Observability Pipelines

Observability Pipelines allows you to collect and process logs within your own infrastructure, and then route them to downstream integrations.

GET https://api.ap1.datadoghq.com/api/v2/obs-pipelines/pipelineshttps://api.ap2.datadoghq.com/api/v2/obs-pipelines/pipelineshttps://api.datadoghq.eu/api/v2/obs-pipelines/pipelineshttps://api.ddog-gov.com/api/v2/obs-pipelines/pipelineshttps://api.datadoghq.com/api/v2/obs-pipelines/pipelineshttps://api.us3.datadoghq.com/api/v2/obs-pipelines/pipelineshttps://api.us5.datadoghq.com/api/v2/obs-pipelines/pipelines

Overview

Retrieve a list of pipelines. This endpoint requires the observability_pipelines_read permission.

Arguments

Query Strings

Name

Type

Description

page[size]

integer

Size for a given page. The maximum allowed value is 100.

page[number]

integer

Specific page number to return.

Response

OK

Represents the response payload containing a list of pipelines and associated metadata.

Expand All

Field

Type

Description

data [required]

[object]

The schema data.

attributes [required]

object

Defines the pipeline’s name and its components (sources, processors, and destinations).

config [required]

object

Specifies the pipeline's configuration, including its sources, processors, and destinations.

destinations [required]

[ <oneOf>]

A list of destination components where processed logs are sent.

Option 1

object

The elasticsearch destination writes logs or metrics to an Elasticsearch cluster.

Supported pipeline types: logs, metrics

api_version

enum

The Elasticsearch API version to use. Set to auto to auto-detect. Allowed enum values: auto,v6,v7,v8

auth

object

Authentication settings for the Elasticsearch destination. When strategy is basic, use username_key and password_key to reference credentials stored in environment variables or secrets.

password_key

string

Name of the environment variable or secret that holds the Elasticsearch password (used when strategy is basic).

strategy [required]

enum

The authentication strategy to use. Allowed enum values: basic,aws

username_key

string

Name of the environment variable or secret that holds the Elasticsearch username (used when strategy is basic).

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

bulk_index

string

The name of the index to write events to in Elasticsearch.

compression

object

Compression configuration for the Elasticsearch destination.

algorithm [required]

enum

The compression algorithm applied when sending data to Elasticsearch. Allowed enum values: none,gzip,zlib,zstd,snappy

level

int64

The compression level. Only applicable for gzip, zlib, and zstd algorithms.

data_stream

object

Configuration options for writing to Elasticsearch Data Streams instead of a fixed index.

auto_routing

boolean

When true, automatically routes events to the appropriate data stream based on the event content.

dataset

string

The data stream dataset. This groups events by their source or application.

dtype

string

The data stream type. This determines how events are categorized within the data stream.

namespace

string

The data stream namespace. This separates events into different environments or domains.

sync_fields

boolean

When true, synchronizes data stream fields with the Elasticsearch index mapping.

endpoint_url_key

string

Name of the environment variable or secret that holds the Elasticsearch endpoint URL.

id [required]

string

The unique identifier for this component.

id_key

string

The name of the field used as the document ID in Elasticsearch.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

pipeline

string

The name of an Elasticsearch ingest pipeline to apply to events before indexing.

request_retry_partial

boolean

When true, retries failed partial bulk requests when some events in a batch fail while others succeed.

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

type [required]

enum

The destination type. The value should always be elasticsearch. Allowed enum values: elasticsearch

default: elasticsearch

Option 2

object

The http_client destination sends data to an HTTP endpoint.

Supported pipeline types: logs, metrics

auth_strategy

enum

HTTP authentication strategy. Allowed enum values: none,basic,bearer

compression

object

Compression configuration for HTTP requests.

algorithm [required]

enum

Compression algorithm. Allowed enum values: gzip

custom_key

string

Name of the environment variable or secret that holds a custom header value (used with custom auth strategies).

encoding [required]

enum

Encoding format for log events. Allowed enum values: json

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

password_key

string

Name of the environment variable or secret that holds the password (used when auth_strategy is basic).

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

token_key

string

Name of the environment variable or secret that holds the bearer token (used when auth_strategy is bearer).

type [required]

enum

The destination type. The value should always be http_client. Allowed enum values: http_client

default: http_client

uri_key

string

Name of the environment variable or secret that holds the HTTP endpoint URI.

username_key

string

Name of the environment variable or secret that holds the username (used when auth_strategy is basic).

Option 3

object

The amazon_opensearch destination writes logs to Amazon OpenSearch.

Supported pipeline types: logs

auth [required]

object

Authentication settings for the Amazon OpenSearch destination. The strategy field determines whether basic or AWS-based authentication is used.

assume_role

string

The ARN of the role to assume (used with aws strategy).

aws_region

string

AWS region

external_id

string

External ID for the assumed role (used with aws strategy).

session_name

string

Session name for the assumed role (used with aws strategy).

strategy [required]

enum

The authentication strategy to use. Allowed enum values: basic,aws

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

bulk_index

string

The index to write logs to.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

type [required]

enum

The destination type. The value should always be amazon_opensearch. Allowed enum values: amazon_opensearch

default: amazon_opensearch

Option 4

object

The amazon_s3 destination sends your logs in Datadog-rehydratable format to an Amazon S3 bucket for archiving.

Supported pipeline types: logs

auth

object

AWS authentication credentials used for accessing AWS services such as S3. If omitted, the system’s default credentials are used (for example, the IAM role and environment variables).

assume_role

string

The Amazon Resource Name (ARN) of the role to assume.

external_id

string

A unique identifier for cross-account role assumption.

session_name

string

A session identifier used for logging and tracing the assumed role session.

bucket [required]

string

S3 bucket name.

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

id [required]

string

Unique identifier for the destination component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

key_prefix

string

Optional prefix for object keys.

region [required]

string

AWS region of the S3 bucket.

storage_class [required]

enum

S3 storage class. Allowed enum values: STANDARD,REDUCED_REDUNDANCY,INTELLIGENT_TIERING,STANDARD_IA,EXPRESS_ONEZONE,ONEZONE_IA,GLACIER,GLACIER_IR,DEEP_ARCHIVE

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

type [required]

enum

The destination type. Always amazon_s3. Allowed enum values: amazon_s3

default: amazon_s3

Option 5

object

The amazon_s3_generic destination sends your logs to an Amazon S3 bucket.

Supported pipeline types: logs

auth

object

AWS authentication credentials used for accessing AWS services such as S3. If omitted, the system’s default credentials are used (for example, the IAM role and environment variables).

assume_role

string

The Amazon Resource Name (ARN) of the role to assume.

external_id

string

A unique identifier for cross-account role assumption.

session_name

string

A session identifier used for logging and tracing the assumed role session.

batch_settings

object

Event batching settings

batch_size

int64

Maximum batch size in bytes.

timeout_secs

int64

Maximum number of seconds to wait before flushing the batch.

bucket [required]

string

S3 bucket name.

compression [required]

 <oneOf>

Compression algorithm applied to encoded logs.

Option 1

object

Zstd compression.

algorithm [required]

enum

The compression type. Always zstd. Allowed enum values: zstd

default: zstd

level [required]

int64

Zstd compression level.

Option 2

object

Gzip compression.

algorithm [required]

enum

The compression type. Always gzip. Allowed enum values: gzip

default: gzip

level [required]

int64

Gzip compression level.

Option 3

object

Snappy compression.

algorithm [required]

enum

The compression type. Always snappy. Allowed enum values: snappy

default: snappy

encoding [required]

 <oneOf>

Encoding format for the destination.

Option 1

object

JSON encoding.

type [required]

enum

The encoding type. Always json. Allowed enum values: json

default: json

Option 2

object

Parquet encoding.

type [required]

enum

The encoding type. Always parquet. Allowed enum values: parquet

default: parquet

id [required]

string

Unique identifier for the destination component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

key_prefix

string

Optional prefix for object keys.

region [required]

string

AWS region of the S3 bucket.

storage_class [required]

enum

S3 storage class. Allowed enum values: STANDARD,REDUCED_REDUNDANCY,INTELLIGENT_TIERING,STANDARD_IA,EXPRESS_ONEZONE,ONEZONE_IA,GLACIER,GLACIER_IR,DEEP_ARCHIVE

type [required]

enum

The destination type. Always amazon_s3_generic. Allowed enum values: amazon_s3_generic

default: amazon_s3_generic

Option 6

object

The amazon_security_lake destination sends your logs to Amazon Security Lake.

Supported pipeline types: logs

auth

object

AWS authentication credentials used for accessing AWS services such as S3. If omitted, the system’s default credentials are used (for example, the IAM role and environment variables).

assume_role

string

The Amazon Resource Name (ARN) of the role to assume.

external_id

string

A unique identifier for cross-account role assumption.

session_name

string

A session identifier used for logging and tracing the assumed role session.

bucket [required]

string

Name of the Amazon S3 bucket in Security Lake (3-63 characters).

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

custom_source_name [required]

string

Custom source name for the logs in Security Lake.

id [required]

string

Unique identifier for the destination component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

region [required]

string

AWS region of the S3 bucket.

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

type [required]

enum

The destination type. Always amazon_security_lake. Allowed enum values: amazon_security_lake

default: amazon_security_lake

Option 7

object

The azure_storage destination forwards logs to an Azure Blob Storage container.

Supported pipeline types: logs

blob_prefix

string

Optional prefix for blobs written to the container.

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

connection_string_key

string

Name of the environment variable or secret that holds the Azure Storage connection string.

container_name [required]

string

The name of the Azure Blob Storage container to store logs in.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

type [required]

enum

The destination type. The value should always be azure_storage. Allowed enum values: azure_storage

default: azure_storage

Option 8

object

The cloud_prem destination sends logs to Datadog CloudPrem.

Supported pipeline types: logs

endpoint_url_key

string

Name of the environment variable or secret that holds the CloudPrem endpoint URL.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

type [required]

enum

The destination type. The value should always be cloud_prem. Allowed enum values: cloud_prem

default: cloud_prem

Option 9

object

The crowdstrike_next_gen_siem destination forwards logs to CrowdStrike Next Gen SIEM.

Supported pipeline types: logs

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

compression

object

Compression configuration for log events.

algorithm [required]

enum

Compression algorithm for log events. Allowed enum values: gzip,zlib

level

int64

Compression level.

encoding [required]

enum

Encoding format for log events. Allowed enum values: json,raw_message

endpoint_url_key

string

Name of the environment variable or secret that holds the CrowdStrike endpoint URL.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

token_key

string

Name of the environment variable or secret that holds the CrowdStrike API token.

type [required]

enum

The destination type. The value should always be crowdstrike_next_gen_siem. Allowed enum values: crowdstrike_next_gen_siem

default: crowdstrike_next_gen_siem

Option 10

object

The datadog_logs destination forwards logs to Datadog Log Management.

Supported pipeline types: logs

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

routes

[object]

A list of routing rules that forward matching logs to Datadog using dedicated API keys.

api_key_key

string

Name of the environment variable or secret that stores the Datadog API key used by this route.

include

string

A Datadog search query that determines which logs are forwarded using this route.

route_id

string

Unique identifier for this route within the destination.

site

string

Datadog site where matching logs are sent (for example, us1).

type [required]

enum

The destination type. The value should always be datadog_logs. Allowed enum values: datadog_logs

default: datadog_logs

Option 11

object

The google_chronicle destination sends logs to Google Chronicle.

Supported pipeline types: logs

auth

object

Google Cloud credentials used to authenticate with Google Cloud Storage.

credentials_file [required]

string

Path to the Google Cloud service account key file.

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

customer_id [required]

string

The Google Chronicle customer ID.

encoding

enum

The encoding format for the logs sent to Chronicle. Allowed enum values: json,raw_message

endpoint_url_key

string

Name of the environment variable or secret that holds the Google Chronicle endpoint URL.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

log_type

string

The log type metadata associated with the Chronicle destination.

type [required]

enum

The destination type. The value should always be google_chronicle. Allowed enum values: google_chronicle

default: google_chronicle

Option 12

object

The google_cloud_storage destination stores logs in a Google Cloud Storage (GCS) bucket. It requires a bucket name, Google Cloud authentication, and metadata fields.

Supported pipeline types: logs

acl

enum

Access control list setting for objects written to the bucket. Allowed enum values: private,project-private,public-read,authenticated-read,bucket-owner-read,bucket-owner-full-control

auth

object

Google Cloud credentials used to authenticate with Google Cloud Storage.

credentials_file [required]

string

Path to the Google Cloud service account key file.

bucket [required]

string

Name of the GCS bucket.

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

id [required]

string

Unique identifier for the destination component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

key_prefix

string

Optional prefix for object keys within the GCS bucket.

metadata

[object]

Custom metadata to attach to each object uploaded to the GCS bucket.

name [required]

string

The metadata key.

value [required]

string

The metadata value.

storage_class [required]

enum

Storage class used for objects stored in GCS. Allowed enum values: STANDARD,NEARLINE,COLDLINE,ARCHIVE

type [required]

enum

The destination type. Always google_cloud_storage. Allowed enum values: google_cloud_storage

default: google_cloud_storage

Option 13

object

The google_pubsub destination publishes logs to a Google Cloud Pub/Sub topic.

Supported pipeline types: logs

auth

object

Google Cloud credentials used to authenticate with Google Cloud Storage.

credentials_file [required]

string

Path to the Google Cloud service account key file.

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

encoding [required]

enum

Encoding format for log events. Allowed enum values: json,raw_message

endpoint_url_key

string

Name of the environment variable or secret that holds the Google Cloud Pub/Sub endpoint URL.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

project [required]

string

The Google Cloud project ID that owns the Pub/Sub topic.

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

topic [required]

string

The Pub/Sub topic name to publish logs to.

type [required]

enum

The destination type. The value should always be google_pubsub. Allowed enum values: google_pubsub

default: google_pubsub

Option 14

object

The kafka destination sends logs to Apache Kafka topics.

Supported pipeline types: logs

bootstrap_servers_key

string

Name of the environment variable or secret that holds the Kafka bootstrap servers list.

compression

enum

Compression codec for Kafka messages. Allowed enum values: none,gzip,snappy,lz4,zstd

encoding [required]

enum

Encoding format for log events. Allowed enum values: json,raw_message

headers_key

string

The field name to use for Kafka message headers.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

key_field

string

The field name to use as the Kafka message key.

librdkafka_options

[object]

Optional list of advanced Kafka producer configuration options, defined as key-value pairs.

name [required]

string

The name of the librdkafka configuration option to set.

value [required]

string

The value assigned to the specified librdkafka configuration option.

message_timeout_ms

int64

Maximum time in milliseconds to wait for message delivery confirmation.

rate_limit_duration_secs

int64

Duration in seconds for the rate limit window.

rate_limit_num

int64

Maximum number of messages allowed per rate limit duration.

sasl

object

Specifies the SASL mechanism for authenticating with a Kafka cluster.

mechanism

enum

SASL mechanism used for Kafka authentication. Allowed enum values: PLAIN,SCRAM-SHA-256,SCRAM-SHA-512

password_key

string

Name of the environment variable or secret that holds the SASL password.

username_key

string

Name of the environment variable or secret that holds the SASL username.

socket_timeout_ms

int64

Socket timeout in milliseconds for network requests.

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

topic [required]

string

The Kafka topic name to publish logs to.

type [required]

enum

The destination type. The value should always be kafka. Allowed enum values: kafka

default: kafka

Option 15

object

The microsoft_sentinel destination forwards logs to Microsoft Sentinel.

Supported pipeline types: logs

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

client_id [required]

string

Azure AD client ID used for authentication.

client_secret_key

string

Name of the environment variable or secret that holds the Azure AD client secret.

dce_uri_key

string

Name of the environment variable or secret that holds the Data Collection Endpoint (DCE) URI.

dcr_immutable_id [required]

string

The immutable ID of the Data Collection Rule (DCR).

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

table [required]

string

The name of the Log Analytics table where logs are sent.

tenant_id [required]

string

Azure AD tenant ID.

type [required]

enum

The destination type. The value should always be microsoft_sentinel. Allowed enum values: microsoft_sentinel

default: microsoft_sentinel

Option 16

object

The new_relic destination sends logs to the New Relic platform.

Supported pipeline types: logs

account_id_key

string

Name of the environment variable or secret that holds the New Relic account ID.

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

license_key_key

string

Name of the environment variable or secret that holds the New Relic license key.

region [required]

enum

The New Relic region. Allowed enum values: us,eu

type [required]

enum

The destination type. The value should always be new_relic. Allowed enum values: new_relic

default: new_relic

Option 17

object

The opensearch destination writes logs to an OpenSearch cluster.

Supported pipeline types: logs

auth

object

Authentication settings for the Elasticsearch destination. When strategy is basic, use username_key and password_key to reference credentials stored in environment variables or secrets.

password_key

string

Name of the environment variable or secret that holds the Elasticsearch password (used when strategy is basic).

strategy [required]

enum

The authentication strategy to use. Allowed enum values: basic,aws

username_key

string

Name of the environment variable or secret that holds the Elasticsearch username (used when strategy is basic).

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

bulk_index

string

The index to write logs to.

data_stream

object

Configuration options for writing to OpenSearch Data Streams instead of a fixed index.

dataset

string

The data stream dataset for your logs. This groups logs by their source or application.

dtype

string

The data stream type for your logs. This determines how logs are categorized within the data stream.

namespace

string

The data stream namespace for your logs. This separates logs into different environments or domains.

endpoint_url_key

string

Name of the environment variable or secret that holds the OpenSearch endpoint URL.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

type [required]

enum

The destination type. The value should always be opensearch. Allowed enum values: opensearch

default: opensearch

Option 18

object

The rsyslog destination forwards logs to an external rsyslog server over TCP or UDP using the syslog protocol.

Supported pipeline types: logs

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

endpoint_url_key

string

Name of the environment variable or secret that holds the syslog server endpoint URL.

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

keepalive

int64

Optional socket keepalive duration in milliseconds.

tls

object

Configuration for enabling TLS encryption between the pipeline component and external services.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

type [required]

enum

The destination type. The value should always be rsyslog. Allowed enum values: rsyslog

default: rsyslog

Option 19

object

The sentinel_one destination sends logs to SentinelOne.

Supported pipeline types: logs

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

region [required]

enum

The SentinelOne region to send logs to. Allowed enum values: us,eu,ca,data_set_us

token_key

string

Name of the environment variable or secret that holds the SentinelOne API token.

type [required]

enum

The destination type. The value should always be sentinel_one. Allowed enum values: sentinel_one

default: sentinel_one

Option 20

object

The socket destination sends logs over TCP or UDP to a remote server.

Supported pipeline types: logs

address_key

string

Name of the environment variable or secret that holds the socket address (host:port).

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

encoding [required]

enum

Encoding format for log events. Allowed enum values: json,raw_message

framing [required]

 <oneOf>

Framing method configuration.

Option 1

object

Each log event is delimited by a newline character.

method [required]

enum

The definition of ObservabilityPipelineSocketDestinationFramingNewlineDelimitedMethod object. Allowed enum values: newline_delimited

Option 2

object

Event data is not delimited at all.

method [required]

enum

The definition of ObservabilityPipelineSocketDestinationFramingBytesMethod object. Allowed enum values: bytes

Option 3

object

Each log event is separated using the specified delimiter character.

delimiter [required]

string

A single ASCII character used as a delimiter.

method [required]

enum

The definition of ObservabilityPipelineSocketDestinationFramingCharacterDelimitedMethod object. Allowed enum values: character_delimited

id [required]

string

The unique identifier for this component.

inputs [required]

[string]

A list of component IDs whose output is used as the input for this component.

mode [required]

enum

Protocol used to send logs. Allowed enum values: tcp,udp

tls

object

TLS configuration. Relevant only when mode is tcp.

ca_file

string

Path to the Certificate Authority (CA) file used to validate the server’s TLS certificate.

crt_file [required]

string

Path to the TLS client certificate file used to authenticate the pipeline component with upstream or downstream services.

key_file

string

Path to the private key file associated with the TLS client certificate. Used for mutual TLS authentication.

key_pass_key

string

Name of the environment variable or secret that holds the passphrase for the private key file.

type [required]

enum

The destination type. The value should always be socket. Allowed enum values: socket

default: socket

Option 21

object

The splunk_hec destination forwards logs to Splunk using the HTTP Event Collector (HEC).

Supported pipeline types: logs

auto_extract_timestamp

boolean

If true, Splunk tries to extract timestamps from incoming log events. If false, Splunk assigns the time the event was received.

buffer

 <oneOf>

Configuration for buffer settings on destination components.

Option 1

object

Options for configuring a disk buffer.

max_size [required]

int64

Maximum size of the disk buffer.

type

enum

The type of the buffer that will be configured, a disk buffer. Allowed enum values: disk

default: disk

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 2

object

Options for configuring a memory buffer by byte size.

max_size [required]

int64

Maximum size of the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

Option 3

object

Options for configuring a memory buffer by queue length.

max_events [required]

int64

Maximum events for the memory buffer.

type

enum

The type of the buffer that will be configured, a memory buffer. Allowed enum values: memory

default: memory

when_full

enum

Behavior when the buffer is full (block and stop accepting new events, or drop new events) Allowed enum values: block,drop_newest

default: block

encoding

enum