Pipeline-to-pipeline communication with single input and output

hrak · August 16, 2018, 1:31pm

Imagine the following setup:

filebeats --> logstash concentrator --> kafka --> logstash ingest --> elasticsearch

On the 'logstash ingest' side, I am using pipeline-to-pipeline communication to start several pipelines for various log formats(using the "distributor pattern" as described here). Using a single input, I read JSON formatted events from a Kafka topic and they go to the various pipelines. This works like a charm.

Now from here, i want the parsed results to all go into the same Elasticsearch instance.

What would be the best approach here?

Defining an identical output in every individual pipeline config, so every pipeline has its own output but is effectively writing to exactly the same cluster/index
Use the "collector pattern" as described here to concentrate all pipelines again into one output

Badger · August 16, 2018, 1:41pm

Personally I would go with the collector pattern.

Christian_Dahlqvist · August 16, 2018, 1:42pm

This is useful if the data is going to different indices as each bulk request will target a smaller number of shards.

Probably the preferred option if all data is going to the same index.

system · September 13, 2018, 1:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Beats output to Logstash AND Elastic? Beats filebeat , packetbeat , auditbeat	7	443	September 14, 2021
Dec 13th, 2018: [EN][Elasticsearch] Chaining Ingest Pipelines Advent Calendar	1	1884	December 1, 2019
[2.1.3] Regarding Outputs to Multiple ES Clusters Logstash	6	776	July 6, 2017
[Question] Is output routing possible in Filebeat Beats filebeat	6	1494	December 13, 2017
Coupling Filebeat prospector with Logstash pipeline Beats filebeat	4	1780	December 19, 2017

Pipeline-to-pipeline communication with single input and output

Related topics