Elasticsearch API
http://api.example.comElasticsearch provides REST APIs that are used by the UI components and can be called directly to configure and access Elasticsearch features.
Documentation source and versions
This documentation is derived from the 8.18 branch of the elasticsearch-specification repository. It is provided under license Attribution-NonCommercial-NoDerivatives 4.0 International.
This documentation contains work-in-progress information for future Elastic Stack releases.
Last update on Apr 15, 2025.
This API is provided under license Apache 2.0.
Get datafeeds
Added in 7.7.0
Get configuration and usage information about datafeeds.
This API returns a maximum of 10,000 datafeeds.
If the Elasticsearch security features are enabled, you must have monitor_ml, monitor, manage_ml, or manage
cluster privileges to use this API.
IMPORTANT: CAT APIs are only intended for human consumption using the Kibana console or command line. They are not intended for use by applications. For application consumption, use the get datafeed statistics API.
Path parameters
-
datafeed_id
string Required A numerical character string that uniquely identifies the datafeed.
Query parameters
-
allow_no_match
boolean Specifies what to do when the request:
- Contains wildcard expressions and there are no datafeeds that match.
- Contains the
_allstring or no identifiers and there are no matches. - Contains wildcard expressions and there are only partial matches.
If
true, the API returns an empty datafeeds array when there are no matches and the subset of results when there are partial matches. Iffalse, the API returns a 404 status code when there are no matches or only partial matches. -
h
string | array[string] Comma-separated list of column names to display.
-
s
string | array[string] Comma-separated list of column names or column aliases used to sort the response.
-
time
string The unit used to display time values.
Values are
nanos,micros,ms,s,m,h, ord.
curl \
--request GET 'http://api.example.com/_cat/ml/datafeeds/{datafeed_id}' \
--header "Authorization: $API_KEY"[
{
"id": "datafeed-high_sum_total_sales",
"state": "stopped",
"buckets.count": "743",
"search.count": "7"
},
{
"id": "datafeed-low_request_rate",
"state": "stopped",
"buckets.count": "1457",
"search.count": "3"
},
{
"id": "datafeed-response_code_rates",
"state": "stopped",
"buckets.count": "1460",
"search.count": "18"
},
{
"id": "datafeed-url_scanning",
"state": "stopped",
"buckets.count": "1460",
"search.count": "18"
}
]
Clear cluster voting config exclusions
Added in 7.0.0
Remove master-eligible nodes from the voting configuration exclusion list.
Query parameters
-
master_timeout
string Period to wait for a connection to the master node.
-
wait_for_removal
boolean Specifies whether to wait for all excluded nodes to be removed from the cluster before clearing the voting configuration exclusions list. Defaults to true, meaning that all excluded nodes must be removed from the cluster before this API takes any action. If set to false then the voting configuration exclusions list is cleared even if some excluded nodes are still in the cluster.
curl \
--request DELETE 'http://api.example.com/_cluster/voting_config_exclusions' \
--header "Authorization: $API_KEY"
Convert an index alias to a data stream
Added in 7.9.0
Converts an index alias to a data stream.
You must have a matching index template that is data stream enabled.
The alias must meet the following criteria:
The alias must have a write index;
All indices for the alias must have a @timestamp field mapping of a date or date_nanos field type;
The alias must not have any filters;
The alias must not use custom routing.
If successful, the request removes the alias and creates a data stream with the same name.
The indices for the alias become hidden backing indices for the stream.
The write index for the alias becomes the write index for the stream.
Path parameters
-
name
string Required Name of the index alias to convert to a data stream.
Query parameters
-
master_timeout
string Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
-
timeout
string Period to wait for a response. If no response is received before the timeout expires, the request fails and returns an error.
curl \
--request POST 'http://api.example.com/_data_stream/_migrate/{name}' \
--header "Authorization: $API_KEY"{
"acknowledged": true
}
Update documents
Added in 2.4.0
Updates documents that match the specified query. If no query is specified, performs an update on every document in the data stream or index without modifying the source, which is useful for picking up mapping changes.
If the Elasticsearch security features are enabled, you must have the following index privileges for the target data stream, index, or alias:
readindexorwrite
You can specify the query criteria in the request URI or the request body using the same syntax as the search API.
When you submit an update by query request, Elasticsearch gets a snapshot of the data stream or index when it begins processing the request and updates matching documents using internal versioning.
When the versions match, the document is updated and the version number is incremented.
If a document changes between the time that the snapshot is taken and the update operation is processed, it results in a version conflict and the operation fails.
You can opt to count version conflicts instead of halting and returning by setting conflicts to proceed.
Note that if you opt to count version conflicts, the operation could attempt to update more documents from the source than max_docs until it has successfully updated max_docs documents or it has gone through every document in the source query.
NOTE: Documents with a version equal to 0 cannot be updated using update by query because internal versioning does not support 0 as a valid version number.
While processing an update by query request, Elasticsearch performs multiple search requests sequentially to find all of the matching documents. A bulk update request is performed for each batch of matching documents. Any query or update failures cause the update by query request to fail and the failures are shown in the response. Any update requests that completed successfully still stick, they are not rolled back.
Throttling update requests
To control the rate at which update by query issues batches of update operations, you can set requests_per_second to any positive decimal number.
This pads each batch with a wait time to throttle the rate.
Set requests_per_second to -1 to turn off throttling.
Throttling uses a wait time between batches so that the internal scroll requests can be given a timeout that takes the request padding into account.
The padding time is the difference between the batch size divided by the requests_per_second and the time spent writing.
By default the batch size is 1000, so if requests_per_second is set to 500:
target_time = 1000 / 500 per second = 2 seconds
wait_time = target_time - write_time = 2 seconds - .5 seconds = 1.5 seconds
Since the batch is issued as a single _bulk request, large batch sizes cause Elasticsearch to create many requests and wait before starting the next set. This is "bursty" instead of "smooth".
Slicing
Update by query supports sliced scroll to parallelize the update process. This can improve efficiency and provide a convenient way to break the request down into smaller parts.
Setting slices to auto chooses a reasonable number for most data streams and indices.
This setting will use one slice per shard, up to a certain limit.
If there are multiple source data streams or indices, it will choose the number of slices based on the index or backing index with the smallest number of shards.
Adding slices to _update_by_query just automates the manual process of creating sub-requests, which means it has some quirks:
- You can see these requests in the tasks APIs. These sub-requests are "child" tasks of the task for the request with slices.
- Fetching the status of the task for the request with
slicesonly contains the status of completed slices. - These sub-requests are individually addressable for things like cancellation and rethrottling.
- Rethrottling the request with
sliceswill rethrottle the unfinished sub-request proportionally. - Canceling the request with slices will cancel each sub-request.
- Due to the nature of slices each sub-request won't get a perfectly even portion of the documents. All documents will be addressed, but some slices may be larger than others. Expect larger slices to have a more even distribution.
- Parameters like
requests_per_secondandmax_docson a request with slices are distributed proportionally to each sub-request. Combine that with the point above about distribution being uneven and you should conclude that usingmax_docswithslicesmight not result in exactlymax_docsdocuments being updated. - Each sub-request gets a slightly different snapshot of the source data stream or index though these are all taken at approximately the same time.
If you're slicing manually or otherwise tuning automatic slicing, keep in mind that:
- Query performance is most efficient when the number of slices is equal to the number of shards in the index or backing index. If that number is large (for example, 500), choose a lower number as too many slices hurts performance. Setting slices higher than the number of shards generally does not improve efficiency and adds overhead.
- Update performance scales linearly across available resources with the number of slices.
Whether query or update performance dominates the runtime depends on the documents being reindexed and cluster resources.
Update the document source
Update by query supports scripts to update the document source.
As with the update API, you can set ctx.op to change the operation that is performed.
Set ctx.op = "noop" if your script decides that it doesn't have to make any changes.
The update by query operation skips updating the document and increments the noop counter.
Set ctx.op = "delete" if your script decides that the document should be deleted.
The update by query operation deletes the document and increments the deleted counter.
Update by query supports only index, noop, and delete.
Setting ctx.op to anything else is an error.
Setting any other field in ctx is an error.
This API enables you to only modify the source of matching documents; you cannot move them.
Path parameters
-
index
string | array[string] Required A comma-separated list of data streams, indices, and aliases to search. It supports wildcards (
*). To search all data streams or indices, omit this parameter or use*or_all.
Query parameters
-
allow_no_indices
boolean If
false, the request returns an error if any wildcard expression, index alias, or_allvalue targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targetingfoo*,bar*returns an error if an index starts withfoobut no index starts withbar. -
analyzer
string The analyzer to use for the query string. This parameter can be used only when the
qquery string parameter is specified. -
analyze_wildcard
boolean If
true, wildcard and prefix queries are analyzed. This parameter can be used only when theqquery string parameter is specified. -
conflicts
string The preferred behavior when update by query hits version conflicts:
abortorproceed.Values are
abortorproceed. -
default_operator
string The default operator for query string query:
ANDorOR. This parameter can be used only when theqquery string parameter is specified.Values are
and,AND,or, orOR. -
df
string The field to use as default where no field prefix is given in the query string. This parameter can be used only when the
qquery string parameter is specified. -
expand_wildcards
string | array[string] The type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. It supports comma-separated values, such as
open,hidden. Valid values are:all,open,closed,hidden,none. -
from
number Skips the specified number of documents.
-
lenient
boolean If
true, format-based query failures (such as providing text to a numeric field) in the query string will be ignored. This parameter can be used only when theqquery string parameter is specified. -
max_docs
number The maximum number of documents to process. It defaults to all documents. When set to a value less then or equal to
scroll_sizethen a scroll will not be used to retrieve the results for the operation. -
pipeline
string The ID of the pipeline to use to preprocess incoming documents. If the index has a default ingest pipeline specified, then setting the value to
_nonedisables the default ingest pipeline for this request. If a final pipeline is configured it will always run, regardless of the value of this parameter. -
preference
string The node or shard the operation should be performed on. It is random by default.
-
q
string A query in the Lucene query string syntax.
-
refresh
boolean If
true, Elasticsearch refreshes affected shards to make the operation visible to search after the request completes. This is different than the update API'srefreshparameter, which causes just the shard that received the request to be refreshed. -
request_cache
boolean If
true, the request cache is used for this request. It defaults to the index-level setting. -
requests_per_second
number The throttle for this request in sub-requests per second.
-
routing
string A custom value used to route operations to a specific shard.
-
scroll
string The period to retain the search context for scrolling.
-
scroll_size
number The size of the scroll request that powers the operation.
-
search_timeout
string An explicit timeout for each search request. By default, there is no timeout.
-
search_type
string The type of the search operation. Available options include
query_then_fetchanddfs_query_then_fetch.Values are
query_then_fetchordfs_query_then_fetch. -
slices
number | string The number of slices this task should be divided into.
-
sort
array[string] A comma-separated list of : pairs.
-
stats
array[string] The specific
tagof the request for logging and statistical purposes. -
terminate_after
number The maximum number of documents to collect for each shard. If a query reaches this limit, Elasticsearch terminates the query early. Elasticsearch collects documents before sorting.
IMPORTANT: Use with caution. Elasticsearch applies this parameter to each shard handling the request. When possible, let Elasticsearch perform early termination automatically. Avoid specifying this parameter for requests that target data streams with backing indices across multiple data tiers.
-
timeout
string The period each update request waits for the following operations: dynamic mapping updates, waiting for active shards. By default, it is one minute. This guarantees Elasticsearch waits for at least the timeout before failing. The actual wait time could be longer, particularly when multiple waits occur.
-
version
boolean If
true, returns the document version as part of a hit. -
version_type
boolean Should the document increment the version number (internal) on hit or not (reindex)
-
wait_for_active_shards
number | string The number of shard copies that must be active before proceeding with the operation. Set to
allor any positive integer up to the total number of shards in the index (number_of_replicas+1). Thetimeoutparameter controls how long each write request waits for unavailable shards to become available. Both work exactly the way they work in the bulk API. -
wait_for_completion
boolean If
true, the request blocks until the operation is complete. Iffalse, Elasticsearch performs some preflight checks, launches the request, and returns a task ID that you can use to cancel or get the status of the task. Elasticsearch creates a record of this task as a document at.tasks/task/${taskId}.
curl \
--request POST 'http://api.example.com/{index}/_update_by_query' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\n \"query\": { \n \"term\": {\n \"user.id\": \"kimchy\"\n }\n }\n}"'{
"query": {
"term": {
"user.id": "kimchy"
}
}
}{
"script": {
"source": "ctx._source.count++",
"lang": "painless"
},
"query": {
"term": {
"user.id": "kimchy"
}
}
}{
"slice": {
"id": 0,
"max": 2
},
"script": {
"source": "ctx._source['extra'] = 'test'"
}
}{
"script": {
"source": "ctx._source['extra'] = 'test'"
}
}{
"batches": 42.0,
"failures": [
{
"cause": {
"type": "string",
"reason": "string",
"stack_trace": "string",
"caused_by": {},
"root_cause": [
{}
],
"suppressed": [
{}
]
},
"id": "string",
"index": "string",
"status": 42.0
}
],
"noops": 42.0,
"deleted": 42.0,
"requests_per_second": 42.0,
"retries": {
"bulk": 42.0,
"search": 42.0
},
"": 42.0,
"timed_out": true,
"total": 42.0,
"updated": 42.0,
"version_conflicts": 42.0,
"throttled": "string",
"throttled_until": "string"
}
Get async EQL search results
Added in 7.9.0
Get the current status and available results for an async EQL search or a stored synchronous EQL search.
Path parameters
-
id
string Required Identifier for the search.
Query parameters
-
keep_alive
string Period for which the search and its results are stored on the cluster. Defaults to the keep_alive value set by the search’s EQL search API request.
-
wait_for_completion_timeout
string Timeout duration to wait for the request to finish. Defaults to no timeout, meaning the request waits for complete search results.
curl \
--request GET 'http://api.example.com/_eql/search/{id}' \
--header "Authorization: $API_KEY"{
"id": "string",
"is_partial": true,
"is_running": true,
"": 42.0,
"timed_out": true,
"hits": {
"total": {
"relation": "eq",
"value": 42.0
},
"events": [
{
"_index": "string",
"_id": "string",
"_source": {},
"missing": true,
"fields": {
"additionalProperty1": [
{}
],
"additionalProperty2": [
{}
]
}
}
],
"sequences": [
{
"events": [
{
"_index": "string",
"_id": "string",
"_source": {},
"missing": true,
"fields": {}
}
],
"join_keys": [
{}
]
}
]
},
"shard_failures": [
{
"index": "string",
"node": "string",
"reason": {
"type": "string",
"reason": "string",
"stack_trace": "string",
"caused_by": {},
"root_cause": [
{}
],
"suppressed": [
{}
]
},
"shard": 42.0,
"status": "string"
}
]
}Get index settings
Get setting information for one or more indices. For data streams, it returns setting information for the stream's backing indices.
Path parameters
-
name
string | array[string] Required Comma-separated list or wildcard expression of settings to retrieve.
Query parameters
-
allow_no_indices
boolean If
false, the request returns an error if any wildcard expression, index alias, or_allvalue targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targetingfoo*,bar*returns an error if an index starts with foo but no index starts withbar. -
expand_wildcards
string | array[string] Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as
open,hidden. -
flat_settings
boolean If
true, returns settings in flat format. -
include_defaults
boolean If
true, return all default settings in the response. -
local
boolean If
true, the request retrieves information from the local node only. Iffalse, information is retrieved from the master node. -
master_timeout
string Period to wait for a connection to the master node. If no response is received before the timeout expires, the request fails and returns an error.
curl \
--request GET 'http://api.example.com/_settings/{name}' \
--header "Authorization: $API_KEY"{
"*": {
"aliases": {
"additionalProperty1": {
"filter": {},
"index_routing": "string",
"is_hidden": true,
"is_write_index": true,
"routing": "string",
"search_routing": "string"
},
"additionalProperty2": {
"filter": {},
"index_routing": "string",
"is_hidden": true,
"is_write_index": true,
"routing": "string",
"search_routing": "string"
}
},
"mappings": {
"all_field": {
"analyzer": "string",
"enabled": true,
"omit_norms": true,
"search_analyzer": "string",
"similarity": "string",
"store": true,
"store_term_vector_offsets": true,
"store_term_vector_payloads": true,
"store_term_vector_positions": true,
"store_term_vectors": true
},
"date_detection": true,
"dynamic": "strict",
"dynamic_date_formats": [
"string"
],
"dynamic_templates": [
{}
],
"_field_names": {
"enabled": true
},
"index_field": {
"enabled": true
},
"_meta": {
"additionalProperty1": {},
"additionalProperty2": {}
},
"numeric_detection": true,
"properties": {},
"_routing": {
"required": true
},
"_size": {
"enabled": true
},
"_source": {
"compress": true,
"compress_threshold": "string",
"enabled": true,
"excludes": [
"string"
],
"includes": [
"string"
],
"mode": "disabled"
},
"runtime": {
"additionalProperty1": {
"fields": {
"additionalProperty1": {},
"additionalProperty2": {}
},
"fetch_fields": [
{}
],
"format": "string",
"input_field": "string",
"target_field": "string",
"target_index": "string",
"script": {
"source": "string",
"id": "string",
"params": {},
"options": {}
},
"type": "boolean"
},
"additionalProperty2": {
"fields": {
"additionalProperty1": {},
"additionalProperty2": {}
},
"fetch_fields": [
{}
],
"format": "string",
"input_field": "string",
"target_field": "string",
"target_index": "string",
"script": {
"source": "string",
"id": "string",
"params": {},
"options": {}
},
"type": "boolean"
}
},
"enabled": true,
"subobjects": "true",
"_data_stream_timestamp": {
"enabled": true
}
},
"settings": {
"index": {},
"mode": "string",
"routing_path": "string",
"soft_deletes": {
"enabled": true,
"retention_lease": {
"period": "string"
}
},
"sort": {
"field": "string",
"order": "asc",
"mode": "min",
"missing": "_last"
},
"number_of_shards": 42.0,
"number_of_replicas": 42.0,
"number_of_routing_shards": 42.0,
"check_on_startup": "true",
"codec": "string",
"": "string",
"load_fixed_bitset_filters_eagerly": true,
"hidden": true,
"auto_expand_replicas": "string",
"merge": {
"scheduler": {
"": 42.0
}
},
"search": {
"idle": {
"after": "string"
},
"slowlog": {
"level": "string",
"source": 42.0,
"reformat": true,
"threshold": {
"query": {},
"fetch": {}
}
}
},
"refresh_interval": "string",
"max_result_window": 42.0,
"max_inner_result_window": 42.0,
"max_rescore_window": 42.0,
"max_docvalue_fields_search": 42.0,
"max_script_fields": 42.0,
"max_ngram_diff": 42.0,
"max_shingle_diff": 42.0,
"blocks": {
"": true
},
"max_refresh_listeners": 42.0,
"analyze": {
"": 42.0
},
"highlight": {
"max_analyzed_offset": 42.0
},
"max_terms_count": 42.0,
"max_regex_length": 42.0,
"routing": {
"allocation": {
"enable": "all",
"include": {
"_tier_preference": "string",
"_id": "string"
},
"initial_recovery": {
"_id": "string"
},
"disk": {}
},
"rebalance": {
"enable": "all"
}
},
"gc_deletes": "string",
"default_pipeline": "string",
"final_pipeline": "string",
"lifecycle": {
"name": "string",
"": true,
"origination_date": 42.0,
"parse_origination_date": true,
"step": {
"wait_time_threshold": "string"
},
"rollover_alias": "string",
"prefer_ilm": true
},
"provided_name": "string",
"uuid": "string",
"version": {
"created": "string",
"created_string": "string"
},
"verified_before_close": true,
"format": "string",
"max_slices_per_scroll": 42.0,
"translog": {
"sync_interval": "string",
"durability": "request",
"": 42.0,
"retention": {
"": 42.0,
"age": "string"
}
},
"query_string": {
"": true
},
"priority": 42.0,
"top_metrics_max_size": 42.0,
"analysis": {
"analyzer": {},
"char_filter": {},
"filter": {},
"normalizer": {},
"tokenizer": {}
},
"settings": {},
"time_series": {
"": "string"
},
"queries": {
"cache": {
"enabled": true
}
},
"similarity": {},
"mapping": {
"coerce": true,
"total_fields": {
"limit": 42.0,
"ignore_dynamic_beyond_limit": true
},
"depth": {
"limit": 42.0
},
"nested_fields": {
"limit": 42.0
},
"nested_objects": {
"limit": 42.0
},
"field_name_length": {
"limit": 42.0
},
"dimension_fields": {
"limit": 42.0
},
"source": {
"mode": "disabled"
},
"ignore_malformed": true
},
"indexing.slowlog": {
"level": "string",
"source": 42.0,
"reformat": true,
"threshold": {
"index": {
"warn": "string",
"info": "string",
"debug": "string",
"trace": "string"
}
}
},
"indexing_pressure": {
"memory": {
"limit": 42.0
}
},
"store": {
"": "fs",
"allow_mmap": true
}
},
"defaults": {
"index": {},
"mode": "string",
"routing_path": "string",
"soft_deletes": {
"enabled": true,
"retention_lease": {
"period": "string"
}
},
"sort": {
"field": "string",
"order": "asc",
"mode": "min",
"missing": "_last"
},
"number_of_shards": 42.0,
"number_of_replicas": 42.0,
"number_of_routing_shards": 42.0,
"check_on_startup": "true",
"codec": "string",
"": "string",
"load_fixed_bitset_filters_eagerly": true,
"hidden": true,
"auto_expand_replicas": "string",
"merge": {
"scheduler": {
"": 42.0
}
},
"search": {
"idle": {
"after": "string"
},
"slowlog": {
"level": "string",
"source": 42.0,
"reformat": true,
"threshold": {
"query": {},
"fetch": {}
}
}
},
"refresh_interval": "string",
"max_result_window": 42.0,
"max_inner_result_window": 42.0,
"max_rescore_window": 42.0,
"max_docvalue_fields_search": 42.0,
"max_script_fields": 42.0,
"max_ngram_diff": 42.0,
"max_shingle_diff": 42.0,
"blocks": {
"": true
},
"max_refresh_listeners": 42.0,
"analyze": {
"": 42.0
},
"highlight": {
"max_analyzed_offset": 42.0
},
"max_terms_count": 42.0,
"max_regex_length": 42.0,
"routing": {
"allocation": {
"enable": "all",
"include": {
"_tier_preference": "string",
"_id": "string"
},
"initial_recovery": {
"_id": "string"
},
"disk": {}
},
"rebalance": {
"enable": "all"
}
},
"gc_deletes": "string",
"default_pipeline": "string",
"final_pipeline": "string",
"lifecycle": {
"name": "string",
"": true,
"origination_date": 42.0,
"parse_origination_date": true,
"step": {
"wait_time_threshold": "string"
},
"rollover_alias": "string",
"prefer_ilm": true
},
"provided_name": "string",
"uuid": "string",
"version": {
"created": "string",
"created_string": "string"
},
"verified_before_close": true,
"format": "string",
"max_slices_per_scroll": 42.0,
"translog": {
"sync_interval": "string",
"durability": "request",
"": 42.0,
"retention": {
"": 42.0,
"age": "string"
}
},
"query_string": {
"": true
},
"priority": 42.0,
"top_metrics_max_size": 42.0,
"analysis": {
"analyzer": {},
"char_filter": {},
"filter": {},
"normalizer": {},
"tokenizer": {}
},
"settings": {},
"time_series": {
"": "string"
},
"queries": {
"cache": {
"enabled": true
}
},
"similarity": {},
"mapping": {
"coerce": true,
"total_fields": {
"limit": 42.0,
"ignore_dynamic_beyond_limit": true
},
"depth": {
"limit": 42.0
},
"nested_fields": {
"limit": 42.0
},
"nested_objects": {
"limit": 42.0
},
"field_name_length": {
"limit": 42.0
},
"dimension_fields": {
"limit": 42.0
},
"source": {
"mode": "disabled"
},
"ignore_malformed": true
},
"indexing.slowlog": {
"level": "string",
"source": 42.0,
"reformat": true,
"threshold": {
"index": {
"warn": "string",
"info": "string",
"debug": "string",
"trace": "string"
}
}
},
"indexing_pressure": {
"memory": {
"limit": 42.0
}
},
"store": {
"": "fs",
"allow_mmap": true
}
},
"data_stream": "string",
"lifecycle": {
"data_retention": "string",
"downsampling": {
"rounds": [
{
"after": "string",
"config": {}
}
]
},
"enabled": true
}
}
}Get index shard stores
Get store information about replica shards in one or more indices. For data streams, the API retrieves store information for the stream's backing indices.
The index shard stores API returns the following information:
- The node on which each replica shard exists.
- The allocation ID for each replica shard.
- A unique ID for each replica shard.
- Any errors encountered while opening the shard index or from an earlier failure.
By default, the API returns store information only for primary shards that are unassigned or have one or more unassigned replica shards.
Path parameters
-
index
string | array[string] Required List of data streams, indices, and aliases used to limit the request.
Query parameters
-
allow_no_indices
boolean If false, the request returns an error if any wildcard expression, index alias, or _all value targets only missing or closed indices. This behavior applies even if the request targets other open indices.
-
expand_wildcards
string | array[string] Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams.
-
status
string | array[string] List of shard health statuses used to limit the request.
curl \
--request GET 'http://api.example.com/{index}/_shard_stores' \
--header "Authorization: $API_KEY"{
"indices": {
"my-index-000001": {
"shards": {
"0": {
"stores": [
{
"sPa3OgxLSYGvQ4oPs-Tajw": {
"name": "node_t0",
"ephemeral_id": "9NlXRFGCT1m8tkvYCMK-8A",
"transport_address": "local[1]",
"external_id": "node_t0",
"attributes": {},
"roles": [],
"version": "8.10.0",
"min_index_version": 7000099,
"max_index_version": 8100099
},
"allocation_id": "2iNySv_OQVePRX-yaRH_lQ",
"allocation": "primary",
"store_exception": {}
}
]
}
}
}
}
}
Simulate a pipeline
Added in 5.0.0
Run an ingest pipeline against a set of provided documents. You can either specify an existing pipeline to use with the provided documents or supply a pipeline definition in the body of the request.
Query parameters
-
verbose
boolean If
true, the response includes output data for each processor in the executed pipeline.
curl \
--request GET 'http://api.example.com/_ingest/pipeline/_simulate' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\n \"pipeline\" :\n {\n \"description\": \"_description\",\n \"processors\": [\n {\n \"set\" : {\n \"field\" : \"field2\",\n \"value\" : \"_value\"\n }\n }\n ]\n },\n \"docs\": [\n {\n \"_index\": \"index\",\n \"_id\": \"id\",\n \"_source\": {\n \"foo\": \"bar\"\n }\n },\n {\n \"_index\": \"index\",\n \"_id\": \"id\",\n \"_source\": {\n \"foo\": \"rab\"\n }\n }\n ]\n}"'{
"pipeline" :
{
"description": "_description",
"processors": [
{
"set" : {
"field" : "field2",
"value" : "_value"
}
}
]
},
"docs": [
{
"_index": "index",
"_id": "id",
"_source": {
"foo": "bar"
}
},
{
"_index": "index",
"_id": "id",
"_source": {
"foo": "rab"
}
}
]
}{
"docs": [
{
"doc": {
"_id": "id",
"_index": "index",
"_version": "-3",
"_source": {
"field2": "_value",
"foo": "bar"
},
"_ingest": {
"timestamp": "2017-05-04T22:30:03.187Z"
}
}
},
{
"doc": {
"_id": "id",
"_index": "index",
"_version": "-3",
"_source": {
"field2": "_value",
"foo": "rab"
},
"_ingest": {
"timestamp": "2017-05-04T22:30:03.188Z"
}
}
}
]
}
Clear trained model deployment cache
Added in 8.5.0
Cache will be cleared on all nodes where the trained model is assigned. A trained model deployment may have an inference cache enabled. As requests are handled by each allocated node, their responses may be cached on that individual node. Calling this API clears the caches without restarting the deployment.
Path parameters
-
model_id
string Required The unique identifier of the trained model.
curl \
--request POST 'http://api.example.com/_ml/trained_models/{model_id}/deployment/cache/_clear' \
--header "Authorization: $API_KEY"{
"cleared": true
}
Get the field capabilities
Added in 5.4.0
Get information about the capabilities of fields among multiple indices.
For data streams, the API returns field capabilities among the stream’s backing indices.
It returns runtime fields like any other field.
For example, a runtime field with a type of keyword is returned the same as any other field that belongs to the keyword family.
Query parameters
-
allow_no_indices
boolean If false, the request returns an error if any wildcard expression, index alias, or
_allvalue targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targetingfoo*,bar*returns an error if an index starts with foo but no index starts with bar. -
expand_wildcards
string | array[string] The type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as
open,hidden. -
fields
string | array[string] A comma-separated list of fields to retrieve capabilities for. Wildcard (
*) expressions are supported. -
include_unmapped
boolean If true, unmapped fields are included in the response.
-
filters
string A comma-separated list of filters to apply to the response.
-
types
array[string] A comma-separated list of field types to include. Any fields that do not match one of these types will be excluded from the results. It defaults to empty, meaning that all field types are returned.
-
include_empty_fields
boolean If false, empty fields are not included in the response.
Body
-
fields
string | array[string] -
index_filter
object An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
External documentation -
runtime_mappings
object
curl \
--request POST 'http://api.example.com/_field_caps' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\n \"index_filter\": {\n \"range\": {\n \"@timestamp\": {\n \"gte\": \"2018\"\n }\n }\n }\n}"'{
"index_filter": {
"range": {
"@timestamp": {
"gte": "2018"
}
}
}
}{
"indices": [ "index1", "index2", "index3", "index4", "index5" ],
"fields": {
"rating": {
"long": {
"metadata_field": false,
"searchable": true,
"aggregatable": false,
"indices": [ "index1", "index2" ],
"non_aggregatable_indices": [ "index1" ]
},
"keyword": {
"metadata_field": false,
"searchable": false,
"aggregatable": true,
"indices": [ "index3", "index4" ],
"non_searchable_indices": [ "index4" ]
}
},
"title": {
"text": {
"metadata_field": false,
"searchable": true,
"aggregatable": false
}
}
}
}{
"indices": [ "index1", "index2", "index3", "index4", "index5" ],
"fields": {
"rating": {
"long": {
"metadata_field": false,
"searchable": true,
"aggregatable": false,
"indices": [ "index1", "index2" ],
"non_aggregatable_indices": [ "index1" ]
},
"keyword": {
"metadata_field": false,
"searchable": false,
"aggregatable": true,
"indices": [ "index3", "index4" ],
"non_searchable_indices": [ "index4" ]
}
},
"title": {
"text": {
"metadata_field": false,
"searchable": true,
"aggregatable": false
}
}
}
}
Get the field capabilities
Added in 5.4.0
Get information about the capabilities of fields among multiple indices.
For data streams, the API returns field capabilities among the stream’s backing indices.
It returns runtime fields like any other field.
For example, a runtime field with a type of keyword is returned the same as any other field that belongs to the keyword family.
Path parameters
-
index
string | array[string] Required A comma-separated list of data streams, indices, and aliases used to limit the request. Supports wildcards (*). To target all data streams and indices, omit this parameter or use * or _all.
Query parameters
-
allow_no_indices
boolean If false, the request returns an error if any wildcard expression, index alias, or
_allvalue targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targetingfoo*,bar*returns an error if an index starts with foo but no index starts with bar. -
expand_wildcards
string | array[string] The type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as
open,hidden. -
fields
string | array[string] A comma-separated list of fields to retrieve capabilities for. Wildcard (
*) expressions are supported. -
include_unmapped
boolean If true, unmapped fields are included in the response.
-
filters
string A comma-separated list of filters to apply to the response.
-
types
array[string] A comma-separated list of field types to include. Any fields that do not match one of these types will be excluded from the results. It defaults to empty, meaning that all field types are returned.
-
include_empty_fields
boolean If false, empty fields are not included in the response.
Body
-
fields
string | array[string] -
index_filter
object An Elasticsearch Query DSL (Domain Specific Language) object that defines a query.
External documentation -
runtime_mappings
object
curl \
--request POST 'http://api.example.com/{index}/_field_caps' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\n \"index_filter\": {\n \"range\": {\n \"@timestamp\": {\n \"gte\": \"2018\"\n }\n }\n }\n}"'{
"index_filter": {
"range": {
"@timestamp": {
"gte": "2018"
}
}
}
}{
"indices": [ "index1", "index2", "index3", "index4", "index5" ],
"fields": {
"rating": {
"long": {
"metadata_field": false,
"searchable": true,
"aggregatable": false,
"indices": [ "index1", "index2" ],
"non_aggregatable_indices": [ "index1" ]
},
"keyword": {
"metadata_field": false,
"searchable": false,
"aggregatable": true,
"indices": [ "index3", "index4" ],
"non_searchable_indices": [ "index4" ]
}
},
"title": {
"text": {
"metadata_field": false,
"searchable": true,
"aggregatable": false
}
}
}
}{
"indices": [ "index1", "index2", "index3", "index4", "index5" ],
"fields": {
"rating": {
"long": {
"metadata_field": false,
"searchable": true,
"aggregatable": false,
"indices": [ "index1", "index2" ],
"non_aggregatable_indices": [ "index1" ]
},
"keyword": {
"metadata_field": false,
"searchable": false,
"aggregatable": true,
"indices": [ "index3", "index4" ],
"non_searchable_indices": [ "index4" ]
}
},
"title": {
"text": {
"metadata_field": false,
"searchable": true,
"aggregatable": false
}
}
}
}Get the search shards
Get the indices and shards that a search request would be run against.
This information can be useful for working out issues or planning optimizations with routing and shard preferences.
When filtered aliases are used, the filter is returned as part of the indices section.
If the Elasticsearch security features are enabled, you must have the view_index_metadata or manage index privilege for the target data stream, index, or alias.
Path parameters
-
index
string | array[string] Required A comma-separated list of data streams, indices, and aliases to search. It supports wildcards (
*). To search all data streams and indices, omit this parameter or use*or_all.
Query parameters
-
allow_no_indices
boolean If
false, the request returns an error if any wildcard expression, index alias, or_allvalue targets only missing or closed indices. This behavior applies even if the request targets other open indices. For example, a request targetingfoo*,bar*returns an error if an index starts withfoobut no index starts withbar. -
expand_wildcards
string | array[string] Type of index that wildcard patterns can match. If the request can target data streams, this argument determines whether wildcard expressions match hidden data streams. Supports comma-separated values, such as
open,hidden. Valid values are:all,open,closed,hidden,none. -
local
boolean If
true, the request retrieves information from the local node only. -
master_timeout
string The period to wait for a connection to the master node. If the master node is not available before the timeout expires, the request fails and returns an error. IT can also be set to
-1to indicate that the request should never timeout. -
preference
string The node or shard the operation should be performed on. It is random by default.
-
routing
string A custom value used to route operations to a specific shard.
curl \
--request POST 'http://api.example.com/{index}/_search_shards' \
--header "Authorization: $API_KEY"{
"nodes": {},
"indices": {
"my-index-000001": { }
},
"shards": [
[
{
"index": "my-index-000001",
"node": "JklnKbD7Tyqi9TP3_Q_tBg",
"relocating_node": null,
"primary": true,
"shard": 0,
"state": "STARTED",
"allocation_id": {"id":"0TvkCyF7TAmM1wHP4a42-A"},
"relocation_failure_info" : {
"failed_attempts" : 0
}
}
],
[
{
"index": "my-index-000001",
"node": "JklnKbD7Tyqi9TP3_Q_tBg",
"relocating_node": null,
"primary": true,
"shard": 1,
"state": "STARTED",
"allocation_id": {"id":"fMju3hd1QHWmWrIgFnI4Ww"},
"relocation_failure_info" : {
"failed_attempts" : 0
}
}
],
[
{
"index": "my-index-000001",
"node": "JklnKbD7Tyqi9TP3_Q_tBg",
"relocating_node": null,
"primary": true,
"shard": 2,
"state": "STARTED",
"allocation_id": {"id":"Nwl0wbMBTHCWjEEbGYGapg"},
"relocation_failure_info" : {
"failed_attempts" : 0
}
}
],
[
{
"index": "my-index-000001",
"node": "JklnKbD7Tyqi9TP3_Q_tBg",
"relocating_node": null,
"primary": true,
"shard": 3,
"state": "STARTED",
"allocation_id": {"id":"bU_KLGJISbW0RejwnwDPKw"},
"relocation_failure_info" : {
"failed_attempts" : 0
}
}
],
[
{
"index": "my-index-000001",
"node": "JklnKbD7Tyqi9TP3_Q_tBg",
"relocating_node": null,
"primary": true,
"shard": 4,
"state": "STARTED",
"allocation_id": {"id":"DMs7_giNSwmdqVukF7UydA"},
"relocation_failure_info" : {
"failed_attempts" : 0
}
}
]
]
}Change passwords
Change the passwords of users in the native realm and built-in users.
Query parameters
-
refresh
string If
true(the default) then refresh the affected shards to make this operation visible to search, ifwait_forthen wait for a refresh to make this operation visible to search, iffalsethen do nothing with refreshes.Values are
true,false, orwait_for.
Body
Required
-
password
string -
password_hash
string A hash of the new password value. This must be produced using the same hashing algorithm as has been configured for password storage. For more details, see the explanation of the
xpack.security.authc.password_hashing.algorithmsetting.
curl \
--request POST 'http://api.example.com/_security/user/_password' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '"{\n \"password\" : \"new-test-password\"\n}"'{
"password" : "new-test-password"
}{}
Get API key information
Added in 6.7.0
Retrieves information for one or more API keys.
NOTE: If you have only the manage_own_api_key privilege, this API returns only the API keys that you own.
If you have read_security, manage_api_key or greater privileges (including manage_security), this API returns all API keys regardless of ownership.
Query parameters
-
id
string An API key id. This parameter cannot be used with any of
name,realm_nameorusername. -
name
string An API key name. This parameter cannot be used with any of
id,realm_nameorusername. It supports prefix search with wildcard. -
owner
boolean A boolean flag that can be used to query API keys owned by the currently authenticated user. The
realm_nameorusernameparameters cannot be specified when this parameter is set totrueas they are assumed to be the currently authenticated ones. -
realm_name
string The name of an authentication realm. This parameter cannot be used with either
idornameor whenownerflag is set totrue. -
username
string The username of a user. This parameter cannot be used with either
idornameor whenownerflag is set totrue. -
with_limited_by
boolean Return the snapshot of the owner user's role descriptors associated with the API key. An API key's actual permission is the intersection of its assigned role descriptors and the owner user's role descriptors.
-
active_only
boolean A boolean flag that can be used to query API keys that are currently active. An API key is considered active if it is neither invalidated, nor expired at query time. You can specify this together with other parameters such as
ownerorname. Ifactive_onlyis false, the response will include both active and inactive (expired or invalidated) keys. -
with_profile_uid
boolean Determines whether to also retrieve the profile uid, for the API key owner principal, if it exists.
curl \
--request GET 'http://api.example.com/_security/api_key' \
--header "Authorization: $API_KEY"{
"api_keys": [
{
"id": "VuaCfGcBCdbkQm-e5aOx",
"name": "my-api-key",
"creation": 1548550550158,
"expiration": 1548551550158,
"invalidated": false,
"username": "myuser",
"realm": "native1",
"realm_type": "native",
"metadata": {
"application": "myapp"
},
"role_descriptors": { },
"limited_by": [
{
"role-power-user": {
"cluster": [
"monitor"
],
"indices": [
{
"names": [
"*"
],
"privileges": [
"read"
],
"allow_restricted_indices": false
}
],
"applications": [ ],
"run_as": [ ],
"metadata": { },
"transient_metadata": {
"enabled": true
}
}
}
]
}
]
}{
"api_keys": [
{
"id": "0GF5GXsBCXxz2eDxWwFN",
"name": "hadoop_myuser_key",
"creation": 1548550550158,
"expiration": 1548551550158,
"invalidated": false,
"username": "myuser",
"realm": "native1",
"realm_type": "native",
"metadata": {
"application": "myapp"
},
"role_descriptors": {
"role-a": {
"cluster": [
"monitor"
],
"indices": [
{
"names": [
"index-a"
],
"privileges": [
"read"
],
"allow_restricted_indices": false
}
],
"applications": [ ],
"run_as": [ ],
"metadata": { },
"transient_metadata": {
"enabled": true
}
}
}
},
{
"id": "6wHJmcQpReKBa42EHV5SBw",
"name": "api-key-name-2",
"creation": 1548550550158,
"invalidated": false,
"username": "user-y",
"realm": "realm-2",
"metadata": {},
"role_descriptors": { }
}
]
}Create a service account token
Create a service accounts token for access without requiring basic authentication.
NOTE: Service account tokens never expire. You must actively delete them if they are no longer needed.
Path parameters
-
namespace
string Required The name of the namespace, which is a top-level grouping of service accounts.
-
service
string Required The name of the service.
-
name
string Required The name for the service account token. If omitted, a random name will be generated.
Token names must be at least one and no more than 256 characters. They can contain alphanumeric characters (a-z, A-Z, 0-9), dashes (
-), and underscores (_), but cannot begin with an underscore.NOTE: Token names must be unique in the context of the associated service account. They must also be globally unique with their fully qualified names, which are comprised of the service account principal and token name, such as
<namespace>/<service>/<token-name>.
Query parameters
-
refresh
string If
truethen refresh the affected shards to make this operation visible to search, ifwait_for(the default) then wait for a refresh to make this operation visible to search, iffalsethen do nothing with refreshes.Values are
true,false, orwait_for.
curl \
--request POST 'http://api.example.com/_security/service/{namespace}/{service}/credential/token/{name}' \
--header "Authorization: $API_KEY"{
"created": true,
"token": {
"name": "token1",
"value": "AAEAAWVsYXN0aWM...vZmxlZXQtc2VydmVyL3Rva2VuMTo3TFdaSDZ"
}
}
Get application privileges
Added in 6.4.0
To use this API, you must have one of the following privileges:
- The
read_securitycluster privilege (or a greater privilege such asmanage_securityorall). - The "Manage Application Privileges" global privilege for the application being referenced in the request.
Path parameters
-
application
string Required The name of the application. Application privileges are always associated with exactly one application. If you do not specify this parameter, the API returns information about all privileges for all applications.
-
name
string | array[string] Required The name of the privilege. If you do not specify this parameter, the API returns information about all privileges for the requested application.
curl \
--request GET 'http://api.example.com/_security/privilege/{application}/{name}' \
--header "Authorization: $API_KEY"{
"myapp": {
"read": {
"application": "myapp",
"name": "read",
"actions": [
"data:read/*",
"action:login"
],
"metadata": {
"description": "Read access to myapp"
}
}
}
}Query parameters
-
allow_no_match
boolean Specifies what to do when the request:
- Contains wildcard expressions and there are no transforms that match.
- Contains the _all string or no identifiers and there are no matches.
- Contains wildcard expressions and there are only partial matches.
If this parameter is false, the request returns a 404 status code when there are no matches or only partial matches.
-
from
number Skips the specified number of transforms.
-
size
number Specifies the maximum number of transforms to obtain.
-
exclude_generated
boolean Excludes fields that were automatically added when creating the transform. This allows the configuration to be in an acceptable format to be retrieved and then added to another cluster.
curl \
--request GET 'http://api.example.com/_transform' \
--header "Authorization: $API_KEY"{
"count": 1,
"transforms": [
{
"id": "ecommerce_transform1",
"authorization": {
"roles": [
"superuser"
]
},
"version": "8.4.0",
"create_time": 1656023416565,
"source": {
"index": [
"kibana_sample_data_ecommerce"
],
"query": {
"term": {
"geoip.continent_name": {
"value": "Asia"
}
}
}
},
"dest": {
"index": "kibana_sample_data_ecommerce_transform1",
"pipeline": "add_timestamp_pipeline"
},
"frequency": "5m",
"sync": {
"time": {
"field": "order_date",
"delay": "60s"
}
},
"pivot": {
"group_by": {
"customer_id": {
"terms": {
"field": "customer_id"
}
}
},
"aggregations": {
"max_price": {
"max": {
"field": "taxful_total_price"
}
}
}
},
"description": "Maximum priced ecommerce data by customer_id in Asia",
"settings": {},
"retention_policy": {
"time": {
"field": "order_date",
"max_age": "30d"
}
}
}
]
}