elasticsearch

The Elasticsearch action to perform. Valid actions are:

For more details on actions, check out the Elasticsearch bulk API documentation

The .cer or .pem file to validate the server’s certificate

The codec used for output data. Output codecs are a convenient method for encoding your data before it leaves the output, without needing a separate filter in your Logstash pipeline.

Enable doc_as_upsert for update mode. Create a new document with source if document_id doesn’t exist in Elasticsearch

The document ID for the index. Useful for overwriting existing entries in Elasticsearch with the same ID.

The document type to write events to. Generally you should try to write only similar events to the same type. String expansion %{foo} works here. Unless you set document_type, the event type will be used if it exists otherwise the document type will be assigned the value of logs

This plugin uses the bulk index API for improved indexing performance. To make efficient bulk API calls, we will buffer a certain number of events before flushing that out to Elasticsearch. This setting controls how many events will be buffered before sending a batch of events. Increasing the flush_size has an effect on Logstash’s heap size. Remember to also increase the heap size using LS_HEAP_SIZE if you are sending big documents or have increased the flush_size to a higher value.

Sets the host(s) of the remote instance. If given an array it will load balance requests across the hosts specified in the hosts parameter. Remember the http protocol uses the http address (eg. 9200, not 9300). "127.0.0.1" ["127.0.0.1:9200","127.0.0.2:9200"] It is important to exclude dedicated master nodes from the hosts list to prevent LS from sending bulk requests to the master nodes. So this parameter should only reference either data or client nodes in Elasticsearch.

The amount of time since last flush before a flush is forced.

This setting helps ensure slow event rates don’t get stuck in Logstash. For example, if your flush_size is 100, and you have received 10 events, and it has been more than idle_flush_time seconds since the last flush, Logstash will flush those 10 events automatically.

This helps keep both fast and slow log streams moving along in near-real-time.

The index to write events to. This can be dynamic using the %{foo} syntax. The default value will partition your indices by day so you can more easily delete old data or only search specific date ranges. Indexes may not contain uppercase characters. For weekly indexes ISO 8601 format is recommended, eg. logstash-%{+xxxx.ww}

The index type to write events to. Generally you should try to write only similar events to the same type. String expansion %{foo} works here.

Deprecated in favor of document_type field.

The keystore used to present a certificate to the server. It can be either .jks or .p12

Set the truststore password

Starting in Logstash 1.3 (unless you set option manage_template to false) a default mapping template for Elasticsearch will be applied, if you do not already have one set to match the index pattern defined (default of logstash-%{+YYYY.MM.dd}), minus any variables. For example, in this case the template will be applied to all indices starting with logstash-*

If you have dynamic templating (e.g. creating indices based on field names) then you should set manage_template to false and use the REST API to upload your templates manually.

Set max retry for each event

Password to authenticate to a secure Elasticsearch cluster

HTTP Path at which the Elasticsearch server lives. Use this if you must run Elasticsearch behind a proxy that remaps the root path for the Elasticsearch HTTP API lives.

<li> Value type is <<string,string>>
* There is no default value for this setting.

Set the address of a forward HTTP proxy. Can be either a string, such as http://localhost:123 or a hash in the form of {host: 'proxy.org' port: 80 scheme: 'http'}. Note, this is NOT a SOCKS proxy, but a plain HTTP proxy

Set max interval between bulk retries

Set retry policy for events that failed to send

A routing override to be applied to all processed events. This can be dynamic using the %{foo} syntax.

This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list. Note: This will return ALL nodes with HTTP enabled (including master nodes!). If you use this with master nodes, you probably want to disable HTTP on them by setting http.enabled to false in their elasticsearch.yml. You can either use the sniffing option or manually enter multiple Elasticsearch hosts using the hosts paramater.

How long to wait, in seconds, between sniffing attempts

Enable SSL/TLS secured communication to Elasticsearch cluster

Option to validate the server’s certificate. Disabling this severely compromises security. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

You can set the path to your own template here, if you so desire. If not set, the included template will be used.

This configuration option defines how the template is named inside Elasticsearch. Note that if you have used the template management features and subsequently change this, you will need to prune the old template manually, e.g.

curl -XDELETE <http://localhost:9200/_template/OldTemplateName?pretty>

where OldTemplateName is whatever the former setting was.

Overwrite the current template with whatever is configured in the template and template_name directives.

Set the timeout for network operations and requests sent Elasticsearch. If a timeout occurs, the request will be retried.

The JKS truststore to validate the server’s certificate. Use either :truststore or :cacert

Set the truststore password

Set upsert content for update mode. Create a new document with this parameter as json string if document_id doesn’t exists

Username to authenticate to a secure Elasticsearch cluster

The number of workers to use for this output. Note that this setting may not be useful for all outputs.