Configuring Elasticsearch as a Source
In the Sources tab, click on the “Add source” button located on the top right of your screen. Then, select the Elasticsearch option from the list of connectors. Click Next and you’ll be prompted to add your access.
1. Add account access
The following configurations are available:
- Kibana URL: The base URL of your Kibana instance (e.g. https://my-project.kb.us-central1.gcp.elastic.cloud). Search requests are routed through Kibana, so this is the only endpoint you need.
- API Key: A base64-encoded Elasticsearch API key. You can create one in Kibana under Stack Management > API Keys. The same key authenticates both Kibana and Elasticsearch requests.
- Log searches: The list of searches to extract. Each search becomes one table in your catalog, with the following options:
  - Stream name: The table name for this search (letters, numbers and underscores, e.g. `checkout_api_logs`).
  - Index pattern: The Elasticsearch index pattern to search (e.g. `logs-*`). Check the `data_views` stream or your Kibana Discover page if you’re unsure which patterns exist.
  - Service name (optional): An exact filter on the `service.name` field (e.g. `Lastlink.Checkout.Api`).
  - Search query (optional): A Lucene query applied to the `message` field by default. Use `field:value` syntax to target other fields (e.g. `event.category:antifraud`).
- Elasticsearch URL: When provided, log searches query the official Elasticsearch `_search` API directly instead of going through the Kibana console proxy. Recommended if your Kibana instance has the Dev Tools console disabled.
- Start Date: The earliest log timestamp (`@timestamp`) to extract on the first sync.
- Page size: Number of documents fetched per request (1000–5000 recommended).
2. Select streams
Choose which data streams you want to sync. For faster extractions, select only the streams that are relevant to your analysis. You can select entire groups of streams or pick specific ones.
Tip: The stream can be found more easily by typing its name.
Select the streams and click Next.
3. Configure data streams
Customize how you want your data to appear in your catalog. Select the desired layer where the data will be placed, a folder to organize it inside the layer, a name for each table (which will effectively contain the fetched data) and the type of sync.
- Layer: choose between the existing layers on your catalog. This is where you will find your new extracted tables as the extraction runs successfully.
- Folder: a folder can be created inside the selected layer to group all tables being created from this new data source.
- Table name: we suggest a name, but feel free to customize it. You have the option to add a prefix to all tables at once and make this process faster!
- Sync Type: you can choose between INCREMENTAL and FULL_TABLE.
  - Incremental: every time the extraction happens, we’ll get only the new data, which is good if, for example, you want to keep every record ever fetched.
  - Full table: every time the extraction happens, we’ll get the current state of the data, which is good if, for example, you don’t want to have deleted data in your catalog.
4. Configure data source
Describe your data source for easy identification within your organization, not exceeding 140 characters. To define your Trigger, consider how often you want data to be extracted from this source. This decision usually depends on how frequently you need the new table data updated (every day, once a week, or only at specific times). Optionally, you can define some additional settings:
- Configure Delta Log Retention and determine for how long we should store old states of this table as it gets updated. Read more about this resource here.
- Determine when to execute an Additional Full Sync. This will complement the incremental data extractions, ensuring that your data is completely synchronized with your source every once in a while.
5. Check your new source
You can view your new source on the Sources page. If needed, manually trigger the source extraction by clicking on the arrow button. Once executed, your data will appear in your Catalog.
Streams and Fields
Below you’ll find the available data streams from Elasticsearch and their corresponding fields:
Log searches (one stream per configured search)
Log documents matching the search’s index pattern and filters, synced incrementally by `@timestamp`.
| Field | Type | Description |
|---|---|---|
| id | string | Elasticsearch document `_id`. |
| index | string | Concrete index the document lives in. |
| timestamp | datetime | Document `@timestamp`, normalized to UTC. |
| service_name | string | Value of `service.name`, when present. |
| message | string | Log message, when present. |
| source | string | The full document `_source` as a JSON string, preserving every field. |
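As an added example (not the connector’s own code), the Python below shows how the log search options from step 1 (Start Date, Service name, Search query, Page size) map to an Elasticsearch `_search` request and how one returned hit maps to the stream fields in the table above. The request shape, the `auth_headers` helper and the sample hit are assumptions made for illustration, not the product’s implementation.

```python
import json
from datetime import datetime, timezone

def build_search_body(start_date, page_size, service_name=None, query=None, search_after=None):
    """Assumed request body for POST /<index pattern>/_search (not the connector's code).
    Start Date -> range filter on @timestamp; Service name -> exact term on service.name;
    Search query -> Lucene query_string with message as default field; Page size -> size.
    Sorting on @timestamp plus _doc makes search_after paging deterministic."""
    filters = [{"range": {"@timestamp": {"gte": start_date}}}]
    if service_name:
        filters.append({"term": {"service.name": service_name}})
    if query:
        filters.append({"query_string": {"query": query, "default_field": "message"}})
    body = {"size": page_size,
            "query": {"bool": {"filter": filters}},
            "sort": [{"@timestamp": "asc"}, {"_doc": "asc"}]}
    if search_after is not None:
        body["search_after"] = search_after  # sort values of the previous page's last hit
    return body

def auth_headers(api_key):
    """Elasticsearch reads the base64 API key from the Authorization header, never from the URL."""
    return {"Authorization": f"ApiKey {api_key}", "Content-Type": "application/json"}

def hit_to_row(hit):
    """Map one hit from hits.hits to the Log searches stream fields listed above."""
    src = hit["_source"]
    ts = datetime.fromisoformat(src["@timestamp"].replace("Z", "+00:00"))
    service = src.get("service.name") or (src.get("service") or {}).get("name")
    return {"id": hit["_id"],
            "index": hit["_index"],
            "timestamp": ts.astimezone(timezone.utc).isoformat(),  # normalized to UTC
            "service_name": service,
            "message": src.get("message"),
            "source": json.dumps(src, sort_keys=True)}  # every field preserved as JSON

# Constructed sample hit in the shape Elasticsearch returns (not real data)
SAMPLE_HIT = {"_index": ".ds-logs-checkout-2024.05.01-000001", "_id": "AbC123",
              "_source": {"@timestamp": "2024-05-01T12:00:00+02:00",
                          "service": {"name": "Lastlink.Checkout.Api"},
                          "message": "payment declined",
                          "event": {"category": "antifraud"}}}

if __name__ == "__main__":
    print(json.dumps(build_search_body("2024-05-01T00:00:00Z", 1000,
                                       "Lastlink.Checkout.Api", "event.category:antifraud"), indent=2))
    print(hit_to_row(SAMPLE_HIT))
```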
Data Views
Data views registered in Kibana (formerly index patterns). Useful to discover which index patterns exist when configuring your log searches.
| Field | Type | Description |
|---|---|---|
| id | string | Data view unique identifier. |
| name | string | Display name of the data view. |
| title | string | Index pattern the data view targets. |
| type | string | Data view type, when present. |
| time_field_name | string | Default time field of the data view. |
| namespaces | array | Kibana spaces the data view belongs to. |