Elastic Workplace Search output plugin
editElastic Workplace Search output plugin
edit- A component of the elastic_enterprise_search integration plugin
- Integration version: v3.0.0
- Released on: 2023-11-07
- Changelog
For other versions, see the Versioned plugin docs.
Getting Help
editFor questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Description
editThis output lets you send events to the Elastic Workplace Search solution. On receiving a batch of events from the Logstash pipeline, the plugin converts the events into documents and uses the Workplace Search bulk API to index multiple events in one request.
Workplace Search doesn’t allow fields to begin with @timestamp
.
By default the @timestamp
and @version
fields will be removed from
each event before the event is sent to Workplace Search. If you want to keep
the @timestamp
field, you can use the
timestamp_destination option
to store the timestamp in a different field.
This gem does not support codec customization.
Workplace Search Output Configuration Options
editThis plugin supports the following configuration options plus the Common Options described later.
Setting | Input type | Required |
---|---|---|
Yes |
||
No |
||
Yes |
||
list of path |
No |
|
list of string |
No |
|
No |
||
No |
||
No |
||
No |
||
string, one of |
No |
|
No |
||
Yes |
Also see Common Options for a list of options supported by all output plugins.
access_token
edit- Value type is password
- There is no default value
The source access token. Visit the source overview page in the Workplace Search dashboard to find the token associated with your source.
document_id
edit- Value type is string
- There is no default value
The id for workplace search documents. This can be an interpolated value
like myapp-%{sequence_id}
. Reusing ids will cause documents to be rewritten.
source
edit- Value type is string
- There is no default value
The ID of the source you created in Workplace Search.
The source
field supports
sprintf format to
allow the source ID to be derived from a field value from each event, for
example %{source_id}
.
Invalid source IDs cause ingestion to stop until the field value can be resolved into a valid source ID. This situation can happen if the interpolated field value resolves to a value without a matching source, or, if the field is missing from the event and cannot be resolved at all.
Consider adding a "default" source type in the configuration to catch errors if the field is missing from the event.
Example:
input { stdin { codec => json } } filter { if ![source_id] { mutate { add_field => {"source_id" => "default"} } } } output { elastic_workplace_search { source => "%{[source_id]}" access_token => "abracadabra" url => "http://workplace.search.com:3002" } }
ssl_certificate_authorities
edit- Value type is a list of path
- There is no default value for this setting
The .cer or .pem files to validate the server’s certificate.
You cannot use this setting and ssl_truststore_path
at the same time.
ssl_cipher_suites
edit- Value type is a list of string
- There is no default value for this setting
The list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.
ssl_supported_protocols
edit- Value type is string
-
Allowed values are:
'TLSv1.1'
,'TLSv1.2'
,'TLSv1.3'
-
Default depends on the JDK being used. With up-to-date Logstash, the default is
['TLSv1.2', 'TLSv1.3']
.'TLSv1.1'
is not considered secure and is only provided for legacy applications.
List of allowed SSL/TLS versions to use when establishing a connection to the Elasticsearch cluster.
For Java 8 'TLSv1.3'
is supported only since 8u262 (AdoptOpenJDK), but requires that you set the
LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"
system property in Logstash.
If you configure the plugin to use 'TLSv1.1'
on any recent JVM, such as the one packaged with Logstash,
the protocol is disabled by default and needs to be enabled manually by changing jdk.tls.disabledAlgorithms
in
the $JDK_HOME/conf/security/java.security configuration file. That is, TLSv1.1
needs to be removed from the list.
ssl_truststore_password
edit- Value type is password
- There is no default value for this setting.
Set the truststore password
ssl_truststore_path
edit- Value type is path
- There is no default value for this setting.
The truststore to validate the server’s certificate.
It can be either .jks
or .p12
.
You cannot use this setting and ssl_certificate_authorities
at the same time.
ssl_truststore_type
edit-
Value can be any of:
jks
,pkcs12
- If not provided, the value will be inferred from the truststore filename.
The format of the truststore file. It must be either jks
or pkcs12
.
ssl_verification_mode
edit-
Value can be any of:
full
,none
-
Default value is
full
Defines how to verify the certificates presented by another party in the TLS connection:
full
validates that the server certificate has an issue date that’s within
the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and
has a hostname or IP address that matches the names within the certificate.
none
performs no certificate validation.
Setting certificate verification to none
disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
timestamp_destination
edit- Value type is string
- There is no default value
Where to move the value from the @timestamp
field.
All Logstash events contain a @timestamp
field.
Workplace Search doesn’t support fields starting with @timestamp
, and
by default, the @timestamp
field will be deleted.
To keep the timestamp field, set this value to the name of the field where you want @timestamp
copied.
Common Options
editThe following configuration options are supported by all output plugins:
Setting | Input type | Required |
---|---|---|
No |
||
No |
enable_metric
edit- Value type is boolean
-
Default value is
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
id
edit- Value type is string
- There is no default value for this setting.
Add a unique ID
to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type. For example, if you have 2 elastic_workplace_search outputs.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
output { elastic_workplace_search { id => "my_plugin_id" } }
Variable substitution in the id
field only supports environment variables
and does not support the use of values from the secret store.