Adding template and logstash config

Author: ProTip

aws-billing-es-template.json

@@ -0,0 +1,34 @@
+{
+  "template" : "aws-billing-*",
+  "settings" : {
+    "index.refresh_interval" : "10s"
+  },
+  "mappings" : {
+    "_default_" : {
+       "_all" : {"enabled" : true},
+       "dynamic_templates" : [ {
+         "string_fields" : {
+           "match" : "*",
+           "match_mapping_type" : "string",
+           "mapping" : {
+             "type" : "string", "index" : "analyzed", "omit_norms" : true,
+               "fields" : {
+                 "raw" : {"type": "string", "index" : "not_analyzed", "ignore_above" : 256}
+               }
+           }
+         }
+       } ],
+       "properties" : {
+         "@version": { "type": "string", "index": "not_analyzed" },
+         "geoip"  : {
+           "type" : "object",
+             "dynamic": true,
+             "path": "full",
+             "properties" : {
+               "location" : { "type" : "geo_point" }
+             }
+         }
+       }
+    }
+  }
+}

logstash.conf

@@ -0,0 +1,41 @@
+input {
+  tcp {
+    port => 5140
+    codec => "line"
+  }
+}
+
+filter {
+  json {
+    source => "message"
+  }
+
+  mutate {
+    add_field => { "index" => "logstash-%{+YYYY.MM.dd}" }
+  }
+
+  if [type] == "aws_billing_hourly" or [type] == "aws_billing_monthly" {
+    if [type] == "aws_billing_hourly" {
+      date {
+        match => [ "UsageStartDate", "ISO8601" ]
+      }
+    }
+    if [type] == "aws_billing_monthly" {
+      date {
+        match => [ "BillingPeriodStartDate", "ISO8601" ]
+      }
+    }
+    mutate {
+      replace => [ "index", "aws-billing-%{+YYYY.MM}"]
+      remove_field => [ "message" ]
+    }
+  }
+
+}
+
+output {
+  elasticsearch {
+    embedded => true
+    index => "%{index}"
+  }
+}