A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z



The rule-specific response that occurs when an alerting rule fires. A rule can have multiple actions. See Connectors and actions.

administration console
A component of Elastic Cloud Enterprise that provides the API server for the Cloud UI. Also syncs cluster and allocator data from ZooKeeper to Elasticsearch.
Advanced Settings

Enables you to control the appearance and behavior of Kibana by setting the date format, default index, and other attributes. Part of Kibana Stack Management. See Advanced Settings.

Manages hosts that contain Elasticsearch and Kibana nodes. Controls the lifecycle of these nodes by creating new containers and managing the nodes within these containers when requested. Used to scale the capacity of your Elastic Cloud Enterprise installation.

Process of converting unstructured text into a format optimized for search. See Text analysis.


A way to augment a data display with descriptive domain knowledge.

anomaly detection job
Anomaly detection jobs contain the configuration information and metadata necessary to perform an analytics task. See Machine learning jobs and the create anomaly detection job API.
API key

Unique identifier for authentication in Elasticsearch. When transport layer security (TLS) is enabled, all requests must be authenticated using an API key or a username and password. See the Create API key API.

APM agent
An open-source library, written in the same language as your service, which instruments your code and collects performance data and errors at runtime.
APM Server
An open-source application that receives data from APM agents and sends it to Elasticsearch.

A top-level Kibana component that is accessed through the side navigation. Apps include core Kibana components such as Discover and Dashboard, solutions like Observability and Security, and special-purpose tools like Maps and Stack Management.

auto-follow pattern

Index pattern that automatically configures new indices as follower indices for cross-cluster replication. See Manage auto-follow patterns.

availability zone
Contains resources available to a Elastic Cloud Enterprise installation that are isolated from other availability zones to safeguard against failure. Could be a rack, a server zone or some other logical constraint that creates a failure boundary. In a highly available cluster, the nodes of a cluster are spread across two or three availability zones to ensure that the cluster can survive the failure of an entire availability zone. Also see Fault Tolerance (High Availability).



The background detail necessary to orient the location of a map.

beats runner
Used to send Filebeat and Metricbeat information to the logging cluster.
  1. A set of documents in Kibana that have certain characteristics in common. For example, matching documents might be bucketed by color, distance, or date range.

  2. The machine learning features also use the concept of a bucket to divide the time series into batches for processing. The bucket span is part of the configuration information for anomaly detection jobs. It defines the time interval that is used to summarize and model the data. This is typically between 5 minutes to 1 hour and it depends on your data characteristics. When you set the bucket span, take into account the granularity at which you want to analyze, the frequency of the input data, the typical duration of the anomalies, and the frequency at which alerting is required.
bucket aggregation

An aggregation that creates buckets of documents. Each bucket is associated with a criterion (depending on the aggregation type), which determines whether or not a document in the current context falls into the bucket.



Enables you to create presentations and infographics that pull live data directly from Elasticsearch. See Canvas.

Canvas expression language

A pipeline-based expression language for manipulating and visualizing data. Includes dozens of functions and other capabilities, such as table transforms, type casting, and sub-expressions. Supports TinyMath functions for complex math calculations. See Canvas function reference.


Specifies how many documents must contain a pair of terms before it is considered a useful connection in a graph.

client forwarder
Used for secure internal communications between various components of Elastic Cloud Enterprise and ZooKeeper.
Cloud UI
Provides web-based access to manage your Elastic Cloud Enterprise installation, supported by the administration console.
  1. A group of one or more connected Elasticsearch nodes. See Clusters, nodes, and shards.

  2. A layer type and display option in the Maps application. Clusters display a cluster symbol across a grid on the map, one symbol per grid cluster. The cluster location is the weighted centroid for all documents in the grid cell.

codec plugin
A Logstash plugin that changes the data representation of an event. Codecs are essentially stream filters that can operate as part of an input or output. Codecs enable you to separate the transport of messages from the serialization process. Popular codecs include json, msgpack, and plain (text).
cold phase

Third possible phase in the index lifecycle. In the cold phase, data is no longer updated and seldom queried. The data still needs to be searchable, but it’s okay if those queries are slower. See Index lifecycle.

cold tier

Data tier that contains nodes that hold time series data that is accessed occasionally and not normally updated. See Data tiers.

component template

Building block for creating index templates. A component template can specify mappings, index settings, and index aliases. See index templates.


Specifies the circumstances that must be met to trigger an alerting rule.

A control flow that executes certain actions based on whether a statement (also called a condition) is true or false. Logstash supports if, else if, and else statements. You can use conditional statements to apply filters and send events to a specific output based on conditions that you specify.

A configuration that enables integration with an external system (the destination for an action). See Connectors and actions.


A tool for interacting with the Elasticsearch REST API. You can send requests to Elasticsearch, view responses, view API documentation, and get your request history. See Console.

Directs allocators to manage containers of Elasticsearch and Kibana nodes and maximizes the utilization of allocators. Monitors plan change requests from the Cloud UI and determines how to transform the existing cluster. In a highly available installation, places cluster nodes within different availability zones to ensure that the cluster can survive the failure of an entire availability zone.
Includes an instance of Elastic Cloud Enterprise software and its dependencies. Used to provision similar environments, to assign a guaranteed share of host resources to nodes, and to simplify operational effort in Elastic Cloud Enterprise.
content tier

Data tier that contains nodes that handle the indexing and query load for content, such as a product catalog. See Data tiers.

Consists of a logical grouping of some Elastic Cloud Enterprise services and acts as a distributed coordination system and resource scheduler.
cross-cluster replication (CCR)

Replicates data streams and indices from remote clusters in a local cluster. See Cross-cluster replication.

cross-cluster search (CCS)

Searches data streams and indices on remote clusters from a local cluster. See Search across clusters.

custom rules
A set of conditions and actions that change the behavior of anomaly detection jobs. You can also use filters to further limit the scope of the rules. See Custom rules. Kibana refers to custom rules as job rules.



A collection of visualizations, saved searches, and maps that provide insights into your data from multiple perspectives.

Anomaly detection jobs can analyze either a one-off batch of data or continuously in real time. Datafeeds retrieve data from Elasticsearch for analysis.
data frame analytics job
Data frame analytics jobs contain the configuration information and metadata necessary to perform machine learning analytics tasks on a source index and store the outcome in a destination index. See Data frame analytics overview and the create data frame analytics job API.
data source

A file, database, or service that provides the underlying data for a map, Canvas element, or visualization.

data stream

Named resource used to manage time series data. A data stream stores data across multiple backing indices. See Data streams.

data tier

Collection of nodes with the same data role that typically share the same hardware profile. Data tiers include the content tier, hot tier, warm tier, cold tier, and frozen tier. See Data tiers.

delete phase

Last possible phase in the index lifecycle. In the delete phase, an index is no longer needed and can safely be deleted. See Index lifecycle.

As part of the configuration information that is associated with anomaly detection jobs, detectors define the type of analysis that needs to be done. They also specify which fields to analyze. You can have more than one detector in a job, which is more efficient than running multiple jobs against the same data.
Manages the ZooKeeper datastore. This role is often shared with the coordinator, though in production deployments it can be separated.

Enables you to search and filter your data to zoom in on the information that you are interested in.

distributed tracing
The end-to-end collection of performance data throughout your microservices architecture.

A navigation path that retains context (time range and filters) from the source to the destination, so you can view the data from a new perspective. A dashboard that shows the overall status of multiple data centers might have a drilldown to a dashboard for a single data center. See Drilldowns.


JSON object containing data stored in Elasticsearch. See Documents and indices.



A connection between nodes in a graph that shows that they are related. The line weight indicates the strength of the relationship. See Graph.

Elastic Common Schema (ECS)
A document schema for Elasticsearch, for use cases such as logging and metrics. ECS defines a common set of fields, their datatype, and gives guidance on their correct usage. ECS is used to improve uniformity of event data coming from different sources.
Elastic Maps Service (EMS)

A service that provides basemap tiles, shape files, and other key features that are essential for visualizing geospatial data.


A Canvas workpad object that displays an image, text, or visualization.

A single unit of information, containing a timestamp plus additional data. An event arrives via an input, and is subsequently parsed, timestamped, and passed through the Logstash pipeline.
Event Query Language (EQL)

Query language for event-based time series data, such as logs, metrics, and traces. EQL supports matching for event sequences. See EQL.


Feature Controls

Enables administrators to customize which features are available in each space. See Feature Controls.

feature influence
In outlier detection, feature influence scores indicate which features of a data point contribute to its outlier behavior. See Feature influence.
feature importance
In supervised machine learning methods such as regression and classification, feature importance indicates the degree to which a specific feature affects a prediction. See Regression feature importance and Classification feature importance.
  1. Key-value pair in a document. See Mapping.

  2. In Logstash, this term refers to an event property. For example, each event in an apache access log has properties, such as a status code (200, 404), request path ("/", "index.html"), HTTP verb (GET, POST), client IP address, and so on. Logstash uses the term "fields" to refer to these properties.

field reference
A reference to an event field. This reference may appear in an output block or filter block in the Logstash config file. Field references are typically wrapped in square ([]) brackets, for example [fieldname]. If you are referring to a top-level field, you can omit the [] and simply use the field name. To refer to a nested field, you specify the full path to that field: [top-level field][nested field].

Query that does not score matching documents. See filter context.

filter plugin
A Logstash plugin that performs intermediary processing on an event. Typically, filters act upon event data after it has been ingested via inputs, by mutating, enriching, and/or modifying the data according to configuration rules. Filters are often applied conditionally depending on the characteristics of the event. Popular filter plugins include grok, mutate, drop, clone, and geoip. Filter stages are optional.

Writes data from the transaction log to disk for permanent storage. See the flush API.

follower index

Target index for cross-cluster replication. A follower index exists in a local cluster and replicates a leader index. See Cross-cluster replication.

force merge

Manually triggers a merge to reduce the number of segments in an index’s shards. See the force merge API.


Makes an index read-only and minimizes its memory footprint. See the freeze API.

frozen index

An index reduced to a low overhead state that still enables occasional searches. See the freeze API.

frozen phase

Fourth possible phase in the index lifecycle. In the frozen phase, an index is no longer updated and queried rarely. The information still needs to be searchable, but it’s okay if those queries are extremely slow. See Index lifecycle.

frozen tier

Data tier that contains nodes that hold time series data that is accessed rarely and not normally updated. See Data tiers.


A self-contained package of code that’s hosted on RubyGems.org. Logstash plugins are packaged as Ruby Gems. You can use the Logstash plugin manager to manage Logstash gems.

A format for representing geospatial data. GeoJSON is also a file-type, commonly used in the Maps application to upload a file of geospatial data. See GeoJSON data.


A field type in Elasticsearch. A geo-point field accepts latitude-longitude pairs for storing point locations. The latitude-longitude format can be from a string, geohash, array, well-known text, or object. See geo-point.


A field type in Elasticsearch. A geo-shape field accepts arbitrary geographic primitives, like polygons, lines, or rectangles (and more). You can populate a geo-shape field from GeoJSON or well-known text. See geo-shape.


A data structure and visualization that shows interconnections between a set of entities. Each entity is represented by a node. Connections between nodes are represented by edges. See Graph.

Grok Debugger

A tool for building and debugging grok patterns. Grok is good for parsing syslog, Apache, and other webserver logs. See Debugging grok expressions.


heat map

A layer type in the Maps application. Heat maps cluster locations to show higher (or lower) densities. Heat maps describe a visualization with color-coded cells or regions to analyze patterns across multiple dimensions. See Heat map layer.

hidden data stream or index

Data stream or index excluded from most index patterns by default. See Hidden data streams and indices.

hot phase

First possible phase in the index lifecycle. In the hot phase, an index is actively updated and queried. See Index lifecycle.

hot thread
A Java thread that has high CPU usage and executes for a longer than normal period of time.
hot tier

Data tier that contains nodes that handle the indexing load for time series data, such as logs or metrics. This tier holds your most recent, most frequently accessed data. See Data tiers.



Identifier for a document. Document IDs must be unique within an index. See the _id field.

  1. Collection of JSON documents. See Documents and indices.
  2. To add one or more JSON documents to Elasticsearch. This process is called indexing.
index alias

Secondary name for one or more indices. Most Elasticsearch APIs accept an index alias in place of an index name. See the Create or update index alias API.

index lifecycle

Five phases an index can transition through: hot, warm, cold, frozen, and delete. See Index lifecycle.

index lifecycle policy

Specifies how an index moves between phases in the index lifecycle and what actions to perform during each phase. See Index lifecycle.

index pattern

String containing a wildcard (*) pattern that can match multiple data streams, indices, or index aliases. See Multi-target syntax.

index template

Automatically configures the mappings, index settings, and aliases of new indices that match its index pattern. You can also use index templates to create data streams. See Index templates.

A Logstash instance that is tasked with interfacing with an Elasticsearch cluster in order to index event data.
A machine learning feature that enables you to use supervised learning processes – like regression and classification – in a continuous fashion by using trained models against incoming data.
inference aggregation
A pipeline aggregation that references a trained model in an aggregation to infer on the results field of the parent bucket aggregation. It enables you to use supervised machine learning at search time.
inference processor
A processor specified in an ingest pipeline that uses a trained model to infer against the data that is being ingested in the pipeline.
Influencers are entities that might have contributed to an anomaly in a specific bucket in an anomaly detection job. For more information, see Influencers.
The process of collecting and sending data from various data sources to Elasticsearch.
input plugin
A Logstash plugin that reads event data from a specific source. Input plugins are the first stage in the Logstash event processing pipeline. Popular input plugins include file, syslog, redis, and beats.
Extending application code to track where your application is spending time. Code is considered instrumented when it collects and reports this performance data to APM.
Out-of-the-box configurations for common data sources to simplify the collection, parsing, and visualization of logs and metrics. Also known as a module.


Machine learning jobs contain the configuration information and metadata necessary to perform an analytics task. There are two types: anomaly detection jobs and data frame analytics jobs. See also rollup job.


Kibana privileges

Enable administrators to grant users read-only, read-write, or no access to individual features within spaces in Kibana. See Kibana privileges.

Kibana Query Language (KQL)

The default language for querying in Kibana. KQL provides support for scripted fields. See Kibana Query Language.


leader index

Source index for cross-cluster replication. A leader index exists on a remote cluster and is replicated to follower indices. See Cross-cluster replication.


Enables you to build visualizations by dragging and dropping data fields. Lens makes makes smart visualization suggestions for your data, allowing you to switch between visualization types. See Lens.

local cluster

Cluster that pulls data from a remote cluster in cross-cluster search or cross-cluster replication. See Remote clusters.

Lucene query syntax

The query syntax for Kibana’s legacy query language. The Lucene query syntax is available under the options menu in the query bar and from Advanced Settings.


machine learning node
A machine learning node is a node that has xpack.ml.enabled set to true and ml in node.roles. If you want to use machine learning features, there must be at least one machine learning node in your cluster. See Machine learning nodes.

A representation of geographic data using symbols and labels. See Maps.


Defines how a document, its fields, and its metadata are stored in Elasticsearch. Similar to a schema definition. See Mapping.

master node
Handles write requests for the cluster and publishes changes to other nodes in an ordered fashion. Each cluster has a single master node which is chosen automatically by the cluster and is replaced if the current master node fails. Also see node.

Process of combining a shard's smaller Lucene segments into a larger one. Elasticsearch manages merges automatically.

message broker
Also referred to as a message buffer or message queue, a message broker is external software (such as Redis, Kafka, or RabbitMQ) that stores messages from the Logstash shipper instance as an intermediate store, waiting to be processed by the Logstash indexer instance.
metric aggregation

An aggregation that calculates and tracks metrics for a set of documents.

A special field for storing content that you don’t want to include in output events. For example, the @metadata field is useful for creating transient fields for use in conditional statements.
Out-of-the-box configurations for common data sources to simplify the collection, parsing, and visualization of logs and metrics. Also known as an integration.
A network endpoint which is monitored to track the performance and availability of applications and services.



A single Elasticsearch server. One or more nodes can form a cluster. See Clusters, nodes, and shards.


Unifying your logs, metrics, uptime data, and application traces to provide granular insights and context into the behavior of services running in your environments.
output plugin
A Logstash plugin that writes event data to a specific destination. Outputs are the final stage in the event pipeline. Popular output plugins include elasticsearch, file, graphite, and statsd.


Painless Lab

An interactive code editor that lets you test and debug Painless scripts in real-time. See Painless Lab.


A dashboard component that contains a query element or visualization, such as a chart, table, or list.

A term used to describe the flow of events through the Logstash workflow. A pipeline typically consists of a series of input, filter, and output stages. Input stages get data from a source and generate events, filter stages, which are optional, modify the event data, and output stages write the data to a destination. Inputs and outputs support codecs that enable you to encode or decode the data as it enters or exits the pipeline without having to use a separate filter.
Specifies the configuration and topology of an Elasticsearch or Kibana cluster, such as capacity, availability, and Elasticsearch version, for example. When changing a plan, the constructor determines how to transform the existing cluster into the pending plan.
A self-contained software package that implements one of the stages in the Logstash event processing pipeline. The list of available plugins includes input plugins, output plugins, codec plugins, and filter plugins. The plugins are implemented as Ruby gems and hosted on RubyGems.org. You define the stages of an event processing pipeline by configuring plugins.
plugin manager
Accessed via the bin/logstash-plugin script, the plugin manager enables you to manage the lifecycle of plugins in your Logstash deployment. You can install, remove, and upgrade plugins by using the plugin manager Command Line Interface (CLI).
primary shard

Lucene instance containing some or all data for an index. When you index a document, Elasticsearch adds the document to primary shards before replica shards. See Clusters, nodes, and shards.

A highly available, TLS-enabled proxy layer that routes user requests, mapping cluster IDs that are passed in request URLs for the container to the cluster nodes handling the user requests.



Request for information about your data. You can think of a query as a question, written in a way Elasticsearch understands. See Search your data.

Query Profiler

A tool that enables you to inspect and analyze search queries to diagnose and debug poorly performing queries. See Query Profiler.


Real user monitoring (RUM)
Performance monitoring, metrics, and error tracking of web applications.

Process of syncing a replica shard from a primary shard. Upon completion, the replica shard is available for searches. See the index recovery API.


Copies documents from a source to a destination. The source and destination can be a data stream, index, or index alias. See the Reindex API.

remote cluster

A separate cluster, often in a different data center or locale, that contains indices that can be replicated or searched by the local cluster. The connection to a remote cluster is unidirectional. See Remote clusters.

replica shard

Copy of a primary shard. Replica shards can improve search performance and resiliency by distributing data across multiple nodes. See Clusters, nodes, and shards.

roles token
Enables a host to join an existing Elastic Cloud Enterprise installation and grants permission to hosts to hold certain roles, such as the allocator role. Used when installing Elastic Cloud Enterprise on additional hosts, a roles token helps secure Elastic Cloud Enterprise by making sure that only authorized hosts become part of the installation.

Creates a new write index when the current one reaches a certain size, number of docs, or age. A rollover can target a data stream or an index alias with a write index.


Summarizes high-granularity data into a more compressed format to maintain access to historical data in a cost-effective way. See Roll up your data.

rollup index

Special type of index for storing historical data at reduced granularity. Documents are summarized and indexed into a rollup index by a rollup job. See Rolling up historical data.

rollup job

Background task that runs continuously to summarize documents in an index and index the summaries into a separate rollup index. The job configuration controls what data is rolled up and how often. See Rolling up historical data.


Process of sending and retrieving data from a specific primary shard. Elasticsearch uses a hashed routing value to choose this shard. You can provide a routing value in indexing and search requests to take advantage of caching. See the _routing field.


A set of conditions, schedules, and actions that enable notifications. See Rules and Connectors.

Rules and Connectors

A comprehensive view of all your alerting rules. Enables you to access and manage rules for all Kibana apps from one place. See Rules and Connectors.

A local control agent that runs on all hosts, used to deploy local containers based on role definitions. Ensures that containers assigned to it exist and are able to run, and creates or recreates the containers if necessary.
runtime field

Field that is evaluated at query time. You access runtime fields from the search API like any other field, and Elasticsearch sees runtime fields no differently. See Runtime fields.


saved object

A representation of a dashboard, visualization, map, index pattern, or Canvas workpad that can be stored and reloaded.

saved search

The query text, filters, and time filter that make up a search, saved for later retrieval and reuse.

scripted field

A field that computes data on the fly from the data in Elasticsearch indices. Scripted field data is shown in Discover and used in visualizations.

search session

A group of one or more queries that are executed asynchronously. The results of the session are stored for a period of time, so you can recall the query. Search sessions are user specific.

searchable snapshot

Snapshot of an index mounted as a searchable snapshot index. You can search this index like a regular index. See searchable snapshots.

searchable snapshot index

Index whose data is stored in a snapshot. Searchable snapshot indices do not need replica shards for resilience, since their data is reliably stored outside the cluster. See searchable snapshots.


Data file in a shard's Lucene instance. Elasticsearch manages Lucene segments automatically.

services forwarder
Routes data internally in an Elastic Cloud Enterprise installation.

Lucene instance containing some or all data for an index. Elasticsearch automatically creates and manages these Lucene instances. There are two types of shards: primary and replica. See Clusters, nodes, and shards.


A Canvas workpad that can be embedded on any webpage. Shareables enable you to display Canvas visualizations on internal wiki pages or public websites.

An instance of Logstash that send events to another instance of Logstash, or some other application.

Reduces the number of primary shards in an index. See the shrink index API.


Backup taken of a running cluster. You can take snapshots of the entire cluster or only specific data streams and indices. See Snapshot and restore.

snapshot lifecycle policy

Specifies how frequently to perform automatic backups of a cluster and how long to retain the resulting snapshots. See Manage the snapshot lifecycle

snapshot repository

Location where snapshots are stored. A snapshot repository can be a shared filesystem or a remote repository, such as Azure or Google Cloud Storage. See Snapshot and restore.

source field

Original JSON object provided during indexing. See the _source field.


A place for organizing dashboards, visualizations, and other saved objects by category. For example, you might have different spaces for each team, use case, or individual. See Spaces.

Information about the execution of a specific code path. Spans measure from the start to the end of an activity and can have a parent/child relationship with other spans.

Adds more primary shards to an index. See the split index API.

Securely tunnels all traffic in an Elastic Cloud Enterprise installation.
system index

Index containing configurations and other data used internally by the Elastic Stack. System index names start with a dot (.), such as .security. Do not directly access or change system indices.



A keyword or label that you assign to Kibana saved objects, such as dashboards and visualizations, so you can classify them in a way that is meaningful to you. Tags makes it easier for you to manage your content. See Tags.


See token.

term join

A shared key that combines vector features with the results of an Elasticsearch terms aggregation. Term joins augment vector features with properties for data-driven styling and rich tooltip content in maps.


Unstructured content, such as a product description or log message. You typically analyze text for better search. See Text analysis.

time filter

A Kibana control that constrains the search results to a particular time period.


A tool for building a time series visualization that analyzes data in time order. See Timelion.

time series data

Timestamped data such as logs, metrics, and events that is indexed on an ongoing basis.


A chunk of unstructured text that’s been optimized for search. In most cases, tokens are individual words. Tokens are also called terms. See Text analysis.


Process of breaking unstructured text down into smaller, searchable chunks called tokens. See Tokenization.

Defines the amount of time an application spends on a request. Traces are made up of a collection of transactions and spans that have a common root.

A layer type in the Maps application. This layer converts a series of point locations into a line, often representing a path or route.

trained model
A machine learning model that is trained and tested against a labelled data set and can be referenced in an ingest pipeline or in a pipeline aggregation to perform classification or regression analysis on new data. See Trained models.
A special kind of span that has additional attributes associated with it. Transactions describe an event captured by an Elastic APM agent instrumenting a service.

A time series data visualizer that allows you to combine an infinite number of aggregations to display complex data. See TSVB.


Upgrade Assistant

A tool that helps you prepare for an upgrade to the next major version of Elasticsearch. The assistant identifies the deprecated settings in your cluster and indices and guides you through resolving issues, including reindexing. See Upgrade Assistant.

A metric of system reliability used to monitor the status of network endpoints via HTTP/S, TCP, and ICMP.


vector data

Points, lines, and polygons used to represent a map.


A declarative language used to create interactive visualizations. See Vega.


A graphical representation of query results in Kibana (e.g., a histogram, line graph, pie chart, or heat map).


warm phase

Second possible phase in the index lifecycle. In the warm phase, an index is generally optimized for search and no longer updated. See Index lifecycle.

warm tier

Data tier that contains nodes that hold time series data that is accessed less frequently and rarely needs to be updated. See Data tiers.


The original suite of alerting features. See Watcher.

Web Map Service (WMS)

A layer type in the Maps application. Add a WMS source to provide authoritative geographic context to your map. See the OpenGIS Web Map Service.

The filter thread model used by Logstash, where each worker receives an event and applies all filters, in order, before emitting the event to the output queue. This allows scalability across CPUs because many filters are CPU intensive.

A workspace where you build presentations of your live data in Canvas. See Create a workpad.


A coordination service for distributed systems used by Elastic Cloud Enterprise to store the state of the installation. Responsible for discovery of hosts, resource allocation, leader election after failure and high priority notifications.