Elasticsearch Sink
The Vector elasticsearch sink batches log events to Elasticsearch via the _bulk API endpoint.
Configuration
- Common
- Advanced
[sinks.my_sink_id]# REQUIREDtype = "elasticsearch" # example, must be: "elasticsearch"inputs = ["my-source-id"] # example# OPTIONALhost = "http://10.24.32.122:9000" # example, no defaultindex = "vector-%Y-%m-%d" # default
Options
basic_auth
Options for basic authentication.
password
The basic authentication password.
user
The basic authentication user name.
batch_size
The maximum size of a batch before it is flushed. See Buffers & Batches for more info.
10490000batch_timeout
The maximum age of a batch before it is flushed. See Buffers & Batches for more info.
1buffer
Configures the sink specific buffer.
max_size
The maximum size of the buffer on the disk.
type
The buffer's type / location. disk buffers are persistent and will be retained between restarts.
"memory""memory" "disk" when_full
The behavior when the buffer becomes full.
"block""block" "drop_newest" doc_type
The doc_type for your index data. This is only relevant for Elasticsearch <= 6.X. If you are using >= 7.0 you do not need to set this option since Elasticsearch has removed it.
"_doc"headers
Options for custom headers.
[header-name]
A custom header to be added to each outgoing Elasticsearch request.
healthcheck
Enables/disables the sink healthcheck upon start. See Health Checks for more info.
truehost
The host of your Elasticsearch cluster. This should be the full URL as shown in the example. This is required if the provider is not "aws"
index
Index name to write events to. See Template Syntax for more info.
"vector-%F"provider
The provider of the Elasticsearch service. This is used to properly authenticate with the Elasticsearch cluster. For example, authentication for AWS Elasticsearch Service requires that we obtain AWS credentials to properly sign the request.
"default""default" "aws" query
Custom parameters to Elasticsearch query string.
[parameter-name]
A custom parameter to be added to each Elasticsearch request.
region
When using the AWS provider, the AWS region of the target Elasticsearch instance.
request_in_flight_limit
The maximum number of in-flight requests allowed at any given time. See Rate Limits for more info.
5request_rate_limit_duration_secs
The window used for the request_rate_limit_num option See Rate Limits for more info.
1request_rate_limit_num
The maximum number of requests allowed within the request_rate_limit_duration_secs window. See Rate Limits for more info.
5request_retry_attempts
The maximum number of retries to make for failed requests. See Retry Policy for more info.
5request_retry_backoff_secs
The amount of time to wait before attempting a failed request again. See Retry Policy for more info.
1request_timeout_secs
The maximum time a request can take before being aborted. It is highly recommended that you do not lower value below the service's internal timeout, as this could create orphaned requests, pile on retries, and result in deuplicate data downstream.
60tls
Configures the TLS options for connections from this sink.
ca_path
Absolute path to an additional CA certificate file, in DER or PEM format (X.509).
crt_path
Absolute path to a certificate file used to identify this connection, in DER or PEM format (X.509) or PKCS#12. If this is set and is not a PKCS#12 archive, key_path must also be set.
key_pass
Pass phrase used to unlock the encrypted key file. This has no effect unless key_pass above is set.
key_path
Absolute path to a certificate key file used to identify this connection, in DER or PEM format (PKCS#8). If this is set, crt_path must also be set.
verify_certificate
If true (the default), Vector will validate the TLS certificate of the remote host. Do NOT set this to false unless you understand the risks of not verifying the remote certificate.
trueverify_hostname
If true (the default), Vector will validate the configured remote host name against the remote host's TLS certificate. Do NOT set this to false unless you understand the risks of not verifying the remote hostname.
trueOutput
The elasticsearch sink batches log events to Elasticsearch via the _bulk API endpoint.
Batches are flushed via the batch_size or
batch_timeout options. You can learn more in the buffers &
batches section.
For example:
POST <host>/_bulk HTTP/1.1Host: <host>Content-Type: application/x-ndjsonContent-Length: <byte_size>{ "index" : { "_index" : "<index>" } }<json_encoded_log>{ "index" : { "_index" : "<index>" } }<json_encoded_log>{ "index" : { "_index" : "<index>" } }<json_encoded_log>
How It Works
Buffers & Batches
The elasticsearch sink buffers & batches data as
shown in the diagram above. You'll notice that Vector treats these concepts
differently, instead of treating them as global concepts, Vector treats them
as sink specific concepts. This isolates sinks, ensuring services disruptions
are contained and delivery guarantees are honored.
Batches are flushed when 1 of 2 conditions are met:
- The batch age meets or exceeds the configured
batch_timeout(default:1 seconds). - The batch size meets or exceeds the configured
batch_size(default:10490000 bytes).
Buffers are controlled via the buffer.* options.
Environment Variables
Environment variables are supported through all of Vector's configuration.
Simply add ${MY_ENV_VAR} in your Vector configuration file and the variable
will be replaced before being evaluated.
You can learn more in the Environment Variables section.
Health Checks
Health checks ensure that the downstream service is accessible and ready to accept data. This check is performed upon sink initialization. If the health check fails an error will be logged and Vector will proceed to start.
Require Health Checks
If you'd like to exit immediately upon a health check failure, you can
pass the --require-healthy flag:
vector --config /etc/vector/vector.toml --require-healthy
Disable Health Checks
If you'd like to disable health checks for this sink you can set the
healthcheck option to false.
Nested Documents
Vector will explode events into nested documents before writing them to Elasticsearch. Vector assumes keys with a . delimit nested fields. You can read more about how Vector handles nested documents in the Data Model document.
Rate Limits
Vector offers a few levers to control the rate and volume of requests to the
downstream service. Start with the request_rate_limit_duration_secs and
request_rate_limit_num options to ensure Vector does not exceed the specified
number of requests in the specified window. You can further control the pace at
which this window is saturated with the request_in_flight_limit option, which
will guarantee no more than the specified number of requests are in-flight at
any given time.
Please note, Vector's defaults are carefully chosen and it should be rare that you need to adjust these. If you found a good reason to do so please share it with the Vector team by opening an issie.
Retry Policy
Vector will retry failed requests (status == 429, >= 500, and != 501).
Other responses will not be retried. You can control the number of retry
attempts and backoff rate with the request_retry_attempts and
request_retry_backoff_secs options.
Template Syntax
The index options
support Vector's template syntax,
enabling dynamic values derived from the event's data. This syntax accepts
strptime specifiers as well as the
{{ field_name }} syntax for accessing event fields. For example:
[sinks.my_elasticsearch_sink_id]# ...index = "vector-%Y-%m-%d"index = "application-{{ application_id }}-%Y-%m-%d"# ...
You can read more about the complete syntax in the template syntax section.