Preview datafeeds API

Preview datafeeds API

New API reference

For the most up-to-date API details, refer to Machine learning anomaly detection APIs.

Previews a datafeed.

Request

GET _ml/datafeeds/<datafeed_id>/_preview

POST _ml/datafeeds/<datafeed_id>/_preview

GET _ml/datafeeds/_preview

POST _ml/datafeeds/_preview

Prerequisites

Requires the following privileges:

  • cluster: manage_ml (the machine_learning_admin built-in role grants this privilege)
  • source index configured in the datafeed: read.

Description

The preview datafeeds API returns the first “page” of search results from a datafeed. You can preview an existing datafeed or provide configuration details for the datafeed and anomaly detection job in the API. The preview shows the structure of the data that will be passed to the anomaly detection engine.

When Elasticsearch security features are enabled, the datafeed query is previewed using the credentials of the user calling the preview datafeed API. When the datafeed is started it runs the query using the roles of the last user to create or update it. If the two sets of roles differ then the preview may not accurately reflect what the datafeed will return when started. To avoid such problems, the same user that creates or updates the datafeed should preview it to ensure it is returning the expected data. Alternatively, use secondary authorization headers to supply the credentials.

Path parameters

<datafeed_id>

(Optional, string) A numerical character string that uniquely identifies the datafeed. This identifier can contain lowercase alphanumeric characters (a-z and 0-9), hyphens, and underscores. It must start and end with alphanumeric characters.

If you provide the <datafeed_id> as a path parameter, you cannot provide datafeed or anomaly detection job configuration details in the request body.

Query parameters

end

(Optional, string) The time that the datafeed preview should end. The preview may not go to the end of the provided value as only the first page of results are returned. The time can be specified by using one of the following formats:

  • ISO 8601 format with milliseconds, for example 2017-01-22T06:00:00.000Z
  • ISO 8601 format without milliseconds, for example 2017-01-22T06:00:00+00:00
  • Milliseconds since the epoch, for example 1485061200000

Date-time arguments using either of the ISO 8601 formats must have a time zone designator, where Z is accepted as an abbreviation for UTC time.

When a URL is expected (for example, in browsers), the + used in time zone designators must be encoded as %2B.

This value is exclusive.

start

(Optional, string) The time that the datafeed preview should begin, which can be specified by using the same formats as the end parameter. This value is inclusive.

If you don’t provide either the start or end parameter, the datafeed preview will search over the entire time of data but exclude data within cold or frozen data tiers.

Request body

datafeed_config

(Optional, object) The datafeed definition to preview. For valid definitions, see the create datafeeds API.

job_config

(Optional, object) The configuration details for the anomaly detection job that is associated with the datafeed. If the datafeed_config object does not include a job_id that references an existing anomaly detection job, you must supply this job_config object. If you include both a job_id and a job_config, the latter information is used. You cannot specify a job_config object unless you also supply a datafeed_config object. For valid definitions, see the create anomaly detection jobs API.

Examples

This is an example of providing the ID of an existing datafeed:

  1. resp = client.ml.preview_datafeed(
  2. datafeed_id="datafeed-high_sum_total_sales",
  3. )
  4. print(resp)
  1. response = client.ml.preview_datafeed(
  2. datafeed_id: 'datafeed-high_sum_total_sales'
  3. )
  4. puts response
  1. const response = await client.ml.previewDatafeed({
  2. datafeed_id: "datafeed-high_sum_total_sales",
  3. });
  4. console.log(response);
  1. GET _ml/datafeeds/datafeed-high_sum_total_sales/_preview

The data that is returned for this example is as follows:

  1. [
  2. {
  3. "order_date" : 1574294659000,
  4. "category.keyword" : "Men's Clothing",
  5. "customer_full_name.keyword" : "Sultan Al Benson",
  6. "taxful_total_price" : 35.96875
  7. },
  8. {
  9. "order_date" : 1574294918000,
  10. "category.keyword" : [
  11. "Women's Accessories",
  12. "Women's Clothing"
  13. ],
  14. "customer_full_name.keyword" : "Pia Webb",
  15. "taxful_total_price" : 83.0
  16. },
  17. {
  18. "order_date" : 1574295782000,
  19. "category.keyword" : [
  20. "Women's Accessories",
  21. "Women's Shoes"
  22. ],
  23. "customer_full_name.keyword" : "Brigitte Graham",
  24. "taxful_total_price" : 72.0
  25. }
  26. ]

The following example provides datafeed and anomaly detection job configuration details in the API:

  1. resp = client.ml.preview_datafeed(
  2. datafeed_config={
  3. "indices": [
  4. "kibana_sample_data_ecommerce"
  5. ],
  6. "query": {
  7. "bool": {
  8. "filter": [
  9. {
  10. "term": {
  11. "_index": "kibana_sample_data_ecommerce"
  12. }
  13. }
  14. ]
  15. }
  16. },
  17. "scroll_size": 1000
  18. },
  19. job_config={
  20. "description": "Find customers spending an unusually high amount in an hour",
  21. "analysis_config": {
  22. "bucket_span": "1h",
  23. "detectors": [
  24. {
  25. "detector_description": "High total sales",
  26. "function": "high_sum",
  27. "field_name": "taxful_total_price",
  28. "over_field_name": "customer_full_name.keyword"
  29. }
  30. ],
  31. "influencers": [
  32. "customer_full_name.keyword",
  33. "category.keyword"
  34. ]
  35. },
  36. "analysis_limits": {
  37. "model_memory_limit": "10mb"
  38. },
  39. "data_description": {
  40. "time_field": "order_date",
  41. "time_format": "epoch_ms"
  42. }
  43. },
  44. )
  45. print(resp)
  1. response = client.ml.preview_datafeed(
  2. body: {
  3. datafeed_config: {
  4. indices: [
  5. 'kibana_sample_data_ecommerce'
  6. ],
  7. query: {
  8. bool: {
  9. filter: [
  10. {
  11. term: {
  12. _index: 'kibana_sample_data_ecommerce'
  13. }
  14. }
  15. ]
  16. }
  17. },
  18. scroll_size: 1000
  19. },
  20. job_config: {
  21. description: 'Find customers spending an unusually high amount in an hour',
  22. analysis_config: {
  23. bucket_span: '1h',
  24. detectors: [
  25. {
  26. detector_description: 'High total sales',
  27. function: 'high_sum',
  28. field_name: 'taxful_total_price',
  29. over_field_name: 'customer_full_name.keyword'
  30. }
  31. ],
  32. influencers: [
  33. 'customer_full_name.keyword',
  34. 'category.keyword'
  35. ]
  36. },
  37. analysis_limits: {
  38. model_memory_limit: '10mb'
  39. },
  40. data_description: {
  41. time_field: 'order_date',
  42. time_format: 'epoch_ms'
  43. }
  44. }
  45. }
  46. )
  47. puts response
  1. const response = await client.ml.previewDatafeed({
  2. datafeed_config: {
  3. indices: ["kibana_sample_data_ecommerce"],
  4. query: {
  5. bool: {
  6. filter: [
  7. {
  8. term: {
  9. _index: "kibana_sample_data_ecommerce",
  10. },
  11. },
  12. ],
  13. },
  14. },
  15. scroll_size: 1000,
  16. },
  17. job_config: {
  18. description: "Find customers spending an unusually high amount in an hour",
  19. analysis_config: {
  20. bucket_span: "1h",
  21. detectors: [
  22. {
  23. detector_description: "High total sales",
  24. function: "high_sum",
  25. field_name: "taxful_total_price",
  26. over_field_name: "customer_full_name.keyword",
  27. },
  28. ],
  29. influencers: ["customer_full_name.keyword", "category.keyword"],
  30. },
  31. analysis_limits: {
  32. model_memory_limit: "10mb",
  33. },
  34. data_description: {
  35. time_field: "order_date",
  36. time_format: "epoch_ms",
  37. },
  38. },
  39. });
  40. console.log(response);
  1. POST _ml/datafeeds/_preview
  2. {
  3. "datafeed_config": {
  4. "indices" : [
  5. "kibana_sample_data_ecommerce"
  6. ],
  7. "query" : {
  8. "bool" : {
  9. "filter" : [
  10. {
  11. "term" : {
  12. "_index" : "kibana_sample_data_ecommerce"
  13. }
  14. }
  15. ]
  16. }
  17. },
  18. "scroll_size" : 1000
  19. },
  20. "job_config": {
  21. "description" : "Find customers spending an unusually high amount in an hour",
  22. "analysis_config" : {
  23. "bucket_span" : "1h",
  24. "detectors" : [
  25. {
  26. "detector_description" : "High total sales",
  27. "function" : "high_sum",
  28. "field_name" : "taxful_total_price",
  29. "over_field_name" : "customer_full_name.keyword"
  30. }
  31. ],
  32. "influencers" : [
  33. "customer_full_name.keyword",
  34. "category.keyword"
  35. ]
  36. },
  37. "analysis_limits" : {
  38. "model_memory_limit" : "10mb"
  39. },
  40. "data_description" : {
  41. "time_field" : "order_date",
  42. "time_format" : "epoch_ms"
  43. }
  44. }
  45. }

The data that is returned for this example is as follows:

  1. [
  2. {
  3. "order_date" : 1574294659000,
  4. "category.keyword" : "Men's Clothing",
  5. "customer_full_name.keyword" : "Sultan Al Benson",
  6. "taxful_total_price" : 35.96875
  7. },
  8. {
  9. "order_date" : 1574294918000,
  10. "category.keyword" : [
  11. "Women's Accessories",
  12. "Women's Clothing"
  13. ],
  14. "customer_full_name.keyword" : "Pia Webb",
  15. "taxful_total_price" : 83.0
  16. },
  17. {
  18. "order_date" : 1574295782000,
  19. "category.keyword" : [
  20. "Women's Accessories",
  21. "Women's Shoes"
  22. ],
  23. "customer_full_name.keyword" : "Brigitte Graham",
  24. "taxful_total_price" : 72.0
  25. }
  26. ]