All Products
Search

This Product

    Simple Log Service:Import Elasticsearch/OpenSearch data

    Document Center

    Simple Log Service:Import Elasticsearch/OpenSearch data

    Last Updated:Jun 16, 2026

    You can import data from Elasticsearch/OpenSearch into Simple Log Service (SLS) to query, analyze, and process the data.

    Prerequisites

    Supported versions

    Only Elasticsearch 6.3 or later and OpenSearch 1.0.0 or later are supported.

    Create a data import configuration

    1. Log on to the Simple Log Service console.

    2. In the Import Data section, click the Data Import tab, and then select ES/OpenSearch - Data Import.

    3. Select the destination project and Logstore, and then click Next.

    4. Configure the import settings.

      1. In the Import Configuration step, configure the following parameters.

        Parameter

        Description

        Task Name

        A unique name for the import job.

        Display Name

        The display name of the job.

        Job Description

        The description of the import job.

        Service Instance URL

        The URL of the Elasticsearch/OpenSearch server. Use the format http://host:port/.

        You can specify multiple URLs separated by commas (,), for example, http://host1:port1/,http://host2:port2/.

        The default service port for Elasticsearch/OpenSearch is 9200.

        Important

        If you set VPC ID, you must set host to the IPv4 address of the corresponding ECS instance.

        Index List

        The indexes to import. Separate multiple index names with commas (,), for example, index1,index2,index3.

        User Name

        The username to access the Elasticsearch/OpenSearch cluster. Required only if the cluster uses authentication.

        User Password

        The password to access the Elasticsearch/OpenSearch cluster.

        Time Field

        The field in the source index that represents time, used as the log time.

        If you do not specify a time field, SLS uses the system time when the data is imported as the log time.

        Important

        To perform an incremental import, you must set Time Field.

        Time Field Format

        The time format used to parse the value of the time field.

        • Supports time formats that follow Java's SimpleDateFormat syntax, such as yyyy-MM-dd HH:mm:ss. For more information about the syntax, see Class SimpleDateFormat. For common time formats, see Time formats.

        • Supports epoch formats. Valid values: epoch, epochMillis, epochMacro, and epochNano.

        Important

        Java's SimpleDateFormat does not support UNIX timestamps. If you want to use UNIX timestamps, you must set Time Field Format to an epoch format.

        Time Zone

        The time zone of the time field.

        You do not need to set a time zone if Time Field Format is set to an epoch format.

        Query

        The search query used to filter data. The query must follow the Elasticsearch/OpenSearch query_string format. Example: gender:male and city:Shanghai. For more information, see Query string query.

        Import Method

        The method used to import data.

        • Import Only Historical Data: The job stops automatically after importing the data.

        • Automatically Import Incremental Data: The import job runs continuously.

          Important

          If you select Automatically Import Incremental Data, you must set Time Field.

        Start At

        The start time for the import. SLS imports data only if its timestamp is on or after this time.

        Important

        This parameter takes effect only if Time Field is set.

        End Time

        The end time for the import. SLS imports data only if its timestamp is on or before this time.

        Important

        This parameter takes effect only if Time Field is set and Import Method is set to Import Only Historical Data.

        Maximum Latency in Seconds

        The maximum allowed delay, in seconds, between data generation and its ingestion into the source cluster.

        Important

        • Setting this value lower than the actual latency may cause data loss.

        • This parameter takes effect only if Time Field is set and Import Method is set to Automatically Import Incremental Data.

        Incremental Data Check Interval (Seconds)

        The interval in seconds at which to check for new data in Elasticsearch/OpenSearch. Default value: 300. Minimum value: 60.

        VPC ID

        If your source resides in a VPC (either an Alibaba Cloud Elasticsearch/OpenSearch cluster or a self-hosted cluster on an ECS instance), set this parameter so that SLS reads data over the internal network for better security and stability.

        Important

        The Elasticsearch/OpenSearch cluster must allow access from the 100.104.0.0/16 CIDR block.

      2. Click Preview to preview the import results.

      3. After you confirm the settings, click Next.

    5. Configure the settings for Preview Data and Create Index, and then click Next. Simple Log Service enables the full-text index by default. You can also manually create field indexes based on the collected logs, or click Automatic Index Generation, and Simple Log Service will automatically generate field indexes. For more information, see Create an index.

      Important

      Use a full-text index to query all log fields. To query specific fields, reduce index traffic, or perform analysis with SELECT statements, use a field index.

    6. Click Query Log. Then, you are redirected to the query and analysis page of your Logstore.

      You must wait approximately 1 minute for the indexes to take effect. Then, you can view the collected logs on the Raw Logs tab. For more information about how to query and analyze logs, see Query and analysis quick start.

    View the data import configuration

    After you create a data import configuration, you can view its details and the generated report in the console.

    1. Click the destination Project.

    2. In the navigation pane of the destination Logstore, choose Data Collection > Data Import and click the name of the configuration.

    3. On the Import Configuration Overview page, view the basic information and report for the configuration.

    More operations

    • Delete an import configuration

      On the Import Configuration Overview page, you can click Delete Configuration to delete the data import configuration.

      Warning

      This action cannot be undone. Proceed with caution.

    • Stop and restart an import job

      When you create a data import configuration, SLS creates a corresponding import job. On the Import Configuration Overview page, you can click Stop to stop the job. You can restart it later.

      Important

      A stopped job's status is retained for 24 hours. If not restarted within this period, the job becomes unavailable and will fail if you attempt to restart it later.

    FAQ

    Issue

    Possible cause

    Solution

    An Elasticsearch/OpenSearch connection error (failed to connect) occurs during preview.

    • The URL of the Elasticsearch/OpenSearch server is incorrect.

    • The IP addresses used by the import service are not added to the IP address whitelist, so the import service cannot access the Elasticsearch/OpenSearch cluster.

    • When you import data from an Elasticsearch/OpenSearch cluster deployed on Alibaba Cloud, the VPC ID is not set.

    • Make sure that the URL of the Elasticsearch/OpenSearch server is correct.

    • Add the IP addresses to the IP address whitelist to allow the import service to connect to the cluster. For more information, see IP address whitelist.

    • When importing data from an Alibaba Cloud-hosted Elasticsearch/OpenSearch cluster over the internal network, make sure the VPC ID is set.

    A timeout error (preview request timed out) occurs during preview.

    The source index is empty or contains no data that matches the filter conditions.

    • If the index contains no data, write data to the index and then preview again.

    • When you set the time field and time format, make sure they match the actual time field and format in your data.

    • When you set the Elasticsearch/OpenSearch search conditions or time range, make sure the index contains matching data.

    The log time displayed in SLS is inconsistent with the actual data time.

    The log time field was not specified, or the time format or time zone was configured incorrectly in the import configuration.

    Specify the log time field and set the correct time format and time zone. For more information, see Create a data import configuration.

    Data cannot be queried or analyzed after being imported.

    • The data is outside the query time range.

    • Indexes have not been created for the Logstore.

    • The indexes have not taken effect.

    • Check whether the time of the data you want to query is within the specified query time range.

      If not, adjust the time range and run the query again.

    • Check whether you created indexes for the Logstore.

      If not, create indexes first. For more information, see Create indexes and reindex.

    • If indexes are configured and the imported data volume shown on the Data Processing Insight dashboard matches your expectation, the likely cause is that the indexes are not in effect. Try to reindex. For more information, see reindex.

    The number of imported data entries is less than expected.

    Some Elasticsearch/OpenSearch documents are larger than 3 MB. You can confirm this on the Data Processing Insight dashboard.

    Reduce the size of individual Elasticsearch/OpenSearch documents.

    When incremental import is enabled, there is a significant delay in importing new data.

    • The value for Maximum Latency in Seconds is too large.

    • The bandwidth of the Elasticsearch/OpenSearch cluster is at its limit.

    • The network is unstable when importing data over the public network.

    • The Logstore has too few shards.

    • For more possible causes, see Performance limits.

    • Make sure you have set a reasonable value for Maximum Latency in Seconds and adjust it based on your actual latency.

    • Check whether the Elasticsearch/OpenSearch cluster traffic is reaching its bandwidth limit, especially for Alibaba Cloud-hosted clusters. If so, increase the bandwidth.

    • If you are importing Elasticsearch/OpenSearch data over the public network, ensure you have sufficient bandwidth.

    • If the Logstore has few shards, try increasing the number of shards and monitor the latency. For more information, see Manage shards.

    Error handling

    Error

    Description

    Communication error with the Elasticsearch/OpenSearch cluster

    The import job pulls Elasticsearch/OpenSearch data in scroll mode with a default keep-alive duration of 24 hours. If network connection errors or other issues prevent normal communication with Elasticsearch/OpenSearch (such as authentication failures), the import job retries automatically.

    If the connection is not restored within 24 hours, the source server clears the scroll session. The import job then fails with a "No search context found" error and must be recreated.