Version: 7.x-36.0.0

This is a technical preview. Technical preview features are not fully supported, may not be functionally complete, and are not suitable for deployment in production. We encourage you to try them out and provide your feedback, good and bad, on the Search Guard forum. This will help us improve and add any features you might be missing.

Index Action

Use index actions to store data in an Elasticsearch index.

Basic Functionality

A typical index action looks like this:

{
	/* ... */

	"actions": [
		{
			"type": "index",
			"checks": [
				{
					"type": "transform",
					"source": "['flight_num': data.source.FlightNum, 'dest': data.source.DestAirportID]"
				}
			],
			"index": "testindex"
		}
	]
}

Index actions write a complete snapshot of the current runtime data as one JSON document into the specified index.

Therefore, as shown in the example above, index actions are typically accompanied by transforms which explicitly define the data to be indexed using Painless scripts - or any other installed script engine. The script should return a map, which the action converts to a JSON document.

Specifying the Document ID

Normally, documents will be indexed with an automatically generated ID. You can, however, also explicitly define the ID of the document by providing an additional attribute called _id in the runtime data.

Indexing Multiple Documents

If you want to index multiple documents in one action execution, you need to prepare the runtime data in a special way: store the documents to be indexed in an array, and store this array in an attribute called _doc at the top level of the runtime data. The following example stores two documents:

{
	/* ... */

	"actions": [
		{
			"type": "index",
			"checks": [
				{
					"type": "transform",
					"source": "['_doc': [ [ 'x': 1 ], [ 'x': 2 ] ] ]"
				}
			],
			"index": "testindex"
		}
	]
}

Authorization

The index operation is executed with the privileges the user had when creating or updating the watch. So, you must make sure to have all the privileges necessary to write to the respective indices when creating or updating a watch.

Advanced Attributes

Further configuration attributes are:

refresh: The Elasticsearch index refresh policy. One of false, true or wait_for. Optional; default is false.

timeout: If the index operation does not complete in the specified time (in seconds), it will be aborted. Optional; default is 60 seconds.
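The following is an added example, not taken from the Search Guard documentation, that combines the attributes described above in one index action: the transform sets the _id attribute explicitly (here from the FlightNum field of the search result, following the field names used in the first example on this page), and the action overrides the refresh and timeout defaults. The surrounding watch definition (trigger and search check producing data.source) is elided with the same /* ... */ placeholder the page uses.

```json
{
	/* ... */

	"actions": [
		{
			"type": "index",
			"checks": [
				{
					"type": "transform",
					"source": "['_id': data.source.FlightNum, 'flight_num': data.source.FlightNum, 'dest': data.source.DestAirportID]"
				}
			],
			"index": "testindex",
			"refresh": "wait_for",
			"timeout": 30
		}
	]
}
```

Because _id is taken from the runtime data, repeated executions that see the same FlightNum overwrite the same document instead of creating duplicates; refresh set to wait_for makes the action block until the document is searchable, and timeout aborts the operation after 30 seconds instead of the default 60.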

Technical Preview Limitations

  • It’s not possible yet to write the data back to a remote Elasticsearch cluster
