Elasticsearch runtime fields
save mountains of time with runtime fields
Bring data into Elasticsearch in a fast and flexible way — and easily adapt to change — with runtime fields, Elastic’s implementation of schema on read. Only Elastic delivers both the blazing fast speed of schema on write and the extreme utility of schema on read.
Get the most elasticity out of your data
With runtime fields, you can start ingesting data right away. Here’s how it all works.
Get a jump start on your data
When you ingest new data, you might not know how it’ll be searched yet. And that’s okay. With runtime fields, you can skip defining fields in advance to save time and create fields on the fly. Plus, you can always apply any of your runtime fields to the next index as indexed fields for faster searches.
Help your data go with the flow
Just when your cluster has been quietly humming in the background, a log message changes and breaks your index mapping. With runtime fields, you don’t have to start over. You can keep the fields that still apply while dynamically creating new fields for the changes in your data.
Give fields a fresh coat of paint
With runtime fields, you can also define new ways of analyzing data that’s already been indexed. Create a new runtime field using any combination of existing fields to be used in a query or visualization. These changes can apply only to you, allowing you to explore data without impacting others’ work.
Reduce downtime and avoid outages
We’ve all made mistakes. Before runtime fields, you’d have to correct the index mapping and _reindex the data, prolonging the outage. Now you can shadow the incorrect field with a runtime field to immediately fix the error without a _reindex. This lets you be more agile and slashes QA time, which can reduce costs.
Get a look under the hood
Runtime fields allow you to be nimble so you can quickly react to changes in the data you are indexing. Feel free to follow along using Kibana Dev Tools to see how easy it is to dynamically create a runtime field. We’ve added a comment explaining details for each step.
#In this index template, we've defined two fields,
#timestamp and response_code, which will be created
#when we ingest the data. We've also defined a
#dynamic runtime field mapping. Any other fields
#will be runtime fields.
PUT _index_template/my_dynamic_index
{
"index_patterns": [
"my_dynamic_index-*"
],
"template": {
"mappings":{
"dynamic": "runtime",
"properties": {
"timestamp": {
"type": "date",
"format": "yyyy-MM-dd"
},
"response_code": {
"type": "integer"
}
}
}
}
}
Resources galore
Low on time? We got you. Check out these short videos to learn more about what you can do with runtime fields.
How to dynamically create runtime fields
In this 7-minute demo, learn how to create runtime fields using dynamic mappings.
How to fix errors without reindexing
In this 8-minute demo, learn how to fix errors in indexed data by shadowing them with runtime fields.
How to define a runtime day of week
In this 9-minute demo, learn how to create a runtime field that calculates the day of week and use it in Kibana.
How to create an ephemeral runtime field
In this 7-minute demo, learn how to create a runtime field that only exists within the context of a query.