If I understand correctly, you ingest both logs and APM traces into your Elasticsearch and you want to correlate APM traces/errors with related log data. If this is the case, take a look at our log-correlation guide. I assume you are at step 2.
Please note that we just recently added an experimental feature that automatically reformats your application logs into ECS-JSON and includes the APM IDs in them, so that you don't need to configure your logging formatting (step 3 in the guide) - it will already be written in the proper format, ready for ingestion. Please take a look at the new log_ecs_reformatting configuration and see if it fits your needs. If so, you would need to use the latest snapshot, as this has not been released yet.