Elastic Docs Elasticsearch Service Documentation
« Elasticsearch Service FAQ Migrating data »

Adding data to Elasticsearchedit

You have a number of options for getting data into Elasticsearch, referred to as ingesting or indexing your data. Use Elastic Agent, Beats, Logstash, Elastic language clients, Elastic connectors, or the Enterprise Search web crawler. The option (or combination) selected depends on whether you are indexing general content or timestamped data.

General content
Index content like HTML pages, catalogs and other files. Send data directly to Elasticseach from your application using an Elastic language client. Otherwise use Elastic content connectors or the Elastic web crawler.
Timestamped data

The preferred way to index timestamped data is to use Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, and forward data from remote services or hardware. Each Elastic Agent based integration includes default ingestion rules, dashboards, and visualizations to start analyzing your data right away. Fleet Management enables you to centrally manage all of your deployed Elastic Agents from Kibana.

If no Elastic Agent integration is available for your data source, use Beats to collect your data. Beats are data shippers designed to collect and ship a particular type of data from a server. You install a separate Beat for each type of data to collect. Modules that provide default configurations, Elasticsearch ingest pipeline definitions, and Kibana dashboards are available for some Beats, such as Filebeat and Metricbeat. No Fleet management capabilities are provided for Beats.

If neither Elastic Agent or Beats supports your data source, use Logstash. Logstash is an open source data collection engine with real-time pipelining capabilities that supports a wide variety of data sources. You might also use Logstash to persist incoming data to ensure data is not lost if there’s an ingestion spike, or if you need to send the data to multiple destinations.

Designing a data ingestion pipelineedit

While you can send data directly to Elasticsearch, data ingestion pipelines often include additional steps to manipulate the data, ensure data integrity, or manage the data flow.

This diagram focuses on timestamped data.

Start sending data to Elasticsearch no Process data using and forward it with . Use Logstash plugins filter plugins output plugins Use with Elastic Agent or Beats. Use runtime fields runtime fields Use a pipeline for or . Use ingest pipelines Elastic Agent Beats For Elastic Agent integrations, use an . For Beats, use a . Use processors Beats processor Agent processor something else define or alter the schema at query time convert data to ECS, normalize field data, or enrich incoming data sanitize or enrich raw data at the source to enrich data using one (or more) . Use Logstash Get started input plugins no Do you need to process your data? with the Beat. Set up Beats Get started relevant yes Look for your data source in the list of and their modules. Beats Beats module Is a Beat or available? no In Kibana’s main menu, go to -> . Install the integration and set up Elastic Agent ManagementIntegrations yes the Visit and look for your data source. integration docs Is an Elastic Agent integration available?

Data manipulationedit

It’s often necessary to sanitize, normalize, transform, or enrich your data before it’s indexed and stored in Elasticsearch.

  • Elastic Agent and Beats processors enable you to manipulate the data at the edge. This is useful if you need to control what data is sent across the wire, or need to enrich the raw data with information available on the host.
  • Elasticsearch ingest pipelines enable you to manipulate the data as it comes in. This avoids putting additional processing overhead on the hosts from which you’re collecting data.
  • Logstash enables you to avoid heavyweight processing at the edge, but still manipulate the data before sending it to Elasticsearch. This also enables you to send the processed data to multiple destinations.

One reason for preprocessing your data is to control the structure of the data that’s indexed into Elasticsearch—​the data schema. For example, use an ingest pipeline to map your data to the Elastic Common Schema (ECS). Alternatively, use runtime fields at query time to:

  • Start working with your data without needing to understand how it’s structured
  • Add fields to existing documents without reindexing your data
  • Override the value returned from an indexed field
  • Define fields for a specific use without modifying the underlying schema

Data integrityedit

Logstash boosts data resiliency for important data that you don’t want to lose. Logstash offers an on-disk persistent queue (PQ) that absorbs bursts of events without an external buffering mechanism. It attempts to deliver messages stored in the PQ until delivery succeeds at least once.

The Logstash dead letter queue (DLQ) provides on-disk storage for events that Logstash can’t process, giving you a chance to evaluate them. You can use the dead_letter_queue input plugin to easily reprocess DLQ events.

Data flowedit

If you need to collect data from multiple Beats or Elastic Agents, consider using Logstash as a proxy. Logstash can receive data from multiple endpoints, even on different networks, and send the data on to Elasticsearch through a single firewall rule. You get more security for less work than if you set up individual rules for each endpoint.

Logstash can send to multiple outputs from a single pipeline to help you get the most value from your data.

Where to go from hereedit

We have guides and many hands-on tutorials to help get you started with ingesting data into your cluster.

Ingest data for Elastic solutionsedit

Get started with Elastic Observability
Use Elastic Observability to gain deeper insight into the behavior of your applications and systems. Follow our guides to ingest various data types, such as logs and metrics, traces and APM, and data from Splunk. There are also several tutorials to choose from.
Add data to Elastic Security
Use Elastic Security to quickly detect, investigate, and respond to threats and vulnerabilities across your environment. You can use Elastic Agent to ingest data into the Elastic Defend integration, or with many other Integrations that work together with Elastic Security. You can also ingest data from Splunk or from various third party collectors that ship ECS compliant security data.

Ingest data with Elastic Agent, Beats, and Logstashedit

For users who want to build their own solution, we can help you get started ingesting your data using Elasticsearch Platform products.

Elastic integrations
Elastic integrations are a streamlined way to connect your data to the Elastic Stack. Integrations are available for popular services and platforms, like Nginx, AWS, and MongoDB, as well as many generic input types like log files.
Beats and Elastic Agent comparison
Beats and Elastic Agent can both send data to Elasticsearch either directly or via Logstash. You can use this guide to determine which of these primary ingest tools best matches your use case.
Introduction to Fleet management
Fleet provides a web-based UI in Kibana for centrally managing Elastic Agents and their policies.
Logstash introduction
Use Logstash to dynamically unify data from disparate sources and normalize the data into destinations of your choice.

Ingest data with Elastic web crawler, connectorsedit

Add data with the web crawler
Use the web crawler to programmatically discover, extract, and index searchable content from websites and knowledge bases.
Add data with connectors
Sync data from an original data source to an Elasticsearch index. Connectors enable you to create searchable, read-only replicas of your data sources.

Ingest data from your applicationedit

Elasticsearch language clients
Use the Elasticsearch language clients to ingest data from an application into Elasticsearch.
Enterprise Search language clients
The Enterprise Search programming language client libraries provide native APIs for those languages to ingest data into Enterprise Search, App Search, and Workplace Search.
Application ingest tutorials
These hands-on guides demonstrate how to use the Elasticsearch language clients to ingest data from your applications.

Manipulate and pre-process your dataedit

Ingest pipelines
Elasticsearch ingest pipelines let you perform common transformations on your data before indexing.
Elastic Agent processors
Use the Elastic Agent lightweight processors to parse, filter, transform, and enrich data at the source.
Creating a Logstash pipeline
Create a Logstash pipeline by stringing together plugins—​inputs, outputs, filters, and sometimes codecs—​in order to process your data during ingestion.

Sample dataedit

If you’re just learning about Elastic and don’t have a particular use case in mind, you can load one of the sample data sets in Kibana. Complete with sample visualizations, dashboards, and more, they provide a quick way to see what’s possible with Elastic.

« Elasticsearch Service FAQ Migrating data »