How does logstash generate '_id' when the outputting to elastic search?

Matthew_Laue · June 23, 2016, 2:02am

The elasticsearch _id parameter is set to some hash value. e.g.

"_id": "AVVpVdoIEU8QqcRWkA9P",

How is this calculated? And where?

matt@elk:~$ cat /etc/logstash/conf.d/apache.conf 
input {
    file {
        path => '/var/log/apache2/access.log'
    }
}
    
filter {
    grok {
        match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
}
    
output {
    elasticsearch { 
    }
}

val · June 23, 2016, 4:49am

ES will automatically create an ID in case you don't specify any.

In this case, the Logstash elasticsearch output plugin will send the events to the _bulk endpoint without any _id and hence ES will create IDs for your newly indexed documents automatically. If you want to provide your own IDs from within Logstash, you can do so by specifying the document_id setting:

output {
    elasticsearch { 
        document_id => "%{some_id_field}"
    }
}

Topic		Replies	Views
How to generate _id field manually Logstash	9	2743	August 6, 2020
Elastic document_id Logstash	6	1544	April 27, 2023
How to create custom document _id in logstash? Logstash	7	10678	February 20, 2018
How To read in logstash the response from elasticsearch using elasticsearch output plugin Logstash	6	967	November 29, 2021
Logstash elasticsearch output plugin upsert without document_id Logstash	2	599	November 2, 2018

How does logstash generate '_id' when the outputting to elastic search?

Related Topics