Set up a time series data stream
Serverless Stack
This page shows you how to manually set up a time series data stream (TSDS).
- Before you create a time series data stream, review Data streams and TSDS concepts. You can also try the quickstart for a hands-on introduction.
- Make sure you have the following permissions:
  - Cluster privileges
    - manage_index_templates for creating a template to base the TSDS on
    - manage_ilm if you're using index lifecycle management (Stack)
  - Index privileges
    - create_doc and create_index for creating or converting a TSDS
    - manage to roll over a TSDS
If you're working with OpenTelemetry data, try the OpenTelemetry quickstarts.
1. Create an index lifecycle policy (optional)
Serverless Stack
In most cases, you can use a data stream lifecycle to manage your time series data stream. If you're using data tiers in Elastic Stack, you can use index lifecycle management.
Create an ILM policy

If you're using Elastic Stack, ILM can help you manage a time series data stream's backing indices. ILM requires an index lifecycle policy.

For best results, specify a max_age for the rollover action in the policy. This ensures the timestamp ranges for the backing indices are consistent. For example, setting a max_age of 1d for the rollover action ensures your backing indices consistently contain one day's worth of data.

Example:

    PUT _ilm/policy/my-weather-sensor-lifecycle-policy
    {
      "policy": {
        "phases": {
          "hot": {
            "actions": {
              "rollover": {
                "max_age": "1d",
                "max_primary_shard_size": "50gb"
              }
            }
          }
          // Additional phases (warm, cold, delete) as needed
        }
      }
    }
2. Create an index template
The structure of a time series data stream is defined by an index template. Create an index template with the following required elements and settings:
- Index patterns: One or more wildcard patterns matching the name of your TSDS, such as weather-sensors-*. For best results, use the data stream naming scheme.
- Data stream object: The template must include "data_stream": {}.
- Time series mode: Set index.mode: time_series.
- Field mappings: Define at least one dimension field and typically one or more metric fields:
  - Dimensions: To define a dimension, set time_series_dimension to true. For details, refer to Dimensions.
    - To define dimensions dynamically, you can use a pass-through object. For details, refer to Defining sub-fields as time series dimensions.
  - Metrics: To define a metric, use the time_series_metric mapping parameter. For details, refer to Metrics.
  - Timestamp (optional): Define a date or date_nanos mapping for the @timestamp field. If you don't specify a mapping, Elasticsearch maps @timestamp as a date field with default options.
- Lifecycle management (Serverless, Stack): For Elastic Stack, include lifecycle settings to enable automatic rollover and prevent indices from growing too large.
  - Set "lifecycle": { "enabled": true }.
  - If you created an ILM policy in step 1, reference it with index.lifecycle.name.
- Other settings (optional): Additional index settings, such as index.number_of_replicas, for the data stream's backing indices.
- Priority: Set the priority higher than 200 to avoid collisions with built-in templates.
Example index template PUT request:

    PUT _index_template/my-weather-sensor-index-template
    {
      "index_patterns": ["metrics-weather-sensors*"], // matches the metrics-weather-sensors data stream used in the following steps
      "data_stream": { },
      "template": {
        "settings": {
          "index.mode": "time_series",
          "index.lifecycle.name": "my-weather-sensor-lifecycle-policy", // Elastic Stack only: the ILM policy from step 1
          "lifecycle": { "enabled": true } // Elastic Stack only
        },
        "mappings": {
          "properties": {
            "sensor_id": { "type": "keyword", "time_series_dimension": true },
            "location": { "type": "keyword", "time_series_dimension": true },
            "temperature": { "type": "half_float", "time_series_metric": "gauge" },
            "humidity": { "type": "half_float", "time_series_metric": "gauge" },
            "@timestamp": { "type": "date" }
          }
        }
      },
      "priority": 500,
      "_meta": {
        "description": "Template for my weather sensor data"
      }
    }
Important (Stack): Without lifecycle management enabled, time series data streams can grow into very large indices that never roll over. This can lead to performance issues. Always configure lifecycle management for Elastic Stack production deployments.

Component templates (optional)

If you're using component templates with a time series data stream, check the following requirements:
- Each component template is valid on its own
- The index.routing_path setting and its referenced dimension fields are defined in the same component template
- The time_series_dimension attribute is enabled for fields referenced in index.routing_path
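The component template requirements above can be checked before the templates are uploaded. The following linter is an added example, not part of the original page or of Elasticsearch; the template names and sample bodies are constructed, and treating a wildcard routing_path entry as a pattern over dotted field names is an assumption of this sketch.

```python
from fnmatch import fnmatchcase

def flatten_fields(properties, prefix=""):
    """Map dotted field names to their mappings, descending into object fields."""
    fields = {}
    for name, mapping in properties.items():
        if "properties" in mapping:
            fields.update(flatten_fields(mapping["properties"], f"{prefix}{name}."))
        else:
            fields[prefix + name] = mapping
    return fields

def routing_path_of(settings):
    """Read index.routing_path from flat or nested settings as a list."""
    value = settings.get("index.routing_path")
    if value is None:
        value = settings.get("index", {}).get("routing_path", [])
    return [value] if isinstance(value, str) else list(value)

def lint_component_template(name, body):
    """Return the problems found in one component template body."""
    template = body.get("template", {})
    fields = flatten_fields(template.get("mappings", {}).get("properties", {}))
    problems = []
    for pattern in routing_path_of(template.get("settings", {})):
        matched = [f for f in fields if fnmatchcase(f, pattern)]
        if not matched:
            problems.append(f"{name}: no field for routing_path '{pattern}' in this template")
        for field in matched:
            if fields[field].get("time_series_dimension") not in (True, "true"):
                problems.append(f"{name}: '{field}' is not a time_series_dimension")
    return problems

# Constructed sample input; the template names are hypothetical.
SAMPLE = {
    "weather-settings": {"template": {"settings": {
        "index.mode": "time_series", "index.routing_path": ["sensor_id", "location"]}}},
    "weather-mappings": {"template": {"mappings": {"properties": {
        "sensor_id": {"type": "keyword", "time_series_dimension": True}}}}},
    "weather-combined": {"template": {
        "settings": {"index": {"mode": "time_series", "routing_path": ["sensor_id", "labels.*"]}},
        "mappings": {"properties": {
            "sensor_id": {"type": "keyword", "time_series_dimension": True},
            "labels": {"properties": {"site": {"type": "keyword", "time_series_dimension": True},
                                      "note": {"type": "keyword"}}}}}}},
}

if __name__ == "__main__":
    for template_name, template_body in SAMPLE.items():
        print(template_name, lint_component_template(template_name, template_body))
```

The first sample fails because its routing_path refers to fields mapped in a different component template; the third fails because labels.note matches the routing path without being a dimension.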
3. Create the time series data stream and add data
After creating the index template, you can create a time series data stream by indexing a document. The TSDS is created automatically when you index the first document, as long as the index name matches the index template pattern. You can use a bulk API request or a POST request.
Important: To test the following _bulk example, update the timestamps to within two hours of your current time. Data added to a TSDS must fit the accepted time range.

    PUT metrics-weather-sensors/_bulk
    { "create":{ } }
    { "@timestamp": "2099-05-06T16:21:15.000Z", "sensor_id": "SENSOR-001", "location": "warehouse-A", "temperature": 26.7, "humidity": 49.9 }
    { "create":{ } }
    { "@timestamp": "2099-05-06T16:25:42.000Z", "sensor_id": "SENSOR-002", "location": "warehouse-B", "temperature": 32.4, "humidity": 88.9 }

    POST metrics-weather-sensors/_doc
    {
      "@timestamp": "2099-05-06T16:21:15.000Z",
      "sensor_id": "SENSOR-00002",
      "location": "warehouse-B",
      "temperature": 32.4,
      "humidity": 88.9
    }
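A bulk body can be screened for timestamps that fall outside the accepted range before it is sent. This pre-flight check is an added example, not code from the original page; the sample bulk body and reference time are constructed, and the two-hour window is taken from the note above as an assumption (the bounds actually enforced are the write index's index.time_series.start_time and index.time_series.end_time).

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: window taken from the note above, not read from the cluster.
WINDOW = timedelta(hours=2)

def parse_timestamp(value):
    """Parse epoch milliseconds or an ISO 8601 string; naive values are read as UTC."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)

def check_bulk_timestamps(ndjson, now=None, window=WINDOW):
    """Return (document_index, reason) for each source document likely to be rejected."""
    now = now or datetime.now(timezone.utc)
    lines = [json.loads(line) for line in ndjson.splitlines() if line.strip()]
    problems = []
    # A bulk body alternates action lines and source lines; only sources carry @timestamp.
    for index, source in enumerate(lines[1::2]):
        raw = source.get("@timestamp")
        try:
            timestamp = parse_timestamp(raw)
        except (AttributeError, ValueError):
            problems.append((index, "missing or unparsable @timestamp"))
            continue
        if abs(timestamp - now) > window:
            problems.append((index, f"{raw} is more than {window} from {now.isoformat()}"))
    return problems

# Constructed sample bulk body and reference time.
SAMPLE_NOW = datetime(2099, 5, 6, 17, 0, tzinfo=timezone.utc)
SAMPLE_BULK = """
{ "create": {} }
{ "@timestamp": "2099-05-06T16:21:15.000Z", "sensor_id": "SENSOR-001", "temperature": 26.7 }
{ "create": {} }
{ "@timestamp": "2099-05-06T09:00:00.000Z", "sensor_id": "SENSOR-002", "temperature": 32.4 }
{ "create": {} }
{ "sensor_id": "SENSOR-003", "temperature": 30.1 }
"""

if __name__ == "__main__":
    for doc_index, reason in check_bulk_timestamps(SAMPLE_BULK, now=SAMPLE_NOW):
        print(f"document {doc_index}: {reason}")
```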
4. Verify setup
To make sure your time series data stream is working, try some GET requests.
View data stream details:
    GET _data_stream/metrics-prod

Check the document count in a time series data stream:

    GET metrics-prod/_count

Query the time series data:

    GET metrics-prod/_search
    {
      "size": 5,
      "sort": ["@timestamp"]
    }

You can convert an existing regular data stream to a TSDS. Follow these steps:

1. Update your existing index template and component templates (if any) to include time series settings. For Elastic Stack, configure lifecycle management.
2. Use the rollover API to manually roll over the existing data stream's write index, to apply the changes you made in step 1:

    POST metrics-weather-sensors/_rollover

After the rollover, new backing indices will have time series functionality. Existing backing indices are not affected by the rollover (because their index.mode cannot be changed).

To control access to a TSDS, use index privileges. Privileges set on a TSDS also apply to the backing indices.

For an example, refer to Data stream privileges.

Now that you've set up a time series data stream, you can manage and use it like a regular data stream. For more information, refer to:

- Use a data stream for indexing and searching
- Change data stream settings as needed
- Query time series data using the ES|QL TS command
- Use data stream APIs