CREATE CHANGEFEED creates a new changefeed, which targets an allowlist of tables called “watched rows”. Every change to a watched row is emitted as a record in a configurable format (such as JSON, Avro, CSV, Parquet, or protobuf) to a or directly to the SQL session.
When a changefeed emits messages to a sink, it works as a . You can create, pause, resume, , or cancel a changefeed job.
To get started with changefeeds, refer to the page for important usage considerations. For details on how changefeeds emit messages, refer to the page.
The examples on this page provide the foundational syntax of the CREATE CHANGEFEED statement. For examples on more specific use cases with changefeeds, refer to the following pages:
Required privileges
As of v25.1, viewing and managing a changefeed job by users with the
CHANGEFEED privilege is deprecated. This functionality of the CHANGEFEED privilege will be removed in a future release.We recommend transitioning users that need to view and manage running changefeed jobs to that own the or them the VIEWJOB or CONTROLJOB privilege. For more details, refer to View and manage changefeed jobs.Privilege model
The following summarizes the operations users can run depending on whether the assigned privileges are at the job or table level:CHANGEFEED privilege
Viewing and managing changefeed jobs with the
CHANGEFEED privilege is deprecated as of v25.1. Instead, transition users that need to view and manage running changefeed jobs to that own the or them the VIEWJOB or CONTROLJOB privilege. For more details, refer to View and manage changefeed jobs.CHANGEFEED privilege to allow them to create changefeeds on a specific table:
CHANGEFEED privilege on a set of tables, they can create changefeeds on the target tables even if the user does not have the or the SELECT privilege on the tables.
These users will be able to create changefeeds, but they will not be able to run a SELECT query on that data directly. However, they could still read this data indirectly if they have read access to the .
You can add CHANGEFEED to the user or role’s with :
changefeed.permissions.require_external_connection_sink.enabled cluster setting. When you enable this setting, users with the on a set of tables can only create changefeeds into .
View and manage changefeed jobs
Users can and manage changefeed jobs when one of the following are met:- Job ownership: They own the job, or are a member of a role that owns a job.
- Global privileges: They are assigned .
Synopsis
Parameters
CDC query parameters
Change data capture queries allow you to define the change data emitted to your sink when you create a changefeed. See the page for detail on the functionality, syntax, and use cases for changefeeds created with queries.Sink URI
To form the URI for each sink:
For more comprehensive detail of using and configuring each sink, refer to:
- Amazon MSK
- Apache Pulsar (in Preview) (in Preview)
- Azure Event Hubs
- Cloud Storage / HTTP / HTTP
- Confluent Cloud
- Google Cloud Pub/Sub
- Kafka
- Webhook
Query parameters
Parameters should always be URI-encoded before they are included the changefeed’s URI, as they often contain special characters. Use Javascript’s encodeURIComponent function or Go language’s url.QueryEscape function to URI-encode the parameters. Other languages provide similar functions to URI-encode special characters.
For example:
CREATE CHANGEFEED FOR TABLE users INTO 'gs://...?AUTH...&partition_format=hourly' Default:
daily
S3_STORAGE_CLASS | | | Specify the Amazon S3 storage class for files created by the changefeed. See Create a changefeed with an S3 storage class for the available classes and an example. Default:
STANDARD
sasl_aws_iam_role_arn | | | The ARN for the IAM role that has the permissions to create a topic and send data to the topic. For more details on setting up an Amazon MSK cluster with an IAM role, refer to the AWS documentation.
sasl_aws_iam_session_name | | | The user-specified string that identifies the session in AWS.
sasl_aws_region | | | The region of the Amazon MSK cluster.
sasl_client_id | | | Client ID for OAuth authentication from a third-party provider. This parameter is only applicable with sasl_mechanism=OAUTHBEARER.
sasl_client_secret | | | Client secret for OAuth authentication from a third-party provider. This parameter is only applicable with sasl_mechanism=OAUTHBEARER. Note: You must base64 encode this value when passing it in as part of a sink URI.
sasl_enabled | , , , | | If true, set the authentication protocol with the sasl_mechanism parameter. You must have tls_enabled set to true to use SASL.For Confluent Cloud and Azure Event Hubs sinks, this is set to
true by default.Default:
false
sasl_grant_type | | | Override the default OAuth client credentials grant type for other implementations. This parameter is only applicable with sasl_mechanism=OAUTHBEARER.
sasl_handshake | , , | | For Confluent Cloud and Azure Event Hubs sinks, this is set to true by default.
sasl_mechanism | , , , | | Can be set to OAUTHBEARER, SCRAM-SHA-256, SCRAM-SHA-512, or PLAIN. A sasl_user and sasl_password are required for PLAIN and SCRAM authentication.For Amazon MSK clusters, set to .
sasl_aws_iam_role_arn, sasl_aws_iam_session_name, and sasl_aws_region are also required in the sink uri.Refer to the tutorial for detail setting up OAuth using Okta.
For Confluent Cloud and Azure Event Hubs sinks,
sasl_mechanism=PLAIN is required but set automatically by CockroachDB.Default:
PLAIN
sasl_scopes | | | A list of scopes that the OAuth token should have access for. This parameter is only applicable with sasl_mechanism=OAUTHBEARER.
sasl_token_url | | | Client token URL for OAuth authentication from a third-party provider. Note: You must URL encode this value before passing in a URI. This parameter is only applicable with sasl_mechanism=OAUTHBEARER.
sasl_user | , | | Your SASL username.
sasl_password | , | | Your SASL password. Note: Passwords should be URL encoded since the value can contain characters that would cause authentication to fail.
shared_access_key | | | The URL-encoded key for your Event Hub shared access policy.
shared_access_key_name | | | The name of your Event Hub shared access policy.
tls_enabled | , , | | If true, enable Transport Layer Security (TLS) on the connection to Kafka. This can be used with a ca_cert (see below).For Confluent Cloud and Azure Event Hubs sinks, this is set to
true by default.Default:
false
topic_name | , , , | | Allows arbitrary topic naming for Kafka and GC Pub/Sub topics. See the or for detail on supported characters etc. For example,
CREATE CHANGEFEED FOR foo,bar INTO 'kafka://sink?topic_name=all' will emit all records to a topic named all. Note that schemas will still be registered separately. When using Kafka, this parameter can be combined with the topic_prefix parameter (this is not supported for GC Pub/Sub). Default: table name.
topic_prefix | , , | | Adds a prefix to all topic names.For example,
CREATE CHANGEFEED FOR TABLE foo INTO 'kafka://...?topic_prefix=bar_' would emit rows under the topic bar_foo instead of foo.
Options
Using the
format=avro, envelope=key_only, and updated options together is rejected. envelope=key_only prevents any rows with updated fields from being emitted, which makes the updated option meaningless.Files
The files emitted to a sink use the following naming conventions:The timestamp format is
YYYYMMDDHHMMSSNNNNNNNNNLLLLLLLLLL.General file format
partition_format query parameter. This will result in the following file path formats:
-
daily: This is the default option and will follow the same pattern as the previous general file format. -
hourly: This will partition into an hourly directory as the changefeed emits messages, like the following: -
flat: This will result in no file partitioning. The cloud storage path you specify when creating a changefeed will store all of the message files with no additional directories created.
Resolved file format
Examples
Before running any of the examples in this section it is necessary to . If you are working on a CockroachDB Standard or Basic cluster, this cluster setting is enabled by default. The following examples show the syntax for managing changefeeds and starting changefeeds with different use cases and features. The Options table on this page provides a list of all the available options. For information on sink-specific query parameters and configurations, refer to the page. You can create an external connection to represent a changefeed sink URI. This allows you to specify the external connection’s name in statements rather than the provider-specific URI. For detail on using external connections, see the page. We recommend limiting the number of changefeeds per cluster to 80.Create a changefeed connected to a sink
- Amazon MSK
- Apache Pulsar (in Preview) (in Preview)
- Azure Event Hubs
- Cloud Storage / HTTP / HTTP
- Confluent Cloud
- Google Cloud Pub/Sub
- Kafka
- Webhook
Create a changefeed that filters and transforms change data
can filter and transform change data before emitting it to a sink or a SQL client. You can adapt a changefeed with CDC queries by includingSELECT and WHERE clauses in your CREATE statement:
Create a sinkless changefeed
You can create a changefeed that will send messages to the SQL client rather than a sink:Use an external connection to specify a changefeed sink
provide a way to define a name for a sink, which you can use instead of the provider-specific URI. To restrict a user’s access to changefeed data and sink credentials, enable thechangefeed.permissions.require_external_connection_sink.enabled cluster setting. When you enable this setting, users with the on a set of tables can only create changefeeds into .
External connections support all changefeed sinks.
Filter changefeeds for tables using row-level TTL
Use thettl_disable_changefeed_replication table storage parameter to prevent changefeeds from sending DELETE messages issued by row-level TTL jobs for a table. Include the storage parameter when you create or alter the table. For example:
sql.ttl.changefeed_replication.disabled to true. This will prevent changefeeds from emitting deletes issued by all TTL jobs on a cluster.
If you want to have a changefeed ignore the storage parameter or cluster setting that disables changefeed replication, you can set the changefeed option ignore_disable_changefeed_replication to true:
Disallow schema changes on tables to improve changefeed performance
Use theschema_locked to indicate that a is not currently ongoing on a watched table. This allows the changefeed to take a fast path that avoids checking if there are schema changes that could require synchronization between . This helps to decrease the latency between a write committing to a table and it emitting to the .
Enable schema_locked on the watched table with the statement:
schema_locked before performing many schema changes and reapplies it when done. To require manual unlocks for all DDL on schema-locked tables, set to false. Some schema changes, such as ALTER TABLE ... SET LOCALITY, cannot automatically unset schema_locked even when automatic unlocking is enabled. For these cases, you must manually unlock the table with schema_locked = false, complete the schema change, and then lock the table again with schema_locked = true. The changefeed will run as normal while schema_locked is unset, but it will not benefit from the performance optimization.
Manage a changefeed
For changefeed jobs, use to check the status:Pause a changefeed
Resume a paused changefeed
Cancel a changefeed
Modify a changefeed
To modify a changefeed, the job and then use:Configuring all changefeeds
It is useful to be able to pause all running changefeeds during troubleshooting, testing, or when a decrease in CPU load is needed. To pause all running changefeeds:paused, which can be verified with .
To resume all running changefeeds:
running.
Start a new changefeed where another ended
In some situations, you may want to start a changefeed where a previously running changefeed ended. For example, a changefeed could encounter an error it cannot recover from, such as when a , and you need to restart the changefeed.-
Use to find the for the ended changefeed:
If a changefeed has failed, you must restart the changefeed from a timestamp after the event that caused the failure.
-
Use the
high_water_timestampto start the new changefeed:
cursor option to start a changefeed, it will not perform an initial scan.
Create a changefeed with an S3 storage class
To associate the changefeed message files with a in your Amazon S3 bucket, use theS3_STORAGE_CLASS parameter with the class. For example, the following S3 connection URI specifies the INTELLIGENT_TIERING storage class:
Define a key to determine the changefeed sink partition
With thekey_column option, you can define the key used in message metadata that determines the partition for the changefeed message at your . This option overrides the default :
key_column does not preserve ordering of messages from CockroachDB to the downstream sink, therefore you must include the unordered option. It does not affect per-key or the output of key_in_value.

