Elasticsearch
Elasticsearch (elasticsearch)
Bulk-index events into Elasticsearch clusters.
Search binary json raw
Minimal example
output: elasticsearch: common: {}JSON
{ "output": { "elasticsearch": { "common": {} } }}Contents
Fields
| Field | Type | Required | Description |
|---|---|---|---|
common | Elastic Output Spec | ✅ | Shared Elasticsearch connection and indexing options Shared configuration applied to all Elasticsearch outputs. |
Schema
- Elastic Output Spec - Retry Fields
- Elastic Output Spec - Batch Fields
- Elastic Output Spec - Elastic Auth - Basic Fields
- Elastic Output Spec - Elastic Auth - Api Key Fields
- Elastic Output Spec - Elastic Auth - Tls Fields
- Elastic Output Spec - Elastic Auth Fields
- Elastic Output Spec - Elastic AWS SigV4 Fields
- Elastic Output Spec - Elastic Data Stream Fields
- Elastic Output Spec Fields
- Elastic Output Spec - Headers Table
- Elastic Output Spec - Query Table
- Elastic Output Spec - Mode Options
- Elastic Output Spec - Op Type Options
Elastic Output Spec - Retry Fields
| Field | Type | Required | Description |
|---|---|---|---|
timeout | time-interval (string) | ✅ | timeout (e.g. 500ms, 2s etc. - default is 30). Examples: 500ms, 2h |
retries | number (integer) | number of retries. Examples: 42, 1.2e-10 |
Elastic Output Spec - Batch Fields
| Field | Type | Required | Description |
|---|---|---|---|
uuid-field | field (string) | Field where generated uuid, the unique marker for the group, will be stored. Examples: data_field | |
invocation-time-field | field (string) | Field where invocation time will be stored. Examples: data_field | |
completion-time-field | field (string) | Field where completion (end of execution) time will be stored. Examples: data_field | |
begin-marker-field | field (string) | Field used to mark first event in the group. Examples: data_field | |
end-marker-field | field (string) | Field used to mark last event in the group. Examples: data_field | |
line-count-field | field (string) | Field used to store the line count of the batch. Examples: data_field | |
line-num-field | field (string) | Field used to store the line number of the batch. Examples: data_field |
Elastic Output Spec - Elastic Auth - Basic Fields
| Field | Type | Required | Description |
|---|---|---|---|
username ✓ | string | ||
password ✓ | string |
Elastic Output Spec - Elastic Auth - Api Key Fields
| Field | Type | Required | Description |
|---|---|---|---|
id ✓ | string | ||
key ✓ | string | ||
base64 ✓ | string |
Elastic Output Spec - Elastic Auth - Tls Fields
| Field | Type | Required | Description |
|---|---|---|---|
ca-certificate ✓ | string | PEM encoded CA certificate bundle. | |
client-certificate ✓ | string | PEM encoded client certificate for mutual TLS. | |
client-key ✓ | string | PEM encoded private key for mutual TLS. | |
insecure-skip-verify ✓ | boolean (bool) | Skip TLS certificate verification (development only). Default: false |
Elastic Output Spec - Elastic Auth Fields
| Field | Type | Required | Description |
|---|---|---|---|
basic | Basic | ||
api-key | Api Key | ||
bearer-token ✓ | string | ||
tls | Tls |
Elastic Output Spec - Elastic AWS SigV4 Fields
| Field | Type | Required | Description |
|---|---|---|---|
region ✓ | string | ✅ | AWS region used for request signing. |
service ✓ | string | Override AWS service name (default es). | |
profile ✓ | string | Optional shared credentials profile. | |
role-arn ✓ | string | AssumeRole ARN for federated access. | |
session-name ✓ | string | Session name when assuming roles. | |
access-key-id ✓ | string | Access key used for signing requests. | |
secret-access-key ✓ | string | Secret key used for signing requests. | |
session-token ✓ | string | Optional session token for temporary credentials. |
Elastic Output Spec - Elastic Data Stream Fields
| Field | Type | Required | Description |
|---|---|---|---|
r-type ✓ | string | ✅ | Data stream type (logs, metrics, traces). |
dataset ✓ | string | ✅ | Data stream dataset (e.g. service.application). |
namespace ✓ | string | ✅ | Data stream namespace (e.g. prod, staging). |
Elastic Output Spec Fields
| Field | Type | Required | Description |
|---|---|---|---|
retry | Retry | Retry policy for bulk failures. | |
batch | Batch | Logical batching hints shared with other outputs. | |
endpoint ✓ | url (string) | HTTPS endpoint for the cluster (required when cloud-id is unset). Examples: https://example.com/path | |
cloud-id ✓ | string | Elastic Cloud / Serverless Cloud ID (mutually exclusive with endpoint). | |
region ✓ | string | Optional default region used for auth helpers and logging. | |
auth | Elastic Auth | Authentication strategies (basic, API keys, bearer). | |
aws | Elastic AWS SigV4 | AWS SigV4 credentials for managed OpenSearch/Elasticsearch. | |
mode | Mode | Indexing lifecycle mode (classic index vs data stream). Allowed values: classic-index, data-stream | |
index ✓ | string | Static index/alias target when mode=classic-index. | |
index-field | field (string) | Event field that provides the target index/alias. Examples: data_field | |
index-pointer | json-pointer (string) | JSON pointer resolving to the index/alias. | |
data-stream | Elastic Data Stream | Data stream configuration when mode=data-stream. | |
document-id-field | field (string) | Event field containing the document _id. Examples: data_field | |
document-id-pointer | json-pointer (string) | JSON pointer resolving to the document _id. | |
document-id-expression | string | Expression used to compute the document _id. | |
routing-field | field (string) | Event field providing custom routing key. Examples: data_field | |
routing-pointer | json-pointer (string) | JSON pointer providing custom routing key. | |
routing-expression | string | Expression computing the routing key. | |
pipeline ✓ | string | Optional ingest pipeline to apply server-side. | |
op-type | Op Type | Bulk operation type for each event. Allowed values: index, create, update, delete | |
retry-on-conflict | number (integer) | Retry on conflict (for update/upsert operations). Examples: 42, 1.2e-10 | |
refresh ✓ | boolean (bool) | Force refresh after each batch. Default: false | |
gzip ✓ | boolean (bool) | Compress bulk payloads with gzip. Default: false | |
input-field | field (string) | Event field containing the JSON document payload. Examples: data_field | |
input-pointer | json-pointer (string) | JSON pointer for extracting the payload. | |
payload-template | string | Template expression to render the payload when not using event body. | |
headers ✓ | map (string) | Additional HTTP headers forwarded with each request. | |
query ✓ | map (string) | Static query parameters appended to bulk requests. | |
request-timeout-secs | number (integer) | Request timeout in seconds. Examples: 42, 1.2e-10 | |
connect-timeout-secs | number (integer) | Connect timeout in seconds. Examples: 42, 1.2e-10 |
Elastic Output Spec - Headers Table
| Header | Value |
|---|---|
Header-Name | value |
Value format: templated-text.
Elastic Output Spec - Query Table
| Parameter | Value |
|---|---|
param | value |
Value format: templated-text.
Elastic Output Spec - Mode Options
| Value | Name | Description |
|---|---|---|
classic-index | classic-index | Standard index or alias writes |
data-stream | data-stream | Data stream aware writes (auto-selects stream based on dataset/namespace) |
Elastic Output Spec - Op Type Options
| Value | Name | Description |
|---|---|---|
index | index | Index (create or replace) each document |
create | create | Only create new documents; fail if _id exists |
update | update | Update existing documents (requires partial document or script) |
delete | delete | Delete documents (requires _id) |