Elasticsearch Bulk

Point existing Elasticsearch clients to Timber

Timber supports the Elasticsearch /_bulk endpoint protocol, allowing you to point existing Elasticsearch clients to Timber. This makes Timber a drop-in replacement for Elasticsearch ingestion.

Timber supports popular Elasticsearch clients, such as Filebeat and Logstash. If you're using one of those clients, we recommend following the instructions for that client.

Installation

  1. Configure your client's URL to be https://logs.timber.io/sources/YOUR_SOURCE_ID/frames, replacing YOUR_SOURCE_ID accordingly.

  2. Configure your client's headers to include the header Authorization: Bearer YOUR_API_KEY, replacing YOUR_API_KEY accordingly.

  3. Configure your client's buffer size to flush at 950kb or after 2 seconds (see limitations below).

Limitations

  1. Timber does not support the delete and update Elasticsearch bulk actions. Your log data in Timber is immutable.

  2. The _index, _type, and _id fields for the create and index actions are ignored. Timber handles the values of these attributes for you.

  3. Timber does not accept request payloads larger than 1mb in size, including headers. Timber is a real-time platform, providing real-time insight, and is designed for streaming ingestion of data.
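
The installation steps and limitations above, put together as a minimal client. This is an added example, not code from Timber: it packs events into bulk bodies that stay under the 950kb flush threshold and rejects the unsupported delete and update actions. The function names, the environment variable names, the /_bulk suffix and the content type are assumptions, and the 2-second flush is left to the caller.

```python
import json
import os
import urllib.parse
import urllib.request

MAX_BATCH_BYTES = 950 * 1000           # step 3 threshold; "950kb" read as 950,000 bytes (assumption)
ALLOWED_ACTIONS = {"create", "index"}  # delete and update are not supported

def build_batches(events, max_bytes=MAX_BATCH_BYTES):
    """Pack (action, doc) pairs into NDJSON bodies of at most max_bytes each.

    Returns (batches, rejected): rejected holds unsupported or oversized events."""
    batches, rejected, current, size = [], [], [], 0
    for action, doc in events:
        # The action line is empty because _index, _type and _id are ignored anyway.
        chunk = (json.dumps({action: {}}) + "\n" + json.dumps(doc) + "\n").encode("utf-8")
        if action not in ALLOWED_ACTIONS or len(chunk) > max_bytes:
            rejected.append((action, doc))
            continue
        if size + len(chunk) > max_bytes:  # flush before the body would exceed the threshold
            batches.append(b"".join(current))
            current, size = [], 0
        current.append(chunk)
        size += len(chunk)
    if current:
        batches.append(b"".join(current))
    return batches, rejected

def build_request(body, source_id, api_key):
    """Build the bulk POST. The /_bulk suffix and content type follow Elasticsearch
    client behaviour and are assumptions here, not taken from Timber's docs."""
    base = "https://logs.timber.io/sources/%s/frames" % urllib.parse.quote(source_id, safe="")
    headers = {"Authorization": "Bearer " + api_key, "Content-Type": "application/x-ndjson"}
    return urllib.request.Request(base + "/_bulk", data=body, headers=headers, method="POST")

if __name__ == "__main__":
    # Constructed sample events. Credentials come from the environment (assumed
    # variable names) so the API key never lands in source control.
    events = [("index", {"message": "user login", "level": "info"}),
              ("delete", {"message": "not supported, will be rejected"})]
    batches, rejected = build_batches(events)
    print(len(batches), "batch(es),", len(rejected), "rejected")
    source_id, api_key = os.environ.get("TIMBER_SOURCE_ID"), os.environ.get("TIMBER_API_KEY")
    if source_id and api_key:
        for body in batches:
            with urllib.request.urlopen(build_request(body, source_id, api_key), timeout=10) as resp:
                print(resp.status, len(body), "bytes sent")
```

The 950kb body limit leaves headroom under the 1mb request cap, which also counts headers.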