Elasticsearch
Elasticsearch is a search and observability suite for unstructured data. Tenzir can send events to Elasticsearch.
When sending data to Elasticsearch, Tenzir uses the Bulk API and attempts to maximally batch events for throughput, accumulating multiple events before shipping them within a single API call. You can control batching behavior with the max_content_length and send_timeout options.
Tenzir can also present an Elasticsearch-compatible REST API via the from_opensearch operator.
For more details and possible configuration, see the documentation for the from_opensearch and to_opensearch operators. When you use to with the elasticsearch:// URL scheme, the pipeline uses the to_opensearch operator under the hood. Similarly, from uses the from_opensearch operator.
Examples
Send events to an Elasticsearch index
from {event: "example"}
to "elasticsearch://localhost:9200", action="create", index="main"
Replace localhost with the IP address of your Elasticsearch instance.
Selectively specify metadata and document
Instead of treating the entire event as the document to be indexed by Elasticsearch, you can designate a nested record as the document:
from {category: "qux", doc_id: "XXX", event: {foo: "bar"}}
to "elasticsearch://localhost:9200", id=doc_id, doc=event, action="update", index=category
The above example updates the document with ID XXX with the contents from the nested field event.