Elasticsearch data output
This article provides an introduction to Elasticsearch along with a guide on creating an Elasticsearch data output using Upsolver.
Last updated
Was this helpful?
This article provides an introduction to Elasticsearch along with a guide on creating an Elasticsearch data output using Upsolver.
Last updated
Was this helpful?
Elasticsearch is an open-source, RESTful, distributed search and analytics engine built on Apache Lucene. It is commonly used for log analytics, full-text search, security intelligence, business analytics, and operational intelligence use cases.
You can send data in the form of JSON documents to Elasticsearch using the API or ingestion tools such as and . Elasticsearch automatically stores the original document and adds a searchable reference to the document in the cluster’s index.
You can then search and retrieve the document using the Elasticsearch API. You can also use , an open-source visualization tool, with Elasticsearch to visualize your data and build interactive dashboards.
These are the versions supported by Upsolver for direct output into Elasticsearch:
6.x
7.x
8.x
OpenSearch is a fork of Elasticsearch. While it isn't officially supported, some versions may still function properly as targets for this output. Specifically, versions 1.3.0 and 2.3.0 have been tested successfully but future versions may not work. We recommend testing new versions of OpenSearch with a standalone output before updating existing clusters.
1. Go to the Outputs page and click New.
2. Select Elasticseaarch as your output type.
3. Name your output and select your Data Sources, then click Next.
How many of the events in this data source include this field, expressed as a percentage (e.g. 20.81%).
The percentage distribution of the field values. These distribution values can be exported by clicking Export.
The number of fields in the selected hierarchy.
8. Add any required lookups and review them under the Calculated Fields tab.
12. Click Run and fill out the following fields:
Index Name: See warning below
Index Partition Size
S3 connection: Select an intermediate storage location where Upsolver will store the intermediate bulk files before loading it into Elasticsearch
The index name must be that of a pre-existing index (Upsolver will not automatically create a new index) and the name should be suffixed with the year (e.g. upsolver → upsolver_2020).
13. Click Next and complete the following:
14. Finally, click Deploy to run the output. It will show as Running in the output panel and is now live in production and consumes compute resources.
You have now successfully outputted your data to Elasticsearch.
Upsolver writes to Elasticsearch using Bulk requests.
For versions 7 and above Upsolver does not currently report the status of the internal requests inside such bulks. The only indication recieved is if the bulk request succeeded or not. It is therefore possible for some items within these bulk requests to fail, without getting notified about this in the Upsolver UI.
4. Click the information iconin the fields tree to view information about a field. The following will be displayed:
5. Click the information iconnext to a hierarchy element (such as the overall data) to review the following metrics:
6. Click the plus iconin the fields tree to add a field from the data source to your output. This will be reflected under the Data Source Field in the Schema tab. If required, modify the Output Column Name.
You can also edit your output directly in SQL. See:
7. Add any required calculated fields and review them in the Calculated Fields tab. See:
9. Through the Filters tab, add a filter like WHERE in SQL to the data source.
See:
10. Click Make Aggregated to turn the output into an aggregated output. Read the warning before clicking OK and then add the required aggregation. This aggregation field will then be added to the Schema tab. See:
11. In the Aggregation Calculated Fields area under the Calculated Fields tab, add any required calculated fields on aggregations. See: ,
Connection:
See:
Select the compute cluster to run the calculation on. Alternatively, click the drop-down and .
