
          -0.04385376,
          0.0075950623,
          0.04260254,
          -0.004005432,
          0.007865906,
          0.030792236,
          -0.050476074,
          0.011795044,
          -0.011642456,
          -0.010070801
        }
      ]
    }
  ]
}

Get license information

GET /_license

Api key auth

Get information about your Elastic license including its type, its status, when it was issued, and when it expires.

If the master node is generating a new cluster state, the get license API may return a 404 Not Found response. If you receive an unexpected 404 response after cluster startup, wait a short period and retry the request.

Query parameters

accept_enterprise boolean Deprecated

If true, this parameter returns enterprise for Enterprise license types. If false, this parameter returns platinum for both platinum and enterprise license types. This behavior is maintained for backwards compatibility. This parameter is deprecated and will always be set to true in 8.x.
local boolean

Specifies whether to retrieve local information. The default value is false, which means the information is retrieved from the master node.

Responses

200 application/json
Hide response attribute Show response attribute object
- license object Required
  
  Hide license attributes Show license attributes object
  
  expiry_date string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  expiry_date_in_millis number
  
  Time unit for milliseconds
  
  issue_date string | number Required
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  issue_date_in_millis number
  
  Time unit for milliseconds
  
  issued_to string Required
  
  issuer string Required
  
  max_nodes number | string | null Required
  
  One of:
  number-1 number string-2 string | null
  
  max_resource_units number | string | null
  
  One of:
  number-1 number string-2 string | null
  
  status string Required
  
  Values are active, valid, invalid, or expired.
  
  type string Required
  
  Values are missing, trial, basic, standard, dev, silver, gold, platinum, or enterprise.
  
  uid string Required
  
  start_date_in_millis number
  
  Time unit for milliseconds

GET /_license

curl \
 --request GET 'http://api.example.com/_license' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_license`.

{
  "license" : {
    "status" : "active",
    "uid" : "cbff45e7-c553-41f7-ae4f-9205eabd80xx",
    "type" : "trial",
    "issue_date" : "2018-10-20T22:05:12.332Z",
    "issue_date_in_millis" : 1540073112332,
    "expiry_date" : "2018-11-19T22:05:12.332Z",
    "expiry_date_in_millis" : 1542665112332,
    "max_nodes" : 1000,
    "max_resource_units" : null,
    "issued_to" : "test",
    "issuer" : "elasticsearch",
    "start_date_in_millis" : -1
  }
}

Get Logstash pipelines Added in 7.12.0

GET /_logstash/pipeline/{id}

Api key auth

Get pipelines that are used for Logstash Central Management.

External documentation

Path parameters

id string | array[string] Required

A comma-separated list of pipeline identifiers.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attributes Show * attributes object
  
  description string Required
  
  A description of the pipeline. This description is not used by Elasticsearch or Logstash.
  
  last_modified string | number Required
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  pipeline string Required
  
  The configuration for the pipeline.
  
  External documentation
  
  pipeline_metadata object Required
  
  Hide pipeline_metadata attributes Show pipeline_metadata attributes object
  
  type string Required
  
  version string Required
  
  pipeline_settings object Required
  
  Hide pipeline_settings attributes Show pipeline_settings attributes object
  
  pipeline.workers number Required
  
  The number of workers that will, in parallel, execute the filter and output stages of the pipeline.
  
  pipeline.batch.size number Required
  
  The maximum number of events an individual worker thread will collect from inputs before attempting to execute its filters and outputs.
  
  pipeline.batch.delay number Required
  
  When creating pipeline event batches, how long in milliseconds to wait for each event before dispatching an undersized batch to pipeline workers.
  
  queue.type string Required
  
  The internal queuing model to use for event buffering.
  
  queue.max_bytes string Required
  
  The total capacity of the queue (queue.type: persisted) in number of bytes.
  
  queue.checkpoint.writes number Required
  
  The maximum number of written events before forcing a checkpoint when persistent queues are enabled (queue.type: persisted).
  
  username string Required
  
  The user who last updated the pipeline.

GET /_logstash/pipeline/{id}

curl \
 --request GET 'http://api.example.com/_logstash/pipeline/{id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET _logstash/pipeline/my_pipeline`.

{
  "my_pipeline": {
    "description": "Sample pipeline for illustration purposes",
    "last_modified": "2021-01-02T02:50:51.250Z",
    "pipeline_metadata": {
      "type": "logstash_pipeline",
      "version": "1"
    },
    "username": "elastic",
    "pipeline": "input {}\\n filter { grok {} }\\n output {}",
    "pipeline_settings": {
      "pipeline.workers": 1,
      "pipeline.batch.size": 125,
      "pipeline.batch.delay": 50,
      "queue.type": "memory",
      "queue.max_bytes": "1gb",
      "queue.checkpoint.writes": 1024
    }
  }
}

Delete a Logstash pipeline Added in 7.12.0

DELETE /_logstash/pipeline/{id}

Api key auth

Delete a pipeline that is used for Logstash Central Management. If the request succeeds, you receive an empty response with an appropriate status code.

External documentation

Path parameters

id string Required

An identifier for the pipeline.

Responses

200 application/json

DELETE /_logstash/pipeline/{id}

curl \
 --request DELETE 'http://api.example.com/_logstash/pipeline/{id}' \
 --header "Authorization: $API_KEY"

Get calendar configuration info Added in 6.2.0

GET /_ml/calendars/{calendar_id}

Api key auth

Path parameters

calendar_id string Required

A string that uniquely identifies a calendar. You can get information for multiple calendars by using a comma-separated list of ids or a wildcard expression. You can get information for all calendars by using _all or * or by omitting the calendar identifier.

Query parameters

from number

Skips the specified number of calendars. This parameter is supported only when you omit the calendar identifier.
size number

Specifies the maximum number of calendars to obtain. This parameter is supported only when you omit the calendar identifier.

application/json

Body

page object
Hide page attributes Show page attributes object
- from number
  
  Skips the specified number of items.
- size number
  
  Specifies the maximum number of items to obtain.

Responses

200 application/json
Hide response attributes Show response attributes object
- calendars array[object] Required
  
  Hide calendars attributes Show calendars attributes object
  
  calendar_id string Required
  
  description string
  
  A description of the calendar.
  
  job_ids array[string] Required
  
  An array of anomaly detection job identifiers.
- count number Required

GET /_ml/calendars/{calendar_id}

curl \
 --request GET 'http://api.example.com/_ml/calendars/{calendar_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"page":{"from":42.0,"size":42.0}}'

Get calendar configuration info Added in 6.2.0

POST /_ml/calendars/{calendar_id}

Api key auth

Path parameters

calendar_id string Required

A string that uniquely identifies a calendar. You can get information for multiple calendars by using a comma-separated list of ids or a wildcard expression. You can get information for all calendars by using _all or * or by omitting the calendar identifier.

Query parameters

from number

Skips the specified number of calendars. This parameter is supported only when you omit the calendar identifier.
size number

Specifies the maximum number of calendars to obtain. This parameter is supported only when you omit the calendar identifier.

application/json

Body

page object
Hide page attributes Show page attributes object
- from number
  
  Skips the specified number of items.
- size number
  
  Specifies the maximum number of items to obtain.

Responses

200 application/json
Hide response attributes Show response attributes object
- calendars array[object] Required
  
  Hide calendars attributes Show calendars attributes object
  
  calendar_id string Required
  
  description string
  
  A description of the calendar.
  
  job_ids array[string] Required
  
  An array of anomaly detection job identifiers.
- count number Required

POST /_ml/calendars/{calendar_id}

curl \
 --request POST 'http://api.example.com/_ml/calendars/{calendar_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"page":{"from":42.0,"size":42.0}}'

Delete events from a calendar Added in 6.2.0

DELETE /_ml/calendars/{calendar_id}/events/{event_id}

Api key auth

Path parameters

calendar_id string Required

A string that uniquely identifies a calendar.
event_id string Required

Identifier for the scheduled event. You can obtain this identifier by using the get calendar events API.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_ml/calendars/{calendar_id}/events/{event_id}

curl \
 --request DELETE 'http://api.example.com/_ml/calendars/{calendar_id}/events/{event_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response when deleting a calendar event.

{
  "acknowledged": true
}

Add anomaly detection job to calendar Added in 6.2.0

PUT /_ml/calendars/{calendar_id}/jobs/{job_id}

Api key auth

Path parameters

calendar_id string Required

A string that uniquely identifies a calendar.
job_id string | array[string] Required

An identifier for the anomaly detection jobs. It can be a job identifier, a group name, or a comma-separated list of jobs or groups.

Responses

200 application/json
Hide response attributes Show response attributes object
- calendar_id string Required
- description string
  
  A description of the calendar.
- job_ids string | array[string] Required
  
  One of:
  Id string Ids array[string]

PUT /_ml/calendars/{calendar_id}/jobs/{job_id}

curl \
 --request PUT 'http://api.example.com/_ml/calendars/{calendar_id}/jobs/{job_id}' \
 --header "Authorization: $API_KEY"

Create a filter Added in 5.4.0

PUT /_ml/filters/{filter_id}

Api key auth

A filter contains a list of strings. It can be used by one or more anomaly detection jobs. Specifically, filters are referenced in the custom_rules property of detector configuration objects.

Path parameters

filter_id string Required

A string that uniquely identifies a filter.

application/json

Body Required

description string

A description of the filter.
items array[string]

The items of the filter. A wildcard * can be used at the beginning or the end of an item. Up to 10000 items are allowed in each filter.

Responses

200 application/json
Hide response attributes Show response attributes object
- description string Required
- filter_id string Required
- items array[string] Required

PUT /_ml/filters/{filter_id}

curl \
 --request PUT 'http://api.example.com/_ml/filters/{filter_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"description":"string","items":["string"]}'

Delete a filter Added in 5.4.0

DELETE /_ml/filters/{filter_id}

Api key auth

If an anomaly detection job references the filter, you cannot delete the filter. You must update or delete the job before you can delete the filter.

Path parameters

filter_id string Required

A string that uniquely identifies a filter.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_ml/filters/{filter_id}

curl \
 --request DELETE 'http://api.example.com/_ml/filters/{filter_id}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response when deleting a filter.

{
  "acknowledged": true
}

Get calendar configuration info Added in 6.2.0

GET /_ml/calendars

Api key auth

Query parameters

from number

Skips the specified number of calendars. This parameter is supported only when you omit the calendar identifier.
size number

Specifies the maximum number of calendars to obtain. This parameter is supported only when you omit the calendar identifier.

application/json

Body

page object
Hide page attributes Show page attributes object
- from number
  
  Skips the specified number of items.
- size number
  
  Specifies the maximum number of items to obtain.

Responses

200 application/json
Hide response attributes Show response attributes object
- calendars array[object] Required
  
  Hide calendars attributes Show calendars attributes object
  
  calendar_id string Required
  
  description string
  
  A description of the calendar.
  
  job_ids array[string] Required
  
  An array of anomaly detection job identifiers.
- count number Required

GET /_ml/calendars

curl \
 --request GET 'http://api.example.com/_ml/calendars' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"page":{"from":42.0,"size":42.0}}'

Get datafeeds configuration info Added in 5.5.0

GET /_ml/datafeeds

Api key auth

You can get information for multiple datafeeds in a single API request by using a comma-separated list of datafeeds or a wildcard expression. You can get information for all datafeeds by using _all, by specifying * as the <feed_id>, or by omitting the <feed_id>. This API returns a maximum of 10,000 datafeeds.

Query parameters

allow_no_match boolean
Specifies what to do when the request:
1. Contains wildcard expressions and there are no datafeeds that match.
2. Contains the _all string or no identifiers and there are no matches.
3. Contains wildcard expressions and there are only partial matches.
The default value is true, which returns an empty datafeeds array when there are no matches and the subset of results when there are partial matches. If this parameter is false, the request returns a 404 status code when there are no matches or only partial matches.
exclude_generated boolean

Indicates if certain fields should be removed from the configuration on retrieval. This allows the configuration to be in an acceptable format to be retrieved and then added to another cluster.

Responses

200 application/json
Hide response attributes Show response attributes object
- count number Required
- datafeeds array[object] Required
  
  Hide datafeeds attributes Show datafeeds attributes object
  
  aggregations object
  
  authorization object
  
  Hide authorization attributes Show authorization attributes object
  
  api_key object
  
  Hide api_key attributes Show api_key attributes object
  
  id string Required
  
  The identifier for the API key.
  
  name string Required
  
  The name of the API key.
  
  roles array[string]
  
  If a user ID was used for the most recent update to the datafeed, its roles at the time of the update are listed in the response.
  
  service_account string
  
  If a service account was used for the most recent update to the datafeed, the account name is listed in the response.
  
  chunking_config object
  
  Hide chunking_config attributes Show chunking_config attributes object
  
  mode string Required
  
  Values are auto, manual, or off.
  
  time_span string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  datafeed_id string Required
  
  frequency string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  indices array[string] Required
  
  indexes array[string]
  
  job_id string Required
  
  max_empty_searches number
  
  query_delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  script_fields object
  
  Hide script_fields attribute Show script_fields attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  script object Required
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  ignore_failure boolean
  
  scroll_size number
  
  delayed_data_check_config object Required
  
  Hide delayed_data_check_config attributes Show delayed_data_check_config attributes object
  
  check_window string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  enabled boolean Required
  
  Specifies whether the datafeed periodically checks for delayed data.
  
  runtime_mappings object
  
  Hide runtime_mappings attribute Show runtime_mappings attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  indices_options object
  
  Hide indices_options attributes Show indices_options attributes object
  
  allow_no_indices boolean
  
  If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
  
  expand_wildcards string | array[string]
  
  ignore_unavailable boolean
  
  If true, missing or closed indices are not included in the response.
  
  ignore_throttled boolean
  
  If true, concrete, expanded or aliased indices are ignored when frozen.
  
  query object Required
  
  The Elasticsearch query domain-specific language (DSL). This value corresponds to the query object in an Elasticsearch search POST body. All the options that are supported by Elasticsearch can be used, as this object is passed verbatim to Elasticsearch. By default, this property has the following value: {"match_all": {"boost": 1}}.
  
  Query DSL

GET /_ml/datafeeds

curl \
 --request GET 'http://api.example.com/_ml/datafeeds' \
 --header "Authorization: $API_KEY"

Get overall bucket results Added in 6.1.0

POST /_ml/anomaly_detectors/{job_id}/results/overall_buckets

Api key auth

Retrievs overall bucket results that summarize the bucket results of multiple anomaly detection jobs.

The overall_score is calculated by combining the scores of all the buckets within the overall bucket span. First, the maximum anomaly_score per anomaly detection job in the overall bucket is calculated. Then the top_n of those scores are averaged to result in the overall_score. This means that you can fine-tune the overall_score so that it is more or less sensitive to the number of jobs that detect an anomaly at the same time. For example, if you set top_n to 1, the overall_score is the maximum bucket score in the overall bucket. Alternatively, if you set top_n to the number of jobs, the overall_score is high only when all jobs detect anomalies in that overall bucket. If you set the bucket_span parameter (to a value greater than its default), the overall_score is the maximum overall_score of the overall buckets that have a span equal to the jobs' largest bucket span.

Path parameters

job_id string Required

Identifier for the anomaly detection job. It can be a job identifier, a group name, a comma-separated list of jobs or groups, or a wildcard expression.

You can summarize the bucket results for all anomaly detection jobs by using _all or by specifying * as the <job_id>.

Query parameters

allow_no_match boolean
Specifies what to do when the request:
1. Contains wildcard expressions and there are no jobs that match.
2. Contains the _all string or no identifiers and there are no matches.
3. Contains wildcard expressions and there are only partial matches.
If true, the request returns an empty jobs array when there are no matches and the subset of results when there are partial matches. If this parameter is false, the request returns a 404 status code when there are no matches or only partial matches.
bucket_span string

The span of the overall buckets. Must be greater or equal to the largest bucket span of the specified anomaly detection jobs, which is the default value.

By default, an overall bucket has a span equal to the largest bucket span of the specified anomaly detection jobs. To override that behavior, use the optional bucket_span parameter.
end string | number

Returns overall buckets with timestamps earlier than this time.
exclude_interim boolean

If true, the output excludes interim results.
overall_score number | string

Returns overall buckets with overall scores greater than or equal to this value.
start string | number

Returns overall buckets with timestamps after this time.
top_n number

The number of top anomaly detection job bucket scores to be used in the overall_score calculation.

application/json

Body

allow_no_match boolean

Refer to the description for the allow_no_match query parameter.
bucket_span string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
end string | number

A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.

One of:
DateTime string UnitMillis number
exclude_interim boolean

Refer to the description for the exclude_interim query parameter.
overall_score number | string

Refer to the description for the overall_score query parameter.

One of:
number-1 number string-2 string
start string | number

A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.

One of:
DateTime string UnitMillis number
top_n number

Refer to the description for the top_n query parameter.

Responses

200 application/json
Hide response attributes Show response attributes object
- count number Required
- overall_buckets array[object] Required
  
  Array of overall bucket objects
  
  Hide overall_buckets attributes Show overall_buckets attributes object
  
  bucket_span number
  
  Time unit for seconds
  
  is_interim boolean Required
  
  If true, this is an interim result. In other words, the results are calculated based on partial input data.
  
  jobs array[object] Required
  
  An array of objects that contain the max_anomaly_score per job_id.
  
  Hide jobs attributes Show jobs attributes object
  
  job_id string Required
  
  max_anomaly_score number Required
  
  overall_score number Required
  
  The top_n average of the maximum bucket anomaly_score per job.
  
  result_type string Required
  
  Internal. This is always set to overall_bucket.
  
  timestamp number
  
  Time unit for milliseconds
  
  timestamp_string string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number

POST /_ml/anomaly_detectors/{job_id}/results/overall_buckets

curl \
 --request POST 'http://api.example.com/_ml/anomaly_detectors/{job_id}/results/overall_buckets' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"allow_no_match":true,"bucket_span":"string","":"string","exclude_interim":true,"overall_score":42.0,"top_n":42.0}'

Open anomaly detection jobs Added in 5.4.0

POST /_ml/anomaly_detectors/{job_id}/_open

Api key auth

An anomaly detection job must be opened to be ready to receive and analyze data. It can be opened and closed multiple times throughout its lifecycle. When you open a new job, it starts with an empty model. When you open an existing job, the most recent model state is automatically loaded. The job is ready to resume its analysis from where it left off, once new data is received.

Path parameters

job_id string Required

Identifier for the anomaly detection job.

Query parameters

timeout string

Controls the time to wait until a job has opened.

application/json

Body

timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

Responses

200 application/json
Hide response attributes Show response attributes object
- opened boolean Required
- node string Required

POST /_ml/anomaly_detectors/{job_id}/_open

curl \
 --request POST 'http://api.example.com/_ml/anomaly_detectors/{job_id}/_open' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"timeout\": \"35m\"\n}"'

Request example

A request to open anomaly detection jobs. The timeout specifies to wait 35 minutes for the job to open.

{
  "timeout": "35m"
}

Response examples (200)

A successful response when opening an anomaly detection job.

{
  "opened": true,
  "node": "node-1"
}

Reset an anomaly detection job Added in 7.14.0

POST /_ml/anomaly_detectors/{job_id}/_reset

Api key auth

All model state and results are deleted. The job is ready to start over as if it had just been created. It is not currently possible to reset multiple jobs using wildcards or a comma separated list.

Path parameters

job_id string Required

The ID of the job to reset.

Query parameters

wait_for_completion boolean

Should this request wait until the operation has completed before returning.
delete_user_annotations boolean

Specifies whether annotations that have been added by the user should be deleted along with any auto-generated annotations when the job is reset.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

POST /_ml/anomaly_detectors/{job_id}/_reset

curl \
 --request POST 'http://api.example.com/_ml/anomaly_detectors/{job_id}/_reset' \
 --header "Authorization: $API_KEY"

Start a data frame analytics job Added in 7.3.0

POST /_ml/data_frame/analytics/{id}/_start

Api key auth

A data frame analytics job can be started and stopped multiple times throughout its lifecycle. If the destination index does not exist, it is created automatically the first time you start the data frame analytics job. The index.number_of_shards and index.number_of_replicas settings for the destination index are copied from the source index. If there are multiple source indices, the destination index copies the highest setting values. The mappings for the destination index are also copied from the source indices. If there are any mapping conflicts, the job fails to start. If the destination index exists, it is used as is. You can therefore set up the destination index in advance with custom settings and mappings.

Path parameters

id string Required

Identifier for the data frame analytics job. This identifier can contain lowercase alphanumeric characters (a-z and 0-9), hyphens, and underscores. It must start and end with alphanumeric characters.

Query parameters

timeout string

Controls the amount of time to wait until the data frame analytics job starts.

Responses

200 application/json
Hide response attributes Show response attributes object
- acknowledged boolean Required
- node string Required

POST /_ml/data_frame/analytics/{id}/_start

curl \
 --request POST 'http://api.example.com/_ml/data_frame/analytics/{id}/_start' \
 --header "Authorization: $API_KEY"

Create or update a trained model alias Added in 7.13.0

PUT /_ml/trained_models/{model_id}/model_aliases/{model_alias}

Api key auth

A trained model alias is a logical name used to reference a single trained model. You can use aliases instead of trained model identifiers to make it easier to reference your models. For example, you can use aliases in inference aggregations and processors. An alias must be unique and refer to only a single trained model. However, you can have multiple aliases for each trained model. If you use this API to update an alias such that it references a different trained model ID and the model uses a different type of data frame analytics, an error occurs. For example, this situation occurs if you have a trained model for regression analysis and a trained model for classification analysis; you cannot reassign an alias from one type of trained model to another. If you use this API to update an alias and there are very few input fields in common between the old and new trained models for the model alias, the API returns a warning.

Path parameters

model_id string Required

The identifier for the trained model that the alias refers to.
model_alias string Required

The alias to create or update. This value cannot end in numbers.

Query parameters

reassign boolean

Specifies whether the alias gets reassigned to the specified trained model if it is already assigned to a different model. If the alias is already assigned and this parameter is false, the API returns an error.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_ml/trained_models/{model_id}/model_aliases/{model_alias}

curl \
 --request PUT 'http://api.example.com/_ml/trained_models/{model_id}/model_aliases/{model_alias}' \
 --header "Authorization: $API_KEY"

Create a trained model vocabulary Added in 8.0.0

PUT /_ml/trained_models/{model_id}/vocabulary

Api key auth

This API is supported only for natural language processing (NLP) models. The vocabulary is stored in the index as described in inference_config.*.vocabulary of the trained model definition.

Path parameters

model_id string Required

The unique identifier of the trained model.

application/json

Body Required

vocabulary array[string] Required

The model vocabulary, which must not be empty.
merges array[string]

The optional model merges if required by the tokenizer.
scores array[number]

The optional vocabulary value scores if required by the tokenizer.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

PUT /_ml/trained_models/{model_id}/vocabulary

curl \
 --request PUT 'http://api.example.com/_ml/trained_models/{model_id}/vocabulary' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"vocabulary":["string"],"merges":["string"],"scores":[42.0]}'

Stop a trained model deployment Added in 8.0.0

POST /_ml/trained_models/{model_id}/deployment/_stop

Api key auth

Path parameters

model_id string Required

The unique identifier of the trained model.

Query parameters

allow_no_match boolean

Specifies what to do when the request: contains wildcard expressions and there are no deployments that match; contains the _all string or no identifiers and there are no matches; or contains wildcard expressions and there are only partial matches. By default, it returns an empty array when there are no matches and the subset of results when there are partial matches. If false, the request returns a 404 status code when there are no matches or only partial matches.
force boolean

Forcefully stops the deployment, even if it is used by ingest pipelines. You can't use these pipelines until you restart the model deployment.

Responses

200 application/json
Hide response attribute Show response attribute object
- stopped boolean Required

POST /_ml/trained_models/{model_id}/deployment/_stop

curl \
 --request POST 'http://api.example.com/_ml/trained_models/{model_id}/deployment/_stop' \
 --header "Authorization: $API_KEY"

Query rules

Query rules enable you to configure per-query rules that are applied at query time to queries that match the specific rule. Query rules are organized into rulesets, collections of query rules that are matched against incoming queries. Query rules are applied using the rule query. If a query matches one or more rules in the ruleset, the query is re-written to apply the rules before searching. This allows pinning documents for only queries that match a specific term.

Learn more about the rule query

Delete an async search Added in 7.7.0

DELETE /_async_search/{id}

Api key auth

If the asynchronous search is still running, it is cancelled. Otherwise, the saved search results are deleted. If the Elasticsearch security features are enabled, the deletion of a specific async search is restricted to: the authenticated user that submitted the original search request; users that have the cancel_task cluster privilege.

Path parameters

id string Required

A unique identifier for the async search.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_async_search/{id}

curl \
 --request DELETE 'http://api.example.com/_async_search/{id}' \
 --header "Authorization: $API_KEY"

Count search results

GET /_count

Api key auth

Get the number of documents matching a query.

The query can be provided either by using a simple query string as a parameter, or by defining Query DSL within the request body. The query is optional. When no query is provided, the API uses match_all to count all the documents.

The count API supports multi-target syntax. You can run a single count API search across multiple data streams and indices.

The operation is broadcast across all shards. For each shard ID group, a replica is chosen and the search is run against it. This means that replicas increase the scalability of the count.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
analyzer string

The analyzer to use for the query string. This parameter can be used only when the q query string parameter is specified.
analyze_wildcard boolean

If true, wildcard and prefix queries are analyzed. This parameter can be used only when the q query string parameter is specified.
default_operator string

The default operator for query string query: AND or OR. This parameter can be used only when the q query string parameter is specified.

Values are and, AND, or, or OR.
df string

The field to use as a default when no field prefix is given in the query string. This parameter can be used only when the q query string parameter is specified.
expand_wildcards string | array[string]
The type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. It supports comma-separated values, such as open,hidden.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
ignore_throttled boolean Deprecated

If true, concrete, expanded, or aliased indices are ignored when frozen.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
lenient boolean

If true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored. This parameter can be used only when the q query string parameter is specified.
min_score number

The minimum _score value that documents must have to be included in the result.
preference string

The node or shard the operation should be performed on. By default, it is random.
routing string

A custom value used to route operations to a specific shard.
terminate_after number

The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.

IMPORTANT: Use with caution. Elasticsearch applies this parameter to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this parameter for requests that target data streams with backing indices across multiple data tiers.
q string

The query in Lucene query string syntax. This parameter cannot be used with a request body.

application/json

Body

query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- count number Required
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number

GET /_count

curl \
 --request GET 'http://api.example.com/_count' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"query\" : {\n    \"term\" : { \"user.id\" : \"kimchy\" }\n  }\n}"'

Request example

Run `GET /my-index-000001/_count?q=user:kimchy`. Alternatively, run `GET /my-index-000001/_count` with the same query in the request body. Both requests count the number of documents in `my-index-000001` with a `user.id` of `kimchy`.

{
  "query" : {
    "term" : { "user.id" : "kimchy" }
  }
}

Response examples (200)

A successful response from `GET /my-index-000001/_count?q=user:kimchy`.

{
  "count": 1,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  }
}

Count search results

POST /_count

Api key auth

Get the number of documents matching a query.

The query can be provided either by using a simple query string as a parameter, or by defining Query DSL within the request body. The query is optional. When no query is provided, the API uses match_all to count all the documents.

The count API supports multi-target syntax. You can run a single count API search across multiple data streams and indices.

The operation is broadcast across all shards. For each shard ID group, a replica is chosen and the search is run against it. This means that replicas increase the scalability of the count.

Query parameters

allow_no_indices boolean

If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targeting foo*,bar* returns an error if an index starts with foo but no index starts with bar.
analyzer string

The analyzer to use for the query string. This parameter can be used only when the q query string parameter is specified.
analyze_wildcard boolean

If true, wildcard and prefix queries are analyzed. This parameter can be used only when the q query string parameter is specified.
default_operator string

The default operator for query string query: AND or OR. This parameter can be used only when the q query string parameter is specified.

Values are and, AND, or, or OR.
df string

The field to use as a default when no field prefix is given in the query string. This parameter can be used only when the q query string parameter is specified.
expand_wildcards string | array[string]
The type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. It supports comma-separated values, such as open,hidden.

Supported values include:
- all: Match any data stream or index, including hidden ones.
- open: Match open, non-hidden indices. Also matches any non-hidden data stream.
- closed: Match closed, non-hidden indices. Also matches any non-hidden data stream. Data streams cannot be closed.
- hidden: Match hidden data streams and hidden indices. Must be combined with open, closed, or both.
- none: Wildcard expressions are not accepted.
ignore_throttled boolean Deprecated

If true, concrete, expanded, or aliased indices are ignored when frozen.
ignore_unavailable boolean

If false, the request returns an error if it targets a missing or closed index.
lenient boolean

If true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored. This parameter can be used only when the q query string parameter is specified.
min_score number

The minimum _score value that documents must have to be included in the result.
preference string

The node or shard the operation should be performed on. By default, it is random.
routing string

A custom value used to route operations to a specific shard.
terminate_after number

The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.

IMPORTANT: Use with caution. Elasticsearch applies this parameter to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this parameter for requests that target data streams with backing indices across multiple data tiers.
q string

The query in Lucene query string syntax. This parameter cannot be used with a request body.

application/json

Body

query object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- count number Required
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number

POST /_count

curl \
 --request POST 'http://api.example.com/_count' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"query\" : {\n    \"term\" : { \"user.id\" : \"kimchy\" }\n  }\n}"'

Request example

Run `GET /my-index-000001/_count?q=user:kimchy`. Alternatively, run `GET /my-index-000001/_count` with the same query in the request body. Both requests count the number of documents in `my-index-000001` with a `user.id` of `kimchy`.

{
  "query" : {
    "term" : { "user.id" : "kimchy" }
  }
}

Response examples (200)

A successful response from `GET /my-index-000001/_count?q=user:kimchy`.

{
  "count": 1,
  "_shards": {
    "total": 1,
    "successful": 1,
    "skipped": 0,
    "failed": 0
  }
}

Get terms in an index Added in 7.14.0

GET /{index}/_terms_enum

Api key auth

Discover terms that match a partial string in an index. This API is designed for low-latency look-ups used in auto-complete scenarios.

The terms enum API may return terms from deleted documents. Deleted documents are initially only marked as deleted. It is not until their segments are merged that documents are actually deleted. Until that happens, the terms enum API will return terms from these documents.

Path parameters

index string Required

A comma-separated list of data streams, indices, and index aliases to search. Wildcard (*) expressions are supported. To search all data streams or indices, omit this parameter or use * or _all.

application/json

Body

field string Required

Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
size number

The number of matching terms to return.
timeout string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
case_insensitive boolean

When true, the provided search string is matched against index terms without case sensitivity.
index_filter object

An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.

External documentation
string string

The string to match at the start of indexed terms. If it is not provided, all terms in the field are considered.

The prefix string cannot be larger than the largest possible keyword value, which is Lucene's term byte-length limit of 32766.
search_after string

The string after which terms in the index should be returned. It allows for a form of pagination if the last result from one request is passed as the search_after parameter for a subsequent request.

Responses

200 application/json
Hide response attributes Show response attributes object
- _shards object Required
  
  Hide _shards attributes Show _shards attributes object
  
  failed number Required
  
  successful number Required
  
  total number Required
  
  failures array[object]
  
  Hide failures attributes Show failures attributes object
  
  index string
  
  node string
  
  reason object Required
  
  Hide reason attributes Show reason attributes object
  
  type string Required
  
  The type of error
  
  reason string
  
  A human-readable explanation of the error, in English.
  
  stack_trace string
  
  The server stack trace. Present only if the error_trace=true parameter was sent with the request.
  
  caused_by object
  
  root_cause array[object]
  
  suppressed array[object]
  
  shard number Required
  
  status string
  
  skipped number
- terms array[string] Required
- complete boolean Required
  
  If false, the returned terms set may be incomplete and should be treated as approximate. This can occur due to a few reasons, such as a request timeout or a node error.

GET /{index}/_terms_enum

curl \
 --request GET 'http://api.example.com/{index}/_terms_enum' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n    \"field\" : \"tags\",\n    \"string\" : \"kiba\"\n}"'

Request example

Run `POST stackoverflow/_terms_enum`.

{
    "field" : "tags",
    "string" : "kiba"
}

Response examples (200)

A successful response from `POST stackoverflow/_terms_enum`.

{
  "_shards": {
    "total": 1,
    "successful": 1,
    "failed": 0
  },
  "terms": [
    "kibana"
  ],
  "complete" : true
}

Get search application details Beta

GET /_application/search_application/{name}

Api key auth

Path parameters

name string Required

The name of the search application

Responses

200 application/json
Hide response attributes Show response attributes object
- indices array[string] Required
  
  Indices that are part of the Search Application.
- analytics_collection_name string
- template object
  
  Hide template attribute Show template attribute object
  
  script object Required
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  collapse object
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  knn
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  rescore
  
  retriever object
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  sort
  
  _source
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  stored_fields string | array[string]
  
  pit object
  
  runtime_mappings object
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
- name string Required
- Time unit for milliseconds

GET /_application/search_application/{name}

curl \
 --request GET 'http://api.example.com/_application/search_application/{name}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A sucessful response from `GET _application/search_application/my-app/`.

{
  "name": "my-app",
  "indices": [ "index1", "index2" ],
  "updated_at_millis": 1682105622204,
  "template": {
    "script": {
      "source": {
        "query": {
          "query_string": {
            "query": "{{query_string}}",
            "default_field": "{{default_field}}"
          }
        }
      },
      "lang": "mustache",
      "options": {
        "content_type": "application/json;charset=utf-8"
      },
      "params": {
        "query_string": "*",
        "default_field": "*"
      }
    }
  }
}

Authenticate a user Added in 5.5.0

GET /_security/_authenticate

Api key auth

Authenticates a user and returns information about the authenticated user. Include the user information in a basic auth header. A successful call returns a JSON structure that shows user information such as their username, the roles that are assigned to the user, any assigned metadata, and information about the realms that authenticated and authorized the user. If the user cannot be authenticated, this API returns a 401 status code.

Responses

200 application/json
Hide response attributes Show response attributes object
- api_key object
  
  Hide api_key attributes Show api_key attributes object
  
  id string Required
  
  name string
- authentication_realm object Required
  
  Hide authentication_realm attributes Show authentication_realm attributes object
  
  name string Required
  
  type string Required
- email string | null
  
  One of:
  string-1 string string-2 string | null
- full_name string | null
  
  One of:
  Name string string-2 string | null
- lookup_realm object Required
  
  Hide lookup_realm attributes Show lookup_realm attributes object
  
  name string Required
  
  type string Required
- metadata object Required
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
- roles array[string] Required
- username string Required
- enabled boolean Required
- authentication_type string Required
- token object
  
  Hide token attributes Show token attributes object
  
  name string Required
  
  type string

GET /_security/_authenticate

curl \
 --request GET 'http://api.example.com/_security/_authenticate' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_security/_authenticate`.

{
  "username": "rdeniro",
  "roles": [
    "admin"
  ],
  "full_name": null,
  "email":  null,
  "metadata": { },
  "enabled": true,
  "authentication_realm": {
    "name" : "file",
    "type" : "file"
  },
  "lookup_realm": {
    "name" : "file",
    "type" : "file"
  },
  "authentication_type": "realm"
}

Create an API key Added in 6.7.0

PUT /_security/api_key

Api key auth

Create an API key for access without requiring basic authentication.

IMPORTANT: If the credential that is used to authenticate this request is an API key, the derived API key cannot have any privileges. If you specify privileges, the API returns an error.

A successful request returns a JSON structure that contains the API key, its unique id, and its name. If applicable, it also returns expiration information for the API key in milliseconds.

NOTE: By default, API keys never expire. You can specify expiration information when you create the API keys.

The API keys are created by the Elasticsearch API key service, which is automatically enabled. To configure or turn off the API key service, refer to API key service setting documentation.

External documentation

Query parameters

refresh string

If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

Values are true, false, or wait_for.

application/json

Body Required

expiration string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
name string
role_descriptors object

An array of role descriptors for this API key. When it is not specified or it is an empty array, the API key will have a point in time snapshot of permissions of the authenticated user. If you supply role descriptors, the resultant permissions are an intersection of API keys permissions and the authenticated user's permissions thereby limiting the access scope for API keys. The structure of role descriptor is the same as the request for the create role API. For more details, refer to the create or update roles API.

NOTE: Due to the way in which this permission intersection is calculated, it is not possible to create an API key that is a child of another API key, unless the derived key is created without any privileges. In this case, you must explicitly specify a role descriptor with no privileges. The derived API key can be used for authentication; it will not have authority to call Elasticsearch APIs.

External documentation
Hide role_descriptors attribute Show role_descriptors attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  Hide indices attributes Show indices attributes object
  
  field_security object
  
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string]
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  One of:
  IndexName string array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  IndicesPrivilegesQuery string QueryContainer object RoleTemplateQuery object
  
  applications array[object]
  
  A list of application privilege entries
  
  Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  restriction object
  
  Hide restriction attribute Show restriction attribute object
  
  workflows array[string] Required
  
  A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
metadata object
Hide metadata attribute Show metadata attribute object
- * object Additional properties

Responses

200 application/json
Hide response attributes Show response attributes object
- api_key string Required
  
  Generated API key.
- expiration number
  
  Expiration in milliseconds for the API key.
- id string Required
- name string Required
- encoded string Required
  
  API key credentials which is the base64-encoding of the UTF-8 representation of id and api_key joined by a colon (:).

PUT /_security/api_key

curl \
 --request PUT 'http://api.example.com/_security/api_key' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"name\": \"my-api-key\",\n  \"expiration\": \"1d\",   \n  \"role_descriptors\": { \n    \"role-a\": {\n      \"cluster\": [\"all\"],\n      \"indices\": [\n        {\n          \"names\": [\"index-a*\"],\n          \"privileges\": [\"read\"]\n        }\n      ]\n    },\n    \"role-b\": {\n      \"cluster\": [\"all\"],\n      \"indices\": [\n        {\n          \"names\": [\"index-b*\"],\n          \"privileges\": [\"all\"]\n        }\n      ]\n    }\n  },\n  \"metadata\": {\n    \"application\": \"my-application\",\n    \"environment\": {\n      \"level\": 1,\n      \"trusted\": true,\n      \"tags\": [\"dev\", \"staging\"]\n    }\n  }\n}"'

Request example

Run `POST /_security/api_key` to create an API key. If `expiration` is not provided, the API keys do not expire. If `role_descriptors` is not provided, the permissions of the authenticated user are applied.

{
  "name": "my-api-key",
  "expiration": "1d",   
  "role_descriptors": { 
    "role-a": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-a*"],
          "privileges": ["read"]
        }
      ]
    },
    "role-b": {
      "cluster": ["all"],
      "indices": [
        {
          "names": ["index-b*"],
          "privileges": ["all"]
        }
      ]
    }
  },
  "metadata": {
    "application": "my-application",
    "environment": {
      "level": 1,
      "trusted": true,
      "tags": ["dev", "staging"]
    }
  }
}

Response examples (200)

A successful response from `POST /_security/api_key`.

{
  "id": "VuaCfGcBCdbkQm-e5aOx",        
  "name": "my-api-key",
  "expiration": 1544068612110,         
  "api_key": "ui2lp2axTNmsyakw9tvNnw", 
  "encoded": "VnVhQ2ZHY0JDZGJrUW0tZTVhT3g6dWkybHAyYXhUTm1zeWFrdzl0dk5udw=="  
}

Get roles

GET /_security/role/{name}

Api key auth

Get roles in the native realm. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The get roles API cannot retrieve roles that are defined in roles files.

Path parameters

name string | array[string] Required

The name of the role. You can specify multiple roles as a comma-separated list. If you do not specify this parameter, the API returns information about all roles.

Responses

200 application/json
Hide response attribute Show response attribute object
- * object Additional properties
  
  Hide * attributes Show * attributes object
  
  cluster array[string] Required
  
  indices array[object] Required
  
  Hide indices attributes Show indices attributes object
  
  field_security object
  
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string]
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  One of:
  IndexName string array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  IndicesPrivilegesQuery string QueryContainer object RoleTemplateQuery object
  
  metadata object Required
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  description string
  
  run_as array[string]
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
  
  applications array[object] Required
  
  Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  role_templates array[object]
  
  Hide role_templates attributes Show role_templates attributes object
  
  format string
  
  Values are string or json.
  
  template object Required
  
  Hide template attributes Show template attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  global object
  
  Hide global attribute Show global attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * array[string] Additional properties

GET /_security/role/{name}

curl \
 --request GET 'http://api.example.com/_security/role/{name}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_security/role/my_admin_role`. The response contains information about the `my_admin_role` role in the native realm.

{
  "my_admin_role": {
    "description": "Grants full access to all management features within the cluster.",
    "cluster" : [ "all" ],
    "indices" : [
      {
        "names" : [ "index1", "index2" ],
        "privileges" : [ "all" ],
        "allow_restricted_indices" : false,
        "field_security" : {
          "grant" : [ "title", "body" ]}
      }
    ],
    "applications" : [ ],
    "run_as" : [ "other_user" ],
    "metadata" : {
      "version" : 1
    },
    "transient_metadata": {
      "enabled": true
    }
  }
}

Delete roles

DELETE /_security/role/{name}

Api key auth

Delete roles in the native realm. The role management APIs are generally the preferred way to manage roles, rather than using file-based role management. The delete roles API cannot remove roles that are defined in roles files.

Path parameters

name string Required

The name of the role.

Query parameters

refresh string

If true (the default) then refresh the affected shards to make this operation visible to search, if wait_for then wait for a refresh to make this operation visible to search, if false then do nothing with refreshes.

Values are true, false, or wait_for.

Responses

200 application/json
Hide response attribute Show response attribute object
- found boolean Required
  
  If the role is successfully deleted, found is true. Otherwise, found is false.

DELETE /_security/role/{name}

curl \
 --request DELETE 'http://api.example.com/_security/role/{name}' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `DELETE /_security/role/my_admin_role`. If the role is successfully deleted, `found` is set to `true`.

{
  "found" : true
}

Get builtin privileges Added in 7.3.0

GET /_security/privilege/_builtin

Api key auth

Get the list of cluster privileges and index privileges that are available in this version of Elasticsearch.

External documentation

Responses

200 application/json
Hide response attributes Show response attributes object
- cluster array[string] Required
  
  The list of cluster privileges that are understood by this version of Elasticsearch.
- index array[string] Required
  
  The list of index privileges that are understood by this version of Elasticsearch.

GET /_security/privilege/_builtin

curl \
 --request GET 'http://api.example.com/_security/privilege/_builtin' \
 --header "Authorization: $API_KEY"

Response examples (200)

A successful response from `GET /_security/privilege/_builtin`.

{
  "cluster" : [
    "all",
    "cancel_task",
    "create_snapshot",
    "cross_cluster_replication",
    "cross_cluster_search",
    "delegate_pki",
    "grant_api_key",
    "manage",
    "manage_api_key",
    "manage_autoscaling",
    "manage_behavioral_analytics",
    "manage_ccr",
    "manage_connector",
    "manage_data_frame_transforms",
    "manage_data_stream_global_retention",
    "manage_enrich",
    "manage_ilm",
    "manage_index_templates",
    "manage_inference",
    "manage_ingest_pipelines",
    "manage_logstash_pipelines",
    "manage_ml",
    "manage_oidc",
    "manage_own_api_key",
    "manage_pipeline",
    "manage_rollup",
    "manage_saml",
    "manage_search_application",
    "manage_search_query_rules",
    "manage_search_synonyms",
    "manage_security",
    "manage_service_account",
    "manage_slm",
    "manage_token",
    "manage_transform",
    "manage_user_profile",
    "manage_watcher",
    "monitor",
    "monitor_connector",
    "monitor_data_frame_transforms",
    "monitor_data_stream_global_retention",
    "monitor_enrich",
    "monitor_inference",
    "monitor_ml",
    "monitor_rollup",
    "monitor_snapshot",
    "monitor_stats",
    "monitor_text_structure",
    "monitor_transform",
    "monitor_watcher",
    "none",
    "post_behavioral_analytics_event",
    "read_ccr",
    "read_connector_secrets",
    "read_fleet_secrets",
    "read_ilm",
    "read_pipeline",
    "read_security",
    "read_slm",
    "transport_client",
    "write_connector_secrets",
    "write_fleet_secrets"
  ],
  "index" : [
    "all",
    "auto_configure",
    "create",
    "create_doc",
    "create_index",
    "cross_cluster_replication",
    "cross_cluster_replication_internal",
    "delete",
    "delete_index",
    "index",
    "maintenance",
    "manage",
    "manage_data_stream_lifecycle",
    "manage_follow_index",
    "manage_ilm",
    "manage_leader_index",
    "monitor",
    "none",
    "read",
    "read_cross_cluster",
    "view_index_metadata",
    "write"
  ],
  "remote_cluster" : [
    "monitor_enrich",
    "monitor_stats"
  ]
}

Check user privileges Added in 6.4.0

GET /_security/user/{user}/_has_privileges

Api key auth

Determine whether the specified user has a specified list of privileges. All users can use this API, but only to determine their own privileges. To check the privileges of other users, you must use the run as feature.

External documentation

Path parameters

user string Required

Username

application/json

Body Required

application array[object]
Hide application attributes Show application attributes object
- application string Required
  
  The name of the application.
- privileges array[string] Required
  
  A list of the privileges that you want to check for the specified resources. It may be either application privilege names or the names of actions that are granted by those privileges
- resources array[string] Required
  
  A list of resource names against which the privileges should be checked.
cluster array[string]

A list of the cluster privileges that you want to check.
index array[object]
Hide index attributes Show index attributes object
- names string | array[string] Required
- privileges array[string] Required
  
  A list of the privileges that you want to check for the specified indices.
- allow_restricted_indices boolean
  
  This needs to be set to true (default is false) if using wildcards or regexps for patterns that cover restricted indices. Implicitly, restricted indices do not match index patterns because restricted indices usually have limited privileges and including them in pattern tests would render most such tests false. If restricted indices are explicitly included in the names list, privileges will be checked against them regardless of the value of allow_restricted_indices.

Responses

200 application/json
Hide response attributes Show response attributes object
- application object Required
  
  Hide application attribute Show application attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * boolean Additional properties
- cluster object Required
  
  Hide cluster attribute Show cluster attribute object
  
  * boolean Additional properties
- has_all_requested boolean Required
- index object Required
  
  Hide index attribute Show index attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  * boolean Additional properties
- username string Required

GET /_security/user/{user}/_has_privileges

curl \
 --request GET 'http://api.example.com/_security/user/{user}/_has_privileges' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"cluster\": [ \"monitor\", \"manage\" ],\n  \"index\" : [\n    {\n      \"names\": [ \"suppliers\", \"products\" ],\n      \"privileges\": [ \"read\" ]\n    },\n    {\n      \"names\": [ \"inventory\" ],\n      \"privileges\" : [ \"read\", \"write\" ]\n    }\n  ],\n  \"application\": [\n    {\n      \"application\": \"inventory_manager\",\n      \"privileges\" : [ \"read\", \"data:write/inventory\" ],\n      \"resources\" : [ \"product/1852563\" ]\n    }\n  ]\n}"'

Request example

Run `GET /_security/user/_has_privileges` to check whether the current user has a specific set of cluster, index, and application privileges.

{
  "cluster": [ "monitor", "manage" ],
  "index" : [
    {
      "names": [ "suppliers", "products" ],
      "privileges": [ "read" ]
    },
    {
      "names": [ "inventory" ],
      "privileges" : [ "read", "write" ]
    }
  ],
  "application": [
    {
      "application": "inventory_manager",
      "privileges" : [ "read", "data:write/inventory" ],
      "resources" : [ "product/1852563" ]
    }
  ]
}

Response examples (200)

A successful response from `GET /_security/user/_has_privileges`, which lists the privileges for the `rdeniro` user.

{
  "username": "rdeniro",
  "has_all_requested" : false,
  "cluster" : {
    "monitor" : true,
    "manage" : false
  },
  "index" : {
    "suppliers" : {
      "read" : true
    },
    "products" : {
      "read" : true
    },
    "inventory" : {
      "read" : true,
      "write" : false
    }
  },
  "application" : {
    "inventory_manager" : {
      "product/1852563" : {
        "read": false,
        "data:write/inventory": false
      }
    }
  }
}

Update an API key Added in 8.4.0

PUT /_security/api_key/{id}

Api key auth

Update attributes of an existing API key. This API supports updates to an API key's access scope, expiration, and metadata.

To use this API, you must have at least the manage_own_api_key cluster privilege. Users can only update API keys that they created or that were granted to them. To update another user’s API key, use the run_as feature to submit a request on behalf of another user.

IMPORTANT: It's not possible to use an API key as the authentication credential for this API. The owner user’s credentials are required.

Use this API to update API keys created by the create API key or grant API Key APIs. If you need to apply the same update to many API keys, you can use the bulk update API keys API to reduce overhead. It's not possible to update expired API keys or API keys that have been invalidated by the invalidate API key API.

The access scope of an API key is derived from the role_descriptors you specify in the request and a snapshot of the owner user's permissions at the time of the request. The snapshot of the owner's permissions is updated automatically on every call.

IMPORTANT: If you don't specify role_descriptors in the request, a call to this API might still change the API key's access scope. This change can occur if the owner user's permissions have changed since the API key was created or last modified.

Path parameters

id string Required

The ID of the API key to update.

application/json

Body

role_descriptors object

The role descriptors to assign to this API key. The API key's effective permissions are an intersection of its assigned privileges and the point in time snapshot of permissions of the owner user. You can assign new privileges by specifying them in this parameter. To remove assigned privileges, you can supply an empty role_descriptors parameter, that is to say, an empty object {}. If an API key has no assigned privileges, it inherits the owner user's full permissions. The snapshot of the owner's permissions is always updated, whether you supply the role_descriptors parameter or not. The structure of a role descriptor is the same as the request for the create API keys API.
Hide role_descriptors attribute Show role_descriptors attribute object
- * object Additional properties
  Hide * attributes Show * attributes object
  
  cluster array[string]
  
  A list of cluster privileges. These privileges define the cluster level actions that API keys are able to execute.
  
  indices array[object]
  
  A list of indices permissions entries.
  
  Hide indices attributes Show indices attributes object
  
  field_security object
  
  Hide field_security attributes Show field_security attributes object
  
  except string | array[string]
  
  grant string | array[string]
  
  names string | array[string]
  
  A list of indices (or index name patterns) to which the permissions in this entry apply.
  
  One of:
  IndexName string array-2 array[string]
  
  privileges array[string] Required
  
  The index level privileges that owners of the role have on the specified indices.
  
  query string | object
  
  While creating or updating a role you can provide either a JSON structure or a string to the API. However, the response provided by Elasticsearch will only be string with a json-as-text content.
  
  Since this is embedded in IndicesPrivileges, the same structure is used for clarity in both contexts.
  
  One of:
  IndicesPrivilegesQuery string QueryContainer object RoleTemplateQuery object
  
  applications array[object]
  
  A list of application privilege entries
  
  Hide applications attributes Show applications attributes object
  
  application string Required
  
  The name of the application to which this entry applies.
  
  privileges array[string] Required
  
  A list of strings, where each element is the name of an application privilege or action.
  
  resources array[string] Required
  
  A list resources to which the privileges are applied.
  
  metadata object
  
  Hide metadata attribute Show metadata attribute object
  
  * object Additional properties
  
  run_as array[string]
  
  A list of users that the API keys can impersonate. NOTE: In Elastic Cloud Serverless, the run-as feature is disabled. For API compatibility, you can still specify an empty run_as field, but a non-empty list will be rejected.
  
  description string
  
  Optional description of the role descriptor
  
  restriction object
  
  Hide restriction attribute Show restriction attribute object
  
  workflows array[string] Required
  
  A list of workflows to which the API key is restricted. NOTE: In order to use a role restriction, an API key must be created with a single role descriptor.
  
  transient_metadata object
  
  Hide transient_metadata attribute Show transient_metadata attribute object
  
  * object Additional properties
metadata object
Hide metadata attribute Show metadata attribute object
- * object Additional properties
expiration string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.

Responses

200 application/json
Hide response attribute Show response attribute object
- updated boolean Required
  
  If true, the API key was updated. If false, the API key didn't change because no change was detected.

PUT /_security/api_key/{id}

curl \
 --request PUT 'http://api.example.com/_security/api_key/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"role_descriptors\": {\n    \"role-a\": {\n      \"indices\": [\n        {\n          \"names\": [\"*\"],\n          \"privileges\": [\"write\"]\n        }\n      ]\n    }\n  },\n  \"metadata\": {\n    \"environment\": {\n      \"level\": 2,\n      \"trusted\": true,\n      \"tags\": [\"production\"]\n    }\n  }\n}"'

Request examples

Run `PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx` to assign new role descriptors and metadata to an API key.

{
  "role_descriptors": {
    "role-a": {
      "indices": [
        {
          "names": ["*"],
          "privileges": ["write"]
        }
      ]
    }
  },
  "metadata": {
    "environment": {
      "level": 2,
      "trusted": true,
      "tags": ["production"]
    }
  }
}

Run `PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx` to remove the API key's previously assigned permissions. It will inherit the owner user's full permissions.

{
  "role_descriptors": {}
}

Response examples (200)

A successful response from `PUT /_security/api_key/VuaCfGcBCdbkQm-e5aOx`. The API key's effective permissions after the update will be the intersection of the supplied role descriptors and the owner user's permissions.

{
  "updated": true
}

Delete an async SQL search Added in 7.15.0

DELETE /_sql/async/delete/{id}

Api key auth

Delete an async SQL search or a stored synchronous SQL search. If the search is still running, the API cancels it.

If the Elasticsearch security features are enabled, only the following users can use this API to delete a search:

Users with the cancel_task cluster privilege.
The user who first submitted the search.

Path parameters

id string Required

The identifier for the search.

Responses

200 application/json
Hide response attribute Show response attribute object
- acknowledged boolean Required
  
  For a successful response, this value is always true. On failure, an exception is returned instead.

DELETE /_sql/async/delete/{id}

curl \
 --request DELETE 'http://api.example.com/_sql/async/delete/{id}' \
 --header "Authorization: $API_KEY"

Get the async SQL search status Added in 7.15.0

GET /_sql/async/status/{id}

Api key auth

Get the current status of an async SQL search or a stored synchronous SQL search.

Path parameters

id string Required

The identifier for the search.

Responses

200 application/json
Hide response attributes Show response attributes object
- expiration_time_in_millis number
  
  Time unit for milliseconds
- id string Required
  
  The identifier for the search.
- is_running boolean Required
  
  If true, the search is still running. If false, the search has finished.
- is_partial boolean Required
  
  If true, the response does not contain complete search results. If is_partial is true and is_running is true, the search is still running. If is_partial is true but is_running is false, the results are partial due to a failure or timeout.
- start_time_in_millis number
  
  Time unit for milliseconds
- completion_status number

GET /_sql/async/status/{id}

curl \
 --request GET 'http://api.example.com/_sql/async/status/{id}' \
 --header "Authorization: $API_KEY"

Preview a transform Added in 7.2.0

POST /_transform/{transform_id}/_preview

Api key auth

Generates a preview of the results that you will get when you create a transform with the same configuration.

It returns a maximum of 100 results. The calculations are based on all the current data in the source index. It also generates a list of mappings and settings for the destination index. These values are determined based on the field types of the source index and the transform aggregations.

Path parameters

transform_id string Required

Identifier for the transform to preview. If you specify this path parameter, you cannot provide transform configuration details in the request body.

Query parameters

timeout string

Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.

application/json

Body

dest object
Hide dest attributes Show dest attributes object
- index string
- pipeline string
  
  The unique identifier for an ingest pipeline.
description string

Free text description of the transform.
frequency string

A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
pivot object
Hide pivot attributes Show pivot attributes object
- aggregations object
  
  Defines how to aggregate the grouped data. The following aggregations are currently supported: average, bucket script, bucket selector, cardinality, filter, geo bounds, geo centroid, geo line, max, median absolute deviation, min, missing, percentiles, rare terms, scripted metric, stats, sum, terms, top metrics, value count, weighted average.
- group_by object
  
  Defines how to group the data. More than one grouping can be defined per pivot. The following groupings are currently supported: date histogram, geotile grid, histogram, terms.
  Hide group_by attribute Show group_by attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  date_histogram object
  
  Hide date_histogram attributes Show date_histogram attributes object
  
  calendar_interval string
  
  Values are second, 1s, minute, 1m, hour, 1h, day, 1d, week, 1w, month, 1M, quarter, 1q, year, or 1y.
  
  extended_bounds object
  
  Hide extended_bounds attributes Show extended_bounds attributes object
  
  max
  
  min
  
  hard_bounds object
  
  Hide hard_bounds attributes Show hard_bounds attributes object
  
  max
  
  min
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  fixed_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  format string
  
  The date format used to format key_as_string in the response. If no format is specified, the first date format specified in the field mapping is used.
  
  interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  min_doc_count number
  
  Only returns buckets that have min_doc_count number of documents. By default, all buckets between the first bucket that matches documents and the last one are returned.
  
  missing string
  
  offset string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  order object | array[object]
  
  One of:
  AggregateOrder object AggregateOrder array[object]
  
  params object
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  time_zone string
  
  keyed boolean
  
  Set to true to associate a unique string key with each bucket and return the ranges as a hash rather than an array.
  
  geotile_grid object
  
  Hide geotile_grid attributes Show geotile_grid attributes object
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  precision number
  
  shard_size number
  
  Allows for more accurate counting of the top cells returned in the final result the aggregation. Defaults to returning max(10,(size x number-of-shards)) buckets from each shard.
  
  size number
  
  The maximum number of buckets to return.
  
  bounds object
  
  A geo bounding box. It can be represented in various ways:
  
  as 4 top/bottom/left/right coordinates
  
  as 2 top_left / bottom_right points
  
  as 2 top_right / bottom_left points
  
  as a WKT bounding box
  
  One of:
  CoordsGeoBounds object TopLeftBottomRightGeoBounds object TopRightBottomLeftGeoBounds object WktGeoBounds object
  
  histogram object
  
  Hide histogram attributes Show histogram attributes object
  
  extended_bounds object
  
  Hide extended_bounds attributes Show extended_bounds attributes object
  
  max number
  
  Maximum value for the bound.
  
  min number
  
  Minimum value for the bound.
  
  hard_bounds object
  
  Hide hard_bounds attributes Show hard_bounds attributes object
  
  max number
  
  Maximum value for the bound.
  
  min number
  
  Minimum value for the bound.
  
  field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  interval number
  
  The interval for the buckets. Must be a positive decimal.
  
  min_doc_count number
  
  Only returns buckets that have min_doc_count number of documents. By default, the response will fill gaps in the histogram with empty buckets.
  
  missing number
  
  The value to apply to documents that do not have a value. By default, documents without a value are ignored.
  
  offset number
  
  By default, the bucket keys start with 0 and then continue in even spaced steps of interval. The bucket boundaries can be shifted by using the offset option.
  
  order object | array[object]
  
  One of:
  AggregateOrder object AggregateOrder array[object]
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  format string
  
  keyed boolean
  
  If true, returns buckets as a hash instead of an array, keyed by the bucket keys.
  
  terms
source object
Hide source attributes Show source attributes object
- index string | array[string] Required
- runtime_mappings object
  Hide runtime_mappings attribute Show runtime_mappings attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  Hide * attribute Show * attribute object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  fetch_fields array[object]
  
  For type lookup
  
  Hide fetch_fields attributes Show fetch_fields attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  format string
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source string | object
  
  One of:
  ScriptSource string SearchRequestBody object
  
  Hide attributes Show attributes
  
  aggregations object
  
  Defines the aggregations that are run as part of the search request.
  
  collapse object
  
  explain boolean
  
  If true, the request returns detailed information about score computation as part of a hit.
  
  ext object
  
  Configuration of search extensions defined by Elasticsearch plugins.
  
  from number
  
  The starting document offset, which must be non-negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after parameter.
  
  highlight
  
  track_total_hits boolean | number
  
  Number of hits matching the query to count accurately. If true, the exact number of hits is returned at the cost of some performance. If false, the response does not include the total number of hits matching the query. Defaults to 10,000 hits.
  
  indices_boost array[object]
  
  Boost the _score of documents from specified indices. The boost value is the factor by which scores are multiplied. A boost value greater than 1.0 increases the score. A boost value between 0 and 1.0 decreases the score.
  
  docvalue_fields array[object]
  
  An array of wildcard (*) field patterns. The request returns doc values for field names matching these patterns in the hits.fields property of the response.
  
  knn
  
  min_score number
  
  The minimum _score for matching documents. Documents with a lower _score are not included in search results or results collected by aggregations.
  
  post_filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  profile boolean
  
  Set to true to return detailed timing information about the execution of individual components in a search request. NOTE: This is a debugging tool and adds significant overhead to search execution.
  
  query object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  rescore
  
  retriever object
  
  script_fields object
  
  Retrieve a script evaluation (based on different fields) for each hit.
  
  search_after array[number | string | boolean | null]
  
  A field value.
  
  size number
  
  The number of hits to return, which must not be negative. By default, you cannot page through more than 10,000 hits using the from and size parameters. To page through more hits, use the search_after property.
  
  slice object
  
  sort
  
  _source
  
  fields array[object]
  
  An array of wildcard (*) field patterns. The request returns values for field names matching these patterns in the hits.fields property of the response.
  
  suggest object
  
  terminate_after number
  
  The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
  
  IMPORTANT: Use with caution. Elasticsearch applies this property to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this property for requests that target data streams with backing indices across multiple data tiers.
  
  If set to 0 (default), the query does not terminate early.
  
  timeout string
  
  The period of time to wait for a response from each shard. If no response is received before the timeout expires, the request fails and returns an error. Defaults to no timeout.
  
  track_scores boolean
  
  If true, calculate and return document scores, even if the scores are not used for sorting.
  
  version boolean
  
  If true, the request returns the document version as part of a hit.
  
  seq_no_primary_term boolean
  
  If true, the request returns sequence number and primary term of the last modification of each hit.
  
  stored_fields string | array[string]
  
  pit object
  
  runtime_mappings object
  
  stats array[string]
  
  The stats groups to associate with the search. Each group maintains a statistics aggregation for its associated searches. You can retrieve these stats using the indices stats API.
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  Hide params attribute Show params attribute object
  
  * object Additional properties
  
  lang string
  
  Any of:
  ScriptLanguage string ScriptLanguage string
  
  Values are painless, expression, mustache, or java.
  
  options object
  
  Hide options attribute Show options attribute object
  
  * string Additional properties
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
- query object
  
  A query clause that retrieves a subset of data from the source index.
  
  Query DSL
settings object
Hide settings attributes Show settings attributes object
- align_checkpoints boolean
  
  Specifies whether the transform checkpoint ranges should be optimized for performance. Such optimization can align checkpoint ranges with the date histogram interval when date histogram is specified as a group source in the transform config. As a result, less document updates in the destination index will be performed thus improving overall performance.
- dates_as_epoch_millis boolean
  
  Defines if dates in the ouput should be written as ISO formatted string or as millis since epoch. epoch_millis was the default for transforms created before version 7.11. For compatible output set this value to true.
- deduce_mappings boolean
  
  Specifies whether the transform should deduce the destination index mappings from the transform configuration.
- docs_per_second number
  
  Specifies a limit on the number of input documents per second. This setting throttles the transform by adding a wait time between search requests. The default value is null, which disables throttling.
- max_page_search_size number
  
  Defines the initial page size to use for the composite aggregation for each checkpoint. If circuit breaker exceptions occur, the page size is dynamically adjusted to a lower value. The minimum value is 10 and the maximum is 65,536.
- unattended boolean
  
  If true, the transform runs in unattended mode. In unattended mode, the transform retries indefinitely in case of an error which means the transform never fails. Setting the number of retries other than infinite fails in validation.
sync object
Hide sync attribute Show sync attribute object
- time object
  Hide time attributes Show time attributes object
  
  delay string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
retention_policy object
Hide retention_policy attribute Show retention_policy attribute object
- time object
  Hide time attributes Show time attributes object
  
  field string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  max_age string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
latest object
Hide latest attributes Show latest attributes object
- sort string Required
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
- unique_key array[string] Required
  
  Specifies an array of one or more fields that are used to group the data.

Responses

200 application/json
Hide response attributes Show response attributes object
- generated_dest_index object Required
  
  Hide generated_dest_index attributes Show generated_dest_index attributes object
  
  aliases object
  
  Hide aliases attribute Show aliases attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  filter object
  
  An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
  
  External documentation
  
  index_routing string
  
  is_hidden boolean
  
  If true, the alias is hidden. All indices for the alias must have the same is_hidden value.
  
  is_write_index boolean
  
  If true, the index is the write index for the alias.
  
  routing string
  
  search_routing string
  
  mappings object
  
  Hide mappings attributes Show mappings attributes object
  
  all_field object
  
  Hide all_field attributes Show all_field attributes object
  
  analyzer string Required
  
  enabled boolean Required
  
  omit_norms boolean Required
  
  search_analyzer string Required
  
  similarity string Required
  
  store boolean Required
  
  store_term_vector_offsets boolean Required
  
  store_term_vector_payloads boolean Required
  
  store_term_vector_positions boolean Required
  
  store_term_vectors boolean Required
  
  date_detection boolean
  
  dynamic string
  
  Values are strict, runtime, true, or false.
  
  dynamic_date_formats array[string]
  
  dynamic_templates array[object]
  
  _field_names object
  
  Hide _field_names attribute Show _field_names attribute object
  
  enabled boolean Required
  
  index_field object
  
  Hide index_field attribute Show index_field attribute object
  
  enabled boolean Required
  
  _meta object
  
  Hide _meta attribute Show _meta attribute object
  
  * object Additional properties
  
  numeric_detection boolean
  
  properties object
  
  _routing object
  
  Hide _routing attribute Show _routing attribute object
  
  required boolean Required
  
  _size object
  
  Hide _size attribute Show _size attribute object
  
  enabled boolean Required
  
  _source object
  
  Hide _source attributes Show _source attributes object
  
  compress boolean
  
  compress_threshold string
  
  enabled boolean
  
  excludes array[string]
  
  includes array[string]
  
  mode string
  
  Values are disabled, stored, or synthetic.
  
  runtime object
  
  Hide runtime attribute Show runtime attribute object
  
  * object Additional properties
  
  Hide * attributes Show * attributes object
  
  fields object
  
  For type composite
  
  Hide fields attribute Show fields attribute object
  
  * object Additional properties
  
  fetch_fields array[object]
  
  For type lookup
  
  format string
  
  A custom format for date type runtime fields.
  
  input_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_field string
  
  Path to field or array of paths. Some API's support wildcards in the path to select multiple fields.
  
  target_index string
  
  script object
  
  Hide script attributes Show script attributes object
  
  source
  
  id string
  
  params object
  
  Specifies any named parameters that are passed into the script as variables. Use parameters instead of hard-coded values to decrease compile time.
  
  lang
  
  options object
  
  type string Required
  
  Values are boolean, composite, date, double, geo_point, geo_shape, ip, keyword, long, or lookup.
  
  enabled boolean
  
  subobjects string
  
  Values are true or false.
  
  _data_stream_timestamp object
  
  Hide _data_stream_timestamp attribute Show _data_stream_timestamp attribute object
  
  enabled boolean Required
  
  settings object Additional properties
  
  Hide settings attributes Show settings attributes object
  
  index object Additional properties
  
  mode string
  
  routing_path string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  soft_deletes object
  
  Hide soft_deletes attributes Show soft_deletes attributes object
  
  enabled boolean
  
  Indicates whether soft deletes are enabled on the index.
  
  retention_lease object
  
  Hide retention_lease attribute Show retention_lease attribute object
  
  period string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  sort object
  
  Hide sort attributes Show sort attributes object
  
  field string | array[string]
  
  order string | array[string]
  
  Supported values include: asc (or ASC), desc (or DESC)
  
  One of:
  SegmentSortOrder string array-2 array[string]
  
  Values are asc, ASC, desc, or DESC.
  
  mode string | array[string]
  
  Supported values include: min (or MIN), max (or MAX)
  
  One of:
  SegmentSortMode string array-2 array[string]
  
  Values are min, MIN, max, or MAX.
  
  missing string | array[string]
  
  Supported values include: _last, _first
  
  One of:
  SegmentSortMissing string array-2 array[string]
  
  Values are _last or _first.
  
  number_of_routing_shards number
  
  check_on_startup string
  
  Values are true, false, or checksum.
  
  codec string
  
  routing_partition_size number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  load_fixed_bitset_filters_eagerly boolean
  
  hidden boolean | string
  
  One of:
  boolean-1 boolean string-2 string
  
  auto_expand_replicas string | null
  
  One of:
  string-1 string NullValue string | null
  
  merge object
  
  Hide merge attribute Show merge attribute object
  
  scheduler object
  
  Hide scheduler attributes Show scheduler attributes object
  
  max_thread_count number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  max_merge_count number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  search object
  
  Hide search attributes Show search attributes object
  
  idle object
  
  Hide idle attribute Show idle attribute object
  
  after string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  slowlog object
  
  Hide slowlog attributes Show slowlog attributes object
  
  level string
  
  source number
  
  reformat boolean
  
  threshold object
  
  Hide threshold attributes Show threshold attributes object
  
  query object
  
  fetch object
  
  refresh_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  max_result_window number
  
  max_inner_result_window number
  
  max_rescore_window number
  
  max_docvalue_fields_search number
  
  max_script_fields number
  
  max_ngram_diff number
  
  max_shingle_diff number
  
  blocks object
  
  Hide blocks attributes Show blocks attributes object
  
  read_only boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  read_only_allow_delete boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  read boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  write boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  metadata boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  max_refresh_listeners number
  
  analyze object
  
  Hide analyze attribute Show analyze attribute object
  
  max_token_count number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  highlight object
  
  Hide highlight attribute Show highlight attribute object
  
  max_analyzed_offset number
  
  max_terms_count number
  
  max_regex_length number
  
  routing object
  
  Hide routing attributes Show routing attributes object
  
  allocation object
  
  Hide allocation attributes Show allocation attributes object
  
  enable string
  
  Values are all, primaries, new_primaries, or none.
  
  include object
  
  Hide include attributes Show include attributes object
  
  _tier_preference string
  
  _id string
  
  initial_recovery object
  
  Hide initial_recovery attribute Show initial_recovery attribute object
  
  _id string
  
  disk object
  
  Hide disk attribute Show disk attribute object
  
  threshold_enabled
  
  rebalance object
  
  Hide rebalance attribute Show rebalance attribute object
  
  enable string Required
  
  Values are all, primaries, replicas, or none.
  
  gc_deletes string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  default_pipeline string
  
  final_pipeline string
  
  lifecycle object
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  name string
  
  indexing_complete boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  origination_date number
  
  If specified, this is the timestamp used to calculate the index age for its phase transitions. Use this setting if you create a new index that contains old data and want to use the original creation date to calculate the index age. Specified as a Unix epoch value in milliseconds.
  
  parse_origination_date boolean
  
  Set to true to parse the origination date from the index name. This origination date is used to calculate the index age for its phase transitions. The index name must match the pattern ^{.*-{date_format}-\d+,} where the date_format is yyyy.MM.dd and the trailing digits are optional. An index that was rolled over would normally match the full format, for example logs-2016.10.31-000002). If the index name doesn’t match the pattern, index creation fails.
  
  step object
  
  Hide step attribute Show step attribute object
  
  wait_time_threshold string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  rollover_alias string
  
  The index alias to update when the index rolls over. Specify when using a policy that contains a rollover action. When the index rolls over, the alias is updated to reflect that the index is no longer the write index. For more information about rolling indices, see Rollover.
  
  prefer_ilm boolean | string
  
  Preference for the system that manages a data stream backing index (preferring ILM when both ILM and DLM are applicable for an index).
  
  One of:
  boolean-1 boolean string-2 string
  
  provided_name string
  
  creation_date number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  UnitMillis number StringifiedEpochTimeUnitMillis string
  
  Time unit for milliseconds
  
  creation_date_string string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  uuid string
  
  version object
  
  Hide version attributes Show version attributes object
  
  created string
  
  created_string string
  
  verified_before_close boolean | string
  
  One of:
  boolean-1 boolean string-2 string
  
  format string | number
  
  One of:
  string-1 string number-2 number
  
  max_slices_per_scroll number
  
  translog object
  
  Hide translog attributes Show translog attributes object
  
  sync_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  durability string
  
  Values are request, REQUEST, async, or ASYNC.
  
  flush_threshold_size number | string
  
  One of:
  ByteSize number ByteSize string
  
  retention object
  
  Hide retention attributes Show retention attributes object
  
  size number | string
  
  One of:
  ByteSize number ByteSize string
  
  age string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  query_string object
  
  Hide query_string attribute Show query_string attribute object
  
  lenient boolean | string Required
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  priority number | string
  
  One of:
  number-1 number string-2 string
  
  top_metrics_max_size number
  
  analysis object
  
  Hide analysis attributes Show analysis attributes object
  
  analyzer object
  
  char_filter object
  
  filter object
  
  normalizer object
  
  tokenizer object
  
  settings object Additional properties
  
  time_series object
  
  Hide time_series attributes Show time_series attributes object
  
  end_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  start_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  queries object
  
  Hide queries attribute Show queries attribute object
  
  cache object
  
  Hide cache attribute Show cache attribute object
  
  enabled boolean Required
  
  similarity object
  
  Configure custom similarity settings to customize how search results are scored.
  
  mapping object
  
  Hide mapping attributes Show mapping attributes object
  
  coerce boolean
  
  total_fields object
  
  Hide total_fields attributes Show total_fields attributes object
  
  limit number | string
  
  The maximum number of fields in an index. Field and object mappings, as well as field aliases count towards this limit. The limit is in place to prevent mappings and searches from becoming too large. Higher values can lead to performance degradations and memory issues, especially in clusters with a high load or few resources.
  
  One of:
  number-1 number string-2 string
  
  ignore_dynamic_beyond_limit boolean | string
  
  This setting determines what happens when a dynamically mapped field would exceed the total fields limit. When set to false (the default), the index request of the document that tries to add a dynamic field to the mapping will fail with the message Limit of total fields [X] has been exceeded. When set to true, the index request will not fail. Instead, fields that would exceed the limit are not added to the mapping, similar to dynamic: false. The fields that were not added to the mapping will be added to the _ignored field.
  
  One of:
  boolean-1 boolean string-2 string
  
  depth object
  
  Hide depth attribute Show depth attribute object
  
  limit number
  
  The maximum depth for a field, which is measured as the number of inner objects. For instance, if all fields are defined at the root object level, then the depth is 1. If there is one object mapping, then the depth is 2, etc.
  
  nested_fields object
  
  Hide nested_fields attribute Show nested_fields attribute object
  
  limit number
  
  The maximum number of distinct nested mappings in an index. The nested type should only be used in special cases, when arrays of objects need to be queried independently of each other. To safeguard against poorly designed mappings, this setting limits the number of unique nested types per index.
  
  nested_objects object
  
  Hide nested_objects attribute Show nested_objects attribute object
  
  limit number
  
  The maximum number of nested JSON objects that a single document can contain across all nested types. This limit helps to prevent out of memory errors when a document contains too many nested objects.
  
  field_name_length object
  
  Hide field_name_length attribute Show field_name_length attribute object
  
  limit number
  
  Setting for the maximum length of a field name. This setting isn’t really something that addresses mappings explosion but might still be useful if you want to limit the field length. It usually shouldn’t be necessary to set this setting. The default is okay unless a user starts to add a huge number of fields with really long names. Default is Long.MAX_VALUE (no limit).
  
  dimension_fields object
  
  Hide dimension_fields attribute Show dimension_fields attribute object
  
  limit number
  
  [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
  
  source object
  
  Hide source attribute Show source attribute object
  
  mode string Required
  
  Values are disabled, stored, or synthetic.
  
  ignore_malformed boolean | string
  
  One of:
  boolean-1 boolean string-2 string
  
  indexing.slowlog object
  
  Hide indexing.slowlog attributes Show indexing.slowlog attributes object
  
  level string
  
  source number
  
  reformat boolean
  
  threshold object
  
  Hide threshold attribute Show threshold attribute object
  
  index object
  
  Hide index attributes Show index attributes object
  
  warn string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  info string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  debug string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  trace string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  indexing_pressure object
  
  Hide indexing_pressure attribute Show indexing_pressure attribute object
  
  memory object Required
  
  Hide memory attribute Show memory attribute object
  
  limit number
  
  Number of outstanding bytes that may be consumed by indexing requests. When this limit is reached or exceeded, the node will reject new coordinating and primary operations. When replica operations consume 1.5x this limit, the node will reject new replica operations. Defaults to 10% of the heap.
  
  store object
  
  Hide store attributes Show store attributes object
  
  type string Required
  
  Any of:
  StorageType string StorageType string
  
  Values are fs, niofs, mmapfs, or hybridfs.
  
  allow_mmap boolean
  
  You can restrict the use of the mmapfs and the related hybridfs store type via the setting node.store.allow_mmap. This is a boolean setting indicating whether or not memory-mapping is allowed. The default is to allow it. This setting is useful, for example, if you are in an environment where you can not control the ability to create a lot of memory maps so you need disable the ability to use memory-mapping.
  
  defaults object Additional properties
  
  Hide defaults attributes Show defaults attributes object
  
  index object Additional properties
  
  mode string
  
  routing_path string | array[string]
  
  One of:
  string-1 string array-2 array[string]
  
  soft_deletes object
  
  Hide soft_deletes attributes Show soft_deletes attributes object
  
  enabled boolean
  
  Indicates whether soft deletes are enabled on the index.
  
  retention_lease object
  
  Hide retention_lease attribute Show retention_lease attribute object
  
  period string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  sort object
  
  Hide sort attributes Show sort attributes object
  
  field string | array[string]
  
  order string | array[string]
  
  Supported values include: asc (or ASC), desc (or DESC)
  
  One of:
  SegmentSortOrder string array-2 array[string]
  
  Values are asc, ASC, desc, or DESC.
  
  mode string | array[string]
  
  Supported values include: min (or MIN), max (or MAX)
  
  One of:
  SegmentSortMode string array-2 array[string]
  
  Values are min, MIN, max, or MAX.
  
  missing string | array[string]
  
  Supported values include: _last, _first
  
  One of:
  SegmentSortMissing string array-2 array[string]
  
  Values are _last or _first.
  
  number_of_routing_shards number
  
  check_on_startup string
  
  Values are true, false, or checksum.
  
  codec string
  
  routing_partition_size number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  load_fixed_bitset_filters_eagerly boolean
  
  hidden boolean | string
  
  One of:
  boolean-1 boolean string-2 string
  
  auto_expand_replicas string | null
  
  One of:
  string-1 string NullValue string | null
  
  merge object
  
  Hide merge attribute Show merge attribute object
  
  scheduler object
  
  Hide scheduler attributes Show scheduler attributes object
  
  max_thread_count number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  max_merge_count number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  search object
  
  Hide search attributes Show search attributes object
  
  idle object
  
  Hide idle attribute Show idle attribute object
  
  after string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  slowlog object
  
  Hide slowlog attributes Show slowlog attributes object
  
  level string
  
  source number
  
  reformat boolean
  
  threshold object
  
  Hide threshold attributes Show threshold attributes object
  
  query object
  
  fetch object
  
  refresh_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  max_result_window number
  
  max_inner_result_window number
  
  max_rescore_window number
  
  max_docvalue_fields_search number
  
  max_script_fields number
  
  max_ngram_diff number
  
  max_shingle_diff number
  
  blocks object
  
  Hide blocks attributes Show blocks attributes object
  
  read_only boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  read_only_allow_delete boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  read boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  write boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  metadata boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  max_refresh_listeners number
  
  analyze object
  
  Hide analyze attribute Show analyze attribute object
  
  max_token_count number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedinteger number Stringifiedinteger string
  
  highlight object
  
  Hide highlight attribute Show highlight attribute object
  
  max_analyzed_offset number
  
  max_terms_count number
  
  max_regex_length number
  
  routing object
  
  Hide routing attributes Show routing attributes object
  
  allocation object
  
  Hide allocation attributes Show allocation attributes object
  
  enable string
  
  Values are all, primaries, new_primaries, or none.
  
  include object
  
  Hide include attributes Show include attributes object
  
  _tier_preference string
  
  _id string
  
  initial_recovery object
  
  Hide initial_recovery attribute Show initial_recovery attribute object
  
  _id string
  
  disk object
  
  Hide disk attribute Show disk attribute object
  
  threshold_enabled
  
  rebalance object
  
  Hide rebalance attribute Show rebalance attribute object
  
  enable string Required
  
  Values are all, primaries, replicas, or none.
  
  gc_deletes string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  default_pipeline string
  
  final_pipeline string
  
  lifecycle object
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  name string
  
  indexing_complete boolean | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  origination_date number
  
  If specified, this is the timestamp used to calculate the index age for its phase transitions. Use this setting if you create a new index that contains old data and want to use the original creation date to calculate the index age. Specified as a Unix epoch value in milliseconds.
  
  parse_origination_date boolean
  
  Set to true to parse the origination date from the index name. This origination date is used to calculate the index age for its phase transitions. The index name must match the pattern ^{.*-{date_format}-\d+,} where the date_format is yyyy.MM.dd and the trailing digits are optional. An index that was rolled over would normally match the full format, for example logs-2016.10.31-000002). If the index name doesn’t match the pattern, index creation fails.
  
  step object
  
  Hide step attribute Show step attribute object
  
  wait_time_threshold string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  rollover_alias string
  
  The index alias to update when the index rolls over. Specify when using a policy that contains a rollover action. When the index rolls over, the alias is updated to reflect that the index is no longer the write index. For more information about rolling indices, see Rollover.
  
  prefer_ilm boolean | string
  
  Preference for the system that manages a data stream backing index (preferring ILM when both ILM and DLM are applicable for an index).
  
  One of:
  boolean-1 boolean string-2 string
  
  provided_name string
  
  creation_date number | string
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  UnitMillis number StringifiedEpochTimeUnitMillis string
  
  Time unit for milliseconds
  
  creation_date_string string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  uuid string
  
  version object
  
  Hide version attributes Show version attributes object
  
  created string
  
  created_string string
  
  verified_before_close boolean | string
  
  One of:
  boolean-1 boolean string-2 string
  
  format string | number
  
  One of:
  string-1 string number-2 number
  
  max_slices_per_scroll number
  
  translog object
  
  Hide translog attributes Show translog attributes object
  
  sync_interval string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  durability string
  
  Values are request, REQUEST, async, or ASYNC.
  
  flush_threshold_size number | string
  
  One of:
  ByteSize number ByteSize string
  
  retention object
  
  Hide retention attributes Show retention attributes object
  
  size number | string
  
  One of:
  ByteSize number ByteSize string
  
  age string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  query_string object
  
  Hide query_string attribute Show query_string attribute object
  
  lenient boolean | string Required
  
  Some APIs will return values such as numbers also as a string (notably epoch timestamps). This behavior is used to capture this behavior while keeping the semantics of the field type.
  
  Depending on the target language, code generators can keep the union or remove it and leniently parse strings to the target type.
  
  One of:
  Stringifiedboolean boolean Stringifiedboolean string
  
  priority number | string
  
  One of:
  number-1 number string-2 string
  
  top_metrics_max_size number
  
  analysis object
  
  Hide analysis attributes Show analysis attributes object
  
  analyzer object
  
  char_filter object
  
  filter object
  
  normalizer object
  
  tokenizer object
  
  settings object Additional properties
  
  time_series object
  
  Hide time_series attributes Show time_series attributes object
  
  end_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  start_time string | number
  
  A date and time, either as a string whose format can depend on the context (defaulting to ISO 8601), or a number of milliseconds since the Epoch. Elasticsearch accepts both as input, but will generally output a string representation.
  
  One of:
  DateTime string UnitMillis number
  
  queries object
  
  Hide queries attribute Show queries attribute object
  
  cache object
  
  Hide cache attribute Show cache attribute object
  
  enabled boolean Required
  
  similarity object
  
  Configure custom similarity settings to customize how search results are scored.
  
  mapping object
  
  Hide mapping attributes Show mapping attributes object
  
  coerce boolean
  
  total_fields object
  
  Hide total_fields attributes Show total_fields attributes object
  
  limit number | string
  
  The maximum number of fields in an index. Field and object mappings, as well as field aliases count towards this limit. The limit is in place to prevent mappings and searches from becoming too large. Higher values can lead to performance degradations and memory issues, especially in clusters with a high load or few resources.
  
  One of:
  number-1 number string-2 string
  
  ignore_dynamic_beyond_limit boolean | string
  
  This setting determines what happens when a dynamically mapped field would exceed the total fields limit. When set to false (the default), the index request of the document that tries to add a dynamic field to the mapping will fail with the message Limit of total fields [X] has been exceeded. When set to true, the index request will not fail. Instead, fields that would exceed the limit are not added to the mapping, similar to dynamic: false. The fields that were not added to the mapping will be added to the _ignored field.
  
  One of:
  boolean-1 boolean string-2 string
  
  depth object
  
  Hide depth attribute Show depth attribute object
  
  limit number
  
  The maximum depth for a field, which is measured as the number of inner objects. For instance, if all fields are defined at the root object level, then the depth is 1. If there is one object mapping, then the depth is 2, etc.
  
  nested_fields object
  
  Hide nested_fields attribute Show nested_fields attribute object
  
  limit number
  
  The maximum number of distinct nested mappings in an index. The nested type should only be used in special cases, when arrays of objects need to be queried independently of each other. To safeguard against poorly designed mappings, this setting limits the number of unique nested types per index.
  
  nested_objects object
  
  Hide nested_objects attribute Show nested_objects attribute object
  
  limit number
  
  The maximum number of nested JSON objects that a single document can contain across all nested types. This limit helps to prevent out of memory errors when a document contains too many nested objects.
  
  field_name_length object
  
  Hide field_name_length attribute Show field_name_length attribute object
  
  limit number
  
  Setting for the maximum length of a field name. This setting isn’t really something that addresses mappings explosion but might still be useful if you want to limit the field length. It usually shouldn’t be necessary to set this setting. The default is okay unless a user starts to add a huge number of fields with really long names. Default is Long.MAX_VALUE (no limit).
  
  dimension_fields object
  
  Hide dimension_fields attribute Show dimension_fields attribute object
  
  limit number
  
  [preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
  
  source object
  
  Hide source attribute Show source attribute object
  
  mode string Required
  
  Values are disabled, stored, or synthetic.
  
  ignore_malformed boolean | string
  
  One of:
  boolean-1 boolean string-2 string
  
  indexing.slowlog object
  
  Hide indexing.slowlog attributes Show indexing.slowlog attributes object
  
  level string
  
  source number
  
  reformat boolean
  
  threshold object
  
  Hide threshold attribute Show threshold attribute object
  
  index object
  
  Hide index attributes Show index attributes object
  
  warn string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  info string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  debug string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  trace string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  indexing_pressure object
  
  Hide indexing_pressure attribute Show indexing_pressure attribute object
  
  memory object Required
  
  Hide memory attribute Show memory attribute object
  
  limit number
  
  Number of outstanding bytes that may be consumed by indexing requests. When this limit is reached or exceeded, the node will reject new coordinating and primary operations. When replica operations consume 1.5x this limit, the node will reject new replica operations. Defaults to 10% of the heap.
  
  store object
  
  Hide store attributes Show store attributes object
  
  type string Required
  
  Any of:
  StorageType string StorageType string
  
  Values are fs, niofs, mmapfs, or hybridfs.
  
  allow_mmap boolean
  
  You can restrict the use of the mmapfs and the related hybridfs store type via the setting node.store.allow_mmap. This is a boolean setting indicating whether or not memory-mapping is allowed. The default is to allow it. This setting is useful, for example, if you are in an environment where you can not control the ability to create a lot of memory maps so you need disable the ability to use memory-mapping.
  
  data_stream string
  
  lifecycle object
  
  Hide lifecycle attributes Show lifecycle attributes object
  
  data_retention string
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  downsampling object
  
  Hide downsampling attribute Show downsampling attribute object
  
  rounds array[object] Required
  
  The list of downsampling rounds to execute as part of this downsampling configuration
  
  Hide rounds attributes Show rounds attributes object
  
  after string Required
  
  A duration. Units can be nanos, micros, ms (milliseconds), s (seconds), m (minutes), h (hours) and d (days). Also accepts "0" without a unit and "-1" to indicate an unspecified value.
  
  config object Required
  
  enabled boolean
  
  If defined, it turns data stream lifecycle on/off (true/false) for this data stream. A data stream lifecycle that's disabled (enabled: false) will have no effect on the data stream.
- preview array[object] Required

POST /_transform/{transform_id}/_preview

curl \
 --request POST 'http://api.example.com/_transform/{transform_id}/_preview' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '"{\n  \"source\": {\n    \"index\": \"kibana_sample_data_ecommerce\"\n  },\n  \"pivot\": {\n    \"group_by\": {\n      \"customer_id\": {\n        \"terms\": {\n          \"field\": \"customer_id\",\n          \"missing_bucket\": true\n        }\n      }\n    },\n    \"aggregations\": {\n      \"max_price\": {\n        \"max\": {\n          \"field\": \"taxful_total_price\"\n        }\n      }\n    }\n  }\n}"'

Request example

Run `POST _transform/_preview` to preview a transform that uses the pivot method.

{
  "source": {
    "index": "kibana_sample_data_ecommerce"
  },
  "pivot": {
    "group_by": {
      "customer_id": {
        "terms": {
          "field": "customer_id",
          "missing_bucket": true
        }
      }
    },
    "aggregations": {
      "max_price": {
        "max": {
          "field": "taxful_total_price"
        }
      }
    }
  }
}

Response examples (200)

An abbreviated response from `POST _transform/_preview` that contains a preview a transform that uses the pivot method.

{
  "preview": [
    {
      "max_price": 171,
      "customer_id": "10"
    },
    {
      "max_price": 233,
      "customer_id": "11"
    },
    {
      "max_price": 200,
      "customer_id": "12"
    },
    {
      "max_price": 301,
      "customer_id": "13"
    },
    {
      "max_price": 176,
      "customer_id": "14"
    },
    {
      "max_price": 2250,
      "customer_id": "15"
    },
    {
      "max_price": 170,
      "customer_id": "16"
    },
    {
      "max_price": 243,
      "customer_id": "17"
    },
    {
      "max_price": 154,
      "customer_id": "18"
    },
    {
      "max_price": 393,
      "customer_id": "19"
    },
    {
      "max_price": 165,
      "customer_id": "20"
    },
    {
      "max_price": 115,
      "customer_id": "21"
    },
    {
      "max_price": 192,
      "customer_id": "22"
    },
    {
      "max_price": 169,
      "customer_id": "23"
    },
    {
      "max_price": 230,
      "customer_id": "24"
    },
    {
      "max_price": 278,
      "customer_id": "25"
    },
    {
      "max_price": 200,
      "customer_id": "26"
    },
    {
      "max_price": 344,
      "customer_id": "27"
    },
    {
      "max_price": 175,
      "customer_id": "28"
    },
    {
      "max_price": 177,
      "customer_id": "29"
    },
    {
      "max_price": 190,
      "customer_id": "30"
    },
    {
      "max_price": 190,
      "customer_id": "31"
    },
    {
      "max_price": 205,
      "customer_id": "32"
    },
    {
      "max_price": 215,
      "customer_id": "33"
    },
    {
      "max_price": 270,
      "customer_id": "34"
    },
    {
      "max_price": 184,
      "customer_id": "36"
    },
    {
      "max_price": 222,
      "customer_id": "37"
    },
    {
      "max_price": 370,
      "customer_id": "38"
    },
    {
      "max_price": 240,
      "customer_id": "39"
    },
    {
      "max_price": 230,
      "customer_id": "4"
    },
    {
      "max_price": 229,
      "customer_id": "41"
    },
    {
      "max_price": 190,
      "customer_id": "42"
    },
    {
      "max_price": 150,
      "customer_id": "43"
    },
    {
      "max_price": 175,
      "customer_id": "44"
    },
    {
      "max_price": 190,
      "customer_id": "45"
    },
    {
      "max_price": 150,
      "customer_id": "46"
    },
    {
      "max_price": 310,
      "customer_id": "48"
    },
    {
      "max_price": 223,
      "customer_id": "49"
    },
    {
      "max_price": 283,
      "customer_id": "5"
    },
    {
      "max_price": 185,
      "customer_id": "50"
    },
    {
      "max_price": 190,
      "customer_id": "51"
    },
    {
      "max_price": 333,
      "customer_id": "52"
    },
    {
      "max_price": 165,
      "customer_id": "6"
    },
    {
      "max_price": 144,
      "customer_id": "7"
    },
    {
      "max_price": 198,
      "customer_id": "8"
    },
    {
      "max_price": 210,
      "customer_id": "9"
    }
  ],
  "generated_dest_index": {
    "mappings": {
      "_meta": {
        "_transform": {
          "transform": "transform-preview",
          "version": {
            "created": "10.0.0"
          },
          "creation_date_in_millis": 1712948905889
        },
        "created_by": "transform"
      },
      "properties": {
        "max_price": {
          "type": "half_float"
        },
        "customer_id": {
          "type": "keyword"
        }
      }
    },
    "settings": {
      "index": {
        "number_of_shards": "1",
        "auto_expand_replicas": "0-1"
      }
    },
    "aliases": {}
  }
}

Delete a behavioral analytics collection Deprecated Technical preview

Get behavioral analytics collections Deprecated Technical preview

epoch number | string

Get data frame analytics jobs Added in 7.7.0

Get datafeeds Added in 7.7.0

Get anomaly detection jobs Added in 7.7.0

data.input_bytes number | string

model.bytes number | string

model.bytes_exceeded number | string

Get trained models Added in 7.7.0

heap_size number | string

create_time string | number

Get trained models Added in 7.7.0

heap_size number | string

create_time string | number

Get transform information Added in 7.7.0

checkpoint_progress string | null

last_search_time string | null

changes_last_detection_time string | null

Get transform information Added in 7.7.0

checkpoint_progress string | null

last_search_time string | null

changes_last_detection_time string | null

Check in a connector Technical preview

Create or update a connector Beta

Delete a connector Beta

Cancel a connector sync job Beta

Create a connector sync job Beta

Body Required

Update the connector name and description Beta

Body Required

Create a data stream Added in 7.9.0

Get the status for a data stream lifecycle Added in 8.11.0

Convert an index alias to a data stream Added in 7.9.0

Get multiple documents Added in 1.3.0

Body Required

_source boolean | object

ids string | array[string]

Run an enrich policy Added in 7.5.0

task string | number

Get an enrich policy Added in 7.5.0

Get async EQL search results Added in 7.9.0

Get component templates Added in 7.8.0

Delete component templates Added in 7.8.0