logstash-output-elasticsearch 10.8.1-java → 11.0.0-java

Files changed (33)
  1. checksums.yaml +4 -4
  2. data/CHANGELOG.md +24 -0
  3. data/README.md +1 -1
  4. data/docs/index.asciidoc +282 -114
  5. data/lib/logstash/outputs/elasticsearch.rb +125 -65
  6. data/lib/logstash/outputs/elasticsearch/data_stream_support.rb +233 -0
  7. data/lib/logstash/outputs/elasticsearch/http_client.rb +59 -21
  8. data/lib/logstash/outputs/elasticsearch/http_client/pool.rb +47 -34
  9. data/lib/logstash/outputs/elasticsearch/ilm.rb +11 -12
  10. data/lib/logstash/outputs/elasticsearch/license_checker.rb +19 -22
  11. data/lib/logstash/outputs/elasticsearch/template_manager.rb +3 -5
  12. data/lib/logstash/plugin_mixins/elasticsearch/api_configs.rb +157 -153
  13. data/lib/logstash/plugin_mixins/elasticsearch/common.rb +80 -60
  14. data/logstash-output-elasticsearch.gemspec +2 -2
  15. data/spec/es_spec_helper.rb +3 -6
  16. data/spec/integration/outputs/data_stream_spec.rb +61 -0
  17. data/spec/integration/outputs/ilm_spec.rb +22 -18
  18. data/spec/integration/outputs/ingest_pipeline_spec.rb +4 -2
  19. data/spec/integration/outputs/retry_spec.rb +14 -2
  20. data/spec/integration/outputs/sniffer_spec.rb +0 -1
  21. data/spec/spec_helper.rb +14 -0
  22. data/spec/unit/http_client_builder_spec.rb +9 -9
  23. data/spec/unit/outputs/elasticsearch/data_stream_support_spec.rb +542 -0
  24. data/spec/unit/outputs/elasticsearch/http_client/manticore_adapter_spec.rb +1 -0
  25. data/spec/unit/outputs/elasticsearch/http_client/pool_spec.rb +27 -13
  26. data/spec/unit/outputs/elasticsearch/http_client_spec.rb +59 -41
  27. data/spec/unit/outputs/elasticsearch/template_manager_spec.rb +1 -3
  28. data/spec/unit/outputs/elasticsearch_proxy_spec.rb +4 -5
  29. data/spec/unit/outputs/elasticsearch_spec.rb +228 -38
  30. data/spec/unit/outputs/elasticsearch_ssl_spec.rb +1 -2
  31. data/spec/unit/outputs/error_whitelist_spec.rb +4 -3
  32. data/spec/unit/outputs/license_check_spec.rb +0 -16
  33. metadata +23 -16
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 9c547ba2082e8d6ee23bca31219922bef90ea367665e8693488c0a2af918355d
4
- data.tar.gz: 83a8e5c3261f551fb2cb116cfa16db6db7534c3eea1859f14d32c0ce9fa6d858
3
+ metadata.gz: dd0e368ed484aa214da94fcdc6978f919b3139cf90f8db462aba17f9c1e86670
4
+ data.tar.gz: 67b475fdd703d50d7bbb806adebd46c3b6657ead3019e76c7517e3c2428335be
5
5
  SHA512:
6
- metadata.gz: fd0df72d793640fffae40ace04c528e06af52b7a24381bd52e29677ed3da3e2bd82db9521b73695746ef55322f95bc919d374c29e19d85f22a1dbcdc9f1c4123
7
- data.tar.gz: d043c430f6bfcf652e5ca85f9f1e90103b1a64650c003fcb5651235784c008c981dc0b18e898df166c1a194ef89e57e655a3f0224bf4fc958d4df277b2972e4d
6
+ metadata.gz: f1e85fea62c9173d0ffdbf739487d8bcbbcfb41f304893e37333d22a8f42b0f527506d926c9f983480ef1c76eee43869ded32b84df98e19fdd999b9d5a26baa9
7
+ data.tar.gz: 0d1df95d541fa6e1d1161763051a3b4dc8fed10f62d878e7b4aa556d00c17bf6daf44a2fdc0c356c14c9c5431457112da601942dcf34dbf5386b05235933146e
data/CHANGELOG.md CHANGED
@@ -1,3 +1,27 @@
1
+ ## 11.0.0
2
+ - Feat: Data stream support [#988](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/988)
3
+ - Refactor: reviewed logging format + restored ES (initial) setup error logging
4
+ - Feat: always check ES license [#1005](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1005)
5
+
6
+ Since Elasticsearch no longer provides an OSS artifact the plugin will no longer skip the license check on OSS Logstash.
7
+
8
+ ## 10.8.6
9
+ - Fixed an issue where a single over-size event being rejected by Elasticsearch would cause the entire entire batch to be retried indefinitely. The oversize event will still be retried on its own and logging has been improved to include payload sizes in this situation [#972](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/972)
10
+ - Fixed an issue with `http_compression => true` where a well-compressed payload could fit under our outbound 20MB limit but expand beyond Elasticsearch's 100MB limit, causing bulk failures. Bulk grouping is now determined entirely by the decompressed payload size [#823](https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/823)
11
+ - Improved debug-level logging about bulk requests.
12
+
13
+ ## 10.8.5
14
+ - Feat: assert returned item count from _bulk [#997](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/997)
15
+
16
+ ## 10.8.4
17
+ - Fixed an issue where a retried request would drop "update" parameters [#800](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/800)
18
+
19
+ ## 10.8.3
20
+ - Avoid to implicitly set deprecated type to `_doc` when connects to Elasticsearch version 7.x [#994](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/994)
21
+
22
+ ## 10.8.2
23
+ - [DOC] Update links to use shared attributes [#985](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/985)
24
+
1
25
  ## 10.8.1
2
26
  - Fixed an issue when assigning the no-op license checker [#984](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/984)
3
27
 
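Review bot: The 10.8.6 entry has a doubled word ("cause the entire entire batch to be retried"), and the 10.8.3 entry's "Avoid to implicitly set deprecated type to `_doc` when connects to" reads better as "Avoid implicitly setting the deprecated type to `_doc` when connecting to". In the 11.0.0 block, the "Since Elasticsearch no longer provides an OSS artifact" paragraph is not indented under the license-check bullet it explains, so it will render as a separate paragraph; since it describes a behaviour change for OSS Logstash users in a major release, consider indenting it and marking it as breaking.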
data/README.md CHANGED
@@ -1,6 +1,6 @@
1
1
  # Logstash Plugin
2
2
 
3
- [![Travis Build Status](https://travis-ci.org/logstash-plugins/logstash-output-elasticsearch.svg)](https://travis-ci.org/logstash-plugins/logstash-output-elasticsearch)
3
+ [![Travis Build Status](https://travis-ci.com/logstash-plugins/logstash-output-elasticsearch.svg)](https://travis-ci.com/logstash-plugins/logstash-output-elasticsearch)
4
4
 
5
5
  This is a plugin for [Logstash](https://github.com/elastic/logstash).
6
6
 
data/docs/index.asciidoc CHANGED
@@ -21,26 +21,19 @@ include::{include_path}/plugin_header.asciidoc[]
21
21
 
22
22
  ==== Description
23
23
 
24
- If you plan to use the Kibana web interface to analyze data transformed by
25
- Logstash, use the Elasticsearch output plugin to get your data into
26
- Elasticsearch.
24
+ Elasticsearch provides near real-time search and analytics for all types of
25
+ data. The Elasticsearch output plugin can store both time series datasets (such
26
+ as logs, events, and metrics) and non-time series data in Elasticsearch.
27
27
 
28
- This output only speaks the HTTP protocol as it is the preferred protocol for
29
- interacting with Elasticsearch. In previous versions it was possible to
30
- communicate with Elasticsearch through the transport protocol, which is now
31
- reserved for internal cluster communication between nodes
32
- https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-transport.html[communication between nodes].
33
- Using the https://www.elastic.co/guide/en/elasticsearch/reference/current/java-clients.html[transport protocol]
34
- to communicate with the cluster has been deprecated in Elasticsearch 7.0.0 and
35
- will be removed in 8.0.0
36
-
37
- You can learn more about Elasticsearch at <https://www.elastic.co/products/elasticsearch>
28
+ You can https://www.elastic.co/elasticsearch/[learn more about Elasticsearch] on
29
+ the website landing page or in the {ref}[Elasticsearch documentation].
38
30
 
39
31
  .Compatibility Note
40
32
  [NOTE]
41
33
  ================================================================================
42
34
  When connected to Elasticsearch 7.x, modern versions of this plugin
43
- use the required `_doc` document-type when inserting documents.
35
+ don't use the document-type when inserting documents, unless the user
36
+ explicitly sets <<plugins-{type}s-{plugin}-document_type>>.
44
37
 
45
38
  If you are using an earlier version of Logstash and wish to connect to
46
39
  Elasticsearch 7.x, first upgrade Logstash to version 6.8 to ensure it
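Review bot: With the transport-protocol paragraph removed, the Description no longer states that this output speaks HTTP only, yet the `hosts` option further down still depends on that fact ("9200, not 9300"). Consider keeping a one-sentence statement that the plugin talks to the Elasticsearch HTTP interface. The new opening sentence ("can store both time series datasets (such as logs, events, and metrics) and non-time series data") is also repeated almost word for word at the top of the Data streams section added in the next hunk; one of the two can go.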
@@ -69,6 +62,59 @@ By having an ECS-compatible template in place, we can ensure that Elasticsearch
69
62
  is prepared to create and index fields in a way that is compatible with ECS,
70
63
  and will correctly reject events with fields that conflict and cannot be coerced.
71
64
 
65
+ [id="plugins-{type}s-{plugin}-data-streams"]
66
+ ==== Data streams
67
+
68
+ The {es} output plugin can store both time series datasets (such
69
+ as logs, events, and metrics) and non-time series data in Elasticsearch.
70
+
71
+ The data stream options are recommended for indexing time series datasets (such
72
+ as logs, metrics, and events) into {es}:
73
+
74
+ * <<plugins-{type}s-{plugin}-data_stream>> |<<string,string>>
75
+ * <<plugins-{type}s-{plugin}-data_stream_auto_routing>>
76
+ * <<plugins-{type}s-{plugin}-data_stream_dataset>>
77
+ * <<plugins-{type}s-{plugin}-data_stream_namespace>>
78
+ * <<plugins-{type}s-{plugin}-data_stream_sync_fields>>
79
+ * <<plugins-{type}s-{plugin}-data_stream_type>>
80
+
81
+ [id="plugins-{type}s-{plugin}-ds-examples"]
82
+ ===== Data stream configuration examples
83
+
84
+ **Example: Basic default configuration**
85
+
86
+ [source,sh]
87
+ -----
88
+ output {
89
+ elasticsearch {
90
+ hosts => "hostname"
91
+ data_stream => "true"
92
+ }
93
+ }
94
+ -----
95
+
96
+ This example shows the minimal settings for processing data streams. Events
97
+ with `data_stream.*`` fields are routed to the appropriate data streams. If the
98
+ fields are missing, routing defaults to `logs-generic-logstash`.
99
+
100
+ **Example: Customize data stream name**
101
+
102
+ [source,sh]
103
+ -----
104
+ output {
105
+ elasticsearch {
106
+ hosts => "hostname"
107
+ data_stream => "true"
108
+ data_stream_type => "metrics"
109
+ data_stream_dataset => "foo"
110
+ data_stream_namespace => "bar"
111
+ }
112
+ }
113
+ -----
114
+
115
+
116
+
117
+
72
118
  ==== Writing to different indices: best practices
73
119
 
74
120
  [NOTE]
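Review bot: The text after the first example says routing defaults to `logs-generic-logstash`, but the option defaults documented later in this patch are `data_stream_type` `logs`, `data_stream_dataset` `generic` and `data_stream_namespace` `default`, which with the type-dataset-namespace format would give `logs-generic-default`; one of the two needs correcting. In the same hunk, the first list item carries a stray ` |<<string,string>>` that looks copied from the options table, and `data_stream.*`` has a doubled closing backtick that will break the inline literal. The second example would benefit from a sentence naming the data stream it produces, and the four empty lines added before "Writing to different indices" can be dropped.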
@@ -103,9 +149,8 @@ Example:
103
149
 
104
150
  **What to do in case there is no field in the event containing the destination index prefix?**
105
151
 
106
- You can use the `mutate` filter and conditionals to add a `[@metadata]` field
107
- (see
108
- https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#metadata)
152
+ You can use the `mutate` filter and conditionals to add a
153
+ {logstash-ref}/event-dependent-configuration.html#metadata[`[@metadata]` field]
109
154
  to set the destination index for each event. The `[@metadata]` fields will not
110
155
  be sent to Elasticsearch.
111
156
 
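Review bot: In the new link macro the text "`[@metadata]` field" sits inside the macro's own square brackets, so the `]` that closes `[@metadata]` is likely to end the link text early and leave " field]" as literal output. Escape that bracket (`\]`) or keep the literal outside the link text, and check the rendered page.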
@@ -159,30 +204,37 @@ happens, the problem is logged as a warning, and the event is dropped. See
159
204
  [id="plugins-{type}s-{plugin}-ilm"]
160
205
  ==== Index Lifecycle Management
161
206
 
162
-
163
207
  [NOTE]
164
208
  The Index Lifecycle Management feature requires plugin version `9.3.1` or higher.
165
209
 
166
210
  [NOTE]
167
211
  This feature requires an Elasticsearch instance of 6.6.0 or higher with at least a Basic license
168
212
 
169
- Logstash can use {ref}/index-lifecycle-management.html[Index Lifecycle Management] to automate the management of indices over time.
213
+ Logstash can use {ref}/index-lifecycle-management.html[Index Lifecycle
214
+ Management] to automate the management of indices over time.
170
215
 
171
216
  The use of Index Lifecycle Management is controlled by the `ilm_enabled`
172
217
  setting. By default, this setting detects whether the Elasticsearch instance
173
218
  supports ILM, and uses it if it is available. `ilm_enabled` can also be set to
174
219
  `true` or `false` to override the automatic detection, or disable ILM.
175
220
 
176
- This will overwrite the index settings and adjust the Logstash template to write the necessary settings for the template
177
- to support index lifecycle management, including the index policy and rollover alias to be used.
221
+ This will overwrite the index settings and adjust the Logstash template to write
222
+ the necessary settings for the template to support index lifecycle management,
223
+ including the index policy and rollover alias to be used.
178
224
 
179
- Logstash will create a rollover alias for the indices to be written to, including a pattern for how the actual indices will be named, and unless an ILM policy that already exists has been specified,
180
- a default policy will also be created. The default policy is configured to rollover an index when it reaches either 50 gigabytes in size, or is 30 days old, whichever happens first.
225
+ Logstash will create a rollover alias for the indices to be written to,
226
+ including a pattern for how the actual indices will be named, and unless an ILM
227
+ policy that already exists has been specified, a default policy will also be
228
+ created. The default policy is configured to rollover an index when it reaches
229
+ either 50 gigabytes in size, or is 30 days old, whichever happens first.
181
230
 
182
- The default rollover alias is called `logstash`, with a default pattern for the rollover index of `{now/d}-00001`,
183
- which will name indices on the date that the index is rolled over, followed by an incrementing number. Note that the pattern must end with a dash and a number that will be incremented.
231
+ The default rollover alias is called `logstash`, with a default pattern for the
232
+ rollover index of `{now/d}-00001`, which will name indices on the date that the
233
+ index is rolled over, followed by an incrementing number. Note that the pattern
234
+ must end with a dash and a number that will be incremented.
184
235
 
185
- See the {ref}/indices-rollover-index.html#_using_date_math_with_the_rollover_api[Rollover API documentation] for more details on naming.
236
+ See the {ref}/indices-rollover-index.html#_using_date_math_with_the_rollover_api[Rollover
237
+ API documentation] for more details on naming.
186
238
 
187
239
  The rollover alias, ilm pattern and policy can be modified.
188
240
 
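Review bot: The rewrapped paragraph still gives the default rollover pattern as `{now/d}-00001` (five digits), while the `ilm_pattern` option later in this file documents the default as `{now/d}-000001`. Since this paragraph is being touched anyway, align the two values. The rest of the hunk is line wrapping only and reads fine.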
@@ -198,19 +250,24 @@ See config below for an example:
198
250
 
199
251
  NOTE: Custom ILM policies must already exist on the Elasticsearch cluster before they can be used.
200
252
 
201
- NOTE: If the rollover alias or pattern is modified, the index template will need to be overwritten as the settings `index.lifecycle.name` and `index.lifecycle.rollover_alias` are automatically written to the template
253
+ NOTE: If the rollover alias or pattern is modified, the index template will need to be
254
+ overwritten as the settings `index.lifecycle.name` and
255
+ `index.lifecycle.rollover_alias` are automatically written to the template
202
256
 
203
257
  NOTE: If the index property is supplied in the output definition, it will be overwritten by the rollover alias.
204
258
 
205
259
 
206
260
  ==== Batch Sizes
207
261
 
208
- This plugin attempts to send batches of events as a single request. However, if
209
- a request exceeds 20MB we will break it up into multiple batch requests. If a single document exceeds 20MB it will be sent as a single request.
262
+ This plugin attempts to send batches of events to the {ref}/docs-bulk.html[{es}
263
+ Bulk API] as a single request. However, if a batch exceeds 20MB we break it up
264
+ into multiple bulk requests. If a single document exceeds 20MB it is sent as a
265
+ single request.
210
266
 
211
267
  ==== DNS Caching
212
268
 
213
- This plugin uses the JVM to lookup DNS entries and is subject to the value of https://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html[networkaddress.cache.ttl],
269
+ This plugin uses the JVM to lookup DNS entries and is subject to the value of
270
+ https://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html[networkaddress.cache.ttl],
214
271
  a global setting for the JVM.
215
272
 
216
273
  As an example, to set your DNS TTL to 1 second you would set
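Review bot: The rewritten Batch Sizes paragraph does not say whether the 20MB threshold applies to the compressed or the uncompressed payload. The 10.8.6 changelog entry in this release states that bulk grouping is now determined entirely by the decompressed payload size, so add that here; otherwise readers using `http_compression => true` have to infer it. Minor: the rewrapped NOTE about `index.lifecycle.name` and `index.lifecycle.rollover_alias` still ends without a full stop.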
@@ -226,8 +283,7 @@ enabled by default for HTTP and for Elasticsearch versions 5.0 and later.
226
283
 
227
284
  You don't have to set any configs in Elasticsearch for it to send back a
228
285
  compressed response. For versions before 5.0, or if HTTPS is enabled,
229
- `http.compression` must be set to `true`
230
- https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html#modules-http[in
286
+ `http.compression` must be set to `true` {ref}/modules-http.html#modules-http[in
231
287
  Elasticsearch] to take advantage of response compression when using this plugin.
232
288
 
233
289
  For requests compression, regardless of the Elasticsearch version, enable the
@@ -235,19 +291,23 @@ For requests compression, regardless of the Elasticsearch version, enable the
235
291
 
236
292
  ==== Authentication
237
293
 
238
- Authentication to a secure Elasticsearch cluster is possible using one of the `user`/`password`, `cloud_auth` or `api_key` options.
294
+ Authentication to a secure Elasticsearch cluster is possible using one of the
295
+ `user`/`password`, `cloud_auth` or `api_key` options.
239
296
 
240
297
  [id="plugins-{type}s-{plugin}-autz"]
241
298
  ==== Authorization
242
299
 
243
- Authorization to a secure Elasticsearch cluster requires `read` permission at index level and `monitoring` permissions at cluster level.
244
- The `monitoring` permission at cluster level is necessary to perform periodic connectivity checks.
300
+ Authorization to a secure Elasticsearch cluster requires `read` permission at
301
+ index level and `monitoring` permissions at cluster level. The `monitoring`
302
+ permission at cluster level is necessary to perform periodic connectivity
303
+ checks.
245
304
 
246
305
 
247
306
  [id="plugins-{type}s-{plugin}-options"]
248
307
  ==== Elasticsearch Output Configuration Options
249
308
 
250
- This plugin supports the following configuration options plus the <<plugins-{type}s-{plugin}-common-options>> described later.
309
+ This plugin supports the following configuration options plus the
310
+ <<plugins-{type}s-{plugin}-common-options>> described later.
251
311
 
252
312
  [cols="<,<,<",options="header",]
253
313
  |=======================================================================
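Review bot: The Authorization paragraph is only rewrapped, but it still lists just `read` at index level and `monitoring` at cluster level, while the same document describes the plugin indexing documents through the Bulk API, creating a rollover alias, writing an index template and creating a default ILM policy. Anyone building a least-privilege role from this text will end up with a role that cannot write. Confirm the privileges the plugin actually needs for indexing, for template and ILM setup, and for the new data stream mode, and list them here.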
@@ -259,6 +319,12 @@ This plugin supports the following configuration options plus the <<plugins-{typ
259
319
  | <<plugins-{type}s-{plugin}-cloud_auth>> |<<password,password>>|No
260
320
  | <<plugins-{type}s-{plugin}-cloud_id>> |<<string,string>>|No
261
321
  | <<plugins-{type}s-{plugin}-custom_headers>> |<<hash,hash>>|No
322
+ | <<plugins-{type}s-{plugin}-data_stream>> |<<string,string>>, one of `["true", "false", "auto"]`|No
323
+ | <<plugins-{type}s-{plugin}-data_stream_auto_routing>> |<<boolean,boolean>>|No
324
+ | <<plugins-{type}s-{plugin}-data_stream_dataset>> |<<string,string>>|No
325
+ | <<plugins-{type}s-{plugin}-data_stream_namespace>> |<<string,string>>|No
326
+ | <<plugins-{type}s-{plugin}-data_stream_sync_fields>> |<<boolean,boolean>>|No
327
+ | <<plugins-{type}s-{plugin}-data_stream_type>> |<<string,string>>|No
262
328
  | <<plugins-{type}s-{plugin}-doc_as_upsert>> |<<boolean,boolean>>|No
263
329
  | <<plugins-{type}s-{plugin}-document_id>> |<<string,string>>|No
264
330
  | <<plugins-{type}s-{plugin}-document_type>> |<<string,string>>|No
@@ -320,22 +386,20 @@ output plugins.
320
386
  ===== `action`
321
387
 
322
388
  * Value type is <<string,string>>
323
- * Default value is `"index"`
389
+ * Default value is `create` for data streams, and `index` for non-time series data.
324
390
 
325
- Protocol agnostic (i.e. non-http, non-java specific) configs go here
326
- Protocol agnostic methods
327
391
  The Elasticsearch action to perform. Valid actions are:
328
392
 
329
- - index: indexes a document (an event from Logstash).
330
- - delete: deletes a document by id (An id is required for this action)
331
- - create: indexes a document, fails if a document by that id already exists in the index.
332
- - update: updates a document by id. Update has a special case where you can upsert -- update a
393
+ - `index`: indexes a document (an event from Logstash).
394
+ - `delete`: deletes a document by id (An id is required for this action)
395
+ - `create`: indexes a document, fails if a document by that id already exists in the index.
396
+ - `update`: updates a document by id. Update has a special case where you can upsert -- update a
333
397
  document if not already present. See the `doc_as_upsert` option. NOTE: This does not work and is not supported
334
398
  in Elasticsearch 1.x. Please upgrade to ES 2.x or greater to use this feature with Logstash!
335
399
  - A sprintf style string to change the action based on the content of the event. The value `%{[foo]}`
336
400
  would use the foo field for the action
337
401
 
338
- For more details on actions, check out the http://www.elastic.co/guide/en/elasticsearch/reference/current/docs-bulk.html[Elasticsearch bulk API documentation]
402
+ For more details on actions, check out the {ref}/docs-bulk.html[Elasticsearch bulk API documentation].
339
403
 
340
404
  [id="plugins-{type}s-{plugin}-api_key"]
341
405
  ===== `api_key`
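Review bot: The new default line keys the `action` default on "data streams" versus "non-time series data", but what actually switches behaviour is the `data_stream` setting, which also has an `auto` value. Wording it in terms of that setting (for example "`create` when data stream mode is active, `index` otherwise") would tell the reader which default applies under `auto`. It would also help to state which of the listed actions remain valid when writing to a data stream.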
@@ -343,9 +407,11 @@ For more details on actions, check out the http://www.elastic.co/guide/en/elasti
343
407
  * Value type is <<password,password>>
344
408
  * There is no default value for this setting.
345
409
 
346
- Authenticate using Elasticsearch API key. Note that this option also requires enabling the `ssl` option.
410
+ Authenticate using Elasticsearch API key. Note that this option also requires
411
+ enabling the `ssl` option.
347
412
 
348
- Format is `id:api_key` where `id` and `api_key` are as returned by the Elasticsearch https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html[Create API key API].
413
+ Format is `id:api_key` where `id` and `api_key` are as returned by the
414
+ Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
349
415
 
350
416
  [id="plugins-{type}s-{plugin}-bulk_path"]
351
417
  ===== `bulk_path`
@@ -362,7 +428,7 @@ this defaults to a concatenation of the path parameter and "_bulk"
362
428
  * Value type is <<path,path>>
363
429
  * There is no default value for this setting.
364
430
 
365
- The .cer or .pem file to validate the server's certificate
431
+ The .cer or .pem file to validate the server's certificate.
366
432
 
367
433
  [id="plugins-{type}s-{plugin}-cloud_auth"]
368
434
  ===== `cloud_auth`
@@ -370,9 +436,11 @@ The .cer or .pem file to validate the server's certificate
370
436
  * Value type is <<password,password>>
371
437
  * There is no default value for this setting.
372
438
 
373
- Cloud authentication string ("<username>:<password>" format) is an alternative for the `user`/`password` pair.
439
+ Cloud authentication string ("<username>:<password>" format) is an alternative
440
+ for the `user`/`password` pair.
374
441
 
375
- For more details, check out the https://www.elastic.co/guide/en/logstash/current/connecting-to-cloud.html[Logstash-to-Cloud documentation]
442
+ For more details, check out the
443
+ {logstash-ref}/connecting-to-cloud.html[Logstash-to-Cloud documentation].
376
444
 
377
445
  [id="plugins-{type}s-{plugin}-cloud_id"]
378
446
  ===== `cloud_id`
@@ -382,7 +450,71 @@ For more details, check out the https://www.elastic.co/guide/en/logstash/current
382
450
 
383
451
  Cloud ID, from the Elastic Cloud web console. If set `hosts` should not be used.
384
452
 
385
- For more details, check out the https://www.elastic.co/guide/en/logstash/current/connecting-to-cloud.html[Logstash-to-Cloud documentation]
453
+ For more details, check out the
454
+ {logstash-ref}/connecting-to-cloud.html[Logstash-to-Cloud documentation].
455
+
456
+ [id="plugins-{type}s-{plugin}-data_stream"]
457
+ ===== `data_stream`
458
+
459
+ * Value can be any of: `true`, `false` and `auto`
460
+ * Default is `false` in Logstash 7.x and `auto` starting in Logstash 8.0.
461
+
462
+ Defines whether data will be indexed into an Elasticsearch data stream.
463
+ The other `data_stream_*` settings will be used only if this setting is enabled.
464
+
465
+ Logstash handles the output as a data stream when the supplied configuration
466
+ is compatible with data streams and this value is set to `auto`.
467
+
468
+ [id="plugins-{type}s-{plugin}-data_stream_auto_routing"]
469
+ ===== `data_stream_auto_routing`
470
+
471
+ * Value type is <<boolean,boolean>>
472
+ * Default value is `true`.
473
+
474
+ Automatically routes events by deriving the data stream name using specific event
475
+ fields with the `%{[data_stream][type]}-%{[data_stream][dataset]}-%{[data_stream][namespace]}` format.
476
+
477
+ If enabled, the `data_stream.*` event fields will take precedence over the
478
+ `data_stream_type`, `data_stream_dataset`, and `data_stream_namespace` settings,
479
+ but will fall back to them if any of the fields are missing from the event.
480
+
481
+ [id="plugins-{type}s-{plugin}-data_stream_dataset"]
482
+ ===== `data_stream_dataset`
483
+
484
+ * Value type is <<string,string>>
485
+ * Default value is `generic`.
486
+
487
+ The data stream dataset used to construct the data stream at index time.
488
+
489
+ [id="plugins-{type}s-{plugin}-data_stream_namespace"]
490
+ ===== `data_stream_namespace`
491
+
492
+ * Value type is <<string,string>>
493
+ * Default value is `default`.
494
+
495
+ The data stream namespace used to construct the data stream at index time.
496
+
497
+ [id="plugins-{type}s-{plugin}-data_stream_sync_fields"]
498
+ ===== `data_stream_sync_fields`
499
+
500
+ * Value type is <<boolean,boolean>>
501
+ * Default value is `true`
502
+
503
+ Automatically adds and syncs the `data_stream.*` event fields if they are missing from the
504
+ event. This ensures that fields match the name of the data stream that is receiving events.
505
+
506
+ NOTE: If existing `data_stream.*` event fields do not match the data stream name
507
+ and `data_stream_auto_routing` is disabled, the event fields will be
508
+ overwritten with a warning.
509
+
510
+ [id="plugins-{type}s-{plugin}-data_stream_type"]
511
+ ===== `data_stream_type`
512
+
513
+ * Value type is <<string,string>>
514
+ * Default value is `logs`.
515
+
516
+ The data stream type used to construct the data stream at index time.
517
+ Currently, only `logs` and `metrics`are supported.
386
518
 
387
519
  [id="plugins-{type}s-{plugin}-doc_as_upsert"]
388
520
  ===== `doc_as_upsert`
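Review bot: Under `data_stream_auto_routing`, the text says the `data_stream.*` event fields take precedence over the configured type, dataset and namespace, and the default is `true`, which means the content of an event selects the destination data stream. The doc should say this plainly and note that pipelines receiving events from sources they do not control can set `data_stream_auto_routing => false` (or normalise those fields in a filter) so the configured values always win. Also in this hunk: "`logs` and `metrics`are supported" is missing a space after the closing backtick, and the `data_stream` entry should state what makes a configuration "compatible with data streams" for the `auto` case.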
@@ -391,7 +523,7 @@ For more details, check out the https://www.elastic.co/guide/en/logstash/current
391
523
  * Default value is `false`
392
524
 
393
525
  Enable `doc_as_upsert` for update mode.
394
- Create a new document with source if `document_id` doesn't exist in Elasticsearch
526
+ Create a new document with source if `document_id` doesn't exist in Elasticsearch.
395
527
 
396
528
  [id="plugins-{type}s-{plugin}-document_id"]
397
529
  ===== `document_id`
@@ -399,7 +531,8 @@ Create a new document with source if `document_id` doesn't exist in Elasticsearc
399
531
  * Value type is <<string,string>>
400
532
  * There is no default value for this setting.
401
533
 
402
- The document ID for the index. Useful for overwriting existing entries in Elasticsearch with the same ID.
534
+ The document ID for the index. Useful for overwriting existing entries in
535
+ Elasticsearch with the same ID.
403
536
 
404
537
  [id="plugins-{type}s-{plugin}-document_type"]
405
538
  ===== `document_type`
@@ -408,8 +541,10 @@ The document ID for the index. Useful for overwriting existing entries in Elasti
408
541
  * There is no default value for this setting.
409
542
  * This option is deprecated
410
543
 
411
- NOTE: This option is deprecated due to the https://www.elastic.co/guide/en/elasticsearch/reference/6.0/removal-of-types.html[removal of types in Elasticsearch 6.0].
412
- It will be removed in the next major version of Logstash.
544
+ NOTE: This option is deprecated due to the
545
+ https://www.elastic.co/guide/en/elasticsearch/reference/6.0/removal-of-types.html[removal
546
+ of types in Elasticsearch 6.0]. It will be removed in the next major version of
547
+ Logstash.
413
548
 
414
549
  NOTE: This value is ignored and has no effect for Elasticsearch clusters `8.x`.
415
550
 
@@ -433,9 +568,9 @@ If you don't set a value for this option:
433
568
  ** When Logstash provides a `pipeline.ecs_compatibility` setting, its value is used as the default
434
569
  ** Otherwise, the default value is `disabled`.
435
570
 
436
- Controls this plugin's compatibility with the https://www.elastic.co/guide/en/ecs/current/index.html[Elastic Common Schema (ECS)],
437
- including the installation of ECS-compatible index templates.
438
- The value of this setting affects the _default_ values of:
571
+ Controls this plugin's compatibility with the {ecs-ref}[Elastic Common Schema
572
+ (ECS)], including the installation of ECS-compatible index templates. The value
573
+ of this setting affects the _default_ values of:
439
574
 
440
575
  * <<plugins-{type}s-{plugin}-index>>
441
576
  * <<plugins-{type}s-{plugin}-template_name>>
@@ -479,8 +614,10 @@ If you have custom firewall rules you may need to change this
479
614
  * Value type is <<uri,uri>>
480
615
  * Default value is `[//127.0.0.1]`
481
616
 
482
- Sets the host(s) of the remote instance. If given an array it will load balance requests across the hosts specified in the `hosts` parameter.
483
- Remember the `http` protocol uses the http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-http.html#modules-http[http] address (eg. 9200, not 9300).
617
+ Sets the host(s) of the remote instance. If given an array it will load balance
618
+ requests across the hosts specified in the `hosts` parameter. Remember the
619
+ `http` protocol uses the {ref}/modules-http.html#modules-http[http] address (eg.
620
+ 9200, not 9300).
484
621
 
485
622
  Examples:
486
623
 
@@ -490,11 +627,9 @@ Examples:
490
627
  `["https://127.0.0.1:9200"]`
491
628
  `["https://127.0.0.1:9200/mypath"]` (If using a proxy on a subpath)
492
629
 
493
- Exclude
494
- http://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html[dedicated
495
- master nodes] from the `hosts` list to prevent Logstash from sending bulk
496
- requests to the master nodes. This parameter should reference only data or
497
- client nodes in Elasticsearch.
630
+ Exclude {ref}/modules-node.html[dedicated master nodes] from the `hosts` list to
631
+ prevent Logstash from sending bulk requests to the master nodes. This parameter
632
+ should reference only data or client nodes in Elasticsearch.
498
633
 
499
634
  Any special characters present in the URLs here MUST be URL escaped! This means
500
635
  `#` should be put in as `%23` for instance.
@@ -505,7 +640,8 @@ Any special characters present in the URLs here MUST be URL escaped! This means
505
640
  * Value type is <<boolean,boolean>>
506
641
  * Default value is `false`
507
642
 
508
- Enable gzip compression on requests. Note that response compression is on by default for Elasticsearch v5.0 and beyond
643
+ Enable gzip compression on requests. Note that response compression is on by
644
+ default for Elasticsearch v5.0 and beyond
509
645
 
510
646
  [id="plugins-{type}s-{plugin}-ilm_enabled"]
511
647
  ===== `ilm_enabled`
@@ -513,14 +649,19 @@ Enable gzip compression on requests. Note that response compression is on by def
513
649
  * Value can be any of: `true`, `false`, `auto`
514
650
  * Default value is `auto`
515
651
 
516
- The default setting of `auto` will automatically enable the Index Lifecycle Management feature, if the Elasticsearch
517
- cluster is running Elasticsearch version `7.0.0` or higher with the ILM feature enabled, and disable it otherwise.
652
+ The default setting of `auto` will automatically enable
653
+ {ref}/index-lifecycle-management.html[Index Lifecycle Management], if the
654
+ Elasticsearch cluster is running Elasticsearch version `7.0.0` or higher with
655
+ the ILM feature enabled, and disable it otherwise.
518
656
 
519
- Setting this flag to `false` will disable the Index Lifecycle Management feature, even if the Elasticsearch cluster supports ILM.
520
- Setting this flag to `true` will enable Index Lifecycle Management feature, if the Elasticsearch cluster supports it. This is required
521
- to enable Index Lifecycle Management on a version of Elasticsearch earlier than version `7.0.0`.
657
+ Setting this flag to `false` will disable the Index Lifecycle Management
658
+ feature, even if the Elasticsearch cluster supports ILM.
659
+ Setting this flag to `true` will enable Index Lifecycle Management feature, if
660
+ the Elasticsearch cluster supports it. This is required to enable Index
661
+ Lifecycle Management on a version of Elasticsearch earlier than version `7.0.0`.
522
662
 
523
- NOTE: This feature requires a Basic License or above to be installed on an Elasticsearch cluster version 6.6.0 or later
663
+ NOTE: This feature requires a Basic License or above to be installed on an
664
+ Elasticsearch cluster version 6.6.0 or later.
524
665
 
525
666
  [id="plugins-{type}s-{plugin}-ilm_pattern"]
526
667
  ===== `ilm_pattern`
@@ -528,17 +669,24 @@ NOTE: This feature requires a Basic License or above to be installed on an Elast
528
669
  * Value type is <<string,string>>
529
670
  * Default value is `{now/d}-000001`
530
671
 
531
- Pattern used for generating indices managed by Index Lifecycle Management. The value specified in the pattern will be appended to
532
- the write alias, and incremented automatically when a new index is created by ILM.
672
+ Pattern used for generating indices managed by
673
+ {ref}/index-lifecycle-management.html[Index Lifecycle Management]. The value
674
+ specified in the pattern will be appended to the write alias, and incremented
675
+ automatically when a new index is created by ILM.
533
676
 
534
- Date Math can be used when specifying an ilm pattern, see {ref}/indices-rollover-index.html#_using_date_math_with_the_rollover_api[Rollover API docs] for details
677
+ Date Math can be used when specifying an ilm pattern, see
678
+ {ref}/indices-rollover-index.html#_using_date_math_with_the_rollover_api[Rollover
679
+ API docs] for details.
535
680
 
536
- NOTE: Updating the pattern will require the index template to be rewritten
681
+ NOTE: Updating the pattern will require the index template to be rewritten.
537
682
 
538
- NOTE: The pattern must finish with a dash and a number that will be automatically incremented when indices rollover.
683
+ NOTE: The pattern must finish with a dash and a number that will be automatically
684
+ incremented when indices rollover.
539
685
 
540
- NOTE: The pattern is a 6-digit string padded by zeros, regardless of prior index name. Example: 000001.
541
- See {ref}/indices-rollover-index.html#rollover-index-api-path-params[Rollover path parameters API docs] for details.
686
+ NOTE: The pattern is a 6-digit string padded by zeros, regardless of prior index name.
687
+ Example: 000001. See
688
+ {ref}/indices-rollover-index.html#rollover-index-api-path-params[Rollover path
689
+ parameters API docs] for details.
542
690
 
543
691
  [id="plugins-{type}s-{plugin}-ilm_policy"]
544
692
  ===== `ilm_policy`
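Review bot: The third NOTE at new lines 686-689 still says "The pattern is a 6-digit string padded by zeros", which does not match the documented default `{now/d}-000001` or the preceding NOTE that the pattern must finish with a dash and a number. Judging by the example 000001, it is the trailing number that is six digits, so suggest rewording to something like "The rollover number is a 6-digit string padded by zeros" in the same pass.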
@@ -546,10 +694,12 @@ See {ref}/indices-rollover-index.html#rollover-index-api-path-params[Rollover pa
546
694
  * Value type is <<string,string>>
547
695
  * Default value is `logstash-policy`
548
696
 
549
- Modify this setting to use a custom Index Lifecycle Management policy, rather than the default. If this value is not set, the default policy will
550
- be automatically installed into Elasticsearch
697
+ Modify this setting to use a custom Index Lifecycle Management policy, rather
698
+ than the default. If this value is not set, the default policy will be
699
+ automatically installed into Elasticsearch
551
700
 
552
- NOTE: If this setting is specified, the policy must already exist in Elasticsearch cluster.
701
+ NOTE: If this setting is specified, the policy must already exist in Elasticsearch
702
+ cluster.
553
703
 
554
704
  [id="plugins-{type}s-{plugin}-ilm_rollover_alias"]
555
705
  ===== `ilm_rollover_alias`
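Review bot: The description at new lines 697-699 says the default policy is installed "if this value is not set", yet the setting lists a default of `logstash-policy`, so it is unclear whether writing `logstash-policy` explicitly counts as set and then falls under the NOTE that the policy must already exist. Clarify which case applies, and add the missing full stop after "installed into Elasticsearch" and the article in "in Elasticsearch cluster".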
@@ -559,13 +709,17 @@ NOTE: If this setting is specified, the policy must already exist in Elasticsear
559
709
  ** ECS Compatibility disabled: `logstash`
560
710
  ** ECS Compatibility enabled: `ecs-logstash`
561
711
 
562
- The rollover alias is the alias where indices managed using Index Lifecycle Management will be written to.
712
+ The rollover alias is the alias where indices managed using Index Lifecycle
713
+ Management will be written to.
563
714
 
564
- NOTE: If both `index` and `ilm_rollover_alias` are specified, `ilm_rollover_alias` takes precedence.
715
+ NOTE: If both `index` and `ilm_rollover_alias` are specified,
716
+ `ilm_rollover_alias` takes precedence.
565
717
 
566
- NOTE: Updating the rollover alias will require the index template to be rewritten
718
+ NOTE: Updating the rollover alias will require the index template to be
719
+ rewritten.
567
720
 
568
- NOTE: `ilm_rollover_alias` does NOT support dynamic variable substitution as `index` does.
721
+ NOTE: `ilm_rollover_alias` does NOT support dynamic variable substitution as
722
+ `index` does.
569
723
 
570
724
  [id="plugins-{type}s-{plugin}-index"]
571
725
  ===== `index`
@@ -580,8 +734,10 @@ The default value will partition your indices by day so you can more easily
580
734
  delete old data or only search specific date ranges.
581
735
  Indexes may not contain uppercase characters.
582
736
  For weekly indexes ISO 8601 format is recommended, eg. logstash-%{+xxxx.ww}.
583
- LS uses Joda to format the index pattern from event timestamp.
584
- Joda formats are defined http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[here].
737
+ Logstash uses
738
+ http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[Joda
739
+ formats] for the index pattern from event timestamp.
740
+
585
741
 
586
742
  [id="plugins-{type}s-{plugin}-keystore"]
587
743
  ===== `keystore`
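Review bot: The Joda link carried into new line 738 is still a plain `http://` URL; since the link text is being rewritten anyway, switch it to https if the site serves it. The empty line added at new line 740 also leaves two blank lines before the `keystore` anchor, and "eg." on the context line above could become "e.g." in the same change.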
@@ -653,8 +809,9 @@ Password to authenticate to a secure Elasticsearch cluster
653
809
  * Value type is <<string,string>>
654
810
  * There is no default value for this setting.
655
811
 
656
- HTTP Path at which the Elasticsearch server lives. Use this if you must run Elasticsearch behind a proxy that remaps
657
- the root path for the Elasticsearch HTTP API lives.
812
+ HTTP Path at which the Elasticsearch server lives. Use this if you must run
813
+ Elasticsearch behind a proxy that remaps the root path for the Elasticsearch
814
+ HTTP API lives.
658
815
  Note that if you use paths as components of URLs in the 'hosts' field you may
659
816
  not also set this field. That will raise an error at startup
660
817
 
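Review bot: The sentence at new lines 812-814 was rewrapped but is still ungrammatical ("a proxy that remaps the root path for the Elasticsearch HTTP API lives"); suggest "a proxy that remaps the root path at which the Elasticsearch HTTP API lives". The context sentence that follows ("That will raise an error at startup") also has no full stop.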
@@ -664,8 +821,10 @@ not also set this field. That will raise an error at startup
664
821
  * Value type is <<string,string>>
665
822
  * Default value is `nil`
666
823
 
667
- Set which ingest pipeline you wish to execute for an event. You can also use event dependent configuration here
668
- like `pipeline => "%{[@metadata][pipeline]}"`. The pipeline parameter won't be set if the value resolves to empty string ("").
824
+ Set which ingest pipeline you wish to execute for an event. You can also use
825
+ event dependent configuration here like `pipeline =>
826
+ "%{[@metadata][pipeline]}"`. The pipeline parameter won't be set if the value
827
+ resolves to empty string ("").
669
828
 
670
829
  [id="plugins-{type}s-{plugin}-pool_max"]
671
830
  ===== `pool_max`
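Review bot: The rewrap at new lines 825-826 splits the inline literal `pipeline => "%{[@metadata][pipeline]}"` across a line break inside the backticks, which makes the example harder to copy and is fragile to render; keep the whole literal on one line even if it exceeds the wrap width. It would also help to say where `[@metadata][pipeline]` is expected to be set, since its value selects which ingest pipeline runs for the event.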
@@ -716,7 +875,8 @@ to see if they have come back to life
716
875
  * Value type is <<number,number>>
717
876
  * Default value is `2`
718
877
 
719
- Set initial interval in seconds between bulk retries. Doubled on each retry up to `retry_max_interval`
878
+ Set initial interval in seconds between bulk retries. Doubled on each retry up
879
+ to `retry_max_interval`
720
880
 
721
881
  [id="plugins-{type}s-{plugin}-retry_max_interval"]
722
882
  ===== `retry_max_interval`
@@ -765,8 +925,9 @@ Example:
765
925
  * Value type is <<string,string>>
766
926
  * Default value is `"painless"`
767
927
 
768
- Set the language of the used script. If not set, this defaults to painless in ES 5.0.
769
- When using indexed (stored) scripts on Elasticsearch 6 and higher, you must set this parameter to `""` (empty string).
928
+ Set the language of the used script.
929
+ When using indexed (stored) scripts on Elasticsearch 6.0 and higher, you must set
930
+ this parameter to `""` (empty string).
770
931
 
771
932
  [id="plugins-{type}s-{plugin}-script_type"]
772
933
  ===== `script_type`
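Review bot: After this change the paragraph at new lines 928-930 requires `""` for stored scripts on Elasticsearch 6.0 and higher while the default shown just above is still `"painless"`, and the sentence that explained the default has been removed. Say what happens when a stored script is used with the default left in place, and consider turning the requirement into a NOTE so it is not missed.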
@@ -801,9 +962,10 @@ if enabled, script is in charge of creating non-existent document (scripted upda
801
962
  * Value type is <<boolean,boolean>>
802
963
  * Default value is `false`
803
964
 
804
- This setting asks Elasticsearch for the list of all cluster nodes and adds them to the hosts list.
805
- For Elasticsearch 1.x and 2.x any nodes with `http.enabled` (on by default) will be added to the hosts list, including master-only nodes!
806
- For Elasticsearch 5.x and 6.x any nodes with `http.enabled` (on by default) will be added to the hosts list, excluding master-only nodes.
965
+ This setting asks Elasticsearch for the list of all cluster nodes and adds them
966
+ to the hosts list.
967
+ For Elasticsearch 5.x and 6.x any nodes with `http.enabled` (on by default) will
968
+ be added to the hosts list, excluding master-only nodes.
807
969
 
808
970
  [id="plugins-{type}s-{plugin}-sniffing_delay"]
809
971
  ===== `sniffing_delay`
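Review bot: With the 1.x and 2.x sentence removed, the remaining text at new lines 967-968 covers only Elasticsearch 5.x and 6.x, while other sections in this same diff already refer to version `7.0.0`. State the behaviour for 7.x as well or drop the version qualifier. Since sniffing adds every discovered node to the hosts list, a cross-reference from here to the `hosts` advice about excluding dedicated master nodes would also be useful.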
@@ -830,9 +992,11 @@ do not use full URL here, only paths, e.g. "/sniff/_nodes/http"
830
992
  * Value type is <<boolean,boolean>>
831
993
  * There is no default value for this setting.
832
994
 
833
- Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this unspecified will use whatever scheme
834
- is specified in the URLs listed in 'hosts'. If no explicit protocol is specified plain HTTP will be used.
835
- If SSL is explicitly disabled here the plugin will refuse to start if an HTTPS URL is given in 'hosts'
995
+ Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this
996
+ unspecified will use whatever scheme is specified in the URLs listed in 'hosts'.
997
+ If no explicit protocol is specified plain HTTP will be used. If SSL is
998
+ explicitly disabled here the plugin will refuse to start if an HTTPS URL is
999
+ given in 'hosts'
836
1000
 
837
1001
  [id="plugins-{type}s-{plugin}-ssl_certificate_verification"]
838
1002
  ===== `ssl_certificate_verification`
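Review bot: The plaintext fallback ("If no explicit protocol is specified plain HTTP will be used", new line 997) is the security-relevant sentence in this paragraph and stays buried mid-paragraph after the rewrap; consider lifting it into a NOTE like the ones used under `ilm_enabled`. The text also documents SSL disabled with an HTTPS URL but not the reverse case (this option enabled with an `http://` URL in 'hosts'), and the final sentence still has no full stop.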
@@ -937,14 +1101,16 @@ Username to authenticate to a secure Elasticsearch cluster
937
1101
  * Value type is <<number,number>>
938
1102
  * Default value is `10000`
939
1103
 
940
- How long to wait before checking if the connection is stale before executing a request on a connection using keepalive.
941
- You may want to set this lower, if you get connection errors regularly
942
- Quoting the Apache commons docs (this client is based Apache Commmons):
943
- 'Defines period of inactivity in milliseconds after which persistent connections must
944
- be re-validated prior to being leased to the consumer. Non-positive value passed to
945
- this method disables connection validation. This check helps detect connections that
946
- have become stale (half-closed) while kept inactive in the pool.'
947
- See https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/conn/PoolingHttpClientConnectionManager.html#setValidateAfterInactivity(int)[these docs for more info]
1104
+ How long to wait before checking for a stale connection to determine if a keepalive request is needed.
1105
+ Consider setting this value lower than the default, possibly to 0, if you get connection errors regularly.
1106
+
1107
+ This client is based on Apache Commons. Here's how the
1108
+ https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache/http/impl/conn/PoolingHttpClientConnectionManager.html#setValidateAfterInactivity(int)[Apache
1109
+ Commons documentation] describes this option: "Defines period of inactivity in
1110
+ milliseconds after which persistent connections must be re-validated prior to
1111
+ being leased to the consumer. Non-positive value passed to this method disables
1112
+ connection validation. This check helps detect connections that have become
1113
+ stale (half-closed) while kept inactive in the pool."
948
1114
 
949
1115
  [id="plugins-{type}s-{plugin}-version"]
950
1116
  ===== `version`
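Review bot: The new advice at new line 1105 to set the value "possibly to 0" conflicts with the Apache text quoted directly below it, which says a non-positive value disables connection validation. If 0 is intended, explain why turning the check off helps with connection errors; otherwise recommend a small positive value. The rewritten first sentence also loses the unit (milliseconds now appears only inside the quotation) and talks about a "keepalive request" where the quoted text describes re-validating a pooled connection before it is leased.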
@@ -952,8 +1118,10 @@ See https://hc.apache.org/httpcomponents-client-ga/httpclient/apidocs/org/apache
952
1118
  * Value type is <<string,string>>
953
1119
  * There is no default value for this setting.
954
1120
 
955
- The version to use for indexing. Use sprintf syntax like `%{my_version}` to use a field value here.
956
- See https://www.elastic.co/blog/elasticsearch-versioning-support.
1121
+ The version to use for indexing. Use sprintf syntax like `%{my_version}` to use
1122
+ a field value here. See the
1123
+ https://www.elastic.co/blog/elasticsearch-versioning-support[versioning support
1124
+ blog] for more information.
957
1125
 
958
1126
  [id="plugins-{type}s-{plugin}-version_type"]
959
1127
  ===== `version_type`
@@ -961,10 +1129,10 @@ See https://www.elastic.co/blog/elasticsearch-versioning-support.
961
1129
  * Value can be any of: `internal`, `external`, `external_gt`, `external_gte`, `force`
962
1130
  * There is no default value for this setting.
963
1131
 
964
- The version_type to use for indexing.
965
- See https://www.elastic.co/blog/elasticsearch-versioning-support.
966
- See also https://www.elastic.co/guide/en/elasticsearch/reference/current/docs-index_.html#_version_types
967
-
1132
+ The version_type to use for indexing. See the
1133
+ https://www.elastic.co/blog/elasticsearch-versioning-support[versioning support
1134
+ blog] and {ref}/docs-index_.html#_version_types[Version types] in the
1135
+ Elasticsearch documentation.
968
1136
 
969
1137
 
970
1138
  [id="plugins-{type}s-{plugin}-common-options"]