Elasticsearch filter plugin v4.3.0

ES|QL returns query results in a structured tabular format, where data is organized into columns (fields) and values (entries). The plugin maps each value entry to an event, populating corresponding fields. For example, a query might produce a table like:

For this case, the plugin creates two JSON look like objects as below and places them into the target field of the event if target is defined. If target is not defined, the plugin places the only first result at the root of the event.

[
  {
    "timestamp": "2025-04-10T12:00:00",
    "user_id": 123,
    "action": "login",
    "status": {
        "code": 200,
        "desc": "Success"
    }
  },
  {
    "timestamp": "2025-04-10T12:05:00",
    "user_id": 456,
    "action": "purchase",
    "status": {
        "code": 403,
        "desc": "Forbidden (unauthorized user)"
    }
  }
]

ES|QL query fetches all parent and sub-fields fields if your Elasticsearch index has multi-fields or subobjects. Since Logstash events cannot contain parent field’s concrete value and sub-field values together, the plugin ignores sub-fields with warning and includes parent. We recommend using the RENAME (or DROP to avoid warning) keyword in your ES|QL query explicitly rename the fields to include sub-fields into the event.

This is a common occurrence if your template or mapping follows the pattern of always indexing strings as "text" (field) + " keyword" (field.keyword) multi-field. In this case it’s recommended to do KEEP field if the string is identical and there is only one subfield as the engine will optimize and retrieve the keyword, otherwise you can do KEEP field.keyword | RENAME field.keyword as field.

To illustrate the situation with example, assuming your mapping has a time time field with time.min and time.max sub-fields as following:

    "properties": {
        "time": { "type": "long" },
        "time.min": { "type": "long" },
        "time.max": { "type": "long" }
    }

The ES|QL result will contain all three fields but the plugin cannot map them into Logstash event. To avoid this, you can use the RENAME keyword to rename the time parent field to get all three fields with unique fields.

    ...
    query => 'FROM my-index | RENAME time AS time.current'
    ...

For comprehensive ES|QL syntax reference and best practices, see the ES|QL documentation.

A mapping of aggregations to copy into the target of the current event.

Example:

    filter {
      elasticsearch {
        aggregation_fields => {
          "my_agg_name" => "my_ls_field"
        }
      }
    }

Authenticate using Elasticsearch API key. Note that this option also requires enabling the ssl_enabled option.

Format is id:api_key where id and api_key are as returned by the Elasticsearch Create API key API.

The SHA-256 fingerprint of an SSL Certificate Authority to trust, such as the autogenerated self-signed CA for an Elasticsearch cluster.

Cloud authentication string ("<username>:<password>" format) is an alternative for the user/password pair.

For more info, check out the Logstash-to-Cloud documentation.

Cloud ID, from the Elastic Cloud web console. If set hosts should not be used.

For more info, check out the Logstash-to-Cloud documentation.

Pass a set of key value pairs as the headers sent in each request to Elasticsearch. These custom headers will override any headers previously set by the plugin such as the User Agent or Authorization headers.

A mapping of docinfo (_source) fields to copy into the target of the current event.

Example:

    filter {
      elasticsearch {
        docinfo_fields => {
          "_id" => "document_id"
          "_index" => "document_index"
        }
      }
    }

Whether results should be sorted or not

A mapping of indexed fields to copy into the target of the current event.

In the following example, the values of @timestamp and event_id on the event found via elasticsearch are copied to the current event’s started and start_id fields, respectively:

fields => {
  "@timestamp" => "started"
  "event_id" => "start_id"
}

List of elasticsearch hosts to use for querying.

Comma-delimited list of index names to search; use _all or empty string to perform the operation on all indices. Field substitution (e.g. index-name-%{date_field}) is available

Basic Auth - password

Set the address of a forward HTTP proxy. An empty string is treated as if proxy was not set, and is useful when using environment variables e.g. proxy => '${LS_PROXY:}'.

The query to be executed. The accepted query shape is DSL query string or ES|QL. For the DSL query string, use either query or query_template. Read the Elasticsearch query string documentation or Elasticsearch ES|QL documentation for more information.

Defines the query shape. When dsl, the query shape must be valid Elasticsearch JSON-style string. When esql, the query shape must be a valid ES|QL string and index, query_template and sort parameters are not allowed.

Named parameters in ES|QL to send to Elasticsearch together with query. Visit passing parameters to query page for more information.

File path to elasticsearch query in DSL format. More information is available in the Elasticsearch query documentation. Use either query or query_template.

How many results to return

How many times to retry an individual failed request.

When enabled, retry requests that result in connection errors or an HTTP status code included in retry_on_status

Which HTTP Status codes to consider for retries (in addition to connection errors) when using retry_on_failure,

Comma-delimited list of <field>:<direction> pairs that define the sort order

SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.

The .cer or .pem files to validate the server’s certificate.

The list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.

Enable SSL/TLS secured communication to Elasticsearch cluster. Leaving this unspecified will use whatever scheme is specified in the URLs listed in hosts or extracted from the cloud_id. If no explicit protocol is specified plain HTTP will be used.

OpenSSL-style RSA private key that corresponds to the ssl_certificate.

Set the keystore password

The keystore used to present a certificate to the server. It can be either .jks or .p12

The format of the keystore file. It must be either jks or pkcs12.

List of allowed SSL/TLS versions to use when establishing a connection to the Elasticsearch cluster.

For Java 8 'TLSv1.3' is supported only since 8u262 (AdoptOpenJDK), but requires that you set the LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

Set the truststore password

The truststore to validate the server’s certificate. It can be either .jks or .p12.

The format of the truststore file. It must be either jks or pkcs12.

Defines how to verify the certificates presented by another party in the TLS connection:

full validates that the server certificate has an issue date that’s within the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and has a hostname or IP address that matches the names within the certificate.

none performs no certificate validation.

Tags the event on failure to look up previous log event information. This can be used in later analysis.

Define the target field for placing the result data. If this setting is omitted, the target will be the root (top level) of the event. It is highly recommended to set when using query_type=>'esql' to set all query results into the event.

When query_type=>'dsl', the destination fields specified in fields, aggregation_fields, and docinfo_fields are relative to this target.

For example, if you want the data to be put in the operation field:

if [type] == "end" {
    filter {
      query => "type:start AND transaction:%{[transactionId]}"
      elasticsearch {
        target => "transaction"
        fields => {
          "@timestamp" => "started"
          "transaction_id" => "id"
        }
      }
    }
}

fields fields will be expanded into a data structure in the target field, overall shape looks like this:

    {
      "transaction" => {
        "started" => "2025-04-29T12:01:46.263Z"
        "id" => "1234567890"
      }
    }

Basic Auth - username

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field}.

Example:

    filter {
      elasticsearch {
        add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
      }
    }

    # You can also add multiple fields at once:
    filter {
      elasticsearch {
        add_field => {
          "foo_%{somefield}" => "Hello world, from %{host}"
          "new_field" => "new_static_value"
        }
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add field foo_hello if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      elasticsearch {
        add_tag => [ "foo_%{somefield}" ]
      }
    }

    # You can also add multiple tags at once:
    filter {
      elasticsearch {
        add_tag => [ "foo_%{somefield}", "taggedy_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add a tag foo_hello (and the second example would of course add a taggedy_tag tag).

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 elasticsearch filters. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

    filter {
      elasticsearch {
        id => "ABC"
      }
    }

Call the filter flush method at regular interval. Optional.

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:

    filter {
      elasticsearch {
        remove_field => [ "foo_%{somefield}" ]
      }
    }

    # You can also remove multiple fields at once:
    filter {
      elasticsearch {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the field with name foo_hello if it is present. The second example would remove an additional, non-dynamic field.

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      elasticsearch {
        remove_tag => [ "foo_%{somefield}" ]
      }
    }

    # You can also remove multiple tags at once:
    filter {
      elasticsearch {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the tag foo_hello if it is present. The second example would remove a sad, unwanted tag as well.