Module: Elasticsearch::API::TextStructure::Actions

Defined in:
lib/elasticsearch/api/actions/text_structure/find_structure.rb,
lib/elasticsearch/api/actions/text_structure/test_grok_pattern.rb,
lib/elasticsearch/api/actions/text_structure/find_field_structure.rb,
lib/elasticsearch/api/actions/text_structure/find_message_structure.rb

Instance Method Summary collapse

Instance Method Details

#find_field_structure(arguments = {}) ⇒ Object

Find the structure of a text field. Find the structure of a text field in an Elasticsearch index. This API provides a starting point for extracting further information from log messages already ingested into Elasticsearch. For example, if you have ingested data into a very simple index that has just @timestamp and message fields, you can use this API to see what common structure exists in the message field. The response from the API contains:

  • Sample messages.

  • Statistics that reveal the most common values for all fields detected within the text and basic numeric statistics for numeric fields.

  • Information about the structure of the text, which is useful when you write ingest configurations to index it or similarly formatted text.

  • Appropriate mappings for an Elasticsearch index, which you could use to ingest the text.

All this information can be calculated by the structure finder with no guidance. However, you can optionally override some of the decisions about the text structure by specifying one or more query parameters. If the structure finder produces unexpected results, specify the explain query parameter and an explanation will appear in the response. It helps determine why the returned structure was chosen.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :column_names (String)

    If format is set to delimited, you can specify the column names in a comma-separated list. If this parameter is not specified, the structure finder uses the column names from the header row of the text. If the text does not have a header row, columns are named “column1”, “column2”, “column3”, for example.

  • :delimiter (String)

    If you have set format to delimited, you can specify the character used to delimit the values in each row. Only a single character is supported; the delimiter cannot have multiple characters. By default, the API considers the following possibilities: comma, tab, semi-colon, and pipe (+|+). In this default scenario, all rows must have the same number of fields for the delimited format to be detected. If you specify a delimiter, up to 10% of the rows can have a different number of columns than the first row.

  • :documents_to_sample (Integer)

    The number of documents to include in the structural analysis. The minimum value is 2. Server default: 1000.

  • :ecs_compatibility (String)

    The mode of compatibility with ECS compliant Grok patterns. Use this parameter to specify whether to use ECS Grok patterns instead of legacy ones when the structure finder creates a Grok pattern. This setting primarily has an impact when a whole message Grok pattern such as %{CATALINALOG} matches the input. If the structure finder identifies a common structure but has no idea of the meaning then generic field names such as path, ipaddress, field1, and field2 are used in the grok_pattern output. The intention in that situation is that a user who knows the meanings will rename the fields before using them. Server default: disabled.

  • :explain (Boolean)

    If true, the response includes a field named explanation, which is an array of strings that indicate how the structure finder produced its result.

  • :field (String)

    The field that should be analyzed. (Required)

  • :format (String)

    The high level structure of the text. By default, the API chooses the format. In this default scenario, all rows must have the same number of fields for a delimited format to be detected. If the format is set to delimited and the delimiter is not set, however, the API tolerates up to 5% of rows that have a different number of columns than the first row.

  • :grok_pattern (String)

    If the format is semi_structured_text, you can specify a Grok pattern that is used to extract fields from every message in the text. The name of the timestamp field in the Grok pattern must match what is specified in the timestamp_field parameter. If that parameter is not specified, the name of the timestamp field in the Grok pattern must match “timestamp”. If grok_pattern is not specified, the structure finder creates a Grok pattern.

  • :index (String)

    The name of the index that contains the analyzed field. (Required)

  • :quote (String)

    If the format is delimited, you can specify the character used to quote the values in each row if they contain newlines or the delimiter character. Only a single character is supported. If this parameter is not specified, the default value is a double quote (+“+). If your delimited text format does not use quoting, a workaround is to set this argument to a character that does not appear anywhere in the sample.

  • :should_trim_fields (Boolean)

    If the format is delimited, you can specify whether values between delimiters should have whitespace trimmed from them. If this parameter is not specified and the delimiter is pipe (+|+), the default value is true. Otherwise, the default value is false.

  • :timeout (Time)

    The maximum amount of time that the structure analysis can take. If the analysis is still running when the timeout expires, it will be stopped. Server default: 25s.

  • :timestamp_field (String)

    The name of the field that contains the primary timestamp of each record in the text. In particular, if the text was ingested into an index, this is the field that would be used to populate the @timestamp field.If the format is semi_structured_text, this field must match the name of the appropriate extraction in the grok_pattern. Therefore, for semi-structured text, it is best not to specify this parameter unless grok_pattern is also specified.For structured text, if you specify this parameter, the field must exist within the text.If this parameter is not specified, the structure finder makes a decision about which field (if any) is the primary timestamp field. For structured text, it is not compulsory to have a timestamp in the text.

  • :timestamp_format (String)

    The Java time format of the timestamp field in the text. Only a subset of Java time format letter groups are supported:

    • a

    • d

    • dd

    • EEE

    • EEEE

    • H

    • HH

    • h

    • M

    • MM

    • MMM

    • MMMM

    • mm

    • ss

    • XX

    • XXX

    • yy

    • yyyy

    • zzz

    Additionally S letter groups (fractional seconds) of length one to nine are supported providing they occur after ss and are separated from the ss by a period (.), comma (+,+), or colon (:). Spacing and punctuation is also permitted with the exception a question mark (+?+), newline, and carriage return, together with literal text enclosed in single quotes. For example, MM/dd HH.mm.ss,SSSSSS ‘in’ yyyy is a valid override format.One valuable use case for this parameter is when the format is semi-structured text, there are multiple timestamp formats in the text, and you know which format corresponds to the primary timestamp, but you do not want to specify the full grok_pattern. Another is when the timestamp format is one that the structure finder does not consider by default.If this parameter is not specified, the structure finder chooses the best format from a built-in set.If the special value null is specified, the structure finder will not look for a primary timestamp in the text. When the format is semi-structured text, this will result in the structure finder treating the text as single-line messages.

  • :headers (Hash)

    Custom HTTP headers

See Also:



108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
 
# File 'lib/elasticsearch/api/actions/text_structure/find_field_structure.rb', line 108

def find_field_structure(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'text_structure.find_field_structure' }

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = nil

  method = Elasticsearch::API::HTTP_GET
  path   = '_text_structure/find_field_structure'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#find_message_structure(arguments = {}) ⇒ Object

Find the structure of text messages. Find the structure of a list of text messages. The messages must contain data that is suitable to be ingested into Elasticsearch. This API provides a starting point for ingesting data into Elasticsearch in a format that is suitable for subsequent use with other Elastic Stack functionality. Use this API rather than the find text structure API if your input text has already been split up into separate messages by some other process. The response from the API contains:

  • Sample messages.

  • Statistics that reveal the most common values for all fields detected within the text and basic numeric statistics for numeric fields.

  • Information about the structure of the text, which is useful when you write ingest configurations to index it or similarly formatted text.

Appropriate mappings for an Elasticsearch index, which you could use to ingest the text. All this information can be calculated by the structure finder with no guidance. However, you can optionally override some of the decisions about the text structure by specifying one or more query parameters. If the structure finder produces unexpected results, specify the explain query parameter and an explanation will appear in the response. It helps determine why the returned structure was chosen.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :column_names (String)

    If the format is delimited, you can specify the column names in a comma-separated list. If this parameter is not specified, the structure finder uses the column names from the header row of the text. If the text does not have a header role, columns are named “column1”, “column2”, “column3”, for example.

  • :delimiter (String)

    If you the format is delimited, you can specify the character used to delimit the values in each row. Only a single character is supported; the delimiter cannot have multiple characters. By default, the API considers the following possibilities: comma, tab, semi-colon, and pipe (+|+). In this default scenario, all rows must have the same number of fields for the delimited format to be detected. If you specify a delimiter, up to 10% of the rows can have a different number of columns than the first row.

  • :ecs_compatibility (String)

    The mode of compatibility with ECS compliant Grok patterns. Use this parameter to specify whether to use ECS Grok patterns instead of legacy ones when the structure finder creates a Grok pattern. This setting primarily has an impact when a whole message Grok pattern such as %{CATALINALOG} matches the input. If the structure finder identifies a common structure but has no idea of meaning then generic field names such as path, ipaddress, field1, and field2 are used in the grok_pattern output, with the intention that a user who knows the meanings rename these fields before using it. Server default: disabled.

  • :explain (Boolean)

    If this parameter is set to true, the response includes a field named explanation, which is an array of strings that indicate how the structure finder produced its result.

  • :format (String)

    The high level structure of the text. By default, the API chooses the format. In this default scenario, all rows must have the same number of fields for a delimited format to be detected. If the format is delimited and the delimiter is not set, however, the API tolerates up to 5% of rows that have a different number of columns than the first row.

  • :grok_pattern (String)

    If the format is semi_structured_text, you can specify a Grok pattern that is used to extract fields from every message in the text. The name of the timestamp field in the Grok pattern must match what is specified in the timestamp_field parameter. If that parameter is not specified, the name of the timestamp field in the Grok pattern must match “timestamp”. If grok_pattern is not specified, the structure finder creates a Grok pattern.

  • :quote (String)

    If the format is delimited, you can specify the character used to quote the values in each row if they contain newlines or the delimiter character. Only a single character is supported. If this parameter is not specified, the default value is a double quote (+“+). If your delimited text format does not use quoting, a workaround is to set this argument to a character that does not appear anywhere in the sample.

  • :should_trim_fields (Boolean)

    If the format is delimited, you can specify whether values between delimiters should have whitespace trimmed from them. If this parameter is not specified and the delimiter is pipe (+|+), the default value is true. Otherwise, the default value is false.

  • :timeout (Time)

    The maximum amount of time that the structure analysis can take. If the analysis is still running when the timeout expires, it will be stopped. Server default: 25s.

  • :timestamp_field (String)

    The name of the field that contains the primary timestamp of each record in the text. In particular, if the text was ingested into an index, this is the field that would be used to populate the @timestamp field.If the format is semi_structured_text, this field must match the name of the appropriate extraction in the grok_pattern. Therefore, for semi-structured text, it is best not to specify this parameter unless grok_pattern is also specified.For structured text, if you specify this parameter, the field must exist within the text.If this parameter is not specified, the structure finder makes a decision about which field (if any) is the primary timestamp field. For structured text, it is not compulsory to have a timestamp in the text.

  • :timestamp_format (String)

    The Java time format of the timestamp field in the text. Only a subset of Java time format letter groups are supported:

    • a

    • d

    • dd

    • EEE

    • EEEE

    • H

    • HH

    • h

    • M

    • MM

    • MMM

    • MMMM

    • mm

    • ss

    • XX

    • XXX

    • yy

    • yyyy

    • zzz

    Additionally S letter groups (fractional seconds) of length one to nine are supported providing they occur after ss and are separated from the ss by a period (.), comma (+,+), or colon (:). Spacing and punctuation is also permitted with the exception a question mark (+?+), newline, and carriage return, together with literal text enclosed in single quotes. For example, MM/dd HH.mm.ss,SSSSSS ‘in’ yyyy is a valid override format.One valuable use case for this parameter is when the format is semi-structured text, there are multiple timestamp formats in the text, and you know which format corresponds to the primary timestamp, but you do not want to specify the full grok_pattern. Another is when the timestamp format is one that the structure finder does not consider by default.If this parameter is not specified, the structure finder chooses the best format from a built-in set.If the special value null is specified, the structure finder will not look for a primary timestamp in the text. When the format is semi-structured text, this will result in the structure finder treating the text as single-line messages.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
 
# File 'lib/elasticsearch/api/actions/text_structure/find_message_structure.rb', line 105

def find_message_structure(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'text_structure.find_message_structure' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_text_structure/find_message_structure'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end

#find_structure(arguments = {}) ⇒ Object

Find the structure of a text file. The text file must contain data that is suitable to be ingested into Elasticsearch. This API provides a starting point for ingesting data into Elasticsearch in a format that is suitable for subsequent use with other Elastic Stack functionality. Unlike other Elasticsearch endpoints, the data that is posted to this endpoint does not need to be UTF-8 encoded and in JSON format. It must, however, be text; binary text formats are not currently supported. The size is limited to the Elasticsearch HTTP receive buffer size, which defaults to 100 Mb. The response from the API contains:

  • A couple of messages from the beginning of the text.

  • Statistics that reveal the most common values for all fields detected within the text and basic numeric statistics for numeric fields.

  • Information about the structure of the text, which is useful when you write ingest configurations to index it or similarly formatted text.

  • Appropriate mappings for an Elasticsearch index, which you could use to ingest the text.

All this information can be calculated by the structure finder with no guidance. However, you can optionally override some of the decisions about the text structure by specifying one or more query parameters.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :charset (String)

    The text’s character set. It must be a character set that is supported by the JVM that Elasticsearch uses. For example, UTF-8, UTF-16LE, windows-1252, or EUC-JP. If this parameter is not specified, the structure finder chooses an appropriate character set.

  • :column_names (String)

    If you have set format to delimited, you can specify the column names in a comma-separated list. If this parameter is not specified, the structure finder uses the column names from the header row of the text. If the text does not have a header role, columns are named “column1”, “column2”, “column3”, for example.

  • :delimiter (String)

    If you have set format to delimited, you can specify the character used to delimit the values in each row. Only a single character is supported; the delimiter cannot have multiple characters. By default, the API considers the following possibilities: comma, tab, semi-colon, and pipe (+|+). In this default scenario, all rows must have the same number of fields for the delimited format to be detected. If you specify a delimiter, up to 10% of the rows can have a different number of columns than the first row.

  • :ecs_compatibility (String)

    The mode of compatibility with ECS compliant Grok patterns. Use this parameter to specify whether to use ECS Grok patterns instead of legacy ones when the structure finder creates a Grok pattern. Valid values are disabled and v1. This setting primarily has an impact when a whole message Grok pattern such as %{CATALINALOG} matches the input. If the structure finder identifies a common structure but has no idea of meaning then generic field names such as path, ipaddress, field1, and field2 are used in the grok_pattern output, with the intention that a user who knows the meanings rename these fields before using it. Server default: disabled.

  • :explain (Boolean)

    If this parameter is set to true, the response includes a field named explanation, which is an array of strings that indicate how the structure finder produced its result. If the structure finder produces unexpected results for some text, use this query parameter to help you determine why the returned structure was chosen.

  • :format (String)

    The high level structure of the text. Valid values are ndjson, xml, delimited, and semi_structured_text. By default, the API chooses the format. In this default scenario, all rows must have the same number of fields for a delimited format to be detected. If the format is set to delimited and the delimiter is not set, however, the API tolerates up to 5% of rows that have a different number of columns than the first row.

  • :grok_pattern (String)

    If you have set format to semi_structured_text, you can specify a Grok pattern that is used to extract fields from every message in the text. The name of the timestamp field in the Grok pattern must match what is specified in the timestamp_field parameter. If that parameter is not specified, the name of the timestamp field in the Grok pattern must match “timestamp”. If grok_pattern is not specified, the structure finder creates a Grok pattern.

  • :has_header_row (Boolean)

    If you have set format to delimited, you can use this parameter to indicate whether the column names are in the first row of the text. If this parameter is not specified, the structure finder guesses based on the similarity of the first row of the text to other rows.

  • :line_merge_size_limit (Integer)

    The maximum number of characters in a message when lines are merged to form messages while analyzing semi-structured text. If you have extremely long messages you may need to increase this, but be aware that this may lead to very long processing times if the way to group lines into messages is misdetected. Server default: 10000.

  • :lines_to_sample (Integer)

    The number of lines to include in the structural analysis, starting from the beginning of the text. The minimum is 2. If the value of this parameter is greater than the number of lines in the text, the analysis proceeds (as long as there are at least two lines in the text) for all of the lines.NOTE: The number of lines and the variation of the lines affects the speed of the analysis. For example, if you upload text where the first 1000 lines are all variations on the same message, the analysis will find more commonality than would be seen with a bigger sample. If possible, however, it is more efficient to upload sample text with more variety in the first 1000 lines than to request analysis of 100000 lines to achieve some variety. Server default: 1000.

  • :quote (String)

    If you have set format to delimited, you can specify the character used to quote the values in each row if they contain newlines or the delimiter character. Only a single character is supported. If this parameter is not specified, the default value is a double quote (+“+). If your delimited text format does not use quoting, a workaround is to set this argument to a character that does not appear anywhere in the sample.

  • :should_trim_fields (Boolean)

    If you have set format to delimited, you can specify whether values between delimiters should have whitespace trimmed from them. If this parameter is not specified and the delimiter is pipe (+|+), the default value is true. Otherwise, the default value is false.

  • :timeout (Time)

    The maximum amount of time that the structure analysis can take. If the analysis is still running when the timeout expires then it will be stopped. Server default: 25s.

  • :timestamp_field (String)

    The name of the field that contains the primary timestamp of each record in the text. In particular, if the text were ingested into an index, this is the field that would be used to populate the @timestamp field.If the format is semi_structured_text, this field must match the name of the appropriate extraction in the grok_pattern. Therefore, for semi-structured text, it is best not to specify this parameter unless grok_pattern is also specified.For structured text, if you specify this parameter, the field must exist within the text.If this parameter is not specified, the structure finder makes a decision about which field (if any) is the primary timestamp field. For structured text, it is not compulsory to have a timestamp in the text.

  • :timestamp_format (String)

    The Java time format of the timestamp field in the text.Only a subset of Java time format letter groups are supported:

    • a

    • d

    • dd

    • EEE

    • EEEE

    • H

    • HH

    • h

    • M

    • MM

    • MMM

    • MMMM

    • mm

    • ss

    • XX

    • XXX

    • yy

    • yyyy

    • zzz

    Additionally S letter groups (fractional seconds) of length one to nine are supported providing they occur after ss and separated from the ss by a ., , or :. Spacing and punctuation is also permitted with the exception of ?, newline and carriage return, together with literal text enclosed in single quotes. For example, MM/dd HH.mm.ss,SSSSSS ‘in’ yyyy is a valid override format.One valuable use case for this parameter is when the format is semi-structured text, there are multiple timestamp formats in the text, and you know which format corresponds to the primary timestamp, but you do not want to specify the full grok_pattern. Another is when the timestamp format is one that the structure finder does not consider by default.If this parameter is not specified, the structure finder chooses the best format from a built-in set.If the special value null is specified the structure finder will not look for a primary timestamp in the text. When the format is semi-structured text this will result in the structure finder treating the text as single-line messages.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    text_files

Raises:

  • (ArgumentError)

See Also:



119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
 
# File 'lib/elasticsearch/api/actions/text_structure/find_structure.rb', line 119

def find_structure(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'text_structure.find_structure' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_text_structure/find_structure'
  params = Utils.process_params(arguments)

  payload = if body.is_a? Array
              Elasticsearch::API::Utils.bulkify(body)
            else
              body
            end

  headers.merge!({
                   'Content-Type' => 'application/vnd.elasticsearch+x-ndjson; compatible-with=9'
                 })
  Elasticsearch::API::Response.new(
    perform_request(method, path, params, payload, headers, request_opts)
  )
end

#test_grok_pattern(arguments = {}) ⇒ Object

Test a Grok pattern. Test a Grok pattern on one or more lines of text. The API indicates whether the lines match the pattern together with the offsets and lengths of the matched substrings.

Parameters:

  • arguments (Hash) (defaults to: {})

    a customizable set of options

Options Hash (arguments):

  • :ecs_compatibility (String)

    The mode of compatibility with ECS compliant Grok patterns. Use this parameter to specify whether to use ECS Grok patterns instead of legacy ones when the structure finder creates a Grok pattern. Valid values are disabled and v1. Server default: disabled.

  • :headers (Hash)

    Custom HTTP headers

  • :body (Hash)

    request body

Raises:

  • (ArgumentError)

See Also:



37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
 
# File 'lib/elasticsearch/api/actions/text_structure/test_grok_pattern.rb', line 37

def test_grok_pattern(arguments = {})
  request_opts = { endpoint: arguments[:endpoint] || 'text_structure.test_grok_pattern' }

  raise ArgumentError, "Required argument 'body' missing" unless arguments[:body]

  arguments = arguments.clone
  headers = arguments.delete(:headers) || {}

  body = arguments.delete(:body)

  method = Elasticsearch::API::HTTP_POST
  path   = '_text_structure/test_grok_pattern'
  params = Utils.process_params(arguments)

  Elasticsearch::API::Response.new(
    perform_request(method, path, params, body, headers, request_opts)
  )
end