Pipeline-to-pipeline communication with single input and output

hrak · August 16, 2018, 1:31pm

Imagine the following setup:

filebeats --> logstash concentrator --> kafka --> logstash ingest --> elasticsearch

On the 'logstash ingest' side, I am using pipeline-to-pipeline communication to start several pipelines for various log formats(using the "distributor pattern" as described here). Using a single input, I read JSON formatted events from a Kafka topic and they go to the various pipelines. This works like a charm.

Now from here, i want the parsed results to all go into the same Elasticsearch instance.

What would be the best approach here?

Defining an identical output in every individual pipeline config, so every pipeline has its own output but is effectively writing to exactly the same cluster/index
Use the "collector pattern" as described here to concentrate all pipelines again into one output

Badger · August 16, 2018, 1:41pm

Personally I would go with the collector pattern.

Christian_Dahlqvist · August 16, 2018, 1:42pm

This is useful if the data is going to different indices as each bulk request will target a smaller number of shards.

Probably the preferred option if all data is going to the same index.

Topic		Replies	Views
Multiple pipelines output to one cluster - only one of them picks up logs Logstash	5	1431	January 4, 2021
Best practice for multiple Logstash pipelines writing to Elasticsearch Logstash	0	121	June 13, 2024
Logstash pipeline output \| duplicate messages ending up indexes Logstash	5	1831	October 17, 2019
Multiple Logstash outputs vs pipeline-to-pipeline communcations Logstash	1	237	June 17, 2021
Logstash multiple pipelines going into same index Logstash	3	2389	May 13, 2018

Pipeline-to-pipeline communication with single input and output

Related topics