gistfile1.txt

input {
      s3 {
        bucket => "bucket_name"
        credentials => ["access_key","secret_key"]
        delete => "false"
        interval => 60
        prefix => "logs/"
        #'region' => 'us-east-1'
        region_endpoint => "us-east-1"
        type => "json"
      }
     #redis {
     #  host => "redis_server"
     #  data_type => "list"
     #  key => "cloudtrail"
     #  type => "json"
     #  #protocol => "http"
     #}
}

filter {
  #  if !("splitted" in [tags]) {
  #    json {
  #      'source' => 'message'
  #    }
  #    split {
  #      'add_tag' => ['splitted']
  #      'add_tag' => ['cloudtrail']
  #      'field' => 'Records'
  #    #  'refilter' => true
  #    #  'reuse_element' => false
  #    }
  #  }

    if ("splitted" in [tags]) {
      date {
        'match' => ['eventTime', 'ISO8601']
        'remove_tag' => ['splitted']
        'add_tag' => ['cloudtrail']
      }
      ruby {
        'code' => '["responseElements","requestParameters"].each { |field| event[field] = event[field].inspect }  '
          }
    }
}

output {
  stdout {
   }
  elasticsearch {
    cluster => "logstash"
    host => "elasticsearch_server"
    embedded => "false"
    protocol => "http"
  }
}