---
title: Wired streams
description: Wired streams send your documents to a wired streams endpoint, from which you can route data into child streams based on partitioning rules you set up...
url: https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/observability/streams/wired-streams
products:
  - Elastic Cloud Serverless
  - Elastic Observability
applies_to:
  - Elastic Cloud Serverless: Preview
  - Elastic Stack: Preview since 9.2
---

# Wired streams
Wired streams send your documents to a wired streams endpoint, from which you can route data into child streams based on [partitioning](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/observability/streams/management/partitioning) rules you set up manually or with the help of AI suggestions.
<applies-switch>
  <applies-item title="{ serverless: preview, stack: preview 9.4+ }" applies-to="Elastic Cloud Serverless: Preview, Elastic Stack: Planned">
    Wired streams use the following endpoints:
    - **`logs.otel`**: Normalizes data to OpenTelemetry format (field mapping shown in [field naming table](#streams-wired-streams-field-naming))
    - **`logs.ecs`**: Preserves original ECS field names without transformation
  </applies-item>

  <applies-item title="stack: preview 9.2-9.3" applies-to="Elastic Stack: Preview from 9.2 to 9.3">
    Send logs to the `/logs` endpoint, which normalizes data to OpenTelemetry format.
  </applies-item>
</applies-switch>

<warning>
  The `/logs` endpoint is deprecated in Elastic Stack 9.4. [Reenable wired streams](#streams-wired-streams-enable) to update your deployment or project to use the `logs.otel` and `logs.ecs` endpoints.
</warning>

For more on wired streams, refer to:
- [Wired streams field naming](#streams-wired-streams-field-naming)
- [Turn on wired streams](#streams-wired-streams-enable)
- [Send data to wired streams](#streams-wired-streams-ship)
- [View wired streams in Discover](#streams-wired-streams-discover)


## Wired streams field naming

<applies-switch>
  <applies-item title="{ serverless: preview, stack: preview 9.4+ }" applies-to="Elastic Cloud Serverless: Preview, Elastic Stack: Planned">
    Field naming depends on the endpoint you use.

    ### `logs.ecs` endpointData ingested into the `logs.ecs` endpoint is stored in the original ECS field names without being transformed. The fields remain as shown in the "ECS field" column in the [field naming table](#streams-wired-streams-field-name-table).


    ### `logs.otel` endpointData ingested into the `logs.otel` endpoint is stored and processed in a normalized OpenTelemetry (OTel)–compatible format. This format aligns ECS fields with OTel semantic conventions so all data is consistently structured and OTTL-expressible.
    When data is ingested into a wired stream, it’s automatically translated into this normalized format:
    - Standard ECS documents are converted to OTel fields (`message → body.text`, `log.level → severity_text`, `host.name → resource.attributes.host.name`, and so on).
    - Custom fields are stored under `attributes.*`.
    To preserve backward-compatible querying, Streams creates aliases that mirror existing `logs-*.otel-*` data streams behavior. This allows queries to use either ECS or OTel field names interchangeably.Refer to the following table for ECS fields and corresponding OTel fields.
  </applies-item>

  <applies-item title="stack: preview 9.2-9.3" applies-to="Elastic Stack: Preview from 9.2 to 9.3">
    Data ingested into the `/logs` endpoint is stored and processed in a normalized OpenTelemetry (OTel)–compatible format. This format aligns ECS fields with OTel semantic conventions so all data is consistently structured and OTTL-expressible.Data ingested into a wired stream is automatically translated into this normalized format:
    - Streams converts standard ECS documents to OTel fields (`message → body.text`, `log.level → severity_text`, `host.name → resource.attributes.host.name`, and so on).
    - Streams stores custom fields under `attributes.*`.
    To preserve backward-compatible querying, Streams creates aliases that mirror existing `logs-*.otel-*` data streams behavior. This allows queries to use either ECS or OTel field names interchangeably.Refer to the following table for ECS fields and corresponding OTel fields.
  </applies-item>
</applies-switch>


### Field naming table

The following table lists the ECS fields and the corresponding OTel fields.

| ECS field      | OTel field                      |
|----------------|---------------------------------|
| `message`      | `body.text`                     |
| `log.level`    | `severity_text`                 |
| `span.id`      | `span_id`                       |
| `trace.id`     | `trace_id`                      |
| `host.name`    | `resource.attributes.host.name` |
| `host.ip`      | `resource.attributes.host.ip`   |
| `custom_field` | `attributes.custom_field`       |


## Turn on wired streams

To turn on wired streams:
1. Go to the **Streams** page using the navigation menu or the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects), then open **Settings**.
2. Turn on **Enable wired streams**.


## Ship data to streams

<applies-to>Elastic Cloud Serverless: Preview</applies-to> <applies-to>Elastic Stack: Planned</applies-to> You can send data to wired streams using the Observability quickstart flows. When adding data from the **Add Data** page, select **Wired Streams** as the ingestion mode and the generated commands will include all necessary routing configuration. For more information, refer to [Get started with Elastic Observability](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/observability/get-started).
To manually configure your shippers to send data to the appropriate wired streams endpoint, complete the following configurations for your shipper:
<tab-set>
  <tab-item title="OpenTelemetry">
    <note>
      Set the index in the following configuration based on your Elastic Stack version:
      - <applies-to>Elastic Stack: Preview from 9.2 to 9.3</applies-to> Set the index to `logs`. Only the `logs` endpoint is available in these versions.
      - <applies-to>Elastic Cloud Serverless: Preview</applies-to> <applies-to>Elastic Stack: Planned</applies-to> Set the index to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use.
    </note>

    ```yaml
    processors:
      transform/logs-streams:
        log_statements:
          - context: resource
            statements:
              - set(attributes["elasticsearch.index"], "logs.otel")
    service:
      pipelines:
        logs:
          receivers: [myreceiver]
          processors: [transform/logs-streams]
          exporters: [elasticsearch, otlp]
    ```
  </tab-item>

  <tab-item title="Filebeat">
    <note>
      Set the index in the following configuration based on your Elastic Stack version:
      - <applies-to>Elastic Stack: Preview from 9.2 to 9.3</applies-to> Set the index to `logs`. Only the `logs` endpoint is available in these versions.
      - <applies-to>Elastic Cloud Serverless: Preview</applies-to> <applies-to>Elastic Stack: Planned</applies-to> Set the index to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use.
    </note>

    ```yaml
    filebeat.inputs:
      - type: filestream
        id: my-filestream-id
        index: logs.otel
        enabled: true
        paths:
          - /var/log/*.log

    # No need to install templates for wired streams
    setup:
      template:
        enabled: false

    output.elasticsearch:
      hosts: ["<elasticsearch-host>"]
      api_key: "<your-api-key>"
    ```
  </tab-item>

  <tab-item title="Logstash">
    <note>
      Set the index in the following configuration based on your Elastic Stack version:
      - <applies-to>Elastic Stack: Preview from 9.2 to 9.3</applies-to> Set the index to `logs`. Only the `logs` endpoint is available in these versions.
      - <applies-to>Elastic Cloud Serverless: Preview</applies-to> <applies-to>Elastic Stack: Planned</applies-to> Set the index to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use.
    </note>

    ```json
    output {
      elasticsearch {
        hosts => ["<elasticsearch-host>"]
        api_key => "<your-api-key>"
        index => "logs.otel"
        action => "create"
      }
    }
    ```
  </tab-item>

  <tab-item title="Fleet">
    Use the **Custom Logs (Filestream)** integration to send data to wired streams:
    1. Find **Fleet** in the navigation menu or use the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).
    2. Select the **Settings** tab.
    3. Under **Outputs**, find the output you want to use to send data to streams, and select the `pencil` icon.
    4. Turn on **Write to logs streams**.
    5. Add the **Custom Logs (Filestream)** integration to an agent policy.
    6. Enable the **Use the "logs" data stream** setting in the integration configuration under **Change defaults**.
    7. Under **Where to add this integration**, select an agent policy that uses the output you configured in step 4.
  </tab-item>

  <tab-item title="API">
    <note>
      Set the endpoint in the following configuration based on your Elastic Stack version:
      - <applies-to>Elastic Stack: Preview from 9.2 to 9.3</applies-to> Set the endpoint to `logs`. Only the `logs` endpoint is available in these versions.
      - <applies-to>Elastic Cloud Serverless: Preview</applies-to> <applies-to>Elastic Stack: Planned</applies-to> Set the endpoint to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use.
    </note>
    Send data to the endpoint using the [Bulk API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-bulk). Refer to the following example for more information:
    ```json
    POST /logs.otel/_bulk
    { "create": {} }
    { "@timestamp": "2025-05-05T12:12:12", "body": { "text": "Hello world!" }, "resource": { "attributes": { "host.name": "my-host-name" } } }
    { "create": {} }
    { "@timestamp": "2025-05-05T12:12:12", "message": "Hello world!", "host.name": "my-host-name" }
    ```
  </tab-item>
</tab-set>


## View wired streams in Discover

To view wired log streams in Discover:
1. Manually [create a data view](/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/data-views#settings-create-pattern) for the wired streams index pattern (`logs,logs.*`).
2. add the wireds streams index pattern (`logs,logs.*`) to the `observability:logSources` Kibana advanced setting, which you can open from the navigation menu or by using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).


## Next steps

After sending your data to wired streams:
- [Partition data](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/observability/streams/management/partitioning): Use the **Partitioning** tab to send data into meaningful child streams.
- [Extract fields](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/observability/streams/management/extract): Use the **Processing** tab to filter and analyze your data effectively.
- [Map fields](https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/observability/streams/management/schema): Use the **Schema** tab to make fields easier to query.