Update documentation for logstash output with the correct defaults

[lahsivjar]

The current documentation for APM-Server indicates that with logstash output the default value of @metadata.beat to apm. However, if the value of the config output.logstash.index is not set then the default value is apm-server.

[lucabelluccini]

The documentation is also broken as I think the Logstash guide should contain the "new" APM data streams with the assets installed by APM Integration and not the apm-... indices.
We should switch to the data streams output.

In addition, it seems we send out:

	"data_stream.namespace"=>"default",
	"data_stream.type"=>"metrics",
	"data_stream.dataset"=>"apm.internal”,

This format in Logstash doesn't make it kick in the data stream auto routing. Users are obliged to use index => "%{[data_stream.type]}-%{[data_stream.dataset]}-%{[data_stream.namespace]} while they shouldn't.

Hello @simitt

• the docs for Logstash output for APM Standalone is very outdated as we do not even write to the correct data streams.
• on top of that, I think APM should use the "object" notation for data_stream.* fields in order to be able to use the data stream auto routing. But if we change it now, it might break for users who already adapted the pipeline to use the . - to be honest I've always thought Logstash was converting in field references both kind of notations, but it doesn't seem the case.

[felixbarny]

Related:

• Support dotted field notations in the reroute processor elasticsearch#96243
• Support dotted field names in ingest processors elasticsearch#96648

[lucabelluccini]

Just to add more context - I would expect APM Server standalone with Logstash output to be used as any other Elastic Agent integration and benefit from Data Stream auto routing https://www.elastic.co/guide/en/fleet/current/logstash-output.html

I find it odd that we need %{[data_stream.type]}-%{[data_stream.dataset]}-%{[data_stream.namespace]} only for APM.

[felixbarny]

I agree but I think the solution is that the Logstash data stream auto routing takes into account dotted field names.

[lucabelluccini]

For the best course of actions, I would propose the following workaround as:

• it will work transparently
• it will not break in case APM Server will start publishing the data_stream fields as objects
• it will not affect Elastic Agent integrations sending data_stream fields as objects

input {
  elastic_agent {
    port => 5044
  }
}

filter {
mutate {
  rename => {
    "[data_stream.type]" => "[data_stream][type]"
    "[data_stream.dataset]" => "[data_stream][dataset]"
    "[data_stream.namespace]" => "[data_stream][namespace]"
  }
}
}
output {
  elasticsearch {
    hosts => ["http://localhost:9200"] 
    data_stream => "true"
  }
}