elasticsearchexporter

README

Elasticsearch Exporter

Status
Stability	development: metrics, profiles
	beta: traces, logs
Distributions	contrib
Issues
Code coverage
Code Owners	@JaredTan95, @carsonip, @lahsivjar

This exporter supports sending logs, metrics, traces and profiles to Elasticsearch.

The Exporter is API-compatible with Elasticsearch 7.17.x, 8.x, and 9.x. Certain features of the exporter, such as the otel mapping mode, may require newer versions of Elasticsearch. Limited effort will be made to support EOL versions of Elasticsearch -- see https://www.elastic.co/support/eol.

Configuration options

Exactly one of the following settings is required:

• endpoint (no default): The target Elasticsearch URL to which data will be sent (e.g. https://elasticsearch:9200)
• endpoints (no default): A list of Elasticsearch URLs to which data will be sent, attempted in round-robin order
• cloudid (no default): The Elastic Cloud ID of the Elastic Cloud Cluster to which data will be sent (e.g. foo:YmFyLmNsb3VkLmVzLmlvJGFiYzEyMyRkZWY0NTY=)

When the above settings are missing, endpoints will default to the comma-separated ELASTICSEARCH_URL environment variable.

Elasticsearch credentials may be configured via Authentication configuration settings. As a shortcut, the following settings are also supported:

• user (optional): Username used for HTTP Basic Authentication.
• password (optional): Password used for HTTP Basic Authentication.
• api_key (optional): Elasticsearch API Key in "encoded" format (e.g. VFR2WU41VUJIbG9SbGJUdVFrMFk6NVVhVDE3SDlSQS0wM1Rxb24xdXFldw==).

Example:

exporters:
  elasticsearch:
    endpoint: https://elastic.example.com:9200
    auth:
      authenticator: basicauth

extensions:
  basicauth:
    client_auth:
      username: elastic
      password: changeme

······

service:
  extensions: [basicauth]
  pipelines:
    logs:
      receivers: [otlp]
      exporters: [elasticsearch]
    traces:
      receivers: [otlp]
      exporters: [elasticsearch]

Advanced configuration

HTTP settings

The Elasticsearch exporter supports common HTTP Configuration Settings. Gzip compression is enabled by default. To disable compression, set compression to none. Default Compression Level is set to 1 (gzip.BestSpeed). As a consequence of supporting confighttp, the Elasticsearch exporter also supports common TLS Configuration Settings.

The Elasticsearch exporter sets timeout (HTTP request timeout) to 90s by default. All other defaults are as defined by confighttp.

Queuing and batching

The Elasticsearch exporter supports the common sending_queue settings which supports both queueing and batching. The default sending queue is configured to do async batching with the following configuration:

sending_queue:
  enabled: true
  sizer: requests
  num_consumers: 10
  queue_size: 10
  batch:
    flush_timeout: 10s
    min_size: 1e+6 // 1MB
    max_size: 5e+6 // 5MB
    sizer: bytes

The default configurations are chosen to be closer to the defaults with the exporter's previous inbuilt batching feature. The exporterhelper documentation provides more details on the sending_queue settings.

Elasticsearch document routing

Documents are statically or dynamically routed to the target index / data stream in the following order. The first routing mode that applies will be used.

1. "Static mode": Route to logs_index for log records, metrics_index for data points and traces_index for spans, if these configs are not empty respectively. [^3]
2. "Dynamic - Index attribute mode": Route to index name specified in elasticsearch.index attribute (precedence: log record / data point / span attribute > scope attribute > resource attribute) if the attribute exists. [^3]
3. "Dynamic - Data stream routing mode": Route to data stream constructed from ${data_stream.type}-${data_stream.dataset}-${data_stream.namespace}, where data_stream.type is logs for log records, metrics for data points, and traces for spans, and is static. [^3] In a special case with mapping::mode: bodymap, data_stream.type field (valid values: logs, metrics) can be dynamically set from attributes. The resulting documents will contain the corresponding data_stream.* fields, see restrictions applied to Data Stream Fields.

   1. data_stream.dataset or data_stream.namespace in attributes (precedence: log record / data point / span attribute > scope attribute > resource attribute)

   2. Otherwise, if a scope attribute with the name encoding.format exists and contains a string value, data_stream.dataset will be set to this value.

      Note that while enabled by default, this behaviour is considered experimental. Some encoding extensions set this field (e.g. awslogsencodingextension), but it is not yet part of Semantic Conventions. There is the potential that the name of this routing field evolves as the discussion progresses in SemConv.

   3. Otherwise, if scope name matches regex /receiver/(\w*receiver) or /connector/(\w*connector), data_stream.dataset will be capture group #1

   4. Otherwise, data_stream.dataset falls back to generic and data_stream.namespace falls back to default.

[^3]: See additional handling in Document routing exceptions for OTel data mode

This can be customised through the following settings:

• logs_index (optional): The index or data stream name to publish logs (and span events in OTel mapping mode) to. logs_index should be empty unless all logs should be sent to the same index.

• logs_dynamic_index (optional): uses resource, scope, or log record attributes to dynamically construct index name.

  • enabled(DEPRECATED): No-op. Documents are now always routed dynamically unless logs_index is not empty. Will be removed in a future version.

• metrics_index (optional): The index or data stream name to publish metrics to. metrics_index should be empty unless all metrics should be sent to the same index. Note that metrics support is currently in development.

• metrics_dynamic_index (optional): uses resource, scope or data point attributes to dynamically construct index name.

  • enabled(DEPRECATED): No-op. Documents are now always routed dynamically unless metrics_index is not empty. Will be removed in a future version.

• traces_index (optional): The index or data stream name to publish traces to. traces_index should be empty unless all traces should be sent to the same index.

• traces_dynamic_index (optional): uses resource, scope, or span attributes to dynamically construct index name.

  • enabled(DEPRECATED): No-op. Documents are now always routed dynamically unless traces_index is not empty. Will be removed in a future version.

• logstash_format (optional): Logstash format compatibility. Logs, metrics and traces can be written into an index in Logstash format.

  • enabled(default=false): Enable/disable Logstash format compatibility. When logstash_format::enabled is true, the index name is composed using the above dynamic routing rules as prefix and the date as suffix, e.g: If the computed index name is logs-generic-default, the resulting index will be logs-generic-default-YYYY.MM.DD. The last string appended belongs to the date when the data is being generated.
  • prefix_separator(default=-): Set a separator between logstash_prefix and date.
  • date_format(default=%Y.%m.%d): Time format (based on strftime) to generate the second part of the Index name.

• logs_dynamic_id (optional): Dynamically determines the document ID to be used in Elasticsearch based on a log record attribute.

  • enabled(default=false): Enable/Disable dynamic ID for log records. If elasticsearch.document_id exists and is not an empty string in the log record attributes, it will be used as the document ID. Otherwise, the document ID will be generated by Elasticsearch. The attribute elasticsearch.document_id is removed from the final document when the otel mapping mode is used. See Setting a document id dynamically.

• traces_dynamic_id (optional): Dynamically determines the document ID to be used in Elasticsearch based on a span attribute.

  • enabled(default=false): Enable/Disable dynamic ID for spans. If elasticsearch.document_id exists and is not an empty string in the span attributes, it will be used as the document ID. For span events, this only applies when using otel mapping mode (where span events are stored as separate documents). Otherwise, the document ID will be generated by Elasticsearch. The attribute elasticsearch.document_id is removed from the final document when the otel mapping mode is used. See Setting a document id dynamically.

Document routing exceptions for OTel data mode

In OTel mapping mode (mapping::mode: otel), there is special handling in addition to the above document routing rules in Elasticsearch document routing. The order to determine the routing mode is the same as Elasticsearch document routing.

1. "Static mode": Span events are separate documents routed to logs_index if non-empty.
2. "Dynamic - Index attribute mode": Span events are separate documents routed using attribute elasticsearch.index (precedence: span event attribute > scope attribute > resource attribute) if the attribute exists.
3. "Dynamic - Data stream routing mode":

• For all documents, data_stream.dataset will always be appended with .otel.
• A special case to (3)(1) in Elasticsearch document routing, span events are separate documents that have data_stream.type: logs and are routed using data stream attributes (precedence: span event attribute > scope attribute > resource attribute)

Elasticsearch document mapping

The Elasticsearch exporter supports several document schemas and preprocessing behaviours, which may be configured through the following settings:

• mapping:
  • mode (DEPRECATED): The mapping mode if supplied via config file is ignored. Use the X-Elastic-Mapping-Mode client metadata key or the elastic.mapping.mode scope attribute instead. If not specified via these methods, the default mapping mode is otel.
  • allowed_modes (defaults to all mapping modes): A list of allowed mapping modes.

The mapping mode can be controlled via the client metadata key X-Elastic-Mapping-Mode, e.g. via HTTP headers, gRPC metadata.

It is possible to restrict which mapping modes may be requested by configuring mapping::allowed_modes, which defaults to all mapping modes. Keep in mind that not all processors or exporter configurations will maintain client metadata.

The mapping mode can also be controlled via the scope attribute elastic.mapping.mode. If specified, this takes precedence over the X-Elastic-Mapping-Mode client metadata. If any scope has an invalid mapping mode, the exporter will reject the entire batch. The attribute will be excluded from the final document.

Valid mapping modes are:

• none
• ecs
• otel
• raw
• bodymap

See below for a description of each mapping mode.

Migration: Setting mapping mode via scope attribute

Since the mapping::mode config option is deprecated, use the following method to set the mapping mode:

Use scope attribute via transform processor

This approach sets the elastic.mapping.mode scope attribute on the telemetry data.

processors:
  transform:
    log_statements:
      - context: scope
        statements:
          - set(attributes["elastic.mapping.mode"], "otel")
    trace_statements:
      - context: scope
        statements:
          - set(attributes["elastic.mapping.mode"], "otel")
    metric_statements:
      - context: scope
        statements:
          - set(attributes["elastic.mapping.mode"], "otel")
exporters:
  elasticsearch:
    endpoint: https://elasticsearch:9200
service:
  pipelines:
    logs:
      receivers: [otlp]
      processors: [transform]
      exporters: [elasticsearch]

[!NOTE] The scope attribute elastic.mapping.mode takes precedence over the X-Elastic-Mapping-Mode client metadata. The attribute will be excluded from the final document sent to Elasticsearch.

[!NOTE] otel and ecs mapping modes require Elasticsearch 8.12 or above[^1]. otel mode works best with Elasticsearch 8.16 or above[^2].

[^1]: as OTel and ECS mapping modes rely on the require_data_stream bulk action metadata, available since Elasticsearch 8.12 [^2]: Elasticsearch 8.16 contains a built-in otel-data plugin

OTel mapping mode

The default and recommended "OTel-native" mapping mode.

In otel mapping mode, the Elasticsearch Exporter stores documents in Elastic's preferred "OTel-native" schema. In this mapping mode, documents use the original attribute names and closely follows the event structure from the OTLP events.

There is special treatment for the following attributes: data_stream.type, data_stream.dataset, and data_stream.namespace. Instead of serializing these values under the *attributes.* namespace, they are put at the root of the document, to conform with the conventions of the data stream naming scheme that maps these as constant_keyword fields.

data_stream.dataset will always be appended with .otel if dynamic data stream routing mode is active.

Span events are stored in separate documents. They will be routed with data_stream.type set to logs if dynamic data stream routing mode is active.

Attribute elasticsearch.index will be removed from the final document if exists.

Signal	Supported
Logs	✅
Traces	✅
Metrics	✅
Profiles	✅

ECS mapping mode

[!WARNING] The ECS mode mapping mode is currently undergoing changes, and its behaviour is unstable.

In ecs mapping mode, the Elasticsearch Exporter maps fields from OpenTelemetry Semantic Conventions (version 1.22.0) to Elastic Common Schema where possible. This mode may be used for compatibility with existing dashboards that work with ECS.

Signal	ecs
Logs	✅
Traces	✅
Metrics	✅
Profiles	🚫

Bodymap mapping mode

[!WARNING] The Bodymap mode mapping mode is currently undergoing changes, and its behaviour is unstable.

In bodymap mapping mode, the Elasticsearch Exporter supports only logs and will take the "body" of a log record as the exact content of the Elasticsearch document without any transformation. This mapping mode is intended for use cases where the client wishes to have complete control over the Elasticsearch document structure.

Signal	bodymap
Logs	✅
Traces	🚫
Metrics	🚫
Profiles	🚫

Default (none) mapping mode

In the none mapping mode the Elasticsearch Exporter produces documents with the original field names of from the OTLP data structures.

Signal	none
Logs	✅
Traces	✅
Metrics	🚫
Profiles	🚫

Raw mapping mode

The raw mapping mode is identical to none, except for two differences:

• In none mode attributes are mapped with an Attributes. prefix, while in raw mode they are not.
• In none mode span events are mapped with an Events. prefix, while in raw mode they are not.

Signal	raw
Logs	✅
Traces	✅
Metrics	🚫
Profiles	🚫

Elasticsearch ingest pipeline

Documents may be optionally passed through an Elasticsearch Ingest pipeline prior to indexing. This can be configured through the following settings:

• pipeline (optional): ID of an Elasticsearch Ingest pipeline used for processing documents published by the exporter.
• logs_dynamic_pipeline (optional): Dynamically determines the ingest pipeline to be used in Elasticsearch based on attributes in the log signal.
  • enabled(default=false): Enable/Disable dynamic pipeline. If elasticsearch.ingest_pipeline attribute exists in the log record attributes and is not an empty string, it will be used as the Elasticsearch ingest pipeline. This currently only applies to the log signal. The attribute elasticsearch.ingest_pipeline is removed from the final document when the otel mapping mode is used.

Elasticsearch bulk indexing

The Elasticsearch exporter uses the Elasticsearch Bulk API for indexing documents. The behaviour of this bulk indexing can be configured with the following settings:

• num_workers (DEPRECATED, use sending_queue::num_consumers instead): This config is deprecated and will be used to configure sending_queue::num_consumers if sending_queue::num_consumers is not explicitly defined. Number of workers publishing bulk requests concurrently.
• flush (DEPRECATED, use sending_queue instead): This config is deprecated and will be used to configure different options for sending_queue if sending_queue options are not explicitly defined. Event bulk indexer buffer flush settings
  • bytes (DEPRECATED, use sending_queue::batch::max_size instead): This config is deprecated and will be used to configure sending_queue::batch::max_size if sending_queue::batch::max_size is not explicitly defined. See the sending_queue::batch::max_size for more details.
  • interval (DEPRECATED, use sending_queue::batch::flush_timeout instead): This config is deprecated and will be used to configure sending_queue::batch::flush_timeout if sending_queue::batch::flush_timeout is not explicitly defined. See the sending_queue::batch::flush_timeout for more details.
• retry: Elasticsearch bulk request retry settings
  • enabled (default=true): Enable/Disable request retry on error. Failed requests are retried with exponential backoff.
  • max_requests (DEPRECATED, use retry::max_retries instead): Number of HTTP request retries including the initial attempt. If used, retry::max_retries will be set to max_requests - 1.
  • max_retries (default=2): Number of HTTP request retries. To disable retries, set retry::enabled to false instead of setting max_retries to 0.
  • initial_interval (default=100ms): Initial waiting time if a HTTP request failed.
  • max_interval (default=1m): Max waiting time if a HTTP request failed.
  • retry_on_status (default=[429]): Status codes that trigger request or document level retries. Request level retry and document level retry status codes are shared and cannot be configured separately. To avoid duplicates, it defaults to [429].
• sending_queue: Configures the queueing and batching behaviour. Below are the defaults (which may vary from standard defaults), for full configuration check the exporterhelper docs.
  • enabled (default=true): Enable queueing and batching behaviour.
  • num_consumers (default=10): Number of consumers that dequeue batches.
  • wait_for_result (default=false): If true, blocks incoming requests until processed.
  • block_on_overflow (default=false): If true, blocks the request until the queue has space.
  • sizer (default=requests): Measure queueing by requests.
  • queue_size (default=10): Maximum size the queue can accept.
  • batch:
    • flush_timeout (default=10s): Time after which batch is exported irrespective of other settings.
    • sizer (default=bytes): Size batches by bytes. Note that bytes here are based on the pdata model and not on the NDJSON docs that will constitute the bulk indexer requests. To address this discrepancy, the bulk indexers could also flush when their size exceeds the configured max_size due to size of pdata model being smaller than their corresponding NDJSON encoding.
    • min_size (default=1MB): Min size of the batch.
    • max_size (default=5MB): Max size of the batch. This value should be much lower than Elasticsearch's http.max_content_length config to avoid HTTP 413 Entity Too Large error. It is recommended to keep this value under 5MB.

Bulk indexing error response

With Elasticsearch 8.18+, a new query parameter include_source_on_error allows users to receive the source document in the error response, if there were any parsing errors in the bulk request. In the exporter, the equivalent configuration is also named include_source_on_error.

• include_source_on_error:
  • true: Enables bulk index responses to include source document on error. Requires Elasticsearch 8.18+. WARNING: the exporter may log error responses containing request payload, causing potential sensitive data to be exposed in logs.
  • false: Disables including source document on bulk index error responses. Requires Elasticsearch 8.18+.
  • null (default): Backward-compatible option for older Elasticsearch versions. By default, the error reason is discarded from bulk index responses entirely, i.e. only error type is returned.

Elasticsearch node discovery

The Elasticsearch Exporter will regularly check Elasticsearch for available nodes. Newly discovered nodes will automatically be used for load balancing. Settings related to node discovery are:

• discover:
  • on_start (optional): If enabled the exporter queries Elasticsearch for all known nodes in the cluster on startup.
  • interval (optional): Interval to update the list of Elasticsearch nodes.

Node discovery can be disabled by setting discover.interval to 0.

Telemetry settings

The Elasticsearch Exporter's own telemetry settings for testing and debugging purposes.

⚠️ This is experimental and may change at any time.

• telemetry:
  • log_request_body (default=false): Logs Elasticsearch client request body as a field in a log line at DEBUG level. It requires service::telemetry::logs::level to be set to debug. WARNING: Enabling this config may expose sensitive data.
  • log_response_body (default=false): Logs Elasticsearch client response body as a field in a log line at DEBUG level. It requires service::telemetry::logs::level to be set to debug. WARNING: Enabling this config may expose sensitive data.
  • log_failed_docs_input (default=false): Include the input (action line and document line) causing indexing error under input field in a log line at DEBUG level. It requires service::telemetry::logs::level to be set to debug. WARNING: Enabling this config may expose sensitive data.
  • log_failed_docs_input_rate_limit (default="1s"): Rate limiting of logs emitted by log_failed_docs_input config, e.g. "1s" means roughly 1 log line per second. A zero or negative value disables rate limiting.

Metadata keys

Metadata keys are a list of client metadata keys that the exporter uses to partition batches when sending_queue is enabled with batching support and enrich internal telemetry.

⚠️ This is experimental and may change at any time.

• metadata_keys (optional): List of metadata keys that will be used to partition the data into batches if sending_queue is enabled with batching support. With batching enabled only these metadata keys are guaranteed to be propagated. The keys will also be used to enrich the exporter's internal telemetry if defined. The keys are extracted from the client metadata available via the context and added to the internal telemetry as attributes.

NOTE: The metadata keys are converted to lower case as key lookups for client metadata is case insensitive. This means that the metric produced by internal telemetry will also have the attribute in lower case.

Exporting metrics

Metrics support is currently in development. The metric types supported are:

• Gauge
• Sum
• Histogram (Delta temporality only)
• Exponential histogram (Delta temporality only)
• Summary

Metrics dynamic templates

For metrics, the exporter sends per-document dynamic_templates with each bulk index action so that Elasticsearch can apply the correct mapping to metric fields. It uses the bulk API dynamic_templates parameter:

A map from the full name of fields to the name of dynamic templates. It defaults to an empty map. If a name matches a dynamic template, that template will be applied regardless of other match predicates defined in the template. If a field is already defined in the mapping, then this parameter won't be used.

The index template must define dynamic templates whose names match the values sent by the exporter. Behavior depends on the mapping mode:

Mapping mode	Field path in document	Template names sent	Notes
OTel	metrics.<metric name>	histogram, summary, gauge_double, gauge_long, counter_double, counter_long	The OTel data plugin defines more specific templates.
ECS	metric.<metric name>	histogram_metrics, summary_metrics, double_metrics	Relies on core templates in metrics@mappings. Intended to match the APM metrics ingest pipeline.

• OTel: Each metric is written under the metrics object; the bulk action maps full field names (e.g. metrics.my_metric) to one of the OTel template names above based on metric type (histogram, summary, gauge, or counter) and value type.
• ECS: Each metric is written as a top-level field metric.<name>; the bulk action maps that field name to one of the ECS/APM template names (histogram_metrics, summary_metrics, or double_metrics for gauges and counters).

Bulk Response Filter Path

The Elasticsearch bulk API accepts a filter_path parameter. This can be used to reduce the response returned by Elasticsearch. The exporter uses a default filter_path that is set by the go-docappender. The default is currently items.*._index,items.*.status,items.*.failure_store,items.*.error.type,items.*.error.reason and is defined by the DefaultFilterPath in the go-docappnder package.

If you want to change the filter_path you may do so by setting bulk_response_filter_path to the desired string in the configuration.

[!NOTE] If items.*._index.items is not in the BulkResponseFilterPath than for any failed documents, the exporter will not be able to log the index to which the document was being written to.

[!NOTE] If items.*._index.items is not in the BulkResponseFilterPath than the exporter will log rejection of duplicates to ".profiling-stackframes" which were previously suppressed.

Exporting profiles

Profiles support is currently in development, and should not be used in production. Profiles only support the OTel mapping mode.

Example:

exporters:
  elasticsearch:
    endpoint: https://elastic.example.com:9200
    mapping:
      mode: otel

[!IMPORTANT] For the Elasticsearch Exporter to be able to export Profiles data, Universal Profiling needs to be installed in the database. See the Universal Profiling getting started documentation You will need to use the Elasticsearch endpoint, with an Elasticsearch API key.

ECS Mapping

elasticsearchexporter follows ECS mapping defined here: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model-appendix.md#elastic-common-schema

When mode is set to ecs, elasticsearchexporter performs conversions for resource-level and record-level (log or trace) attributes from their Semantic Conventions (SemConv) names to equivalent Elastic Common Schema (ECS) names.

If the target ECS field name is specified as an empty string (""), the converter will neither convert the SemConv key to the equivalent ECS name nor pass through the SemConv key as-is to become the ECS name.

When "Preserved" is true, the attribute will be preserved in the payload and duplicated as mapped to its ECS equivalent.

When more than one SemConv attribute maps to the same ECS attribute, the converter will map all attributes to the same ECS name. This is mean to support backwards compatibility for SemConv attributes that have been renamed/deprecated. The value of the last-mapped attribute will take precedence.

It is recommended to enrich events using the elasticapmprocessor to ensure index documents contain all required Elastic fields to power the Kibana UI.

Resource attribute mapping

Semantic Convention Name	ECS Name	Preserve	Skip if exists
client.address	client.ip	false	false
cloud.platform	cloud.service.name	false	false
container.image.tags	container.image.tag	false	false
deployment.environment	service.environment	false	false
deployment.environment.name	service.environment	false	false
faas.instance	faas.id	false	false
faas.trigger	faas.trigger.type	false	false
host.arch	host.architecture	false	false
host.hostname	host.hostname	true	true
k8s.cluster.name	orchestrator.cluster.name	false	false
k8s.container.name	kubernetes.container.name	false	false
k8s.cronjob.name	kubernetes.cronjob.name	false	false
k8s.daemonset.name	kubernetes.daemonset.name	false	false
k8s.deployment.name	kubernetes.deployment.name	false	false
k8s.job.name	kubernetes.job.name	false	false
k8s.namespace.name	kubernetes.namespace	false	false
k8s.node.name	kubernetes.node.name	false	false
k8s.pod.name	kubernetes.pod.name	false	false
k8s.pod.uid	kubernetes.pod.uid	false	false
k8s.replicaset.name	kubernetes.replicaset.name	false	false
k8s.statefulset.name	kubernetes.statefulset.name	false	false
os.description	host.os.full	false	false
os.name	host.os.name	false	false
os.type	host.os.platform	false	false
os.version	host.os.version	false	false
process.command_line	process.args	false	false
process.executable.name	process.title	false	false
process.executable.path	process.executable	false	false
process.parent.pid	process.parent.pid	false	false
process.runtime.name	service.runtime.name	false	false
process.runtime.version	service.runtime.version	false	false
service.instance.id	service.node.name	false	false
source.address	source.ip	false	false
telemetry.distro.name	""	false	false
telemetry.distro.version	""	false	false
telemetry.sdk.language	service.language.name	false	false
telemetry.sdk.name	""	false	false
telemetry.sdk.version	service.language.version	false	false

Log record attribute mapping

Semantic Convention Name	ECS Name	Preserve
event.name	event.action	false
exception.message	error.message	false
exception.stacktrace	error.stacktrace	false
exception.type	error.type	false
exception.escaped	event.error.exception.handled	false
http.response.body.size	http.response.encoded_body_size	false

Span attribute mapping

Semantic Convention Name	ECS Name	Preserve
db.system	span.db.type	false
db.namespace	span.db.instance	false
db.query.text	span.db.statement	false
http.response.body.size	http.response.encoded_body_size	false

Compound Mapping

There are ECS fields that are not mapped easily 1 to 1 but require more advanced logic.

host.name and host.hostname

Maintains the SemConv Value host.name as ECS Value host.name and maps it to ECS Value host.hostname, if this does not already exist.

@timestamp

In case the record contains timestamp, this value is used. Otherwise, the observed timestamp is used.

Setting a document id dynamically

The logs_dynamic_id and traces_dynamic_id settings allow users to set the document ID dynamically based on log record, span, or span event attributes. Besides the ability to control the document ID, these settings also work as a deduplication mechanism, as Elasticsearch will refuse to index a document with the same ID.

For logs, the log record attribute elasticsearch.document_id can be set explicitly by a processor based on the log record. For traces, the span attribute elasticsearch.document_id (or span event attribute for span events) can be set explicitly by a processor based on the span or span event.

As an example, the transform processor can create this attribute dynamically for logs:

processors:
  transform/es-doc-id:
    error_mode: ignore
    log_statements:
      - context: log
        condition: attributes["event_name"] != null && attributes["event_creation_time"] != null
        statements:
          - set(attributes["elasticsearch.document_id"], Concat(["log", attributes["event_name"], attributes["event_creation_time"], "-"))

For traces, you can use the transform processor to set the document ID based on trace and span IDs to ensure uniqueness:

exporters:
  elasticsearch:
    mapping:
      mode: otel  # Required for span events to be separate documents
    traces_dynamic_id:
      enabled: true

processors:
  transform/es-doc-id-traces:
    error_mode: ignore
    trace_statements:
      - context: span
        statements:
          # Set ID for spans
          - set(attributes["elasticsearch.document_id"], Concat([trace_id.string, span_id.string], "-"))
      - context: spanevent
        statements:
          # Set ID for span events (only works in otel mapping mode)
          - set(attributes["elasticsearch.document_id"], Concat([trace_id.string, span_id.string, name], "-"))

Note: Span events are only stored as separate documents in otel mapping mode. In other mapping modes (ecs, bodymap, raw), span events are embedded within the span document and will not have separate document IDs.

Known issues

version_conflict_engine_exception

Symptom: elasticsearchexporter logs an error "failed to index document" with error.type "version_conflict_engine_exception" and error.reason containing "version conflict, document already exists".

This happens when the target data stream is a TSDB metrics data stream (e.g. using OTel mapping mode sending to a 8.16+ Elasticsearch, or ECS mapping mode sending to system integration data streams).

Elasticsearch Time Series Data Streams requires that there must only be one document per timestamp with the same dimensions. The purpose is to avoid duplicate data when re-trying a batch of metrics that were previously sent but failed to be indexed. The dimensions are mostly made up of resource attributes, scope attributes, scope name, attributes, and the unit.

The exporter can only group metrics with the same dimensions into the same document if they arrive in the same batch. To ensure metrics are not dropped even if they arrive in different batches in the exporter, the exporter adds a fingerprint of the metric names to the document in the otel mapping mode. Note that this functionality requires both

• minimum Elasticsearch Exporter version 0.121.0
• minimum Elasticsearch version 8.17.6, 8.18.1, 8.19.0, 9.0.1, or 9.1.0

If you are on an earlier version of Elasticsearch, either update your cluster or install this custom component template:

PUT _component_template/metrics-otel@custom
{
  "template": {
    "mappings": {
      "properties": {
        "_metric_names_hash": {
          "type": "keyword",
          "time_series_dimension": true
        }
      }
    }
  }
}

After installing this component template, if you've previously ingested data, you'll need to wait until the old index of the time series data stream reaches its end_time. This can take up to 30 minutes by default. See time series index look-ahead time for more information.

While in most situations, this error is just a sign that Elasticsearch's duplicate detection is working as intended, the data may be classified as a duplicate while it was not. This implies data is lost.

1. If the data is not sent in otel mapping mode to metrics-*.otel-* data streams, the metrics name fingerprint is not applied. This can happen for OTel host and k8s metrics that the elasticinframetricsprocessor has translated to the format the host and k8s dashboards in Kibana can consume. If these metrics arrive in the elasticsearchexporter in different batches, they will not be grouped to the same document. This can cause the version_conflict_engine_exception error. Try to remove the batchprocessor from the pipeline (or set send_batch_max_size: 0) to ensure metrics are not split into different batches. This gives the exporter the opportunity to group all related metrics into the same document.

2. Otherwise, check your metrics pipeline setup for misconfiguration that causes an actual violation of the single writer principle. This means that the same metric with the same dimensions is sent from multiple sources, which is not allowed in the OTel metrics data model.

flush failed (400) illegal_argument_exception

Symptom: bulk indexer logs an error that indicates "bulk indexer flush error" with bulk request returning HTTP 400 and an error type of illegal_argument_exception, similar to the following.

error   elasticsearchexporter@v0.120.1/bulkindexer.go:343       bulk indexer flush error
{
  "otelcol.component.id": "elasticsearch",
  "otelcol.component.kind": "Exporter",
  "otelcol.signal": "logs",
  "error": "flush failed (400): {\"error\":{\"type\":\"illegal_argument_exception\",\"caused_by\":{}}}"
}

In this scenario, Elasticsearch may reject the bulk request because the require_data_stream bulk action metadata is not supported. This may happen when you use OTel mapping mode (the default mapping mode from v0.122.0, or explicitly by configuring mapping::mode: otel) or ECS mapping mode, and send data to Elasticsearch version < 8.12.

To resolve this, upgrade Elasticsearch to 8.12+; for OTel mapping mode, 8.16+ is recommended. Alternatively, try other mapping modes, but the document structure will be different.

"dropping cumulative temporality histogram" and "dropping cumulative temporality exponential histogram"

Symptom: elasticsearchexporter logs a warning dropping cumulative temporarily histogram similar to:

warn    elasticsearchexporter@v0.132.0/exporter.go:340  validation errors
{
  "resource": {
    "service.instance.id": "33ffe7e8-e944-4f92-8fce-9094f4b61d1d",
    "service.name": "./elastic-agent",
    "service.version": "9.1.5"
  },
  "otelcol.component.id": "elasticsearch/otel",
  "otelcol.component.kind": "exporter",
  "otelcol.signal": "metrics",
  "error": "dropping cumulative temporality histogram \"http.client.request.duration\""
}

This issue occurs because Elasticsearch does not support cumulative temporality for histograms. As a workaround, you can either:

• Export histogram metrics using delta temporality, or
• Apply a cumulativetodelta processor. For more details, see Metrics data ingestion.

Documentation

Overview

Package elasticsearchexporter contains an opentelemetry-collector exporter for Elasticsearch.

Index

• Variables
• func NewFactory() exporter.Factory
• type AuthenticationSettings
• type Config
  • func (cfg *Config) Unmarshal(conf *confmap.Conf) error
  • func (cfg *Config) Validate() error
• type DiscoverySettings
• type DynamicIDSettings
• type DynamicIndexSetting
• type DynamicPipelineSettings
• type FlushSettings
• type LogstashFormatSettings
• type MappingMode
  • func (m MappingMode) String() string
• type MappingsSettings
• type RetrySettings
• type TelemetrySettings

Variables

var ErrInvalidTypeForBodyMapMode = errors.New("invalid log record body type for 'bodymap' mapping mode")

Functions

func NewFactory

func NewFactory() exporter.Factory

NewFactory creates a factory for Elastic exporter.

Types

type AuthenticationSettings

type AuthenticationSettings struct {
	// User is used to configure HTTP Basic Authentication.
	User string `mapstructure:"user"`

	// Password is used to configure HTTP Basic Authentication.
	Password configopaque.String `mapstructure:"password"`

	// APIKey is used to configure ApiKey based Authentication.
	//
	// https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-create-api-key.html
	APIKey configopaque.String `mapstructure:"api_key"`
	// contains filtered or unexported fields
}

AuthenticationSettings defines user authentication related settings.

type Config

type Config struct {
	// QueueBatchConfig configures the sending queue and the batching done
	// by the exporter. The performed batching can further be customized by
	// configuring `metadata_keys` which will be used to partition the batches.
	QueueBatchConfig configoptional.Optional[exporterhelper.QueueBatchConfig] `mapstructure:"sending_queue"`

	// Endpoints holds the Elasticsearch URLs the exporter should send events to.
	//
	// This setting is required if CloudID is not set and if the
	// ELASTICSEARCH_URL environment variable is not set.
	Endpoints []string `mapstructure:"endpoints"`

	// CloudID holds the cloud ID to identify the Elastic Cloud cluster to send events to.
	// https://www.elastic.co/guide/en/cloud/current/ec-cloud-id.html
	//
	// This setting is required if no URL is configured.
	CloudID string `mapstructure:"cloudid"`

	// NumWorkers configures the number of workers publishing bulk requests.
	//
	// Deprecated: [v0.136.0] This config is now deprecated. Use `sending_queue::num_consumers`
	// instead. If this config is defined and `sending_queue::num_consumers` is not defined then
	// it will be used to set `sending_queue::num_consumers`.
	NumWorkers int `mapstructure:"num_workers"`

	// LogsIndex configures the static index used for document routing for logs.
	// It should be empty if dynamic document routing is preferred.
	LogsIndex        string              `mapstructure:"logs_index"`
	LogsDynamicIndex DynamicIndexSetting `mapstructure:"logs_dynamic_index"`

	// MetricsIndex configures the static index used for document routing for metrics.
	// It should be empty if dynamic document routing is preferred.
	MetricsIndex        string              `mapstructure:"metrics_index"`
	MetricsDynamicIndex DynamicIndexSetting `mapstructure:"metrics_dynamic_index"`

	// TracesIndex configures the static index used for document routing for metrics.
	// It should be empty if dynamic document routing is preferred.
	TracesIndex        string              `mapstructure:"traces_index"`
	TracesDynamicIndex DynamicIndexSetting `mapstructure:"traces_dynamic_index"`

	// LogsDynamicID configures whether log record attribute `elasticsearch.document_id` is set as the document ID in ES.
	LogsDynamicID DynamicIDSettings `mapstructure:"logs_dynamic_id"`

	// TracesDynamicID configures whether span attribute `elasticsearch.document_id` is set as the document ID in ES.
	TracesDynamicID DynamicIDSettings `mapstructure:"traces_dynamic_id"`

	// LogsDynamicPipeline configures whether log record attribute `elasticsearch.document_pipeline` is set as the document ingest pipeline for ES.
	LogsDynamicPipeline DynamicPipelineSettings `mapstructure:"logs_dynamic_pipeline"`

	// Pipeline configures the ingest node pipeline name that should be used to process the
	// events.
	//
	// https://www.elastic.co/guide/en/elasticsearch/reference/current/ingest.html
	Pipeline string `mapstructure:"pipeline"`

	confighttp.ClientConfig `mapstructure:",squash"`
	Authentication          AuthenticationSettings `mapstructure:",squash"`
	Discovery               DiscoverySettings      `mapstructure:"discover"`
	Retry                   RetrySettings          `mapstructure:"retry"`

	// Deprecated: [v0.136.0] This config is now deprecated. Use `sending_queue::batch` instead.
	// If this config is defined then it will be used to configure sending queue's batch provided
	// sending queue's config are not explicitly defined.
	Flush          FlushSettings          `mapstructure:"flush"`
	Mapping        MappingsSettings       `mapstructure:"mapping"`
	LogstashFormat LogstashFormatSettings `mapstructure:"logstash_format"`

	// SuppressConflictErrors configures whether 409 Conflict responses are logged as errors.
	// If set to true, document level version conflict exceptions (409) will not be logged.
	SuppressConflictErrors bool `mapstructure:"suppress_conflict_errors"`

	// TelemetrySettings contains settings useful for testing/debugging purposes.
	// This is experimental and may change at any time.
	TelemetrySettings `mapstructure:"telemetry"`

	// IncludeSourceOnError configures whether the bulk index responses include
	// a part of the source document on error.
	// Defaults to nil.
	//
	// This setting requires Elasticsearch 8.18+. Using it in prior versions
	// have no effect.
	//
	// NOTE: The default behavior if this configuration is not set, is to
	// discard the error reason entirely, i.e. only the error type is returned.
	//
	// WARNING: If set to true, the exporter may log error responses containing
	// request payload, causing potential sensitive data to be exposed in logs.
	// Users are expected to sanitize the responses themselves.
	IncludeSourceOnError *bool `mapstructure:"include_source_on_error"`

	// Experimental: MetadataKeys defines a list of client.Metadata keys that
	// will be used as partition keys for when batcher is enabled and will be
	// added to the exporter's telemetry if defined. The config only applies
	// when `sending_queue::batch` is defined or when the, now deprecated, batcher
	// is used (set to `true` or `false`). The metadata keys are converted to
	// lower case as key lookups for client metadata is case insensitive. This
	// means that the metric produced by internal telemetry will also have the
	// attribute in lower case.
	//
	// Keys are case-insensitive and duplicates will trigger a validation error.
	MetadataKeys []string `mapstructure:"metadata_keys"`

	// BulkResponseFilterPath sets the filter_path parameter of bulk API requests,
	// which controls what data is returned in the response from Elasticsearch.
	//
	// Note: If `items.*._index.items` is not in the BulkResponseFilterPath
	// than for any failed documents, the exporter will not be able
	// to log the index to which the document was being written
	// to.
	//
	// Note: if `items.*._index.items` is not in the BulkResponseFilterPath
	// than the export will log rejection of duplicates to
	// ".profiling-stackframes" which were previously suppressed.
	//
	// BulkResponseFilterPath defaults to
	// "items.*._index,items.*.status,items.*.failure_store,items.*.error.type,items.*.error.reason"
	BulkResponseFilterPath string `mapstructure:"bulk_response_filter_path"`
}

Config defines configuration for Elastic exporter.

func (*Config) Unmarshal

func (cfg *Config) Unmarshal(conf *confmap.Conf) error

func (*Config) Validate

func (cfg *Config) Validate() error

Validate validates the elasticsearch server configuration.

type DiscoverySettings

type DiscoverySettings struct {
	// OnStart, if set, instructs the exporter to look for available Elasticsearch
	// nodes the first time the exporter connects to the cluster.
	OnStart bool `mapstructure:"on_start"`

	// Interval instructs the exporter to renew the list of Elasticsearch URLs
	// with the given interval. URLs will not be updated if Interval is <=0.
	Interval time.Duration `mapstructure:"interval"`
	// contains filtered or unexported fields
}

DiscoverySettings defines Elasticsearch node discovery related settings. The exporter will check Elasticsearch regularly for available nodes and updates the list of hosts if discovery is enabled. Newly discovered nodes will automatically be used for load balancing.

DiscoverySettings should not be enabled when operating Elasticsearch behind a proxy or load balancer.

https://www.elastic.co/blog/elasticsearch-sniffing-best-practices-what-when-why-how

type DynamicIDSettings

type DynamicIDSettings struct {
	Enabled bool `mapstructure:"enabled"`
	// contains filtered or unexported fields
}

type DynamicIndexSetting

type DynamicIndexSetting struct {
	// Enabled enables dynamic index routing.
	//
	// Deprecated: [v0.122.0] This config is now ignored. Dynamic index routing is always done by default.
	Enabled bool `mapstructure:"enabled"`
	// contains filtered or unexported fields
}

type DynamicPipelineSettings

type DynamicPipelineSettings struct {
	Enabled bool `mapstructure:"enabled"`
	// contains filtered or unexported fields
}

type FlushSettings

type FlushSettings struct {
	// Bytes sets the send buffer flushing limit.
	// Bytes is now deprecated. Use `sending_queue::batch::{min, max}_size` with `bytes`
	// sizer to configure batching based on bytes.
	//
	// If this config option is defined then it will be used to configure `sending_queue::batch::max_size`
	// provided it is not explcitly defined.
	Bytes int `mapstructure:"bytes"`

	// Interval configures the max age of a document in the send buffer.
	// Interval is now deprecated. Use `sending-queue::batch::flush_timeout` instead.
	//
	// If this config option is defined then it will be used to configure `sending_queue::batch::flush_timeout`
	// provided it is not explcitly defined.
	Interval time.Duration `mapstructure:"interval"`
	// contains filtered or unexported fields
}

FlushSettings defines settings for configuring the write buffer flushing policy in the Elasticsearch exporter. The exporter sends a bulk request with all events already serialized into the send-buffer.

Deprecated: [v0.136.0] This config is now deprecated. Use `sending_queue::batch` instead. If this config is defined then it will be used to configure sending queue's batch provided sending queue's config are not explicitly defined.

type LogstashFormatSettings

type LogstashFormatSettings struct {
	Enabled         bool   `mapstructure:"enabled"`
	PrefixSeparator string `mapstructure:"prefix_separator"`
	DateFormat      string `mapstructure:"date_format"`
	// contains filtered or unexported fields
}

type MappingMode

type MappingMode int

const (
	MappingNone MappingMode = iota
	MappingECS
	MappingOTel
	MappingRaw
	MappingBodyMap

	// NumMappingModes remain last, it is used for sizing arrays.
	NumMappingModes
)

Enum values for MappingMode.

func (MappingMode) String

func (m MappingMode) String() string

type MappingsSettings

type MappingsSettings struct {
	// Deprecated: [v0.145.0] Mode is ignored. The default mapping mode is "otel".
	//
	// The mode may be overridden in two ways:
	//  - by the client metadata key X-Elastic-Mapping-Mode, if specified
	//  - by the scope attribute elastic.mapping.mode, if specified
	//
	// The order of precedence is:
	//   scope attribute > client metadata > default mode.
	Mode string `mapstructure:"mode"`

	// AllowedModes controls the allowed document mapping modes
	// specified through X-Elastic-Mapping-Mode client metadata.
	//
	// If unspecified, all mapping modes are allowed.
	AllowedModes []string `mapstructure:"allowed_modes"`
	// contains filtered or unexported fields
}

type RetrySettings

type RetrySettings struct {
	// Enabled allows users to disable retry without having to comment out all settings.
	Enabled bool `mapstructure:"enabled"`

	// MaxRequests configures how often an HTTP request is attempted before it is assumed to be failed.
	//
	// Deprecated: use MaxRetries instead.
	MaxRequests int `mapstructure:"max_requests"`

	// MaxRetries configures how many times an HTTP request is retried.
	MaxRetries int `mapstructure:"max_retries"`

	// InitialInterval configures the initial waiting time if a request failed.
	InitialInterval time.Duration `mapstructure:"initial_interval"`

	// MaxInterval configures the max waiting time if consecutive requests failed.
	MaxInterval time.Duration `mapstructure:"max_interval"`

	// RetryOnStatus configures the status codes that trigger request or document level retries.
	RetryOnStatus []int `mapstructure:"retry_on_status"`
}

RetrySettings defines settings for the HTTP request retries in the Elasticsearch exporter. Failed sends are retried with exponential backoff.

type TelemetrySettings

type TelemetrySettings struct {
	LogRequestBody  bool `mapstructure:"log_request_body"`
	LogResponseBody bool `mapstructure:"log_response_body"`

	LogFailedDocsInput          bool          `mapstructure:"log_failed_docs_input"`
	LogFailedDocsInputRateLimit time.Duration `mapstructure:"log_failed_docs_input_rate_limit"`
	// contains filtered or unexported fields
}