Elasticsearch input plugin
- Plugin version: v5.0.2
- Released on: 2025-04-07
- Changelog
For other versions, see theVersioned plugin docs.
For questions about the plugin, open a topic in theDiscuss forums. For bugs or feature requests, open an issue inGithub. For the list of Elastic supported plugins, please consult theElastic Support Matrix.
Read from an Elasticsearch cluster, based on search query results. This is useful for replaying test logs, reindexing, etc. You can periodically schedule ingestion using a cron syntax (seeschedule setting) or run the query one time to load data into Logstash.
Example:
input { # Read all documents from Elasticsearch matching the given query elasticsearch { hosts => "localhost" query => '{ "query": { "match": { "statuscode": 200 } }, "sort": [ "_doc" ] }' }}This would create an Elasticsearch query with the following format:
curl 'http://localhost:9200/logstash-*/_search?&scroll=1m&size=1000' -d '{ "query": { "match": { "statuscode": 200 } }, "sort": [ "_doc" ]}'Input from this plugin can be scheduled to run periodically according to a specific schedule. This scheduling syntax is powered byrufus-scheduler. The syntax is cron-like with some extensions specific to Rufus (e.g. timezone support ).
Examples:
* 5 * 1-3 * | will execute every minute of 5am every day of January through March. |
0 * * * * | will execute on the 0th minute of every hour every day. |
0 6 * * * America/Chicago | will execute at 6:00am (UTC/GMT -5) every day. |
Further documentation describing this syntax can be foundhere.
Authentication to a secure Elasticsearch cluster is possible usingone of the following options:
Authorization to a secure Elasticsearch cluster requiresread permission at index level andmonitoring permissions at cluster level. Themonitoring permission at cluster level is necessary to perform periodic connectivity checks.
When ECS compatibility is disabled,docinfo_target uses the"@metadata" field as a default, with ECS enabled the plugin uses a naming convention"[@metadata][input][elasticsearch]" as a default target for placing document information.
The plugin logs a warning when ECS is enabled andtarget isn’t set.
Set thetarget option to avoid potential schema conflicts.
When this input plugin cannot create a structuredEvent from a hit result, it will instead create anEvent that is tagged with_elasticsearch_input_failure whose[event][original] is a JSON-encoded string representation of the entire hit.
Common causes are:
- When the hit result contains top-level fields that are reserved in Logstash but do not have the expected shape.Use the
targetdirective to avoid conflicts with the top-level namespace. - When
doc-info``is enabled and the docinfo fields cannot be merged into the hit result. Combinetargetanddocinfo_target` to avoid conflict.
This plugin supports these configuration options plus theCommon options described later.
As of version5.0.0 of this plugin, a number of previously deprecated settings related to SSL have been removed. Please check outElasticsearch Input Obsolete Configuration Options for details.
| Setting | Input type | Required |
|---|---|---|
api_key | password | No |
ca_trusted_fingerprint | string | No |
cloud_auth | password | No |
cloud_id | string | No |
connect_timeout_seconds | number | No |
custom_headers | hash | No |
docinfo | boolean | No |
docinfo_fields | array | No |
docinfo_target | string | No |
ecs_compatibility | string | No |
hosts | array | No |
index | string | No |
password | password | No |
proxy | uri | No |
query | string | No |
response_type | string, one of["hits","aggregations"] | No |
request_timeout_seconds | number | No |
schedule | string | No |
scroll | string | No |
search_api | string, one of["auto", "search_after", "scroll"] | No |
size | number | No |
slices | number | No |
ssl_certificate | path | No |
ssl_certificate_authorities | list ofpath | No |
ssl_cipher_suites | list ofstring | No |
ssl_enabled | boolean | No |
ssl_key | path | No |
ssl_keystore_password | password | No |
ssl_keystore_path | path | No |
ssl_keystore_type | string | No |
ssl_supported_protocols | string | No |
ssl_truststore_password | password | No |
ssl_truststore_path | path | No |
ssl_truststore_type | string | No |
ssl_verification_mode | string, one of["full", "none"] | No |
socket_timeout_seconds | number | No |
retries | number | No |
user | string | No |
Also seeCommon options for a list of options supported by all input plugins.
- Value type ispassword
- There is no default value for this setting.
Authenticate using Elasticsearch API key. Note that this option also requires enabling thessl_enabled option.
Format isid:api_key whereid andapi_key are as returned by the ElasticsearchCreate API key API.
- Value type isstring, and must contain exactly 64 hexadecimal characters.
- There is no default value for this setting.
- Use of this optionrequires Logstash 8.3+
The SHA-256 fingerprint of an SSL Certificate Authority to trust, such as the autogenerated self-signed CA for an Elasticsearch cluster.
- Value type ispassword
- There is no default value for this setting.
Cloud authentication string ("<username>:<password>" format) is an alternative for theuser/password pair.
For more info, check out theLogstash-to-Cloud documentation.
- Value type isstring
- There is no default value for this setting.
Cloud ID, from the Elastic Cloud web console. If sethosts should not be used.
For more info, check out theLogstash-to-Cloud documentation.
- Value type isnumber
- Default value is
10
The maximum amount of time, in seconds, to wait while establishing a connection to Elasticsearch. Connect timeouts tend to occur when Elasticsearch or an intermediate proxy is overloaded with requests and has exhausted its connection pool.
- Value type ishash
- Default value is empty
Pass a set of key value pairs as the headers sent in each request to an elasticsearch node. The headers will be used for any kind of request. These custom headers will override any headers previously set by the plugin such as the User Agent or Authorization headers.
- Value type isboolean
- Default value is
false
If set, include Elasticsearch document information such as index, type, and the id in the event.
It might be important to note, with regards to metadata, that if you’re ingesting documents with the intent to re-index them (or just update them) that theaction option in the elasticsearch output wants to know how to handle those things. It can be dynamically assigned with a field added to the metadata.
Example
input { elasticsearch { hosts => "es.production.mysite.org" index => "mydata-2018.09.*" query => '{ "query": { "query_string": { "query": "*" } } }' size => 500 scroll => "5m" docinfo => true docinfo_target => "[@metadata][doc]" }}output { elasticsearch { index => "copy-of-production.%{[@metadata][doc][_index]}" document_type => "%{[@metadata][doc][_type]}" document_id => "%{[@metadata][doc][_id]}" }}If set, you can use metadata information in theadd_field common option.
Example
input { elasticsearch { docinfo => true docinfo_target => "[@metadata][doc]" add_field => { identifier => "%{[@metadata][doc][_index]}:%{[@metadata][doc][_type]}:%{[@metadata][doc][_id]}" } }}- Value type isarray
- Default value is
["_index", "_type", "_id"]
If document metadata storage is requested by enabling thedocinfo option, this option lists the metadata fields to save in the current event. SeeMeta-Fields in the Elasticsearch documentation for more information.
Value type isstring
Default value depends on whether
ecs_compatibilityis enabled:- ECS Compatibility disabled:
"@metadata" - ECS Compatibility enabled:
"[@metadata][input][elasticsearch]"
- ECS Compatibility disabled:
If document metadata storage is requested by enabling thedocinfo option, this option names the field under which to store the metadata fields as subfields.
Value type isstring
Supported values are:
disabled: CSV data added at root levelv1,v8: Elastic Common Schema compliant behavior
Default value depends on which version of Logstash is running:
- When Logstash provides a
pipeline.ecs_compatibilitysetting, its value is used as the default - Otherwise, the default value is
disabled
- When Logstash provides a
Controls this plugin’s compatibility with theElastic Common Schema (ECS).
- Value type isarray
- There is no default value for this setting.
List of one or more Elasticsearch hosts to use for querying. Each host can be either IP, HOST, IP:port, or HOST:port. The port defaults to 9200.
- Value type isstring
- Default value is
"logstash-*"
The index or alias to search. Check outMulti Indices documentation in the Elasticsearch documentation for info on referencing multiple indices.
- Value type ispassword
- There is no default value for this setting.
The password to use together with the username in theuser option when authenticating to the Elasticsearch server. If set to an empty string authentication will be disabled.
- Value type isuri
- There is no default value for this setting.
Set the address of a forward HTTP proxy. An empty string is treated as if proxy was not set, this is useful when using environment variables e.g.proxy => '${LS_PROXY:}'.
- Value type isstring
- Default value is
'{ "sort": [ "_doc" ] }'
The query to be executed. Read theElasticsearch query DSL documentation for more information.
Whensearch_api resolves tosearch_after and the query does not specifysort, the default sort'{ "sort": { "_shard_doc": "asc" } }' will be added to the query. Please refer to theElasticsearch search_after parameter to know more.
- Value can be any of:
hits,aggregations - Default value is
hits
Which part of the result to transform into Logstash events when processing the response from the query. The defaulthits will generate one event per returned document (i.e. "hit"). When set toaggregations, a single Logstash event will be generated with the contents of theaggregations object of the query’s response. In this case thehits object will be ignored. The parametersize will be always be set to 0 regardless of the default or user-defined value set in this plugin.
- Value type isnumber
- Default value is
60
The maximum amount of time, in seconds, for a single request to Elasticsearch. Request timeouts tend to occur when an individual page of data is very large, such as when it contains large-payload documents and/or thesize has been specified as a large value.
- Value type isnumber
- Default value is
0
The number of times to re-run the query after the first failure. If the query fails after all retries, it logs an error message. The default is 0 (no retry). This value should be equal to or greater than zero.
Partial failures - such as errors in a subset of all slices - can result in the entire query being retried, which can lead to duplication of data. Avoiding this would require Logstash to store the entire result set of a query in memory which is often not possible.
- Value type isstring
- There is no default value for this setting.
Schedule of when to periodically run statement, in Cron format for example: "* * * * *" (execute query every minute, on the minute)
There is no schedule by default. If no schedule is given, then the statement is run exactly once.
- Value type isstring
- Default value is
"1m"
This parameter controls the keepalive time in seconds of the scrolling request and initiates the scrolling process. The timeout applies per round trip (i.e. between the previous scroll request, to the next).
- Value can be any of:
auto,search_after,scroll - Default value is
auto
Withauto the plugin uses thesearch_after parameter for Elasticsearch version8.0.0 or higher, otherwise thescroll API is used instead.
search_after usespoint in time and sort value to search. The query requires at least onesort field, as described in thequery parameter.
scroll usesscroll API to search, which is no longer recommended.
- Value type isnumber
- Default value is
1000
This allows you to set the maximum number of hits returned per scroll.
- Value type isnumber
- There is no default value.
- Sensible values range from 2 to about 8.
In some cases, it is possible to improve overall throughput by consuming multiple distinct slices of a query simultaneously usingsliced scrolls, especially if the pipeline is spending significant time waiting on Elasticsearch to provide results.
If set, theslices parameter tells the plugin how many slices to divide the work into, and will produce events from the slices in parallel until all of them are done scrolling.
The Elasticsearch manual indicates that there can benegative performance implications to both the query and the Elasticsearch cluster when a scrolling query uses more slices than shards in the index.
If theslices parameter is left unset, the plugin willnot inject slice instructions into the query.
- Value type ispath
- There is no default value for this setting.
SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.
This setting can be used only ifssl_key is set.
- Value type is a list ofpath
- There is no default value for this setting
The.cer or.pem files to validate the server’s certificate.
You cannot use this setting andssl_truststore_path at the same time.
- Value type is a list ofstring
- There is no default value for this setting
The list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.
- Value type isboolean
- There is no default value for this setting.
Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this unspecified will use whatever scheme is specified in the URLs listed inhosts or extracted from thecloud_id. If no explicit protocol is specified plain HTTP will be used.
When not explicitly set, SSL will be automatically enabled if any of the specified hosts use HTTPS.
- Value type ispath
- There is no default value for this setting.
OpenSSL-style RSA private key that corresponds to thessl_certificate.
This setting can be used only ifssl_certificate is set.
- Value type ispassword
- There is no default value for this setting.
Set the keystore password
- Value type ispath
- There is no default value for this setting.
The keystore used to present a certificate to the server. It can be either.jks or.p12
You cannot use this setting andssl_certificate at the same time.
- Value can be any of:
jks,pkcs12 - If not provided, the value will be inferred from the keystore filename.
The format of the keystore file. It must be eitherjks orpkcs12.
- Value type isstring
- Allowed values are:
'TLSv1.1','TLSv1.2','TLSv1.3' - Default depends on the JDK being used. With up-to-date Logstash, the default is
['TLSv1.2', 'TLSv1.3'].'TLSv1.1'is not considered secure and is only provided for legacy applications.
List of allowed SSL/TLS versions to use when establishing a connection to the Elasticsearch cluster.
For Java 8'TLSv1.3' is supported only since8u262 (AdoptOpenJDK), but requires that you set theLS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.
If you configure the plugin to use'TLSv1.1' on any recent JVM, such as the one packaged with Logstash, the protocol is disabled by default and needs to be enabled manually by changingjdk.tls.disabledAlgorithms in the$JDK_HOME/conf/security/java.security configuration file. That is,TLSv1.1 needs to be removed from the list.
- Value type ispassword
- There is no default value for this setting.
Set the truststore password.
- Value type ispath
- There is no default value for this setting.
The truststore to validate the server’s certificate. It can be either .jks or .p12.
You cannot use this setting andssl_certificate_authorities at the same time.
- Value can be any of:
jks,pkcs12 - If not provided, the value will be inferred from the truststore filename.
The format of the truststore file. It must be eitherjks orpkcs12.
- Value can be any of:
full,none - Default value is
full
Defines how to verify the certificates presented by another party in the TLS connection:
full validates that the server certificate has an issue date that’s within the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and has a hostname or IP address that matches the names within the certificate.
none performs no certificate validation.
Setting certificate verification tonone disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please readhttps://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
- Value type isnumber
- Default value is
60
The maximum amount of time, in seconds, to wait on an incomplete response from Elasticsearch while no additional data has been appended. Socket timeouts usually occur while waiting for the first byte of a response, such as when executing a particularly complex query.
- Value type is field reference.
- There is no default value for this setting.
Without atarget, events are created from each hit’s_source at the root level. When thetarget is set to a field reference, the_source of the hit is placed in the target field instead.
This option can be useful to avoid populating unknown fields when a downstream schema such as ECS is enforced. It is also possible to target an entry in the event’s metadata, which will be available during event processing but not exported to your outputs (e.g.,target \=> "[@metadata][_source]").
- Value type isstring
- There is no default value for this setting.
The username to use together with the password in thepassword option when authenticating to the Elasticsearch server. If set to an empty string authentication will be disabled.
As of version5.0.0 of this plugin, some configuration options have been replaced. The plugin will fail to start if it contains any of these obsolete options.
| Setting | Replaced by |
|---|---|
| ca_file | ssl_certificate_authorities |
| ssl | ssl_enabled |
| ssl_certificate_verification | ssl_verification_mode |
These configuration options are supported by all input plugins:
| Setting | Input type | Required |
|---|---|---|
add_field | hash | No |
codec | codec | No |
enable_metric | boolean | No |
id | string | No |
tags | array | No |
type | string | No |
- Value type ishash
- Default value is
{}
Add a field to an event
- Value type iscodec
- Default value is
"json"
The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.
- Value type isboolean
- Default value is
true
Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
- Value type isstring
- There is no default value for this setting.
Add a uniqueID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 elasticsearch inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
input { elasticsearch { id => "my_plugin_id" }}Variable substitution in theid field only supports environment variables and does not support the use of values from the secret store.
- Value type isarray
- There is no default value for this setting.
Add any number of arbitrary tags to your event.
This can help with processing later.
- Value type isstring
- There is no default value for this setting.
Add atype field to all events handled by this input.
Types are used mainly for filter activation.
The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.
If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.