--- title: Classic vs wired streams description: Wired streams receive log data through a dedicated endpoint and route it into child streams based on partitioning rules. url: https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/solutions/observability/streams/classic-wired-streams products: - Elastic Cloud Serverless - Elastic Observability applies_to: - Elastic Cloud Serverless: Preview - Elastic Stack: Preview since 9.2 --- # Classic vs wired streams Streams can operate in two modes: wired and classic. Both manage data streams in Elasticsearch, but differ in configuration, inheritance, and field mapping. ## Classic streams Classic streams work with existing Elasticsearch data streams. Use classic streams when you want the ease of extracting fields and configuring data retention while working with data that's already being ingested into Elasticsearch. Classic streams: - Are based on existing data streams, index templates, and component templates. - Can follow the data retention policy set in the existing index template. - Do not support hierarchical inheritance or cascading configuration updates. A skill is available to help AI agents with this topic. ## Wired streams Wired streams send your documents to a wired streams endpoint, from which you can route data into child streams based on [partitioning](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/solutions/observability/streams/management/partitioning) rules you set up manually or with the help of AI suggestions.

Wired streams use the following endpoints: - **`logs.otel`**: Normalizes data to OpenTelemetry format (field mapping shown in [field naming table](#streams-wired-streams-field-naming)) - **`logs.ecs`**: Preserves original ECS field names without transformation

Send logs to the `/logs` endpoint, which normalizes data to OpenTelemetry format.

The `/logs` endpoint is deprecated and replaced by the `logs.otel` and `logs.ecs` endpoints. For more on wired streams, refer to: - [Wired streams field naming](#streams-wired-streams-field-naming) - [Manage wired streams](#streams-wired-streams-enable) - [Send data to wired streams](#streams-wired-streams-ship) - [View wired streams in Discover](#streams-wired-streams-discover) ### Wired streams field naming

Field naming depends on the endpoint you use. #### `logs.ecs` endpointData ingested into the `logs.ecs` endpoint is stored in the original ECS field names without being transformed. The fields remain as shown in the "ECS field" column in the [field naming table](#streams-wired-streams-field-name-table). #### `logs.otel` endpointData ingested into the `logs.otel` endpoint is stored and processed in a normalized OpenTelemetry (OTel)–compatible format. This format aligns ECS fields with OTel semantic conventions so all data is consistently structured and OTTL-expressible. When data is ingested into a wired stream, it’s automatically translated into this normalized format: - Standard ECS documents are converted to OTel fields (`message → body.text`, `log.level → severity_text`, `host.name → resource.attributes.host.name`, and so on). - Custom fields are stored under `attributes.*`. To preserve backward-compatible querying, Streams creates aliases that mirror existing `logs-*.otel-*` data streams behavior. This allows queries to use either ECS or OTel field names interchangeably.Refer to the following table for ECS fields and corresponding OTel fields.

Data ingested into the `/logs` endpoint is stored and processed in a normalized OpenTelemetry (OTel)–compatible format. This format aligns ECS fields with OTel semantic conventions so all data is consistently structured and OTTL-expressible.Data ingested into a wired stream is automatically translated into this normalized format: - Streams converts standard ECS documents to OTel fields (`message → body.text`, `log.level → severity_text`, `host.name → resource.attributes.host.name`, and so on). - Streams stores custom fields under `attributes.*`. To preserve backward-compatible querying, Streams creates aliases that mirror existing `logs-*.otel-*` data streams behavior. This allows queries to use either ECS or OTel field names interchangeably.Refer to the following table for ECS fields and corresponding OTel fields.

#### Field naming table The following table lists the ECS fields and the corresponding OTel fields. | ECS field | OTel field | |----------------|---------------------------------| | `message` | `body.text` | | `log.level` | `severity_text` | | `span.id` | `span_id` | | `trace.id` | `trace_id` | | `host.name` | `resource.attributes.host.name` | | `host.ip` | `resource.attributes.host.ip` | | `custom_field` | `attributes.custom_field` | ### Manage wired streams

Wired streams are on by default. To disable wired streams: 1. Go to the **Streams** page using the navigation menu or the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/explore-analyze/find-and-organize/find-apps-and-objects), then open **Settings**. 2. Turn off **Enable wired streams**. To re-enable, repeat these steps and turn on **Enable wired streams**.

To turn on wired streams: 1. Go to the **Streams** page using the navigation menu or the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/explore-analyze/find-and-organize/find-apps-and-objects), then open **Settings**. 2. Turn on **Enable wired streams**.

## Ship data to streams Elastic Cloud Serverless: Preview Elastic Stack: Preview since 9.4 You can send data to wired streams using the Observability quickstart flows. When adding data from the **Add Data** page, select **Wired Streams** as the ingestion mode and the generated commands will include all necessary routing configuration. For more information, refer to [Get started with Elastic Observability](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/solutions/observability/get-started). To manually configure your shippers to send data to the appropriate wired streams endpoint, complete the following configurations for your shipper:

Set the index in the following configuration based on your Elastic Stack version: - Elastic Stack: Preview from 9.2 to 9.3 Set the index to `logs`. Only the `logs` endpoint is available in these versions. - Elastic Cloud Serverless: Preview Elastic Stack: Preview since 9.4 Set the index to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use. ```yaml processors: transform/logs-streams: log_statements: - context: resource statements: - set(attributes["elasticsearch.index"], "logs.otel") service: pipelines: logs: receivers: [myreceiver] processors: [transform/logs-streams] exporters: [elasticsearch, otlp] ```

Set the index in the following configuration based on your Elastic Stack version: - Elastic Stack: Preview from 9.2 to 9.3 Set the index to `logs`. Only the `logs` endpoint is available in these versions. - Elastic Cloud Serverless: Preview Elastic Stack: Preview since 9.4 Set the index to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use. ```yaml filebeat.inputs: - type: filestream id: my-filestream-id index: logs.otel enabled: true paths: - /var/log/*.log # No need to install templates for wired streams setup: template: enabled: false output.elasticsearch: hosts: [""] api_key: "" ```

Set the index in the following configuration based on your Elastic Stack version: - Elastic Stack: Preview from 9.2 to 9.3 Set the index to `logs`. Only the `logs` endpoint is available in these versions. - Elastic Cloud Serverless: Preview Elastic Stack: Preview since 9.4 Set the index to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use. ```json output { elasticsearch { hosts => [""] api_key => "" index => "logs.otel" action => "create" } } ```

Use the **Custom Logs (Filestream)** integration to send data to wired streams: 1. Find **Fleet** in the navigation menu or use the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/explore-analyze/find-and-organize/find-apps-and-objects). 2. Select the **Settings** tab. 3. Under **Outputs**, find the output you want to use to send data to streams, and select the `pencil` icon. 4. Turn on **Write to logs streams**. 5. Add the **Custom Logs (Filestream)** integration to an agent policy. 6. Enable the **Use the "logs" data stream** setting in the integration configuration under **Change defaults**. 7. Under **Where to add this integration**, select an agent policy that uses the output you configured in step 4.

Set the endpoint in the following configuration based on your Elastic Stack version: - Elastic Stack: Preview from 9.2 to 9.3 Set the endpoint to `logs`. Only the `logs` endpoint is available in these versions. - Elastic Cloud Serverless: Preview Elastic Stack: Preview since 9.4 Set the endpoint to `logs.otel` or `logs.ecs`, depending on which endpoint you want to use. Send data to the endpoint using the [Bulk API](https://www.elastic.co/docs/api/doc/elasticsearch/operation/operation-bulk). Refer to the following example for more information: ```json POST /logs.otel/_bulk { "create": {} } { "@timestamp": "2025-05-05T12:12:12", "body": { "text": "Hello world!" }, "resource": { "attributes": { "host.name": "my-host-name" } } } { "create": {} } { "@timestamp": "2025-05-05T12:12:12", "message": "Hello world!", "host.name": "my-host-name" } ```

### View wired streams in Discover To view wired log streams in Discover: 1. Manually [create a data view](/elastic/docs-content/pull/6665/explore-analyze/find-and-organize/data-views#settings-create-pattern) for the wired streams index pattern (`logs,logs.*`). 2. Add the wired streams index pattern (`logs,logs.*`) to the `observability:logSources` Kibana advanced setting, which you can open from the navigation menu or by using the [global search field](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/explore-analyze/find-and-organize/find-apps-and-objects). ### Query unmapped fields - Elastic Cloud Serverless: Preview - Elastic Stack: Preview since 9.4 Wired streams can contain fields stored in `_source` that are not explicitly mapped. By default, ES|QL returns an error when a query references an unmapped field. To make unmapped fields queryable, add `SET unmapped_fields = "LOAD";` at the start of your ES|QL query: ```esql SET unmapped_fields = "LOAD"; FROM logs.otel | WHERE my_custom_field == "value" ``` When `LOAD` is set, unmapped fields are loaded from `_source` as `keyword` fields, or treated as null if absent from `_source`. Elastic Stack: Planned When you query a wired stream and the ES|QL editor detects an unknown column error, a **Load unmapped fields** quick fix action is available. Select it to apply this setting automatically. For more details, refer to [Handle unmapped fields with `SET unmapped_fields`](/elastic/docs-content/pull/6665/explore-analyze/query-filter/languages/esql-kibana#esql-kibana-unmapped-fields). ### Next steps After sending your data to wired streams: - [Partition data](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/solutions/observability/streams/management/partitioning): Use the **Partitioning** tab to send data into meaningful child streams. - [Extract fields](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/solutions/observability/streams/management/extract): Use the **Processing** tab to filter and analyze your data effectively. - [Map fields](https://docs-v3-preview.elastic.dev/elastic/docs-content/pull/6665/solutions/observability/streams/management/schema): Use the **Schema** tab to make fields easier to query.