Find the structure of a text file
Added in 7.13.0
The text file must contain data that is suitable to be ingested into Elasticsearch.
This API provides a starting point for ingesting data into Elasticsearch in a format that is suitable for subsequent use with other Elastic Stack functionality. Unlike other Elasticsearch endpoints, the data that is posted to this endpoint does not need to be UTF-8 encoded and in JSON format. It must, however, be text; binary text formats are not currently supported. The size is limited to the Elasticsearch HTTP receive buffer size, which defaults to 100 Mb.
The response from the API contains:
- A couple of messages from the beginning of the text.
- Statistics that reveal the most common values for all fields detected within the text and basic numeric statistics for numeric fields.
- Information about the structure of the text, which is useful when you write ingest configurations to index it or similarly formatted text.
- Appropriate mappings for an Elasticsearch index, which you could use to ingest the text.
All this information can be calculated by the structure finder with no guidance. However, you can optionally override some of the decisions about the text structure by specifying one or more query parameters.
Query parameters
-
charset
string The text's character set. It must be a character set that is supported by the JVM that Elasticsearch uses. For example,
UTF-8,UTF-16LE,windows-1252, orEUC-JP. If this parameter is not specified, the structure finder chooses an appropriate character set. -
column_names
string If you have set format to
delimited, you can specify the column names in a comma-separated list. If this parameter is not specified, the structure finder uses the column names from the header row of the text. If the text does not have a header role, columns are named "column1", "column2", "column3", for example. -
delimiter
string If you have set
formattodelimited, you can specify the character used to delimit the values in each row. Only a single character is supported; the delimiter cannot have multiple characters. By default, the API considers the following possibilities: comma, tab, semi-colon, and pipe (|). In this default scenario, all rows must have the same number of fields for the delimited format to be detected. If you specify a delimiter, up to 10% of the rows can have a different number of columns than the first row. -
ecs_compatibility
string The mode of compatibility with ECS compliant Grok patterns. Use this parameter to specify whether to use ECS Grok patterns instead of legacy ones when the structure finder creates a Grok pattern. Valid values are
disabledandv1. This setting primarily has an impact when a whole message Grok pattern such as%{CATALINALOG}matches the input. If the structure finder identifies a common structure but has no idea of meaning then generic field names such aspath,ipaddress,field1, andfield2are used in thegrok_patternoutput, with the intention that a user who knows the meanings rename these fields before using it. -
explain
boolean If this parameter is set to
true, the response includes a field named explanation, which is an array of strings that indicate how the structure finder produced its result. If the structure finder produces unexpected results for some text, use this query parameter to help you determine why the returned structure was chosen. -
format
string The high level structure of the text. Valid values are
ndjson,xml,delimited, andsemi_structured_text. By default, the API chooses the format. In this default scenario, all rows must have the same number of fields for a delimited format to be detected. If the format is set todelimitedand the delimiter is not set, however, the API tolerates up to 5% of rows that have a different number of columns than the first row. -
grok_pattern
string If you have set
formattosemi_structured_text, you can specify a Grok pattern that is used to extract fields from every message in the text. The name of the timestamp field in the Grok pattern must match what is specified in thetimestamp_fieldparameter. If that parameter is not specified, the name of the timestamp field in the Grok pattern must match "timestamp". Ifgrok_patternis not specified, the structure finder creates a Grok pattern. -
has_header_row
boolean If you have set
formattodelimited, you can use this parameter to indicate whether the column names are in the first row of the text. If this parameter is not specified, the structure finder guesses based on the similarity of the first row of the text to other rows. -
line_merge_size_limit
number The maximum number of characters in a message when lines are merged to form messages while analyzing semi-structured text. If you have extremely long messages you may need to increase this, but be aware that this may lead to very long processing times if the way to group lines into messages is misdetected.
-
lines_to_sample
number The number of lines to include in the structural analysis, starting from the beginning of the text. The minimum is 2. If the value of this parameter is greater than the number of lines in the text, the analysis proceeds (as long as there are at least two lines in the text) for all of the lines.
NOTE: The number of lines and the variation of the lines affects the speed of the analysis. For example, if you upload text where the first 1000 lines are all variations on the same message, the analysis will find more commonality than would be seen with a bigger sample. If possible, however, it is more efficient to upload sample text with more variety in the first 1000 lines than to request analysis of 100000 lines to achieve some variety.
-
quote
string If you have set
formattodelimited, you can specify the character used to quote the values in each row if they contain newlines or the delimiter character. Only a single character is supported. If this parameter is not specified, the default value is a double quote ("). If your delimited text format does not use quoting, a workaround is to set this argument to a character that does not appear anywhere in the sample. -
should_trim_fields
boolean If you have set
formattodelimited, you can specify whether values between delimiters should have whitespace trimmed from them. If this parameter is not specified and the delimiter is pipe (|), the default value istrue. Otherwise, the default value isfalse. -
timeout
string The maximum amount of time that the structure analysis can take. If the analysis is still running when the timeout expires then it will be stopped.
-
timestamp_field
string The name of the field that contains the primary timestamp of each record in the text. In particular, if the text were ingested into an index, this is the field that would be used to populate the
@timestampfield.If the
formatissemi_structured_text, this field must match the name of the appropriate extraction in thegrok_pattern. Therefore, for semi-structured text, it is best not to specify this parameter unlessgrok_patternis also specified.For structured text, if you specify this parameter, the field must exist within the text.
If this parameter is not specified, the structure finder makes a decision about which field (if any) is the primary timestamp field. For structured text, it is not compulsory to have a timestamp in the text.
-
timestamp_format
string The Java time format of the timestamp field in the text.
Only a subset of Java time format letter groups are supported:
adddEEEEEEEHHHhMMMMMMMMMMmmssXXXXXyyyyyyzzz
Additionally
Sletter groups (fractional seconds) of length one to nine are supported providing they occur afterssand separated from thessby a.,,or:. Spacing and punctuation is also permitted with the exception of?, newline and carriage return, together with literal text enclosed in single quotes. For example,MM/dd HH.mm.ss,SSSSSS 'in' yyyyis a valid override format.One valuable use case for this parameter is when the format is semi-structured text, there are multiple timestamp formats in the text, and you know which format corresponds to the primary timestamp, but you do not want to specify the full
grok_pattern. Another is when the timestamp format is one that the structure finder does not consider by default.If this parameter is not specified, the structure finder chooses the best format from a built-in set.
If the special value
nullis specified the structure finder will not look for a primary timestamp in the text. When the format is semi-structured text this will result in the structure finder treating the text as single-line messages.
curl \
--request POST 'http://api.example.com/_text_structure/find_structure' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\"name\": \"Leviathan Wakes\", \"author\": \"James S.A. Corey\", \"release_date\": \"2011-06-02\", \"page_count\": 561}\n{\"name\": \"Hyperion\", \"author\": \"Dan Simmons\", \"release_date\": \"1989-05-26\", \"page_count\": 482}\n{\"name\": \"Dune\", \"author\": \"Frank Herbert\", \"release_date\": \"1965-06-01\", \"page_count\": 604}\n{\"name\": \"Dune Messiah\", \"author\": \"Frank Herbert\", \"release_date\": \"1969-10-15\", \"page_count\": 331}\n{\"name\": \"Children of Dune\", \"author\": \"Frank Herbert\", \"release_date\": \"1976-04-21\", \"page_count\": 408}\n{\"name\": \"God Emperor of Dune\", \"author\": \"Frank Herbert\", \"release_date\": \"1981-05-28\", \"page_count\": 454}\n{\"name\": \"Consider Phlebas\", \"author\": \"Iain M. Banks\", \"release_date\": \"1987-04-23\", \"page_count\": 471}\n{\"name\": \"Pandora's Star\", \"author\": \"Peter F. Hamilton\", \"release_date\": \"2004-03-02\", \"page_count\": 768}\n{\"name\": \"Revelation Space\", \"author\": \"Alastair Reynolds\", \"release_date\": \"2000-03-15\", \"page_count\": 585}\n{\"name\": \"A Fire Upon the Deep\", \"author\": \"Vernor Vinge\", \"release_date\": \"1992-06-01\", \"page_count\": 613}\n{\"name\": \"Ender's Game\", \"author\": \"Orson Scott Card\", \"release_date\": \"1985-06-01\", \"page_count\": 324}\n{\"name\": \"1984\", \"author\": \"George Orwell\", \"release_date\": \"1985-06-01\", \"page_count\": 328}\n{\"name\": \"Fahrenheit 451\", \"author\": \"Ray Bradbury\", \"release_date\": \"1953-10-15\", \"page_count\": 227}\n{\"name\": \"Brave New World\", \"author\": \"Aldous Huxley\", \"release_date\": \"1932-06-01\", \"page_count\": 268}\n{\"name\": \"Foundation\", \"author\": \"Isaac Asimov\", \"release_date\": \"1951-06-01\", \"page_count\": 224}\n{\"name\": \"The Giver\", \"author\": \"Lois Lowry\", \"release_date\": \"1993-04-26\", \"page_count\": 208}\n{\"name\": \"Slaughterhouse-Five\", \"author\": \"Kurt Vonnegut\", \"release_date\": \"1969-06-01\", \"page_count\": 275}\n{\"name\": \"The Hitchhiker's Guide to the Galaxy\", \"author\": \"Douglas Adams\", \"release_date\": \"1979-10-12\", \"page_count\": 180}\n{\"name\": \"Snow Crash\", \"author\": \"Neal Stephenson\", \"release_date\": \"1992-06-01\", \"page_count\": 470}\n{\"name\": \"Neuromancer\", \"author\": \"William Gibson\", \"release_date\": \"1984-07-01\", \"page_count\": 271}\n{\"name\": \"The Handmaid's Tale\", \"author\": \"Margaret Atwood\", \"release_date\": \"1985-06-01\", \"page_count\": 311}\n{\"name\": \"Starship Troopers\", \"author\": \"Robert A. Heinlein\", \"release_date\": \"1959-12-01\", \"page_count\": 335}\n{\"name\": \"The Left Hand of Darkness\", \"author\": \"Ursula K. Le Guin\", \"release_date\": \"1969-06-01\", \"page_count\": 304}\n{\"name\": \"The Moon is a Harsh Mistress\", \"author\": \"Robert A. Heinlein\", \"release_date\": \"1966-04-01\", \"page_count\": 288}"'{"name": "Leviathan Wakes", "author": "James S.A. Corey", "release_date": "2011-06-02", "page_count": 561}
{"name": "Hyperion", "author": "Dan Simmons", "release_date": "1989-05-26", "page_count": 482}
{"name": "Dune", "author": "Frank Herbert", "release_date": "1965-06-01", "page_count": 604}
{"name": "Dune Messiah", "author": "Frank Herbert", "release_date": "1969-10-15", "page_count": 331}
{"name": "Children of Dune", "author": "Frank Herbert", "release_date": "1976-04-21", "page_count": 408}
{"name": "God Emperor of Dune", "author": "Frank Herbert", "release_date": "1981-05-28", "page_count": 454}
{"name": "Consider Phlebas", "author": "Iain M. Banks", "release_date": "1987-04-23", "page_count": 471}
{"name": "Pandora's Star", "author": "Peter F. Hamilton", "release_date": "2004-03-02", "page_count": 768}
{"name": "Revelation Space", "author": "Alastair Reynolds", "release_date": "2000-03-15", "page_count": 585}
{"name": "A Fire Upon the Deep", "author": "Vernor Vinge", "release_date": "1992-06-01", "page_count": 613}
{"name": "Ender's Game", "author": "Orson Scott Card", "release_date": "1985-06-01", "page_count": 324}
{"name": "1984", "author": "George Orwell", "release_date": "1985-06-01", "page_count": 328}
{"name": "Fahrenheit 451", "author": "Ray Bradbury", "release_date": "1953-10-15", "page_count": 227}
{"name": "Brave New World", "author": "Aldous Huxley", "release_date": "1932-06-01", "page_count": 268}
{"name": "Foundation", "author": "Isaac Asimov", "release_date": "1951-06-01", "page_count": 224}
{"name": "The Giver", "author": "Lois Lowry", "release_date": "1993-04-26", "page_count": 208}
{"name": "Slaughterhouse-Five", "author": "Kurt Vonnegut", "release_date": "1969-06-01", "page_count": 275}
{"name": "The Hitchhiker's Guide to the Galaxy", "author": "Douglas Adams", "release_date": "1979-10-12", "page_count": 180}
{"name": "Snow Crash", "author": "Neal Stephenson", "release_date": "1992-06-01", "page_count": 470}
{"name": "Neuromancer", "author": "William Gibson", "release_date": "1984-07-01", "page_count": 271}
{"name": "The Handmaid's Tale", "author": "Margaret Atwood", "release_date": "1985-06-01", "page_count": 311}
{"name": "Starship Troopers", "author": "Robert A. Heinlein", "release_date": "1959-12-01", "page_count": 335}
{"name": "The Left Hand of Darkness", "author": "Ursula K. Le Guin", "release_date": "1969-06-01", "page_count": 304}
{"name": "The Moon is a Harsh Mistress", "author": "Robert A. Heinlein", "release_date": "1966-04-01", "page_count": 288}{
"num_lines_analyzed" : 24,
"num_messages_analyzed" : 24,
"sample_start" : "{\"name\": \"Leviathan Wakes\", \"author\": \"James S.A. Corey\", \"release_date\": \"2011-06-02\", \"page_count\": 561}\n{\"name\": \"Hyperion\", \"author\": \"Dan Simmons\", \"release_date\": \"1989-05-26\", \"page_count\": 482}\n",
"charset" : "UTF-8",
"has_byte_order_marker" : false,
"format" : "ndjson",
"ecs_compatibility" : "disabled",
"timestamp_field" : "release_date",
"joda_timestamp_formats" : [
"ISO8601"
],
"java_timestamp_formats" : [
"ISO8601"
],
"need_client_timezone" : true,
"mappings" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"author" : {
"type" : "keyword"
},
"name" : {
"type" : "keyword"
},
"page_count" : {
"type" : "long"
},
"release_date" : {
"type" : "date",
"format" : "iso8601"
}
}
},
"ingest_pipeline" : {
"description" : "Ingest pipeline created by text structure finder",
"processors" : [
{
"date" : {
"field" : "release_date",
"timezone" : "{{ event.timezone }}",
"formats" : [
"ISO8601"
]
}
}
]
},
"field_stats" : {
"author" : {
"count" : 24,
"cardinality" : 20,
"top_hits" : [
{
"value" : "Frank Herbert",
"count" : 4
},
{
"value" : "Robert A. Heinlein",
"count" : 2
},
{
"value" : "Alastair Reynolds",
"count" : 1
},
{
"value" : "Aldous Huxley",
"count" : 1
},
{
"value" : "Dan Simmons",
"count" : 1
},
{
"value" : "Douglas Adams",
"count" : 1
},
{
"value" : "George Orwell",
"count" : 1
},
{
"value" : "Iain M. Banks",
"count" : 1
},
{
"value" : "Isaac Asimov",
"count" : 1
},
{
"value" : "James S.A. Corey",
"count" : 1
}
]
},
"name" : {
"count" : 24,
"cardinality" : 24,
"top_hits" : [
{
"value" : "1984",
"count" : 1
},
{
"value" : "A Fire Upon the Deep",
"count" : 1
},
{
"value" : "Brave New World",
"count" : 1
},
{
"value" : "Children of Dune",
"count" : 1
},
{
"value" : "Consider Phlebas",
"count" : 1
},
{
"value" : "Dune",
"count" : 1
},
{
"value" : "Dune Messiah",
"count" : 1
},
{
"value" : "Ender's Game",
"count" : 1
},
{
"value" : "Fahrenheit 451",
"count" : 1
},
{
"value" : "Foundation",
"count" : 1
}
]
},
"page_count" : {
"count" : 24,
"cardinality" : 24,
"min_value" : 180,
"max_value" : 768,
"mean_value" : 387.0833333333333,
"median_value" : 329.5,
"top_hits" : [
{
"value" : 180,
"count" : 1
},
{
"value" : 208,
"count" : 1
},
{
"value" : 224,
"count" : 1
},
{
"value" : 227,
"count" : 1
},
{
"value" : 268,
"count" : 1
},
{
"value" : 271,
"count" : 1
},
{
"value" : 275,
"count" : 1
},
{
"value" : 288,
"count" : 1
},
{
"value" : 304,
"count" : 1
},
{
"value" : 311,
"count" : 1
}
]
},
"release_date" : {
"count" : 24,
"cardinality" : 20,
"earliest" : "1932-06-01",
"latest" : "2011-06-02",
"top_hits" : [
{
"value" : "1985-06-01",
"count" : 3
},
{
"value" : "1969-06-01",
"count" : 2
},
{
"value" : "1992-06-01",
"count" : 2
},
{
"value" : "1932-06-01",
"count" : 1
},
{
"value" : "1951-06-01",
"count" : 1
},
{
"value" : "1953-10-15",
"count" : 1
},
{
"value" : "1959-12-01",
"count" : 1
},
{
"value" : "1965-06-01",
"count" : 1
},
{
"value" : "1966-04-01",
"count" : 1
},
{
"value" : "1969-10-15",
"count" : 1
}
]
}
}
}