save_es command saves data to Elasticsearch.

SAVE_ES(uri:uri_str, index:idx_str)
SAVE_ES(uri:uri_str, index:idx_str, credentials:creds_tuple, type:type_str)
SAVE_ES(uri:uri_str, index:idx_str, credentials:creds_tuple, type:type_str,
        _insecure_tls:tls_type_boolean, _rows_per_batch:row_count_int)


  • uri_str - Elasticsearch endpoint root URI.

  • idx_str - index(es) to read from. Comma-separated (no whitespace), wildcards allowed.

  • type_str - Elasticsearch index mapping type. Required for Elasticsearch versions prior to 6.0.0

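  • _insecure_tls - whether to skip server certificate chain and host validation, default false. Optional. When true, the server is not authenticated, so data and credentials can be sent to an impersonating endpoint.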

  • _rows_per_batch - how many rows to send per batched request to ES, default 1000. Optional.

  • creds_tuple - authentication attributes for different schemes (expressed as tuple):

    • credentials:{type:'basic', user::STRING, password::STRING}
    • credentials:{type:'xpack', user::STRING, password::STRING}
    • credentials:{type:'token', token::STRING} - OAuth2 Bearer token obtained via Get token API
    • credentials:{type:'aws', accessKeyId::STRING, secretKey::STRING, region::STRING} - AWS IAM user credentials for using Elasticsearch Service
    • credentials:{type:'ec2'} - use when accessing AWS Elasticsearch Service from AWS EC2 role (credentials are retrieved from instance metadata)

When Elasticsearch is configured to accept anonymous commands, credentials can be omitted.

Example: Insert 100 records of generated data to Elasticsearch index example.

| select(time:t, desc:s, ipaddr:ip)
| save_es(uri:"", index:"example")


For this example to work, Elasticsearch 6.0 (or later) must be running at localhost and accepting anonymous commands.
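A review check for the _insecure_tls and credentials options described above, as an added example that is not part of the original documentation or the product: it scans query text for save_es calls that disable certificate validation or carry a secret literal. The host name, user name, placeholder secrets and the quoting of tuple values in the sample are assumptions.

```python
import re

# One save_es(...) call. Simplification: assumes no ")" inside string literals.
CALL_RE = re.compile(r"save_es\s*\((.*?)\)", re.IGNORECASE | re.DOTALL)
INSECURE_RE = re.compile(r"_insecure_tls\s*:\s*true\b", re.IGNORECASE)
SECRET_RE = re.compile(r"\b(password|secretKey|token)\s*:\s*['\"]")
HTTP_RE = re.compile(r"\buri\s*:\s*['\"]http://", re.IGNORECASE)


def audit_query(query):
    """Return (call_number, finding) tuples for each save_es call in query."""
    findings = []
    for n, call in enumerate(CALL_RE.finditer(query), start=1):
        args = call.group(1)
        if INSECURE_RE.search(args):
            findings.append((n, "certificate validation disabled"))
        secret = SECRET_RE.search(args)
        if secret:
            findings.append((n, "secret literal in query: " + secret.group(1)))
            if HTTP_RE.search(args):
                findings.append((n, "secret sent over plaintext http"))
    return findings


# Constructed sample (hypothetical host, user and placeholder secrets).
SAMPLE = """
| save_es(uri:"https://es.example.internal:9200", index:"example",
          credentials:{type:'ec2'})
| save_es(uri:"https://es.example.internal:9200", index:"example",
          credentials:{type:'token', token:'PLACEHOLDER'}, type:'_doc',
          _insecure_tls:true)
| save_es(uri:"http://es.example.internal:9200", index:"example",
          credentials:{type:'basic', user:'writer', password:'PLACEHOLDER'})
"""

if __name__ == "__main__":
    for n, finding in audit_query(SAMPLE):
        print(f"save_es call {n}: {finding}")
```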