Articles

ELK Stack Deep Dive: Logs to Insights

March 24, 2026 8 min read

The ELK stack doesn’t actually store your logs; it uses Elasticsearch to index them, which is a fundamentally different and more powerful concept.

Let’s see it in action. Imagine you have a web server generating access logs. Each line looks something like this:

192.168.1.10 - - [10/Oct/2023:13:55:36 -0700] "GET /api/users HTTP/1.1" 200 150 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"

You want to ingest this into ELK. This is where Logstash (or its lighter cousin, Beats, often Filebeat for logs) comes in. Filebeat, running on your web server, tails the log file and ships each new line to Logstash.

Here’s a simplified Logstash configuration snippet:

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    match => { "message" => "%{IPORHOST:clientip} - - \[%{HTTPDATE:timestamp}\] \"%{WORD:method} %{URIPATHPARAM:request} HTTP/%{NUMBER:protocol}\" %{NUMBER:response:int} %{NUMBER:bytes:int} \"%{DATA:referrer}\" \"%{DATA:agent}\"" }
  }
  date {
    match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    target => "@timestamp"
  }
  geoip {
    source => "clientip"
  }
}

output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    index => "weblogs-%{+YYYY.MM.dd}"
  }
}

The input section tells Logstash to listen for Beats. The filter section is where the magic happens:

  • grok parses the raw log line into structured fields like clientip, method, request, response, etc.
  • date uses the extracted timestamp to set the actual event timestamp in Elasticsearch.
  • geoip enriches the clientip with geographical location data.

Finally, the output section sends the structured data to Elasticsearch, creating an index named weblogs-YYYY.MM.DD (e.g., weblogs-2023.10.10). Elasticsearch doesn’t just store the raw text; it indexes these fields. This means it creates inverted indexes, allowing for incredibly fast searching and aggregation on any of these fields.

This structured data is then ready for Kibana, the visualization layer. You can build dashboards with charts showing:

  • Top requested URLs (aggregated by request field).
  • Response status codes distribution (aggregated by response field).
  • Traffic by geographic location (using the geoip data).
  • Requests over time (using the @timestamp field).

The problem ELK solves is taking the chaotic, unstructured mess of raw log files scattered across many servers and transforming it into a searchable, analyzable, and visualizable stream of data. It allows you to move from "grep my logs" to "analyze trends, detect anomalies, and understand user behavior."

The core power comes from Elasticsearch’s indexing. Unlike a traditional database that might store records row by row, Elasticsearch builds an inverted index for each field. For a text field like request, it builds a dictionary mapping every unique word (or token) to a list of documents (log entries) that contain it. This allows it to find all log entries containing "GET /api/users" in milliseconds, even across billions of documents. The _source field, however, does store the original, raw JSON document for each log entry, allowing you to retrieve the full context of any indexed event.

Most people focus on the "store" aspect, but the real innovation is in how Elasticsearch makes that data instantly searchable and aggregatable at scale, transforming raw text into actionable intelligence.

The next step is understanding how to optimize Elasticsearch’s indexing and search performance for massive datasets.

Want structured learning?

Take the full Observability & Monitoring course →