From b6e00ebffb324f98279a63f9ff7902c8f8471273 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 1 Apr 2021 09:40:45 -0400 Subject: [PATCH 1/4] [DOCS] Add ECS and runtime fields tip to data stream tutorial --- .../set-up-a-data-stream.asciidoc | 22 ++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/docs/reference/data-streams/set-up-a-data-stream.asciidoc b/docs/reference/data-streams/set-up-a-data-stream.asciidoc index 6a51013a97796..3e6def12d020e 100644 --- a/docs/reference/data-streams/set-up-a-data-stream.asciidoc +++ b/docs/reference/data-streams/set-up-a-data-stream.asciidoc @@ -98,6 +98,18 @@ with default options. * Your lifecycle policy in the `index.lifecycle.name` index setting. +[TIP] +==== +Use the {ecs-ref}[Elastic Common Schema (ECS)] when mapping your fields. ECS +fields integrate with several {stack} features by default. + +If you're unsure how to map your fields, use <> to extract fields from <> at a search time. For example, you can index a log message to a +`wildcard` field and later extract IP addresses and other data from this field +during a search. +==== + To create a component template in {kib}, open the main menu and go to *Stack Management > Index Management*. In the *Index Templates* view, click *Create a component template*. 
@@ -189,11 +201,11 @@ PUT _index_template/my-index-template [[create-data-stream]] === Step 4. Create the data stream -To automatically create the data stream, submit an -<> that targets the stream's -name. This name must match one of your index template's index patterns. The -request must use an `op_type` of `create`. Documents must include a `@timestamp` -field. +<> add documents to a data +stream. To automatically create the data stream, submit an indexing request that +targets the stream's name. This name must match one of your index template's +index patterns. The request must use an `op_type` of `create`. Documents must +include a `@timestamp` field. [source,console] ---- From 43a30ed5da9e9f50700f50e0d50082d25ea356a8 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 1 Apr 2021 10:34:41 -0400 Subject: [PATCH 2/4] Reduce down to tip --- .../data-streams/set-up-a-data-stream.asciidoc | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/reference/data-streams/set-up-a-data-stream.asciidoc b/docs/reference/data-streams/set-up-a-data-stream.asciidoc index 3e6def12d020e..eeb0b9f5368da 100644 --- a/docs/reference/data-streams/set-up-a-data-stream.asciidoc +++ b/docs/reference/data-streams/set-up-a-data-stream.asciidoc @@ -14,8 +14,8 @@ You can also <>. IMPORTANT: If you use {fleet} or {agent}, skip this tutorial. {fleet} and -{agent} set up data streams for you. See {fleet-guide}/data-streams.html[Data -streams] in the {fleet} Guide. +{agent} set up data streams for you. See {fleet}'s +{fleet-guide}/data-streams.html[data streams] documentation. [discrete] [[create-index-lifecycle-policy]] 
@@ -102,7 +102,6 @@ with default options. ==== Use the {ecs-ref}[Elastic Common Schema (ECS)] when mapping your fields. ECS fields integrate with several {stack} features by default. - If you're unsure how to map your fields, use <> to extract fields from <> at a search time. For example, you can index a log message to a @@ -202,10 +201,12 @@ PUT _index_template/my-index-template === Step 4. Create the data stream <> add documents to a data -stream. To automatically create the data stream, submit an indexing request that +stream. These requests must use an `op_type` of `create`. Documents must include +a `@timestamp` field. + +To automatically create your data stream, submit an indexing request that targets the stream's name. This name must match one of your index template's -index patterns. The request must use an `op_type` of `create`. Documents must -include a `@timestamp` field. +index patterns. [source,console] ---- From b62b39f8ce415adaa60f66fb08e0beec5874e4c2 Mon Sep 17 00:00:00 2001 From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 1 Apr 2021 10:52:13 -0400 Subject: [PATCH 3/4] Add newline --- docs/reference/data-streams/set-up-a-data-stream.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/reference/data-streams/set-up-a-data-stream.asciidoc b/docs/reference/data-streams/set-up-a-data-stream.asciidoc index eeb0b9f5368da..de6f1f5aed151 100644 --- a/docs/reference/data-streams/set-up-a-data-stream.asciidoc +++ b/docs/reference/data-streams/set-up-a-data-stream.asciidoc @@ -102,6 +102,7 @@ with default options. ==== Use the {ecs-ref}[Elastic Common Schema (ECS)] when mapping your fields. ECS fields integrate with several {stack} features by default. + If you're unsure how to map your fields, use <> to extract fields from <> at a search time. For example, you can index a log message to a From 19e63a896f0c9c546732fc5f56df1e07ee1bcf4c Mon Sep 17 00:00:00 2001 
From: James Rodewig <40268737+jrodewig@users.noreply.github.com> Date: Thu, 1 Apr 2021 11:28:25 -0400 Subject: [PATCH 4/4] Update docs/reference/data-streams/set-up-a-data-stream.asciidoc Co-authored-by: Adam Locke --- docs/reference/data-streams/set-up-a-data-stream.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/data-streams/set-up-a-data-stream.asciidoc b/docs/reference/data-streams/set-up-a-data-stream.asciidoc index de6f1f5aed151..15c77a1f2c929 100644 --- a/docs/reference/data-streams/set-up-a-data-stream.asciidoc +++ b/docs/reference/data-streams/set-up-a-data-stream.asciidoc @@ -105,7 +105,7 @@ fields integrate with several {stack} features by default. If you're unsure how to map your fields, use <> to extract fields from <> at a search time. For example, you can index a log message to a +content>> at search time. For example, you can index a log message to a `wildcard` field and later extract IP addresses and other data from this field during a search. ====
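Review bot: In [PATCH 1/4], hunk `@@ -98,6 +98,18 @@`, the first paragraph of the new TIP says "ECS fields integrate with several {stack} features by default" without naming any of them or linking to a list. A reader deciding whether to adopt ECS for their mappings cannot tell from this sentence what they gain. Consider naming one or two of the features, or pointing the existing `{ecs-ref}` link at the page that lists them.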
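Review bot: In [PATCH 2/4], hunk `@@ -102,7 +102,6 @@`, deleting the blank line between "fields integrate with several {stack} features by default." and "If you're unsure how to map your fields, use ..." merges the ECS paragraph and the runtime fields paragraph into one inside the TIP block. The two sentences give separate pieces of advice and read better as separate paragraphs. [PATCH 3/4] adds the same blank line back, so the removal here and the "Add newline" commit could both be dropped before merging, which would keep the history of this block to the original addition and the wording fix.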
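Review bot: In [PATCH 2/4], hunk `@@ -202,10 +201,12 @@`, moving the requirement into the first paragraph as "These requests must use an `op_type` of `create`" widens its scope. In the removed text, "The request must use an `op_type` of `create`" referred to the single indexing request that creates the stream; the new wording applies it to every indexing request that adds documents to a data stream. Please confirm that the broader statement is intended. If so, the same paragraph is a good place to say what happens to a request that uses a different `op_type` or a document without `@timestamp`, since the text now states both as general rules.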
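Review bot: In [PATCH 4/4], hunk `@@ -105,7 +105,7 @@`, with "at a search time" corrected to "at search time", the following sentence still ends "and later extract IP addresses and other data from this field during a search", which restates the same timing twice in two adjacent sentences. Consider ending the example at "from this field" so the tip reads more tightly. The subject line "Update docs/reference/data-streams/set-up-a-data-stream.asciidoc" also gives no hint of what changed; a subject that names the wording fix would make the commit easier to find later.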