A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z

action

The rule-specific response that occurs when an alerting rule fires. A rule can have multiple actions. See {kibana-ref}/action-types.html[Connectors and actions].

administration console

A component of {ece} that provides the API server for the Cloud UI. Also syncs cluster and allocator data from ZooKeeper to {es}.

Advanced Settings

Enables you to control the appearance and behavior of {kib} by setting the date format, default index, and other attributes. Part of {kib} Stack Management. See {kibana-ref}/advanced-options.html[Advanced Settings].

Agent policy

A collection of inputs and settings that defines the data to be collected by {agent}. An agent policy can be applied to a single agent or shared by a group of agents; this makes it easier to manage many agents at scale. See {fleet-guide}/agent-policy.html[{agent} policies].

alias

Secondary name for a group of data streams or indices. Most {es} APIs accept an alias in place of a data stream or index. See {ref}/alias.html[Aliases].

allocator

Manages hosts that contain {es} and {kib} nodes. Controls the lifecycle of these nodes by creating new containers and managing the nodes within these containers when requested. Used to scale the capacity of your {ece} installation.

analysis

Process of converting unstructured text into a format optimized for search. See {ref}/analysis.html[Text analysis].

annotation

A way to augment a data display with descriptive domain knowledge.

{anomaly-job}

{anomaly-jobs-cap} contain the configuration information and metadata necessary to perform an analytics task. See {ml-docs}/ml-jobs.html[{ml-jobs-cap}] and the {ref}/ml-put-job.html[create {anomaly-job} API].

API key

Unique identifier for authentication in {es}. When {ref}/encrypting-communications.html[transport layer security (TLS)] is enabled, all requests must be authenticated using an API key or a username and password. See the {ref}/security-api-create-api-key.html[Create API key API].

APM agent

An open-source library, written in the same language as your service, which instruments your code and collects performance data and errors at runtime.

APM Server

An open-source application that receives data from APM agents and sends it to {es}.

app

A top-level {kib} component that is accessed through the side navigation. Apps include core {kib} components such as Discover and Dashboard, solutions like {observability} and Security, and special-purpose tools like Maps and {stack-manage-app}.

auto-follow pattern

Index pattern that automatically configures new indices as follower indices for {ccr}. See {ref}/ccr-auto-follow.html[Manage auto-follow patterns].

availability zone

Contains resources available to a {ece} installation that are isolated from other availability zones to safeguard against failure. Could be a rack, a server zone or some other logical constraint that creates a failure boundary. In a highly available cluster, the nodes of a cluster are spread across two or three availability zones to ensure that the cluster can survive the failure of an entire availability zone. Also see {ece-ref}/ece-ha.html[Fault Tolerance (High Availability)].

basemap

The background detail necessary to orient the location of a map.

beats runner

Used to send {filebeat} and {metricbeat} information to the logging cluster.

bucket

1. A set of documents in {kib} that have certain characteristics in common. For example, matching documents might be bucketed by color, distance, or date range.

2. The {ml-features} also use the concept of a bucket to divide the time series into batches for processing. The bucket span is part of the configuration information for {anomaly-jobs}. It defines the time interval that is used to summarize and model the data. This is typically between 5 minutes to 1 hour and it depends on your data characteristics. When you set the bucket span, take into account the granularity at which you want to analyze, the frequency of the input data, the typical duration of the anomalies, and the frequency at which alerting is required.

bucket aggregation

An aggregation that creates buckets of documents. Each bucket is associated with a criterion (depending on the aggregation type), which determines whether or not a document in the current context falls into the bucket.

Canvas

Enables you to create presentations and infographics that pull live data directly from {es}. See {kibana-ref}/canvas.html[Canvas].

Canvas expression language

A pipeline-based expression language for manipulating and visualizing data. Includes dozens of functions and other capabilities, such as table transforms, type casting, and sub-expressions. Supports TinyMath functions for complex math calculations. See {kibana-ref}/canvas-function-reference.html[Canvas function reference].

certainty

Specifies how many documents must contain a pair of terms before it is considered a useful connection in a graph.

client forwarder

Used for secure internal communications between various components of {ece} and ZooKeeper.

Cloud UI

Provides web-based access to manage your {ece} installation, supported by the administration console.

cluster

1. A group of one or more connected {es} nodes. See {ref}/scalability.html[Clusters, nodes, and shards].

2. A layer type and display option in the Maps application. Clusters display a cluster symbol across a grid on the map, one symbol per grid cluster. The cluster location is the weighted centroid for all documents in the grid cell.

codec plugin

A {ls} plugin that changes the data representation of an event. Codecs are essentially stream filters that can operate as part of an input or output. Codecs enable you to separate the transport of messages from the serialization process. Popular codecs include json, msgpack, and plain (text).

cold phase

Third possible phase in the index lifecycle. In the cold phase, data is no longer updated and seldom queried. The data still needs to be searchable, but it’s okay if those queries are slower. See {ref}/ilm-index-lifecycle.html[Index lifecycle].

cold tier

Data tier that contains nodes that hold time series data that is accessed occasionally and not normally updated. See {ref}/data-tiers.html[Data tiers].

component template

Building block for creating index templates. A component template can specify mappings, {ref}/index-modules.html[index settings], and aliases. See {ref}/index-templates.html[index templates].

condition

Specifies the circumstances that must be met to trigger an alerting rule.

conditional

A control flow that executes certain actions based on whether a statement (also called a condition) is true or false. {ls} supports if, else if, and else statements. You can use conditional statements to apply filters and send events to a specific output based on conditions that you specify.

connector

A configuration that enables integration with an external system (the destination for an action). See {kibana-ref}/action-types.html[Connectors and actions].

Console

A tool for interacting with the {es} REST API. You can send requests to {es}, view responses, view API documentation, and get your request history. See {kibana-ref}/console-kibana.html[Console].

constructor

Directs allocators to manage containers of {es} and {kib} nodes and maximizes the utilization of allocators. Monitors plan change requests from the Cloud UI and determines how to transform the existing cluster. In a highly available installation, places cluster nodes within different availability zones to ensure that the cluster can survive the failure of an entire availability zone.

container

Includes an instance of {ece} software and its dependencies. Used to provision similar environments, to assign a guaranteed share of host resources to nodes, and to simplify operational effort in {ece}.

content tier

Data tier that contains nodes that handle the indexing and query load for content, such as a product catalog. See {ref}/data-tiers.html[Data tiers].

coordinator

Consists of a logical grouping of some {ece} services and acts as a distributed coordination system and resource scheduler.

{ccr} (CCR)

Replicates data streams and indices from remote clusters in a local cluster. See {ref}/xpack-ccr.html[{ccr-cap}].

{ccs} (CCS)

Searches data streams and indices on remote clusters from a local cluster. See {ref}/modules-cross-cluster-search.html[Search across clusters].

custom rules

A set of conditions and actions that change the behavior of {anomaly-jobs}. You can also use filters to further limit the scope of the rules. See {ml-docs}/ml-rules.html[Custom rules]. {kib} refers to custom rules as job rules.

dashboard

A collection of visualizations, saved searches, and maps that provide insights into your data from multiple perspectives.

datafeed

{anomaly-jobs-cap} can analyze either a one-off batch of data or continuously in real time. {dfeeds-cap} retrieve data from {es} for analysis.

dataset

A collection of data that has the same structure. The name of a dataset typically signifies its source. See {fleet-guide}/data-streams.html[data stream naming scheme].

{dfanalytics-job}

{dfanalytics-jobs-cap} contain the configuration information and metadata necessary to perform {ml} analytics tasks on a source index and store the outcome in a destination index. See {ml-docs}/ml-dfa-overview.html[{dfanalytics-cap} overview] and the {ref}/put-dfanalytics.html[create {dfanalytics-job} API].

data source

A file, database, or service that provides the underlying data for a map, Canvas element, or visualization.

data stream

A named resource used to manage time series data. A data stream stores data across multiple backing indices. See {ref}/data-streams.html[Data streams].

data tier

Collection of nodes with the same {ref}/modules-node.html[data role] that typically share the same hardware profile. Data tiers include the content tier, hot tier, warm tier, cold tier, and frozen tier. See {ref}/data-tiers.html[Data tiers].

data view

An object that enables you to select the data that you want to use in {kib} and define the properties of the fields. A data view can point to one or more data streams, indices, or aliases. For example, a data view can point to your log data from yesterday, or all indices that contain your data.

delete phase

Last possible phase in the index lifecycle. In the delete phase, an index is no longer needed and can safely be deleted. See {ref}/ilm-index-lifecycle.html[Index lifecycle].

detector

As part of the configuration information that is associated with {anomaly-jobs}, detectors define the type of analysis that needs to be done. They also specify which fields to analyze. You can have more than one detector in a job, which is more efficient than running multiple jobs against the same data.

director

Manages the ZooKeeper datastore. This role is often shared with the coordinator, though in production deployments it can be separated.

Discover

Enables you to search and filter your data to zoom in on the information that you are interested in.

distributed tracing

The end-to-end collection of performance data throughout your microservices architecture.

drilldown

A navigation path that retains context (time range and filters) from the source to the destination, so you can view the data from a new perspective. A dashboard that shows the overall status of multiple data centers might have a drilldown to a dashboard for a single data center. See {kibana-ref}/dashboard.html[Drilldowns].

document

JSON object containing data stored in {es}. See {ref}/documents-indices.html[Documents and indices].

edge

A connection between nodes in a graph that shows that they are related. The line weight indicates the strength of the relationship. See {kibana-ref}/xpack-graph.html[Graph].

{agent}

A single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. See {fleet-guide}/fleet-overview.html[{agent} overview].

Elastic Common Schema (ECS)

A document schema for Elasticsearch, for use cases such as logging and metrics. ECS defines a common set of fields, their datatype, and gives guidance on their correct usage. ECS is used to improve uniformity of event data coming from different sources.

Elastic Maps Service (EMS)

A service that provides basemap tiles, shape files, and other key features that are essential for visualizing geospatial data.

Elastic Package Registry (EPR)

A service hosted by Elastic that stores Elastic package definitions in a central location. See the EPR GitHub repository.

element

A Canvas workpad object that displays an image, text, or visualization.

event

A single unit of information, containing a timestamp plus additional data. An event arrives via an input, and is subsequently parsed, timestamped, and passed through the {ls} pipeline.

Event Query Language (EQL)

Query language for event-based time series data, such as logs, metrics, and traces. EQL supports matching for event sequences. See {ref}/eql.html[EQL].

Feature Controls

Enables administrators to customize which features are available in each space. See {kibana-ref}//xpack-spaces.html#spaces-control-feature-visibility[Feature Controls].

feature influence

In {oldetection}, feature influence scores indicate which features of a data point contribute to its outlier behavior. See {ml-docs}/ml-dfa-finding-outliers.html#dfa-feature-influence[Feature influence].

feature importance

In supervised {ml} methods such as {regression} and {classification}, feature importance indicates the degree to which a specific feature affects a prediction. See {ml-docs}/ml-dfa-regression.html#dfa-regression-feature-importance[{regression-cap} feature importance] and {ml-docs}/ml-dfa-classification.html#dfa-classification-feature-importance[{classification-cap} feature importance].

feature state

The indices and data streams used to store configurations, history, and other data for an Elastic feature, such as {es} security or {kib}. A feature state typically includes one or more system indices or data streams. It may also include regular indices and data streams used by the feature. You can use snapshots to back up and restore feature states. See {ref}/snapshot-restore.html#feature-state[feature states].

field

1. Key-value pair in a document. See {ref}/mapping.html[Mapping].

2. In {ls}, this term refers to an event property. For example, each event in an apache access log has properties, such as a status code (200, 404), request path ("/", "index.html"), HTTP verb (GET, POST), client IP address, and so on. {ls} uses the term "fields" to refer to these properties.

field reference

A reference to an event field. This reference may appear in an output block or filter block in the {ls} config file. Field references are typically wrapped in square ([]) brackets, for example [fieldname]. If you are referring to a top-level field, you can omit the [] and simply use the field name. To refer to a nested field, you specify the full path to that field: [top-level field][nested field].

filter

Query that does not score matching documents. See {ref}/query-filter-context.html[filter context].

filter plugin

A {ls} plugin that performs intermediary processing on an event. Typically, filters act upon event data after it has been ingested via inputs, by mutating, enriching, and/or modifying the data according to configuration rules. Filters are often applied conditionally depending on the characteristics of the event. Popular filter plugins include grok, mutate, drop, clone, and geoip. Filter stages are optional.

Fleet

Fleet provides a way to centrally manage {agent}s at scale. There are two parts: The Fleet app in {kib} provides a web-based UI to add and remotely manage agents, while the {fleet-server} provides the backend service that manages agents. See {fleet-guide}/fleet-overview.html[{agent} overview].

{fleet-server}

{fleet-server} is a component used to centrally manage {agent}s. It serves as a control plane for updating agent policies, collecting status information, and coordinating actions across agents.

flush

Writes data from the {ref}/index-modules-translog.html[transaction log] to disk for permanent storage. See the {ref}/indices-flush.html[flush API].

follower index

Target index for {ccr}. A follower index exists in a local cluster and replicates a leader index. See {ref}/xpack-ccr.html[{ccr-cap}].

force merge

Manually triggers a merge to reduce the number of segments in an index’s shards. See the {ref}/indices-forcemerge.html[force merge API].

frozen phase

Fourth possible phase in the index lifecycle. In the frozen phase, an index is no longer updated and queried rarely. The information still needs to be searchable, but it’s okay if those queries are extremely slow. See {ref}/ilm-index-lifecycle.html[Index lifecycle].

frozen tier

Data tier that contains nodes that hold time series data that is accessed rarely and not normally updated. See {ref}/data-tiers.html[Data tiers].

gem

A self-contained package of code that’s hosted on RubyGems.org. {ls} plugins are packaged as Ruby Gems. You can use the {ls} plugin manager to manage {ls} gems.

GeoJSON

A format for representing geospatial data. GeoJSON is also a file-type, commonly used in the Maps application to upload a file of geospatial data. See {kibana-ref}/indexing-geojson-data-tutorial.html[GeoJSON data].

geo-point

A field type in {es}. A geo-point field accepts latitude-longitude pairs for storing point locations. The latitude-longitude format can be from a string, geohash, array, well-known text, or object. See {ref}/geo-point.html[geo-point].

geo-shape

A field type in {es}. A geo-shape field accepts arbitrary geographic primitives, like polygons, lines, or rectangles (and more). You can populate a geo-shape field from GeoJSON or well-known text. See {ref}/geo-shape.html[geo-shape].

graph

A data structure and visualization that shows interconnections between a set of entities. Each entity is represented by a node. Connections between nodes are represented by edges. See {kibana-ref}/xpack-graph.html[Graph].

Grok Debugger

A tool for building and debugging grok patterns. Grok is good for parsing syslog, Apache, and other webserver logs. See {kibana-ref}/xpack-grokdebugger.html[Debugging grok expressions].

heat map

A layer type in the Maps application. Heat maps cluster locations to show higher (or lower) densities. Heat maps describe a visualization with color-coded cells or regions to analyze patterns across multiple dimensions. See {kibana-ref}/heatmap-layer.html[Heat map layer].

hidden data stream or index

Data stream or index excluded from most index patterns by default. See {ref}/api-conventions.html#multi-hidden[Hidden data streams and indices].

hot phase

First possible phase in the index lifecycle. In the hot phase, an index is actively updated and queried. See {ref}/ilm-index-lifecycle.html[Index lifecycle].

hot thread

A Java thread that has high CPU usage and executes for a longer than normal period of time.

hot tier

Data tier that contains nodes that handle the indexing load for time series data, such as logs or metrics. This tier holds your most recent, most frequently accessed data. See {ref}/data-tiers.html[Data tiers].

ID

Identifier for a document. Document IDs must be unique within an index. See the {ref}/mapping-id-field.html[_id field].

index

1. Collection of JSON documents. See {ref}/documents-indices.html[Documents and indices].

2. To add one or more JSON documents to {es}. This process is called indexing.

index lifecycle

Five phases an index can transition through: hot, warm, cold, frozen, and delete. See {ref}/ilm-policy-definition.html[Index lifecycle].

index lifecycle policy

Specifies how an index moves between phases in the index lifecycle and what actions to perform during each phase. See {ref}/ilm-policy-definition.html[Index lifecycle].

index pattern

In {es}, a string containing a wildcard (*) pattern that can match multiple data streams, indices, or aliases. See {ref}/multi-index.html[Multi-target syntax].

index template

Automatically configures the mappings, {ref}/index-modules.html[index settings], and aliases of new indices that match its index pattern. You can also use index templates to create data streams. See {ref}/index-templates.html[Index templates].

indexer

A {ls} instance that is tasked with interfacing with an {es} cluster in order to index event data.

inference

A {ml} feature that enables you to use supervised learning processes – like {classification}, {regression}, or {nlp} – in a continuous fashion by using trained models against incoming data.

inference aggregation

A pipeline aggregation that references a trained model in an aggregation to infer on the results field of the parent bucket aggregation. It enables you to use supervised {ml} at search time.

inference processor

A processor specified in an ingest pipeline that uses a trained model to infer against the data that is being ingested in the pipeline.

influencer

Influencers are entities that might have contributed to an anomaly in a specific bucket in an {anomaly-job}. For more information, see {ml-docs}/ml-influencers.html[Influencers].

ingestion

The process of collecting and sending data from various data sources to {es}.

input plugin

A {ls} plugin that reads event data from a specific source. Input plugins are the first stage in the {ls} event processing pipeline. Popular input plugins include file, syslog, redis, and beats.

instrumentation

Extending application code to track where your application is spending time. Code is considered instrumented when it collects and reports this performance data to APM.

integration

An easy way for external systems to connect to the {stack}. Whether it’s collecting data or protecting systems from security threats, integrations provide out-of-the-box assets to make setup easy—​many with just a single click.

integration policy

An instance of an integration that is configured for a specific use case, such as collecting logs from a specific file.

job

{ml-cap} jobs contain the configuration information and metadata necessary to perform an analytics task. There are two types: {anomaly-jobs} and {dfanalytics-jobs}. See also {rollup-job}.

{kib} privileges

Enable administrators to grant users read-only, read-write, or no access to individual features within spaces in {kib}. See {kibana-ref}/kibana-privileges.html[{kib} privileges].

{kib} Query Language (KQL)

The default language for querying in {kib}. KQL provides support for scripted fields. See {kibana-ref}/kuery-query.html[Kibana Query Language].

labs

An in-progress or experimental feature in Canvas or Dashboard that you can try out and provide feedback. When enabled, you’ll see Labs in the toolbar.

leader index

Source index for {ccr}. A leader index exists on a remote cluster and is replicated to follower indices. See {ref}/xpack-ccr.html[{ccr-cap}].

Lens

Enables you to build visualizations by dragging and dropping data fields. Lens makes makes smart visualization suggestions for your data, allowing you to switch between visualization types. See {kibana-ref}/dashboard.html[Lens].

local cluster

Cluster that pulls data from a remote cluster in {ccs} or {ccr}. See {ref}/modules-remote-clusters.html[Remote clusters].

Lucene query syntax

The query syntax for {kib}’s legacy query language. The Lucene query syntax is available under the options menu in the query bar and from Advanced Settings.

machine learning node

A {ml} node is a node that has xpack.ml.enabled set to true and ml in node.roles. If you want to use {ml-features}, there must be at least one {ml} node in your cluster. See {ref}/modules-node.html#ml-node[Machine learning nodes].

map

A representation of geographic data using symbols and labels. See {kibana-ref}/maps.html[Maps].

mapping

Defines how a document, its fields, and its metadata are stored in {es}. Similar to a schema definition. See {ref}/mapping.html[Mapping].

master node

Handles write requests for the cluster and publishes changes to other nodes in an ordered fashion. Each cluster has a single master node which is chosen automatically by the cluster and is replaced if the current master node fails. Also see node.

merge

Process of combining a shard's smaller Lucene segments into a larger one. {es} manages merges automatically.

message broker

Also referred to as a message buffer or message queue, a message broker is external software (such as Redis, Kafka, or RabbitMQ) that stores messages from the {ls} shipper instance as an intermediate store, waiting to be processed by the {ls} indexer instance.

metric aggregation

An aggregation that calculates and tracks metrics for a set of documents.

@metadata

A special field for storing content that you don’t want to include in output events. For example, the @metadata field is useful for creating transient fields for use in conditional statements.

module

Out-of-the-box configurations for common data sources to simplify the collection, parsing, and visualization of logs and metrics.

monitor

A network endpoint which is monitored to track the performance and availability of applications and services.

multifactor authentication (MFA)

A security process that requires you to provide two or more verification methods to gain access to web-based user interfaces.

multi-field

A field that’s mapped in multiple ways. See the {ref}/multi-fields.html[fields mapping parameter].

namespace

A user-configurable arbitrary data grouping, such as an environment (dev, prod, or qa), a team, or a strategic business unit.

natural language processing (NLP)

A {ml} feature that enables you to perform operations such as language identification, named entity recognition (NER), text classification, or text embedding. See {ml-docs}/ml-nlp-overview.html[NLP overview].

node

A single {es} server. One or more nodes can form a cluster. See {ref}/scalability.html[Clusters, nodes, and shards].

Observability

Unifying your logs, metrics, uptime data, and application traces to provide granular insights and context into the behavior of services running in your environments.

output plugin

A {ls} plugin that writes event data to a specific destination. Outputs are the final stage in the event pipeline. Popular output plugins include elasticsearch, file, graphite, and statsd.

Painless Lab

An interactive code editor that lets you test and debug Painless scripts in real-time. See {kibana-ref}/painlesslab.html[Painless Lab].

panel

A dashboard component that contains a query element or visualization, such as a chart, table, or list.

pipeline

A term used to describe the flow of events through the {ls} workflow. A pipeline typically consists of a series of input, filter, and output stages. Input stages get data from a source and generate events, filter stages, which are optional, modify the event data, and output stages write the data to a destination. Inputs and outputs support codecs that enable you to encode or decode the data as it enters or exits the pipeline without having to use a separate filter.

plan

Specifies the configuration and topology of an {es} or {kib} cluster, such as capacity, availability, and {es} version, for example. When changing a plan, the constructor determines how to transform the existing cluster into the pending plan.

plugin

A self-contained software package that implements one of the stages in the {ls} event processing pipeline. The list of available plugins includes input plugins, output plugins, codec plugins, and filter plugins. The plugins are implemented as Ruby gems and hosted on RubyGems.org. You define the stages of an event processing pipeline by configuring plugins.

plugin manager

Accessed via the bin/logstash-plugin script, the plugin manager enables you to manage the lifecycle of plugins in your {ls} deployment. You can install, remove, and upgrade plugins by using the plugin manager Command Line Interface (CLI).

primary shard

Lucene instance containing some or all data for an index. When you index a document, {es} adds the document to primary shards before replica shards. See {ref}/scalability.html[Clusters, nodes, and shards].

proxy

A highly available, TLS-enabled proxy layer that routes user requests, mapping cluster IDs that are passed in request URLs for the container to the cluster nodes handling the user requests.

query

Request for information about your data. You can think of a query as a question, written in a way {es} understands. See {ref}/search-your-data.html[Search your data].

Query Profiler

A tool that enables you to inspect and analyze search queries to diagnose and debug poorly performing queries. See {kibana-ref}/xpack-profiler.html[Query Profiler].

Real user monitoring (RUM)

Performance monitoring, metrics, and error tracking of web applications.

recovery

Process of syncing a replica shard from a primary shard. Upon completion, the replica shard is available for searches. See the {ref}/indices-recovery.html[index recovery API].

reindex

Copies documents from a source to a destination. The source and destination can be a data stream, index, or alias. See the {ref}/docs-reindex.html[Reindex API].

remote cluster

A separate cluster, often in a different data center or locale, that contains indices that can be replicated or searched by the local cluster. The connection to a remote cluster is unidirectional. See {ref}/modules-remote-clusters.html[Remote clusters].

replica shard

Copy of a primary shard. Replica shards can improve search performance and resiliency by distributing data across multiple nodes. See {ref}/scalability.html[Clusters, nodes, and shards].

roles token

Enables a host to join an existing {ece} installation and grants permission to hosts to hold certain roles, such as the allocator role. Used when installing {ece} on additional hosts, a roles token helps secure {ece} by making sure that only authorized hosts become part of the installation.

rollover

Creates a new write index when the current one reaches a certain size, number of docs, or age. A rollover can target a data stream or an alias with a write index.

rollup

Summarizes high-granularity data into a more compressed format to maintain access to historical data in a cost-effective way. See {ref}/xpack-rollup.html[Roll up your data].

rollup index

Special type of index for storing historical data at reduced granularity. Documents are summarized and indexed into a rollup index by a rollup job. See {ref}/xpack-rollup.html[Rolling up historical data].

{rollup-job}

Background task that runs continuously to summarize documents in an index and index the summaries into a separate rollup index. The job configuration controls what data is rolled up and how often. See {ref}/xpack-rollup.html[Rolling up historical data].

routing

Process of sending and retrieving data from a specific primary shard. {es} uses a hashed routing value to choose this shard. You can provide a routing value in indexing and search requests to take advantage of caching. See the {ref}/mapping-routing-field.html[_routing field].

rule

A set of conditions, schedules, and actions that enable notifications. See {rules-ui}.

Rules and Connectors

A comprehensive view of all your alerting rules. Enables you to access and manage rules for all {kib} apps from one place. See {kibana-ref}/alerting-getting-started.html[{rules-ui}].

runner

A local control agent that runs on all hosts, used to deploy local containers based on role definitions. Ensures that containers assigned to it exist and are able to run, and creates or recreates the containers if necessary.

runtime field

Field that is evaluated at query time. You access runtime fields from the search API like any other field, and {es} sees runtime fields no differently. See {ref}/runtime.html[Runtime fields].

saved object

A representation of a dashboard, visualization, map, data view, or Canvas workpad that can be stored and reloaded.

saved search

The query text, filters, and time filter that make up a search, saved for later retrieval and reuse.

scripted field

A field that computes data on the fly from the data in {es} indices. Scripted field data is shown in Discover and used in visualizations.

search session

A group of one or more queries that are executed asynchronously. The results of the session are stored for a period of time, so you can recall the query. Search sessions are user specific.

search template

A stored search you can run with different variables. See {ref}/search-template.html[Search templates].

searchable snapshot

Snapshot of an index mounted as a searchable snapshot index. You can search this index like a regular index. See {ref}/searchable-snapshots.html[searchable snapshots].

searchable snapshot index

Index whose data is stored in a snapshot. Searchable snapshot indices do not need replica shards for resilience, since their data is reliably stored outside the cluster. See {ref}/searchable-snapshots.html[searchable snapshots].

segment

Data file in a shard's Lucene instance. {es} manages Lucene segments automatically.

services forwarder

Routes data internally in an {ece} installation.

shard

Lucene instance containing some or all data for an index. {es} automatically creates and manages these Lucene instances. There are two types of shards: primary and replica. See {ref}/scalability.html[Clusters, nodes, and shards].

shareable

A Canvas workpad that can be embedded on any webpage. Shareables enable you to display Canvas visualizations on internal wiki pages or public websites.

shipper

An instance of {ls} that send events to another instance of {ls}, or some other application.

shrink

Reduces the number of primary shards in an index. See the {ref}/indices-shrink-index.html[shrink index API].

snapshot

Backup taken of a running cluster. You can take snapshots of the entire cluster or only specific data streams and indices. See {ref}/snapshot-restore.html[Snapshot and restore].

snapshot lifecycle policy

Specifies how frequently to perform automatic backups of a cluster and how long to retain the resulting snapshots. See {ref}/snapshots-take-snapshot.html#automate-snapshots-slm[Automate snapshots with {slm-init}].

snapshot repository

Location where snapshots are stored. A snapshot repository can be a shared filesystem or a remote repository, such as Azure or Google Cloud Storage. See {ref}/snapshot-restore.html[Snapshot and restore].

source field

Original JSON object provided during indexing. See the {ref}/mapping-source-field.html[_source field].

space

A place for organizing dashboards, visualizations, and other saved objects by category. For example, you might have different spaces for each team, use case, or individual. See {kibana-ref}/xpack-spaces.html[Spaces].

span

Information about the execution of a specific code path. {apm-guide-ref}/data-model-spans.html[Spans] measure from the start to the end of an activity and can have a parent/child relationship with other spans.

split

Adds more primary shards to an index. See the {ref}/indices-split-index.html[split index API].

stack alerts

The general purpose alert types {kib} provides out of the box. Index threshold and geo alerts are currently the two stack alert types.

standalone

This mode allows manual configuration and management of {agent}s locally on the systems where they are installed. See {fleet-guide}/install-standalone-elastic-agent.html[Install standalone {agent}s].

stunnel

Securely tunnels all traffic in an {ece} installation.

system index

Index containing configurations and other data used internally by the {stack}. System index names start with a dot (.), such as .security. Do not directly access or change system indices.

tag

A keyword or label that you assign to {kib} saved objects, such as dashboards and visualizations, so you can classify them in a way that is meaningful to you. Tags makes it easier for you to manage your content. See {kibana-ref}/managing-tags.html[Tags].

term

See token.

term join

A shared key that combines vector features with the results of an {es} terms aggregation. Term joins augment vector features with properties for data-driven styling and rich tooltip content in maps.

text

Unstructured content, such as a product description or log message. You typically analyze text for better search. See {ref}/analysis.html[Text analysis].

time filter

A {kib} control that constrains the search results to a particular time period.

Timelion

A tool for building a time series visualization that analyzes data in time order. See {kibana-ref}/dashboard.html[Timelion].

time series data

A series of data points, such as logs, metrics and events, that is indexed in time order. Time series data can be indexed in a data stream, where it can be accessed as a single named resource with the data stored across multiple backing indices. A time series data stream is optimized for indexing metrics data.

time series data stream

A type of data stream optimized for indexing metrics time series data. A TSDS allows for reduced storage size and for a sequence of metrics data points to be considered efficiently as a whole. See {ref}/tsds.html[Time series data stream].

token

A chunk of unstructured text that’s been optimized for search. In most cases, tokens are individual words. Tokens are also called terms. See {ref}/analysis.html[Text analysis].

tokenization

Process of breaking unstructured text down into smaller, searchable chunks called tokens. See {ref}/analysis-overview.html#tokenization[Tokenization].

trace

Defines the amount of time an application spends on a request. Traces are made up of a collection of transactions and spans that have a common root.

tracks

A layer type in the Maps application. This layer converts a series of point locations into a line, often representing a path or route.

trained model

A {ml} model that is trained and tested against a labeled data set and can be referenced in an ingest pipeline or in a pipeline aggregation to perform {classification} or {reganalysis} or {nlp} on new data.

transaction

A special kind of span that has additional attributes associated with it. {apm-guide-ref}/data-model-transactions.html[Transactions] describe an event captured by an Elastic APM agent instrumenting a service.

TSVB

A time series data visualizer that allows you to combine an infinite number of aggregations to display complex data. See {kibana-ref}/dashboard.html[TSVB].

Upgrade Assistant

A tool that helps you prepare for an upgrade to the next major version of {es}. The assistant identifies the deprecated settings in your cluster and indices and guides you through resolving issues, including reindexing. See {kibana-ref-all}/{prev-major-last}/upgrade-assistant.html[Upgrade Assistant].

Uptime

A metric of system reliability used to monitor the status of network endpoints via HTTP/S, TCP, and ICMP.

vector data

Points, lines, and polygons used to represent a map.

Vega

A declarative language used to create interactive visualizations. See {kibana-ref}/dashboard.html[Vega].

visualization

A graphical representation of query results in {kib} (e.g., a histogram, line graph, pie chart, or heat map).

warm phase

Second possible phase in the index lifecycle. In the warm phase, an index is generally optimized for search and no longer updated. See {ref}/ilm-policy-definition.html[Index lifecycle].

warm tier

Data tier that contains nodes that hold time series data that is accessed less frequently and rarely needs to be updated. See {ref}/data-tiers.html[Data tiers].

Watcher

The original suite of alerting features. See {kibana-ref}/watcher-ui.html[Watcher].

Web Map Service (WMS)

A layer type in the Maps application. Add a WMS source to provide authoritative geographic context to your map. See the OpenGIS Web Map Service.

worker

The filter thread model used by {ls}, where each worker receives an event and applies all filters, in order, before emitting the event to the output queue. This allows scalability across CPUs because many filters are CPU intensive.

workpad

A workspace where you build presentations of your live data in Canvas. See {kibana-ref}/canvas.html[Create a workpad].

ZooKeeper

A coordination service for distributed systems used by {ece} to store the state of the installation. Responsible for discovery of hosts, resource allocation, leader election after failure and high priority notifications.