add Streams 9.2 updates

mdbirnstiehl · mdbirnstiehl · commit a59928c0abdb · 2025-10-06T16:34:11.000-05:00
diff --git a/solutions/images/logs-streams-patterns.png b/solutions/images/logs-streams-patterns.png
diff --git a/solutions/observability/streams/management/advanced.md b/solutions/observability/streams/management/advanced.md
@@ -6,6 +6,4 @@ navigation_title: Configure advanced settings
 ---
 # Configure advanced settings for streams [streams-advanced-settings]
 
-The **Advanced** tab on the **Manage stream** page shows the underlying configuration details of your stream. While Streams simplifies many configurations, it doesn't support modifying all pipelines and templates. From the **Advanced** tab, you can manually interact with the index or component templates or modify other ingest pipelines that used by the stream.
-
-This UI is intended for advanced users.
+The **Advanced** tab shows the underlying {{es}} configuration details of your stream. While Streams simplifies many configurations, it doesn't support modifying all pipelines and templates. From the **Advanced** tab, you can manually interact with the index or component templates or modify other ingest pipelines that used by the stream.
diff --git a/solutions/observability/streams/management/data-quality.md b/solutions/observability/streams/management/data-quality.md
@@ -0,0 +1,15 @@
+---
+applies_to:
+  serverless: preview
+  stack: preview 9.1, ga 9.2
+---
+
+# Manage data quality [streams-data-retention]
+
+Use the **Data quality** tab to find failed and degraded documents in your stream. The **Data quality** tab is made up of the following components:
+
+- **Degraded documents**: Documents with the `ignored` property usually because of malformed fields or exceeding the limit of total fields when `ignore_above:false`. This component shows the total number of degraded documents, the percentage, and status (**Good**, **Degraded**, **Poor**).
+- **Failed documents**: Documents that were rejected during ingestion.
+- **Issues**: {applies_to}`stack: preview 9.2`Find issues with specific fields, how often they've occurred, and when they've occurred.
+
+For more information on data quality, refer to the [data set quality](../../data-set-quality-monitoring.md) documentation.
diff --git a/solutions/observability/streams/management/extract.md b/solutions/observability/streams/management/extract.md
@@ -15,21 +15,24 @@ The UI also shows indexing problems, such as mapping conflicts, so you can addre
 Applied changes aren't retroactive and only affect *future ingested data*.
 :::
 
+## Supported processors
+Streams supports the following processors:
+
+- [Date](./extract/date.md): convert date strings into timestamps with options for timezone, locale, and output format settings.
+- [Dissect](./extract/dissect.md): extract fields from structured log messages using defined delimiters instead of patterns, making it faster than Grok and ideal for consistently formatted logs.
+- [Grok](./extract/grok.md): extract fields from unstructured log messages using predefined or custom patterns, supports multiple match attempts in sequence, and can automatically generate patterns with an LLM connector.
+- [Set](./extract/set.md): assign a specific value to a field, creating the field if it doesn’t exist or overwriting its value if it does.
+- [Rename](./extract/rename.md): change the name of a field, moving its value to a new field name and removing the original.
+- [Append](./extract/append.md): add a value to an existing array field, or create the field as an array if it doesn’t exist.
+
 ## Add a processor [streams-add-processors]
 
 Streams uses {{es}} ingest pipelines to process your data. Ingest pipelines are made up of processors that transform your data.
 
 To add a processor:
 
 1. Select **Add processor** to open a list of supported processors.
-1. Select a processor from the list:
-    - [Date](./extract/date.md)
-    - [Dissect](./extract/dissect.md)
-    - [Grok](./extract/grok.md)
-    - GeoIP
-    - Rename
-    - Set
-    - URL Decode
+1. Select a processor from the list.
 1. Select **Add Processor** to save the processor.
 
 :::{note}
@@ -39,7 +42,10 @@ Editing processors with JSON is planned for a future release, and additional pro
 ### Add conditions to processors [streams-add-processor-conditions]
 
 You can provide a condition for each processor under **Optional fields**. Conditions are boolean expressions that are evaluated for each document. Provide a field, a value, and a comparator.
-Processors support these comparators:
+
+:::{dropdown} Supported comparators
+Streams processors support the following comparators:
+
 - equals
 - not equals
 - less than
@@ -51,6 +57,7 @@ Processors support these comparators:
 - ends with
 - exists
 - not exists
+:::
 
 ### Preview changes [streams-preview-changes]
 
diff --git a/solutions/observability/streams/management/extract/append.md b/solutions/observability/streams/management/extract/append.md
@@ -0,0 +1,16 @@
+---
+applies_to:
+  serverless: ga
+  stack: preview 9.1, ga 9.2
+---
+# Append processor [streams-append-processor]
+% Need use cases
+
+Use the append processor to add a value to an existing array field, or create the field as an array if it doesn’t exist.
+
+To use an append processor:
+
+1. Set **Source Field** to the field you want append values to.
+1. Set **Target field** to the values you want to append to the **Source Field**.
+
+This functionality uses the {{es}} rename pipeline processor. Refer to the [rename processor](elasticsearch://reference/enrich-processor/rename-processor.md) {{es}} documentation for more information.
diff --git a/solutions/observability/streams/management/extract/date.md b/solutions/observability/streams/management/extract/date.md
@@ -8,9 +8,14 @@ applies_to:
 
 The date processor parses date strings and uses them as the timestamp of the document.
 
+To parse a date string using the date processor:
+
+1. Set the **Source Field** to the field containing the timestamp.
+1. Set the **Format** field to one of the accepted date formats (ISO8602, UNIX, UNIX_MS, or TAI64N) or use a Java time pattern. Refer to the [example formats](#streams-date-examples) for more information.
+
 This functionality uses the {{es}} date pipeline processor. Refer to the [date processor](elasticsearch://reference/enrich-processor/date-processor.md) {{es}} documentation for more information.
 
-## Examples
+## Example formats [streams-date-examples]
 
 The following list provides some common examples of date formats and how to parse them.
 
@@ -34,9 +39,8 @@ Sunday, October 15, 2023 => EEEE, MMMM dd, yyyy
 2023-10-15 14:30:00 => yyyy-MM-dd HH:mm:ss
 ```
 
-
 ## Optional fields [streams-date-optional-fields]
-The following fields are optional for the date processor:
+You can set the following optional fields for the date processor in the **Advanced settings**:
 
 | Field | Description|
 | ------- | --------------- |
diff --git a/solutions/observability/streams/management/extract/dissect.md b/solutions/observability/streams/management/extract/dissect.md
@@ -5,20 +5,26 @@ applies_to:
 ---
 # Dissect processor [streams-dissect-processor]
 
-The dissect processor parses structured log messages and extracts fields from them. Unlike Grok, it does not use a set of predefined patterns to match the log messages. Instead, it uses a set of delimiters to split the log message into fields.
-Dissect is much faster than Grok and is ideal for log messages that follow a consistent, structured format.
+The dissect processor parses structured log messages and extracts fields from them. It uses a set of delimiters to split the log message into fields instead of predefined patterns to match the log messages.
+
+Dissect is much faster than Grok, and is recommend for log messages that follow a consistent, structured format.
+
+To parse a log message with a dissect processor:
+1. Set the **Source Field** to the field you want to dissect
+1. Set the delimiters you want to use in the **Pattern** field. Refer to the [example pattern](#streams-dissect-example) for more information on setting delimiters.
 
 This functionality uses the {{es}} dissect pipeline processor. Refer to the [dissect processor](elasticsearch://reference/enrich-processor/dissect-processor.md) {{es}} documentation for more information.
 
-To parse a log message, simply name the field and list the delimiters you want to use. The dissect processor will then split the log message into fields based on the delimiters provided.
+## Example dissect pattern [streams-dissect-example]
 
-Example:
+The following example shows the dissect pattern for an unstructured log message.
 
-Log Message
+**Log message:**
 ```
 2025-04-04T09:04:45+00:00 ERROR 160.200.87.105 127.79.135.127 21582
 ```
-Dissect Pattern
+
+**Dissect Pattern:**
 ```
 %{timestamp} %{log.level} %{source.ip} %{destination.ip} %{destination.port}
 ```
diff --git a/solutions/observability/streams/management/extract/grok.md b/solutions/observability/streams/management/extract/grok.md
@@ -5,18 +5,26 @@ applies_to:
 ---
 # Grok processor [streams-grok-processor]
 
-The Grok processor parses unstructured log messages and extracts fields from them. It uses a set of predefined patterns to match the log messages and extract the fields. The Grok processor is very powerful and can parse a wide variety of log formats.
+The grok processor parses unstructured log messages using a set of predefined patterns to match the log messages and extract the fields. The Grok processor is very powerful and can parse a wide variety of log formats.
 
-You can provide multiple patterns to the Grok processor. The Grok processor will try to match the log message against each pattern in the order they are provided. If a pattern matches, the fields will be extracted and the remaining patterns will not be used.
-If a pattern does not match, the Grok processor will try the next pattern. If no patterns match, the Grok processor will fail and you can troubleshoot the issue. Refer to [generate patterns](#streams-grok-patterns) for more information.
+You can provide multiple patterns to the grok processor. The Grok processor will try to match the log message against each pattern in the order they are provided. If a pattern matches, the fields will be extracted and the remaining patterns will not be used.
 
-Start with the most common patterns first and then add more specific patterns later. This reduces the number of runs the Grok processor has to do and improves the performance of the pipeline.
+If a pattern doesn't match, the grok processor will try the next pattern. If no patterns match, the Grok processor will fail and you can troubleshoot the issue. Instead of writing grok patterns, you can have streams generate patterns for you. Refer to [generate patterns](#streams-grok-patterns) for more information.
+
+:::{tip}
+To improve pipeline performance, start with the most common patterns first, then add more specific patterns. This reduces the number times the grok processor has to run.
+:::
+
+To parse a log message with a dissect processor:
+
+1. Set the **Source Field** to the field you want to search for grok matches.
+1. Set the patterns you want to use in the **Grok patterns** field. Refer to the [example pattern](#streams-grok-example) for more information on patterns.
 
 This functionality uses the {{es}} Grok pipeline processor. Refer to the [Grok processor](elasticsearch://reference/enrich-processor/grok-processor.md) {{es}} documentation for more information.
 
-The Grok processor uses a set of predefined patterns to match the log messages and extract the fields.
-You can also define your own pattern definitions by expanding the `Optional fields` section. You can then define your own patterns and use them in the Grok processor.
-The patterns are defined in the following format:
+## Example grok pattern [streams-grok-example]
+
+Grok patterns are defined in the following format:
 
 ```
 {
@@ -33,15 +41,15 @@ The previous pattern can then be used in the processor.
 Requires an LLM Connector to be configured.
 Instead of writing the Grok patterns by hand, you can use the **Generate Patterns** button to generate the patterns for you.
 
-% TODO Elastic LLM?
-
 ![generated patterns](<../../../../images/logs-streams-patterns.png>)
 
-Click the plus icon next to the pattern to accept it and add it to the list of patterns used by the Grok processor.
+Select **Accept** to add a generated pattern to the list of patterns used by the grok processor.
+
+### How does **Generate patterns** work? [streams-grok-pattern-generation]
+% need to check to make sure this is still accurate.
 
-### How does the pattern generation work? [streams-grok-pattern-generation]
 Under the hood, the 100 samples on the right side are grouped into categories of similar messages. For each category, a Grok pattern is generated by sending a few samples to the LLM. Matching patterns are then shown in the UI.
 
 :::{note}
-This can incur additional costs, depending on the LLM connector you are using. Typically a single iteration uses between 1000 and 5000 tokens, depending on the number of identified categories and the length of the messages.
+This can incur additional costs, depending on the LLM connector you are using. Typically a single iteration uses between 1000 and 5000 tokens depending on the number of identified categories and the length of the messages.
 :::
diff --git a/solutions/observability/streams/management/extract/manual-pipeline-configuration.md b/solutions/observability/streams/management/extract/manual-pipeline-configuration.md
@@ -0,0 +1,6 @@
+---
+applies_to:
+  serverless: ga
+  stack: preview 9.1, ga 9.2
+---
+# Manual pipeline configuration [streams-manual-pipeline-configuration]
diff --git a/solutions/observability/streams/management/extract/rename.md b/solutions/observability/streams/management/extract/rename.md
@@ -0,0 +1,16 @@
+---
+applies_to:
+  serverless: ga
+  stack: preview 9.1, ga 9.2
+---
+# Rename processor [streams-rename-processor]
+% need use cases
+
+Use the rename processor to change the name of a field, moving its value to a new field name and removing the original.
+
+To use a rename processor:
+
+1. Set **Source Field** to the field you want to rename.
+1. Set **Target field** to the new name you want to use for the **Source Field**.
+
+This functionality uses the {{es}} rename pipeline processor. Refer to the [rename processor](elasticsearch://reference/enrich-processor/rename-processor.md) {{es}} documentation for more information.
diff --git a/solutions/observability/streams/management/extract/set.md b/solutions/observability/streams/management/extract/set.md
@@ -0,0 +1,16 @@
+---
+applies_to:
+  serverless: ga
+  stack: preview 9.1, ga 9.2
+---
+# Set processor [streams-set-processor]
+% need use cases
+
+Use the set processor to assign a specific value to a field, creating the field if it doesn’t exist or overwriting its value if it does.
+
+To use a set processor:
+
+1. Set **Source Field** to the field you want to insert, upsert, or update
+1. Set **Value** to the value you want the source field to be set to.
+
+This functionality uses the {{es}} set pipeline processor. Refer to the [set processor](elasticsearch://reference/enrich-processor/set-processor.md) {{es}} documentation for more information.
diff --git a/solutions/observability/streams/management/retention.md b/solutions/observability/streams/management/retention.md
@@ -5,40 +5,43 @@ applies_to:
   stack: preview 9.1
 ---
 
-# Manage data retention for log streams [streams-data-retention]
+# Manage data retention for streams [streams-data-retention]
 
-Use the **Data retention** tab on the **Manage stream** page to set how long your stream retains data and to get insight into your stream's data ingestion and storage size.
+Use the **Retention** tab to set how long your stream retains data and to get insight into your stream's data ingestion and storage size.
 
-![Screenshot of the data retention UI](<../../../images/logs-streams-retention.png>)
+The **Retention** tab contains the following components to help you determine how long you want your stream to retain data:
 
-The **Data retention** page is made up of the following components that can help you determine how long you want your stream to retain data:
+- **Retention**: The current retention policy, including the source of the policy.
+- **Storage size**: The total size and number of documents in the stream.
+- **Ingestion averages**: Estimated ingestion per day and month, calculated based on the total size of all data in the stream  divided by the stream's age.
+- **ILM policy data tiers**: {applies_to}`stack: preview 9.1, ga 9.2` The amount of data in each data tier (**Hot**, **Warm**, **Cold**).
+- **Ingestion over time**: Estimated ingestion rate per time bucket. The bucket interval is dynamic and adjusts based on the selected time range. The ingestion rate is calculated using the average document size in the stream multiplied by the number of documents in each bucket. This is an estimate, and the actual ingestion rate may vary.
 
-- **Retention period**: The minimum number of days after which the data is deleted
-- **Source**: The origin of the data retention policy.
-- **Last updated**: When data retention was last updated for the selected stream.
-- **Ingestion**: Estimated ingestion per day and month, calculated based on the total size of all data in the stream  divided by the stream's age. This is an estimate, and the actual ingestion may vary.
-- **Total doc count**: The total number of documents in the stream.
-- **Ingestion Rate**: Estimated ingestion rate per time bucket. The bucket interval is dynamic and adjusts based on the selected time range. The ingestion rate is calculated using the average document size in the stream multiplied by the number of documents in each bucket. This is an estimate, and the actual ingestion rate may vary.
-- **Policy summary**: {applies_to}`stack: preview 9.1` The amount of data ingested per phase (hot, warm, cold).
+For more information on data retention, refer to [Data stream lifecycle](../../../../manage-data/lifecycle/data-stream.md).
 
 ## Edit the data retention [streams-update-data-retention]
-From any stream page, select **Edit data retention** to change how long your data stream retains data.
+From the **Retention** tab, select **Edit data retention** to change how long your data stream retains data.
+
+### Inherit from index template
+When enabled, your stream uses the retention configuration from its index template.
 
 ### Set a specific retention period
 The **Retention period** is the minimum number of days after which the data is deleted. To set data retention to a specific time period:
 
-1. Select **Edit data retention** → **Set specific retention days**.
-1. From here, set the period of time you want to retain data for this stream.
+1. From the **Retention** tab, select **Edit data retention**.
+1. Turn off **Inherit from index template** if enabled.
+1. Select **Custom period**.
+1. Set the period of time you want to retain data for this stream.
 
 To define a global default retention policy, refer to [project settings](../../../../deploy-manage/deploy/elastic-cloud/project-settings.md).
 
 ### Follow an ILM policy
 ```{applies_to}
-stack: ga 9.1
+stack: preview 9.1, ga 9.2
 ```
 [ILM policies](../../../../manage-data/lifecycle/index-lifecycle-management.md) let you automate and standardize data retention across streams and other data streams. To have your streams follow an existing policy:
 
-1. Select **Edit data retention** → **Use a lifecycle policy**.
+1. From the **Retention** tab, select **Edit data retention**.
 1. Select a pre-defined ILM policy from the list.
 
 You can also create a new ILM policy. Refer to [Configure a lifecycle policy](../../../../manage-data/lifecycle/index-lifecycle-management/configure-lifecycle-policy.md) for more information.
diff --git a/solutions/observability/streams/management/schema.md b/solutions/observability/streams/management/schema.md
@@ -0,0 +1,8 @@
+---
+navigation_title: Manage field mapping
+applies_to:
+  serverless: preview
+  stack: preview 9.1, ga 9.2
+---
+
+# Manage field mapping using the Schema tab [streams-data-retention]
diff --git a/solutions/observability/streams/streams.md b/solutions/observability/streams/streams.md
diff --git a/solutions/toc.yml b/solutions/toc.yml
