Configure the Elasticsearch outputedit

When you specify Elasticsearch for the output, APM Server sends the transactions directly to Elasticsearch by using the Elasticsearch HTTP API.

Example configuration:

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  index: "apm-%{[observer.version]}-%{+yyyy.MM.dd}"
  ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  ssl.certificate: "/etc/pki/client/cert.pem"
  ssl.key: "/etc/pki/client/cert.key"

Notes about the previous example and client based PKI authentication:

  • The ssl.certificate and ssl.key settings are ONLY needed if Elasticsearch is configured to require client based PKI authentication (with xpack.security.http.ssl.client_authentication: required or xpack.security.http.ssl.client_authentication: optional).
  • The ssl.certificate_authorities setting needs to include the CA used to sign the remote server certificate, not the client cert.
  • If client PKI is used, the remote server (Elasticsearch) should include the CA used for signing the client cert in the xpack.security.http.ssl.certificate_authorities: [] list.

To enable SSL, just add https to all URLs defined under hosts.

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  username: "apm-server_internal"
  password: "YOUR_PASSWORD"

To use an API key to connect to Elasticsearch, use api_key.

output.elasticsearch:
  hosts: ["https://localhost:9200"]
  api_key: "KnR6yE41RrSowb0kQ0HWoA"

If the Elasticsearch nodes are defined by IP:PORT, then add protocol: https to the yaml file.

output.elasticsearch:
  hosts: ["localhost"]
  protocol: "https"
  username: "apm-server_internal"
  password: "YOUR_PASSWORD"

For more information about securing APM Server, see Secure.

Compatibilityedit

This output works with all compatible versions of Elasticsearch. See the Elastic Support Matrix.

Configuration optionsedit

You can specify the following options in the elasticsearch section of the apm-server.yml config file:

enablededit

The enabled config is a boolean setting to enable or disable the output. If set to false, the output is disabled.

The default value is true.

hostsedit

The list of Elasticsearch nodes to connect to. The events are distributed to these nodes in round robin order. If one node becomes unreachable, the event is automatically sent to another node. Each Elasticsearch node can be defined as a URL or IP:PORT. For example: http://192.15.3.2, https://es.found.io:9230 or 192.24.3.2:9300. If no port is specified, 9200 is used.

When a node is defined as an IP:PORT, the scheme and path are taken from the protocol and path config options.

output.elasticsearch:
  hosts: ["10.45.3.2:9220", "10.45.3.1:9230"]
  protocol: https
  path: /elasticsearch

In the previous example, the Elasticsearch nodes are available at https://10.45.3.2:9220/elasticsearch and https://10.45.3.1:9230/elasticsearch.

compression_leveledit

The gzip compression level. Setting this value to 0 disables compression. The compression level must be in the range of 1 (best speed) to 9 (best compression).

Increasing the compression level will reduce the network usage but will increase the cpu usage.

The default value is 0.

escape_htmledit

Configure escaping of HTML in strings. Set to true to enable escaping.

The default value is false.

workeredit

The number of workers per configured host publishing events to Elasticsearch. This is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host).

The default value is 1.

api_keyedit

Instead of using usernames and passwords, you can use API keys to secure communication with Elasticsearch. For more information, see Grant access using API keys.

usernameedit

The basic authentication username for connecting to Elasticsearch.

passwordedit

The basic authentication password for connecting to Elasticsearch.

parametersedit

Dictionary of HTTP parameters to pass within the url with index operations.

protocoledit

The name of the protocol Elasticsearch is reachable on. The options are: http or https. The default is http. However, if you specify a URL for hosts, the value of protocol is overridden by whatever scheme you specify in the URL.

pathedit

An HTTP path prefix that is prepended to the HTTP API calls. This is useful for the cases where Elasticsearch listens behind an HTTP reverse proxy that exports the API under a custom prefix.

headersedit

Custom HTTP headers to add to each request created by the Elasticsearch output. Example:

output.elasticsearch.headers:
  X-My-Header: Header contents

It is generally possible to specify multiple header values for the same header name by separating them with a comma.

proxy_urledit

The URL of the proxy to use when connecting to the Elasticsearch servers. The value may be either a complete URL or a "host[:port]", in which case the "http" scheme is assumed. If a value is not specified through the configuration file then proxy environment variables are used. See the Go documentation for more information about the environment variables.

indexedit

The index name to write events to. The default is "apm-%{[observer.version]}-{type}-%{+yyyy.MM.dd}" (for example, "apm-7.8.1-transaction-2023-12-07"). See Exploring data in Elasticsearch for more information on default index configuration.

If you change this setting, you need to configure the setup.template.name and setup.template.pattern options (see Elasticsearch index template). You also must set the default index configuration in the apm-server.yml file.

observer.version is a field managed by Beats that is added to every document. It holds the current version of APM Server.

You can set the index dynamically by using a format string to access any event field. For example, this configuration uses the field, processor.event, to set the index:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  index: "apm-%{[observer.version]}-%{[processor.event]}-%{+yyyy.MM.dd}\" 

observer refers to APM Server. We recommend including observer.version in the name to avoid mapping issues when you upgrade APM Server.

With this configuration, all events are separated by their processor.event into different indices.

To learn how to add custom fields to events, see the fields option.

See the indices setting for other ways to set the index dynamically.

indicesedit

An array of index selector rules. Each rule specifies the index to use for events that match the rule. During publishing, APM Server uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the indices setting is missing or no rule matches, the index setting is used.

Rule settings:

index
The index format string to use. If this string contains field references, such as %{[fields.name]}, the fields must exist, or the rule fails.
mappings
A dictionary that takes the value returned by index and maps it to a new name.
default
The default string value to use if mappings does not find a match.
when
A condition that must succeed in order to execute the current rule.

The following example sets the index based on whether the processor.event field contains the specified string:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
   - index: "apm-%{[observer.version]}-sourcemap"
      when.contains:
        processor.event: "sourcemap"

   - index: "apm-%{[observer.version]}-error-%{+yyyy.MM.dd}"
      when.contains:
        processor.event: "error"

   - index: "apm-%{[observer.version]}-transaction-%{+yyyy.MM.dd}"
      when.contains:
        processor.event: "transaction"

   - index: "apm-%{[observer.version]}-span-%{+yyyy.MM.dd}"
      when.contains:
        processor.event: "span"

   - index: "apm-%{[observer.version]}-metric-%{+yyyy.MM.dd}"
      when.contains:
        processor.event: "metric"

   - index: "apm-%{[observer.version]}-onboarding-%{+yyyy.MM.dd}"
      when.contains:
        processor.event: "onboarding"

observer refers to APM Server. We recommend including observer.version in the name to avoid mapping issues when you upgrade APM Server.

This is the default configuration for APM Server and results in indices named in the following format: "apm-%{[observer.version]}-{type}-%{+yyyy.MM.dd}" For example: "apm-7.8.1-transaction-2023-12-07".

The following example sets the index by taking the name returned by the index format string and mapping it to a new name that’s used for the index:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  indices:
    - index: "%{[processor.event]}"
      mappings:
        sourcemap:    "apm-sourcemap"
        error:        "apm-error"
        transaction:  "apm-transaction"
        span:         "apm-span"
        metric:       "apm-metric"
        onboarding:   "apm-onboarding"
      default:        "apm"

This configuration results in indices named apm-sourcemap, apm-error, etc.

The mappings setting simplifies the configuration, but is limited to string values. You cannot specify format strings within the mapping pairs.

pipelineedit

A format string value that specifies the ingest node pipeline to write events to.

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipeline: my_pipeline_id

For more information, see Parse data using ingest node pipelines.

You can set the ingest node pipeline dynamically by using a format string to access any event field. For example, this configuration uses the field, processor.event, to set the pipeline for each event:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipeline: "%{[processor.event]}_pipeline"

With this configuration, all events with processor.event: transaction are sent to a pipeline named transaction_pipeline. Similarly, all events with processor.event: error are sent to a pipeline named error_pipeline.

The default pipeline is apm. It adds user agent and geo ip information to events. To disable this, or any other pipeline, set output.elasticsearch.pipeline: _none.

To learn how to add custom fields to events, see the fields option.

See the pipelines setting for other ways to set the ingest node pipeline dynamically.

pipelinesedit

An array of pipeline selector rules. Each rule specifies the ingest node pipeline to use for events that match the rule. During publishing, APM Server uses the first matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the pipelines setting is missing or no rule matches, the pipeline setting is used.

Rule settings:

pipeline
The pipeline format string to use. If this string contains field references, such as %{[fields.name]}, the fields must exist, or the rule fails.
mappings
A dictionary that takes the value returned by pipeline and maps it to a new name.
default
The default string value to use if mappings does not find a match.
when
A condition that must succeed in order to execute the current rule.

The following example sends events to a specific pipeline based on whether the processor.event field contains the specified string:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipelines:
    - pipeline: "sourcemap_pipeline"
      when.contains:
        processor.event: "sourcemap"

    - pipeline: "error_pipeline"
      when.contains:
        processor.event: "error"

    - pipeline: "transaction_pipeline"
      when.contains:
        processor.event: "transaction"

    - pipeline: "span_pipeline"
      when.contains:
        processor.event: "span"

    - pipeline: "metric_pipeline"
      when.contains:
        processor.event: "metric"

    - pipeline: "onboarding_pipeline"
      when.contains:
        processor.event: "onboarding"

The following example sets the pipeline by taking the name returned by the pipeline format string and mapping it to a new name that’s used for the pipeline:

output.elasticsearch:
  hosts: ["http://localhost:9200"]
  pipelines:
    - pipeline: "%{[processor.event]}"
      mappings:
        sourcemap:    "sourcemap_pipeline"
        error:        "error_pipeline"
        transaction:  "transaction_pipeline"
        span:         "span_pipeline"
        metric:       "metric_pipeline"
        onboarding:   "onboarding_pipeline"
      default: "apm_pipeline"

With this configuration, all events with processor.event: transaction are sent to a pipeline named transaction_pipeline, all events with processor.event: error are sent to a pipeline named error_pipeline, etc.

Defining any pipeline will deactivate the default apm pipeline.

For more information about ingest node pipelines, see Parse data using ingest node pipelines.

max_retriesedit

The number of times to retry publishing an event after a publishing failure. After the specified number of retries, the events are typically dropped.

Set max_retries to a value less than 0 to retry until all events are published.

The default is 3.

bulk_max_sizeedit

The maximum number of events to bulk in a single Elasticsearch bulk API index request. The default is 50.

Events can be collected into batches. APM Server will split batches larger than bulk_max_size into multiple batches.

Specifying a larger batch size can improve performance by lowering the overhead of sending events. However big batch sizes can also increase processing times, which might result in API errors, killed connections, timed-out publishing requests, and, ultimately, lower throughput.

Setting bulk_max_size to values less than or equal to 0 disables the splitting of batches. When splitting is disabled, the queue decides on the number of events to be contained in a batch.

backoff.initedit

The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting backoff.init seconds, APM Server tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to backoff.max. After a successful connection, the backoff timer is reset. The default is 1s.

backoff.maxedit

The maximum number of seconds to wait before attempting to connect to Elasticsearch after a network error. The default is 60s.

timeoutedit

The http request timeout in seconds for the Elasticsearch request. The default is 90.

ssledit

Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the ssl section is missing, the host CAs are used for HTTPS connections to Elasticsearch.

See SSL output settings for more information.

kebrerosedit

Configuration options for Kerberos authentication.

See Kerberos for more information.