elasticsearch

Status: stable

This output lets you store logs in elasticsearch and is the most recommended output for logstash. If you plan on using the logstash web interface, you'll need to use this output.

NOTE: You must use the same version of the elasticsearch server that logstash uses for its client. Currently we use elasticsearch 0.18.7.

You can learn more about elasticsearch at http://elasticsearch.org

Synopsis

This is what it might look like in your config file:
output {
  elasticsearch {
    bind_host => ... # string (optional)
    cluster => ... # string (optional)
    embedded => ... # boolean (optional)
    embedded_http_port => ... # string (optional), default: "9200-9300"
    host => ... # string (optional)
    index => ... # string (optional), default: "logstash-%{+YYYY.MM.dd}"
    index_type => ... # string (optional), default: "%{@type}"
    max_inflight_requests => ... # number (optional), default: 50
    port => ... # number (optional), default: 9300
    tags => ... # array (optional), default: []
    type => ... # string (optional), default: ""
  }
}

Details

bind_host

  • Value type is string
  • There is no default value for this setting.

The name/address of the host to bind to for ElasticSearch clustering.

cluster

  • Value type is string
  • There is no default value for this setting.

The name of your cluster if you set it on the ElasticSearch side. Useful for discovery.

embedded

  • Value type is boolean
  • There is no default value for this setting.

Run the elasticsearch server embedded in this process. This option is useful if you want to run a single logstash process that handles log processing and indexing; it saves you from needing to run a separate elasticsearch process.

embedded_http_port

  • Value type is string
  • Default value is "9200-9300"

If you are running the embedded elasticsearch server, you can set the http port it listens on here; it is not common to need this setting changed from the default.

host

  • Value type is string
  • There is no default value for this setting.

The name/address of the host to use for ElasticSearch unicast discovery. This is only required if the normal multicast/cluster discovery stuff won't work in your environment.

index

  • Value type is string
  • Default value is "logstash-%{+YYYY.MM.dd}"

The index to write events to. This can be dynamic using the %{foo} syntax. The default value will partition your indices by day so you can more easily delete old data or only search specific date ranges.
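Added example (not part of the logstash source): a Ruby sketch of how the default index pattern maps an event to a daily index, and how that naming lets you select indices that have aged out of a retention window. The helper names and sample data are constructed for illustration, and the sketch assumes the date is taken from the event's @timestamp in UTC and that an unknown field is left unexpanded.

```ruby
require 'date'
require 'time'

# Hypothetical stand-in for logstash's %{...} expansion, not the plugin's code.
# Handles %{field} and %{+...} with only the YYYY, MM and dd date tokens.
def expand_index(pattern, event)
  pattern.gsub(/%\{([^}]+)\}/) do
    key = Regexp.last_match(1)
    if key.start_with?('+')
      fmt = key[1..-1].gsub('YYYY', '%Y').gsub('MM', '%m').gsub('dd', '%d')
      event.fetch('@timestamp').getutc.strftime(fmt) # assumed: UTC calendar day
    elsif event.key?(key)
      event[key].to_s
    else
      "%{#{key}}" # assumed: an unknown field is left unexpanded
    end
  end
end

# Parse the day out of an index name; nil unless it is exactly prefix + YYYY.MM.dd.
def index_day(name, prefix = 'logstash-')
  m = /\A#{Regexp.escape(prefix)}(\d{4})\.(\d{2})\.(\d{2})\z/.match(name)
  return nil unless m
  y, mo, d = m.captures.map(&:to_i)
  Date.valid_date?(y, mo, d) ? Date.new(y, mo, d) : nil
end

# Daily indices older than keep_days, counted back from `today` (a UTC date).
# Names that do not match the daily pattern exactly are never selected.
def expired_indices(names, today, keep_days, prefix = 'logstash-')
  cutoff = today - keep_days
  names.select { |n| (day = index_day(n, prefix)) && day < cutoff }
end

# Constructed sample data.
EVENT = { '@timestamp' => Time.iso8601('2012-03-01T23:30:00-05:00'),
          '@type' => 'syslog' }
INDICES = %w[logstash-2012.02.20 logstash-2012.02.28 logstash-2012.03.02
             logstash-2012.02.30 logstash-2012.02.01-copy audit-2012.01.01]

if __FILE__ == $PROGRAM_NAME
  puts expand_index('logstash-%{+YYYY.MM.dd}', EVENT)
  puts expired_indices(INDICES, Date.new(2012, 3, 2), 7).inspect
end
```

Under the UTC assumption, an event logged late in the evening in a western time zone lands in the next day's index, which matters when you search by date range or decide which day's index is safe to delete.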

index_type

  • Value type is string
  • Default value is "%{@type}"

The index type to write events to. Generally you should try to write only similar events to the same 'type'. String expansion '%{foo}' works here.

max_inflight_requests

  • Value type is number
  • Default value is 50

Configure the maximum number of in-flight requests to ElasticSearch.

Note: This setting may be removed in the future.

port

  • Value type is number
  • Default value is 9300

The port for ElasticSearch transport to use. This is not the ElasticSearch REST API port (normally 9200).

tags

  • Value type is array
  • Default value is []

Only handle events with all of these tags. Note that if you specify a type, the event must also match that type. Optional.

type

  • Value type is string
  • Default value is ""

The type to act on. If a type is given, then this output will only act on messages with the same type. See any input plugin's "type" attribute for more. Optional.


This is documentation from lib/logstash/outputs/elasticsearch.rb