Elastic Agent to Logstash (for enrichment) to Elasticsearch

Ingest models

• Elastic Agent to Elasticsearch using Logstash to enrich the data
• Elastic Agent to Logstash for enrichment based on fields in the Elastic Agent data to {es}

Use when

• Data enrichment in Elasticsearch is not practical for business or technical reasons
• Your use case requires data enrichment based on fields in the Elastic Agent data. Logstash can collect enrichment data based on those fields, and then send the data to Elasticsearch.

Examples

• Data that changes frequently and is updated using an external source, such as stock ticker data
• Enrichment data is proprietary and cannot be stored elsewhere.
• Enrichment is done with an HTTP API whose return depends on values from the document.
  Example: An API that takes geo points with the collected data and returns available real estate in the region, and then passes to Logstash enrichment for enrichment between agents and Elasticsearch.

Resources

Info on configuring Elastic Agent:

• Fleet and Elastic Agent Guide
• Configuring outputs for Elastic Agent

For info on Logstash for enriching data, check out these sections in the Logstash Reference:

• Logstash {agent} input
• Logstash plugins for enriching data
• Logstash filter plugins
• Logstash {es} output

Info on Elasticsearch:

• Elasticsearch Guide