[Observability Docs][Streams] Add access to Streams in Stack (#2156)

Author: mdbirnstiehl

solutions/images/logs-streams-retention.png

@@ -1,10 +1,10 @@
 ---
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 # Configure advanced settings [streams-advanced-settings]
 
-The **Advanced** tab on the **Manage stream** page shows the lower-level details of your stream. While Streams simplifies many configurations, it doesn't currently support modifying all pipelines and templates. From the **Advanced** tab, you can manually interact with the index or component templates, or modify any of the other ingest pipelines that are being used.
-This UI is intended for more advanced users.
+The **Advanced** tab on the **Manage stream** page shows the underlying configuration details of your stream. While Streams simplifies many configurations, it doesn't support modifying all pipelines and templates. From the **Advanced** tab, you can manually interact with the index or component templates or modify other ingest pipelines that used by the stream.
 
-![Screenshot of the Advanced tab](<../../../../images/logs-streams-advanced.png>)
+This UI is intended for advanced users.

solutions/observability/logs/streams/management/advanced.md

@@ -1,17 +1,18 @@
 ---
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 # Extract fields [streams-extract-fields]
 
-Unstructured log messages need to be parsed into meaningful fields so you can filter and analyze them quickly. Common fields to extract include timestamp and the log level, but you can also extract information like IP addresses, usernames, or ports.
+Unstructured log messages must be parsed into meaningful fields before you can filter and analyze them effectively. Commonly extracted fields include `@timestamp` and the `log.level`, but you can also extract information like IP addresses, usernames, and ports.
 
-Use the **Extract field** tab on the **Manage stream** page to process your data. The UI simulates your changes and provides an immediate preview that's tested end-to-end.
+Use the **Processing** tab on the **Manage stream** page to process your data. The UI simulates your changes and provides an immediate preview that's tested end-to-end.
 
 The UI also shows indexing problems, such as mapping conflicts, so you can address them before applying changes.
 
 :::{note}
-Applied changes aren't retroactive and only affect *future data ingested*.
+Applied changes aren't retroactive and only affect *future ingested data*.
 :::
 
 ## Add a processor [streams-add-processors]
@@ -33,7 +34,7 @@ To add a processor:
 1. Select **Add Processor** to save the processor.
 
 :::{note}
-Editing processors with JSON is planned for a future release. More processors may be added over time.
+Editing processors with JSON is planned for a future release, and additional processors may be supported over time.
 :::
 
 ### Add conditions to processors [streams-add-processor-conditions]
@@ -59,12 +60,12 @@ Under **Processors for field extraction**, when you set pipeline processors to m
 When you add or edit processors, the **Data preview** updates automatically.
 
 :::{note}
-To avoid unexpected results, focus on adding processors rather than removing or reordering existing processors.
+To avoid unexpected results, we recommend adding processors rather than removing or reordering existing processors.
 :::
 
 **Data preview** loads 100 documents from your existing data and runs your changes using them.
 For any newly added processors, this simulation is reliable. You can save individual processors during the preview, and even reorder them.
-Selecting 'Save changes' applies your changes to the data stream.
+Selecting **Save changes** applies your changes to the data stream.
 
 If you edit the stream again, note the following:
 - Adding more processors to the end of the list will work as expected.
@@ -85,29 +86,31 @@ Turn on **Ignore missing fields** to ignore the processor if the field is not pr
 
 Documents fail processing for different reasons. Streams helps you to easily find and handle failures before deploying changes.
 
-The following example shows not all messages matched the provided Grok pattern:
+In the following screenshot, the **Failed** percentage shows that not all messages matched the provided Grok pattern:
 
 ![Screenshot showing some failed documents](<../../../../images/logs-streams-parsed.png>)
 
-You can filter your documents by selecting **Parsed** or **Failed** at the top of the table. Select **Failed** to see the documents that failed:
+You can filter your documents by selecting **Parsed** or **Failed** at the top of the table. Select **Failed** to see the documents that weren't parsed correctly:
 
 ![Screenshot showing the documents UI with Failed selected](<../../../../images/logs-streams-failures.png>)
 
 Failures are displayed at the bottom of the process editor:
 
 ![Screenshot showing failure notifications](<../../../../images/logs-streams-processor-failures.png>)
 
-These failures may be something you should address, but in some cases they also act as more of a warning.
+These failures may require action, but in some cases, they serve more as warnings.
 
-### Mapping Conflicts
+### Mapping conflicts
 
-As part of processing, Streams also checks for mapping conflicts by simulating the change end to end. If a mapping conflict is detected, Streams marks the processor as failed and displays a failure message:
+As part of processing, Streams also checks for mapping conflicts by simulating the change end to end. If a mapping conflict is detected, Streams marks the processor as failed and displays a failure message like the following:
 
 ![Screenshot showing mapping conflict notifications](<../../../../images/logs-streams-mapping-conflicts.png>)
 
+You can then use the information in the failure message to find and troubleshoot mapping issues going forward.
+
 ## Processor statistics and detected fields [streams-stats-and-detected-fields]
 
-Once saved, the processor also gives you a quick look at how successful the processing was for this step and which fields were added.
+Once saved, the processor provides a quick look at the processor's success rate and the fields that it added.
 
 ![Screenshot showing field stats](<../../../../images/logs-streams-field-stats.png>)
 
@@ -143,12 +146,12 @@ Streams then creates and manages the `<data_stream_name>@stream.processing` pipe
 ### User interaction with pipelines
 
 Do not manually modify the `<data_stream_name>@stream.processing` pipeline created by Streams.
-You can still add your own processors manually to the `@custom` pipeline if needed. Adding processors before the pipeline processor crated by Streams may cause unexpected behavior.
+You can still add your own processors manually to the `@custom` pipeline if needed. Adding processors before the pipeline processor created by Streams may cause unexpected behavior.
 
 ## Known limitations [streams-known-limitations]
 
 - Streams does not support all processors. We are working on adding more processors in the future.
 - Streams does not support all processor options. We are working on adding more options in the future.
 - The data preview simulation may not accurately reflect the changes to the existing data when editing existing processors or re-ordering them.
-- Dots in field names are not supported. You can use the dot expand processor in the `@custom` pipeline as a workaround. You need to manually add the dot processor.
-- Providing any arbitrary JSON in the Streams UI is not supported. We are working on adding this in the future.
+- Dots in field names are not supported. You can use the dot expand processor in the `@custom` pipeline as a workaround. You need to manually add the dot expand processor.
+- Providing any arbitrary JSON in the Streams UI is not supported. We are working on adding this in the future.

solutions/observability/logs/streams/management/extract.md

@@ -1,13 +1,14 @@
 ---
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 
 # Date processor [streams-date-processor]
 
 The date processor parses date strings and uses them as the timestamp of the document.
 
-This functionality uses the {{es}} date pipeline processor. Refer to [date processor](elasticsearch://reference/enrich-processor/date-processor.md) in the {{es}} docs for more information.
+This functionality uses the {{es}} date pipeline processor. Refer to the [date processor](elasticsearch://reference/enrich-processor/date-processor.md) {{es}} documentation for more information.
 
 ## Examples
 
@@ -34,7 +35,7 @@ Sunday, October 15, 2023 => EEEE, MMMM dd, yyyy
 ```
 
 
-## Optional Fields [streams-date-optional-fields]
+## Optional fields [streams-date-optional-fields]
 The following fields are optional for the date processor:
 
 | Field | Description|

solutions/observability/logs/streams/management/extract/date.md

@@ -1,13 +1,14 @@
 ---
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 # Dissect processor [streams-dissect-processor]
 
 The dissect processor parses structured log messages and extracts fields from them. Unlike Grok, it does not use a set of predefined patterns to match the log messages. Instead, it uses a set of delimiters to split the log message into fields.
-Dissect is much faster than Grok and can parse slightly more structured log messages.
+Dissect is much faster than Grok and is ideal for log messages that follow a consistent, structured format.
 
-This functionality uses the {{es}} dissect pipeline processor. Refer to [dissect processor](elasticsearch://reference/enrich-processor/dissect-processor.md) in the {{es}} docs for more information.
+This functionality uses the {{es}} dissect pipeline processor. Refer to the [dissect processor](elasticsearch://reference/enrich-processor/dissect-processor.md) {{es}} documentation for more information.
 
 To parse a log message, simply name the field and list the delimiters you want to use. The dissect processor will then split the log message into fields based on the delimiters provided.
 

solutions/observability/logs/streams/management/extract/dissect.md

@@ -1,6 +1,7 @@
 ---
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 # Grok processor [streams-grok-processor]
 
@@ -11,10 +12,10 @@ If a pattern does not match, the Grok processor will try the next pattern. If no
 
 Start with the most common patterns first and then add more specific patterns later. This reduces the number of runs the Grok processor has to do and improves the performance of the pipeline.
 
-This functionality uses the {{es}} Grok pipeline processor. Refer to [Grok processor](elasticsearch://reference/enrich-processor/grok-processor.md) in the {{es}} docs for more information.
+This functionality uses the {{es}} Grok pipeline processor. Refer to the [Grok processor](elasticsearch://reference/enrich-processor/grok-processor.md) {{es}} documentation for more information.
 
 The Grok processor uses a set of predefined patterns to match the log messages and extract the fields.
-You can also define your own pattern definitions by expanding the `Optional fields` section. This will allow you to define your own patterns and use them in the Grok processor.
+You can also define your own pattern definitions by expanding the `Optional fields` section. You can then define your own patterns and use them in the Grok processor.
 The patterns are defined in the following format:
 
 ```
@@ -23,23 +24,23 @@ The patterns are defined in the following format:
 }
 ```
 Where `MY_DATE` is the name of the pattern.
-The above pattern can then be used in the processor
+The previous pattern can then be used in the processor.
 ```
 %{MY_DATE:date}
 ```
 
-## Generate Patterns [streams-grok-patterns]
+## Generate patterns [streams-grok-patterns]
 Requires an LLM Connector to be configured.
 Instead of writing the Grok patterns by hand, you can use the **Generate Patterns** button to generate the patterns for you.
 
 % TODO Elastic LLM?
 
 ![generated patterns](<../../../../../images/logs-streams-patterns.png>)
 
-Patterns can be accepted by clicking the plus icon next to the pattern. This will add the pattern to the list of patterns to be used in the Grok processor.
+Click the plus icon next to the pattern to accept it and add it to the list of patterns used by the Grok processor.
 
 ### How does the pattern generation work? [streams-grok-pattern-generation]
-Under the hood, the 100 samples on the right hand side are grouped into categories of similar messages. For each category, a Grok pattern is generated by sending a few samples to the LLM. Matching patterns are then shown in the UI.
+Under the hood, the 100 samples on the right side are grouped into categories of similar messages. For each category, a Grok pattern is generated by sending a few samples to the LLM. Matching patterns are then shown in the UI.
 
 :::{note}
 This can incur additional costs, depending on the LLM connector you are using. Typically a single iteration uses between 1000 and 5000 tokens, depending on the number of identified categories and the length of the messages.

solutions/observability/logs/streams/management/extract/grok.md

@@ -2,12 +2,13 @@
 navigation_title: KV processor
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 # Key value processor [streams-kv-processor]
 
 The key value (KV) processor allows you to extract key-value pairs from a field and assign them to a target field or the root of the document.
 
-This functionality uses the {{es}} kv pipeline processor. Refer to [KV processor](elasticsearch://reference/enrich-processor/kv-processor.md) in the {{es}} docs for more information.
+This functionality uses the {{es}} KV pipeline processor. Refer to the [KV processor](elasticsearch://reference/enrich-processor/kv-processor.md) {{es}} documentation for more information.
 
 ## Required fields [streams-kv-required-fields]
 
@@ -17,7 +18,7 @@ The KV processor requires the following fields:
 | ------- | --------------- |
 | Field | The field to be parsed.|
 | Field split | Regex pattern used to delimit the key-value pairs. Typically a space character (" "). |
-| Value split | Regex pattern used to delimit the key from the value. Typically an equals sign (=). |
+| Value split | Regex pattern used to delimit the key from the value. Typically an equals sign (`=`). |
 
 ## Optional fields [streams-kv-optional-fields]
 
@@ -31,4 +32,4 @@ The following fields are optional for the KV processor:
 | Prefix | A prefix to add to extracted keys. |
 | Trim key | A string of characters to trim from extracted keys. |
 | Trim value | A string of characters to trim from extracted values. |
-| Strip brackets | Removes brackets ( (), <>, []) and quotes (', ") from extracted values.|
+| Strip brackets | Removes brackets (`(), <>, []`) and quotes (`', "`) from extracted values.|

solutions/observability/logs/streams/management/extract/key-value.md

@@ -1,6 +1,7 @@
 ---
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 
 # Manage data retention [streams-data-retention]
@@ -13,11 +14,30 @@ The **Data retention** page is made up of the following components that can help
 
 - **Retention period**: The minimum number of days after which the data is deleted
 - **Source**: The origin of the data retention policy.
-- **Ingestion**: Estimated ingestion per day and month calculated based on the size of all data in the stream and divided by the age of the stream. This is an estimate, and the actual ingestion may vary.
+- **Last updated**: When data retention was last updated for the selected stream.
+- **Ingestion**: Estimated ingestion per day and month, calculated based on the total size of all data in the stream  divided by the stream's age. This is an estimate, and the actual ingestion may vary.
 - **Total doc count**: The total number of documents in the stream.
-- **Ingestion Rate**: Estimated ingestion rate per time bucket. The bucket interval is dynamic and adjusts based on the selected time range. The ingestion rate is calculated based on the average document size in a stream, multiplied by the number of documents in the bucket. This is an estimate, and the actual ingestion rate may vary.
+- **Ingestion Rate**: Estimated ingestion rate per time bucket. The bucket interval is dynamic and adjusts based on the selected time range. The ingestion rate is calculated using the average document size in the stream multiplied by the number of documents in each bucket. This is an estimate, and the actual ingestion rate may vary.
+- **Policy summary**: {applies_to}`stack: preview 9.1` The amount of data ingested per phase (hot, warm, cold).
 
-## Edit the data retention period [streams-update-data-retention]
-Select `Edit data retention` to change how long data for your stream is retained. The **Retention period** is the minimum number of days after which the data is deleted.
+## Edit the data retention [streams-update-data-retention]
+From any stream page, select **Edit data retention** to change how long your data stream retains data.
 
-To define a global default retention policy, refer to [project settings](../../../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
+### Set a specific retention period
+The **Retention period** is the minimum number of days after which the data is deleted. To set data retention to a specific time period:
+
+1. Select **Edit data retention** → **Set specific retention days**.
+1. From here, set the period of time you want to retain data for this stream.
+
+To define a global default retention policy, refer to [project settings](../../../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
+
+### Follow an ILM policy
+```{applies_to}
+stack: ga 9.1
+```
+[ILM policies](../../../../../manage-data/lifecycle/index-lifecycle-management.md) let you automate and standardize data retention across streams and other data streams. To have your streams follow an existing policy:
+
+1. Select **Edit data retention** → **Use a lifecycle policy**.
+1. Select a pre-defined ILM policy from the list.
+
+You can also create a new ILM policy. Refer to [Configure a lifecycle policy](../../../../../manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) for more information.

solutions/observability/logs/streams/management/retention.md

@@ -1,6 +1,7 @@
 ---
 applies_to:
   serverless: preview
+  stack: preview 9.1
 ---
 
 :::{warning}
@@ -15,25 +16,31 @@ Streams provides a single, centralized UI within {{kib}} that streamlines common
 
 A Stream directly corresponds to an {{es}} data stream (for example, `logs-myapp-default`). Operations performed in the Streams UI configure that specific data stream.
 
-
 ## Required permissions
 
 Streams requires the following Elastic Cloud Serverless roles:
 
 - Admin: ability to manage all Streams.
 - Editor/Viewer: limited access, unable to perform all actions.
 
-## Access Streams
+## Access the Streams UI
+
+In {{obs-serverless}}, Streams is automatically available.
+
+In {{stack}} version 9.1 and later, you can enable Streams in the {{observability}} Advanced Settings. To do this:
+
+1. Go to **Management** > **Stack Management** > **Advanced Settings**, or search for "Advanced Settings" in the [global search field](../../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
+1. Enable **Streams UI** under **Observability**.
 
-Access streams in one of the following ways:
+In {{serverless-short}} or after enabling Streams in {{stack}}, access the UI in one of the following ways:
 
-- From the navigation menu, select **Streams**.
+- Select **Streams** from the navigation menu or use the [global search field](../../../../explore-analyze/find-and-organize/find-apps-and-objects.md).
 
 - From **Discover**, expand a document's details flyout and select **Stream** or an action associated with the document's data stream. Streams will open filtered to only the selected stream. This only works for documents stored in a data stream.
 
-## Manage stream [streams-management-tab]
+## Manage individual streams [streams-management-tab]
 
-Interact with and configure your stream in the following ways:
+Interact with and configure your streams in the following ways:
 
 - [Data retention](./management/retention.md): Manage how your stream retains data and get insight into data ingestion and storage size under the **Data retention** tab.
 - [Processing](./management/extract.md): Parse and extract information from log messages into dedicated fields under the **Processing** tab.