Wired streams

Wired streams send your documents to a wired streams endpoint, from which you can route data into child streams based on partitioning rules you set up manually or with the help of AI suggestions.

Wired streams use the following endpoints:

logs.otel: Normalizes data to OpenTelemetry format (field mapping shown in field naming table)
logs.ecs: Preserves original ECS field names without transformation

Warning

The /logs endpoint is deprecated in Elastic Stack 9.4. Reenable wired streams to update your deployment or project to use the logs.otel and logs.ecs endpoints.

Send logs to the /logs endpoint, which normalizes data to OpenTelemetry format.

For more on wired streams, refer to:

Wired streams field naming
Turn on wired streams
Send data to wired streams
View wired streams in Discover

Wired streams field naming

Field naming depends on the endpoint you use.

`logs.ecs` endpoint

Data ingested into the logs.ecs endpoint is stored in the original ECS field names without being transformed. The fields remain as shown in the "ECS field" column in the field naming table.

Data ingested into the logs.otel endpoint is stored and processed in a normalized OpenTelemetry (OTel)–compatible format. This format aligns ECS fields with OTel semantic conventions so all data is consistently structured and OTTL-expressible.

When data is ingested into a wired stream, it’s automatically translated into this normalized format:

Standard ECS documents are converted to OTel fields (message → body.text, log.level → severity_text, host.name → resource.attributes.host.name, and so on).
Custom fields are stored under attributes.*.

To preserve backward-compatible querying, Streams creates aliases that mirror existing logs-*.otel-* data streams behavior. This allows queries to use either ECS or OTel field names interchangeably.

Refer to the following table for ECS fields and corresponding OTel fields.

Data ingested into the /logs endpoint is stored and processed in a normalized OpenTelemetry (OTel)–compatible format. This format aligns ECS fields with OTel semantic conventions so all data is consistently structured and OTTL-expressible.

Data ingested into a wired stream is automatically translated into this normalized format:

Streams converts standard ECS documents to OTel fields (message → body.text, log.level → severity_text, host.name → resource.attributes.host.name, and so on).
Streams stores custom fields under attributes.*.

Refer to the following table for ECS fields and corresponding OTel fields.

Field naming table

The following table lists the ECS fields and the corresponding OTel fields.

ECS field	OTel field
`message`	`body.text`
`log.level`	`severity_text`
`span.id`	`span_id`
`trace.id`	`trace_id`
`host.name`	`resource.attributes.host.name`
`host.ip`	`resource.attributes.host.ip`
`custom_field`	`attributes.custom_field`

Turn on wired streams

To turn on wired streams:

Go to the Streams page using the navigation menu or the global search field, then open Settings.
Turn on Enable wired streams.

Ship data to streams

To send data to wired streams, configure your shippers to send data to the appropriate wired streams endpoint. To do this, complete the following configurations for your shipper:

OpenTelemetry

Note

Set the index in the following configuration based on your Elastic Stack version:

Set the index to logs. Only the logs endpoint is available in these versions.
Set the index to logs.otel or logs.ecs, depending on which endpoint you want to use.

		processors:
  transform/logs-streams:
    log_statements:
      - context: resource
        statements:
          - set(attributes["elasticsearch.index"], "logs.otel")
service:
  pipelines:
    logs:
      receivers: [myreceiver]
      processors: [transform/logs-streams]
      exporters: [elasticsearch, otlp]
		
	

Set to `logs.otel` or `logs.ecs` (serverless and stack 9.4+), or `logs` (stack 9.2–9.3)
works with any logs receiver
works with either

Filebeat

Note

Set the index in the following configuration based on your Elastic Stack version:

Set the index to logs. Only the logs endpoint is available in these versions.
Set the index to logs.otel or logs.ecs, depending on which endpoint you want to use.

		filebeat.inputs:
  - type: filestream
    id: my-filestream-id
    index: logs.otel
    enabled: true
    paths:
      - /var/log/*.log

# No need to install templates for wired streams
setup:
  template:
    enabled: false

output.elasticsearch:
  hosts: ["<elasticsearch-host>"]
  api_key: "<your-api-key>"
		
	

Set to `logs.otel` or `logs.ecs` (serverless and stack 9.4+), or logs (stack 9.2–9.3)

Logstash

Note

Set the index in the following configuration based on your Elastic Stack version:

Set the index to logs. Only the logs endpoint is available in these versions.
Set the index to logs.otel or logs.ecs, depending on which endpoint you want to use.

		output {
  elasticsearch {
    hosts => ["<elasticsearch-host>"]
    api_key => "<your-api-key>"
    index => "logs.otel"
    action => "create"
  }
}
		
	

Set to `logs.otel` or `logs.ecs` (serverless and stack 9.4+), or `logs` (stack 9.2–9.3)

Fleet

Use the Custom Logs (Filestream) integration to send data to wired streams:

Find Fleet in the navigation menu or use the global search field.
Select the Settings tab.
Under Outputs, find the output you want to use to send data to streams, and select the icon.
Turn on Write to logs streams.
Add the Custom Logs (Filestream) integration to an agent policy.
Enable the Use the "logs" data stream setting in the integration configuration under Change defaults.
Under Where to add this integration, select an agent policy that uses the output you configured in step 4.

API

Note

Set the endpoint in the following configuration based on your Elastic Stack version:

Set the endpoint to logs. Only the logs endpoint is available in these versions.
Set the endpoint to logs.otel or logs.ecs, depending on which endpoint you want to use.

Send data to the endpoint using the Bulk API. Refer to the following example for more information:

		POST /logs.otel/_bulk
{ "create": {} }
{ "@timestamp": "2025-05-05T12:12:12", "body": { "text": "Hello world!" }, "resource": { "attributes": { "host.name": "my-host-name" } } }
{ "create": {} }
{ "@timestamp": "2025-05-05T12:12:12", "message": "Hello world!", "host.name": "my-host-name" }
		
	

Set to `logs.otel` or `logs.ecs` (serverless or stack 9.4+), or `logs` (stack 9.2–9.3)

View wired streams in Discover

To view wired log streams in Discover:

Manually create a data view for the wired streams index pattern (logs,logs.*).
add the wireds streams index pattern (logs,logs.*) to the observability:logSources Kibana advanced setting, which you can open from the navigation menu or by using the global search field.

Next steps

After sending your data to wired streams:

Partition data: Use the Partitioning tab to send data into meaningful child streams.
Extract fields: Use the Processing tab to filter and analyze your data effectively.
Map fields: Use the Schema tab to make fields easier to query.