- Logstash Reference: other versions:
- Logstash Introduction
- Getting Started with Logstash
- How Logstash Works
- Setting Up and Running Logstash
- Logstash Directory Layout
- Logstash Configuration Files
- logstash.yml
- Secrets keystore for secure settings
- Running Logstash from the Command Line
- Running Logstash as a Service on Debian or RPM
- Running Logstash on Docker
- Configuring Logstash for Docker
- Running Logstash on Windows
- Logging
- Shutting Down Logstash
- Upgrading Logstash
- Configuring Logstash
- Advanced Logstash Configurations
- Managing Logstash
- Working with Logstash Modules
- Working with Filebeat Modules
- Queues and data resiliency
- Transforming Data
- Deploying and Scaling Logstash
- Performance Tuning
- Monitoring Logstash
- Monitoring Logstash with APIs
- Working with plugins
- Integration plugins
- Input plugins
- azure_event_hubs
- beats
- cloudwatch
- couchdb_changes
- dead_letter_queue
- elastic_agent
- elasticsearch
- exec
- file
- ganglia
- gelf
- generator
- github
- google_cloud_storage
- google_pubsub
- graphite
- heartbeat
- http
- http_poller
- imap
- irc
- java_generator
- java_stdin
- jdbc
- jms
- jmx
- kafka
- kinesis
- log4j
- lumberjack
- meetup
- pipe
- puppet_facter
- rabbitmq
- redis
- relp
- rss
- s3
- s3-sns-sqs
- salesforce
- snmp
- snmptrap
- sqlite
- sqs
- stdin
- stomp
- syslog
- tcp
- udp
- unix
- varnishlog
- websocket
- wmi
- xmpp
- Output plugins
- boundary
- circonus
- cloudwatch
- csv
- datadog
- datadog_metrics
- dynatrace
- elastic_app_search
- elastic_workplace_search
- elasticsearch
- exec
- file
- ganglia
- gelf
- google_bigquery
- google_cloud_storage
- google_pubsub
- graphite
- graphtastic
- http
- influxdb
- irc
- java_stdout
- juggernaut
- kafka
- librato
- loggly
- lumberjack
- metriccatcher
- mongodb
- nagios
- nagios_nsca
- opentsdb
- pagerduty
- pipe
- rabbitmq
- redis
- redmine
- riak
- riemann
- s3
- sink
- sns
- solr_http
- sqs
- statsd
- stdout
- stomp
- syslog
- tcp
- timber
- udp
- webhdfs
- websocket
- xmpp
- zabbix
- Filter plugins
- age
- aggregate
- alter
- bytes
- cidr
- cipher
- clone
- csv
- date
- de_dot
- dissect
- dns
- drop
- elapsed
- elasticsearch
- environment
- extractnumbers
- fingerprint
- geoip
- grok
- http
- i18n
- java_uuid
- jdbc_static
- jdbc_streaming
- json
- json_encode
- kv
- memcached
- metricize
- metrics
- mutate
- prune
- range
- ruby
- sleep
- split
- syslog_pri
- threats_classifier
- throttle
- tld
- translate
- truncate
- urldecode
- useragent
- uuid
- wurfl_device_detection
- xml
- Codec plugins
- Tips and best practices
- Troubleshooting
- Contributing to Logstash
- How to write a Logstash input plugin
- How to write a Logstash codec plugin
- How to write a Logstash filter plugin
- How to write a Logstash output plugin
- Logstash Plugins Community Maintainer Guide
- Document your plugin
- Publish your plugin to RubyGems.org
- List your plugin
- Contributing a patch to a Logstash plugin
- Extending Logstash core
- Contributing a Java Plugin
- Glossary of Terms
- Breaking Changes
- Release Notes
- Logstash 7.15.2 Release Notes
- Logstash 7.15.1 Release Notes
- Logstash 7.15.0 Release Notes
- Logstash 7.14.2 Release Notes
- Logstash 7.14.1 Release Notes
- Logstash 7.14.0 Release Notes
- Logstash 7.13.4 Release Notes
- Logstash 7.13.3 Release Notes
- Logstash 7.13.2 Release Notes
- Logstash 7.13.1 Release Notes
- Logstash 7.13.0 Release Notes
- Logstash 7.12.1 Release Notes
- Logstash 7.12.0 Release Notes
- Logstash 7.11.2 Release Notes
- Logstash 7.11.1 Release Notes
- Logstash 7.11.0 Release Notes
- Logstash 7.10.2 Release Notes
- Logstash 7.10.1 Release Notes
- Logstash 7.10.0 Release Notes
- Logstash 7.9.3 Release Notes
- Logstash 7.9.2 Release Notes
- Logstash 7.9.1 Release Notes
- Logstash 7.9.0 Release Notes
- Logstash 7.8.1 Release Notes
- Logstash 7.8.0 Release Notes
- Logstash 7.7.1 Release Notes
- Logstash 7.7.0 Release Notes
- Logstash 7.6.2 Release Notes
- Logstash 7.6.1 Release Notes
- Logstash 7.6.0 Release Notes
- Logstash 7.5.2 Release Notes
- Logstash 7.5.1 Release Notes
- Logstash 7.5.0 Release Notes
- Logstash 7.4.2 Release Notes
- Logstash 7.4.1 Release Notes
- Logstash 7.4.0 Release Notes
- Logstash 7.3.2 Release Notes
- Logstash 7.3.1 Release Notes
- Logstash 7.3.0 Release Notes
- Logstash 7.2.1 Release Notes
- Logstash 7.2.0 Release Notes
- Logstash 7.1.1 Release Notes
- Logstash 7.1.0 Release Notes
- Logstash 7.0.1 Release Notes
- Logstash 7.0.0 Release Notes
- Logstash 7.0.0-rc2 Release Notes
- Logstash 7.0.0-rc1 Release Notes
- Logstash 7.0.0-beta1 Release Notes
- Logstash 7.0.0-alpha2 Release Notes
- Logstash 7.0.0-alpha1 Release Notes
Pipeline Viewer UI
editPipeline Viewer UI
editThe pipeline viewer UI offers additional visibility into the behavior and performance of complex pipeline configurations. Use the pipeline viewer to visualize and monitor the behavior of complex Logstash pipeline configurations. You can see and interact with a tree view that illustrates the pipeline topology, data flow, and branching logic.
The pipeline viewer highlights CPU% and event latency in cases where the values are anomalous. This information helps you quickly identify processing that is disproportionately slow.
Prerequisites
editBefore using the pipeline viewer:
- Configure Logstash monitoring.
- Start the Logstash pipeline that you want to monitor.
Logstash begins shipping metrics to the monitoring cluster.
View the pipeline
editTo view the pipeline:
- Kibana → Monitoring → Logstash → Pipelines
Each pipeline is identified by a pipeline ID (main
by default). For each
pipeline, you see the pipeline’s throughput and the number
of nodes on which the pipeline is running during the selected time range.
Many elements in the tree are clickable. For example, you can click the plugin name to expand the detail view.
Click the arrow beside a branch name to collapse or expand it.
Notes and best practices
editUse semantic IDs.
Specify semantic IDs when you configure the stages in your Logstash pipeline.
Otherwise, Logstash generates them for you. Semantic IDs help you identify
configurations that are causing bottlenecks. For example, you may have several
grok filters running in your pipeline. If you have specified semantic IDs, you
can tell at a glance which filters are slow. Semantic IDs, such as
apacheParsingGrok
and cloudwatchGrok
, point you to the grok filters that are
causing bottlenecks.
Outliers. Values and stats that are anomalously slow or otherwise out of line are highlighted. This doesn’t necessarily indicate a problem, but it highlights potential bottle necks so that you can find them quickly.
Some plugins are slower than others due to the nature of the work they do. For instance, you may find that a grok filter that uses a complicated regexp runs a lot slower than a mutate filter that simply adds a field. The grok filter might be highlighted in this case, though it may not be possible to further optimize its work.
Versioning. Version information is available from the dropdown list beside the pipeline ID. Logstash generates a new version each time you modify a pipeline, and stores multiple versions of the pipeline stats. Use this information to see how changes over time affect throughput and other metrics. Logstash does not store multiple versions of the pipeline configurations.