- Elastic integrations
- Integrations quick reference
- 1Password
- Abnormal Security
- ActiveMQ
- Active Directory Entity Analytics
- Admin By Request EPM integration
- Airflow
- Akamai
- Apache
- API (custom)
- Arbor Peakflow SP Logs
- Arista NG Firewall
- Atlassian
- Auditd
- Auth0
- authentik
- AWS
- Amazon CloudFront
- Amazon DynamoDB
- Amazon EBS
- Amazon EC2
- Amazon ECS
- Amazon EMR
- AWS API Gateway
- Amazon GuardDuty
- AWS Health
- Amazon Kinesis Data Firehose
- Amazon Kinesis Data Stream
- Amazon MQ
- Amazon Managed Streaming for Apache Kafka (MSK)
- Amazon NAT Gateway
- Amazon RDS
- Amazon Redshift
- Amazon S3
- Amazon S3 Storage Lens
- Amazon Security Lake
- Amazon SNS
- Amazon SQS
- Amazon VPC
- Amazon VPN
- AWS Bedrock
- AWS Billing
- AWS CloudTrail
- AWS CloudWatch
- AWS ELB
- AWS Fargate
- AWS Inspector
- AWS Lambda
- AWS Logs (custom)
- AWS Network Firewall
- AWS Route 53
- AWS Security Hub
- AWS Transit Gateway
- AWS Usage
- AWS WAF
- Azure
- Activity logs
- App Service
- Application Gateway
- Application Insights metrics
- Application Insights metrics overview
- Application State Insights metrics
- Azure logs (v2 preview)
- Azure OpenAI
- Billing metrics
- Container instance metrics
- Container registry metrics
- Container service metrics
- Custom Azure Logs
- Custom Blob Storage Input
- Database Account metrics
- Event Hub input
- Firewall logs
- Frontdoor
- Functions
- Microsoft Entra ID
- Monitor metrics
- Network Watcher VNet
- Network Watcher NSG
- Platform logs
- Resource metrics
- Spring Cloud logs
- Storage Account metrics
- Virtual machines metrics
- Virtual machines scaleset metrics
- Barracuda
- BeyondInsight and Password Safe Integration
- BitDefender
- Bitwarden
- blacklens.io
- Blue Coat Director Logs
- BBOT (Bighuge BLS OSINT Tool)
- Box Events
- Bravura Monitor
- Broadcom ProxySG
- Canva
- Cassandra
- CEL Custom API
- Ceph
- Check Point
- Cilium Tetragon
- CISA Known Exploited Vulnerabilities
- Cisco
- Cisco Meraki Metrics
- Citrix
- Claroty CTD
- Cloudflare
- Cloud Asset Inventory
- CockroachDB Metrics
- Common Event Format (CEF)
- Containerd
- CoreDNS
- Corelight
- Couchbase
- CouchDB
- Cribl
- CrowdStrike
- Cyberark
- Cybereason
- CylanceProtect Logs
- Custom Websocket logs
- Darktrace
- Data Exfiltration Detection
- DGA
- Digital Guardian
- Docker
- DomainTools Real Time Unified Feeds
- Elastic APM
- Elastic Fleet Server
- Elastic Security
- Elastic Stack monitoring
- Elasticsearch Service Billing
- Envoy Proxy
- ESET PROTECT
- ESET Threat Intelligence
- etcd
- Falco
- F5
- File Integrity Monitoring
- FireEye Network Security
- First EPSS
- Forcepoint Web Security
- ForgeRock
- Fortinet
- Gigamon
- GitHub
- GitLab
- Golang
- Google Cloud
- Custom GCS Input
- GCP
- GCP Audit logs
- GCP Billing metrics
- GCP Cloud Run metrics
- GCP CloudSQL metrics
- GCP Compute metrics
- GCP Dataproc metrics
- GCP DNS logs
- GCP Firestore metrics
- GCP Firewall logs
- GCP GKE metrics
- GCP Load Balancing metrics
- GCP Metrics Input
- GCP PubSub logs (custom)
- GCP PubSub metrics
- GCP Redis metrics
- GCP Security Command Center
- GCP Storage metrics
- GCP VPC Flow logs
- GCP Vertex AI
- GoFlow2 logs
- Hadoop
- HAProxy
- Hashicorp Vault
- HTTP Endpoint logs (custom)
- IBM MQ
- IIS
- Imperva
- InfluxDb
- Infoblox
- Iptables
- Istio
- Jamf Compliance Reporter
- Jamf Pro
- Jamf Protect
- Jolokia Input
- Journald logs (custom)
- JumpCloud
- Kafka
- Keycloak
- Kubernetes
- LastPass
- Lateral Movement Detection
- Linux Metrics
- Living off the Land Attack Detection
- Logs (custom)
- Lumos
- Lyve Cloud
- Mattermost
- Memcached
- Menlo Security
- Microsoft
- Microsoft 365
- Microsoft Defender for Cloud
- Microsoft Defender for Endpoint
- Microsoft DHCP
- Microsoft DNS Server
- Microsoft Entra ID Entity Analytics
- Microsoft Exchange Online Message Trace
- Microsoft Exchange Server
- Microsoft Graph Activity Logs
- Microsoft M365 Defender
- Microsoft Office 365 Metrics Integration
- Microsoft Sentinel
- Microsoft SQL Server
- Mimecast
- ModSecurity Audit
- MongoDB
- MongoDB Atlas
- MySQL
- Nagios XI
- NATS
- NetFlow Records
- Netskope
- Network Beaconing Identification
- Network Packet Capture
- Nginx
- Okta
- Oracle
- OpenAI
- OpenCanary
- Osquery
- Palo Alto
- pfSense
- PHP-FPM
- PingOne
- PingFederate
- Pleasant Password Server
- PostgreSQL
- Prometheus
- Proofpoint TAP
- Proofpoint On Demand
- Pulse Connect Secure
- Qualys VMDR
- QNAP NAS
- RabbitMQ Logs
- Radware DefensePro Logs
- Rapid7
- Redis
- Rubrik RSC Metrics Integration
- Sailpoint Identity Security Cloud
- Salesforce
- SentinelOne
- ServiceNow
- Slack Logs
- Snort
- Snyk
- SonicWall Firewall
- Sophos
- Spring Boot
- SpyCloud Enterprise Protection
- SQL Input
- Squid Logs
- SRX
- STAN
- Statsd Input
- Sublime Security
- Suricata
- StormShield SNS
- Symantec
- Symantec Endpoint Security
- Sysmon for Linux
- Sysdig
- Syslog Router Integration
- System
- System Audit
- Tanium
- TCP Logs (custom)
- Teleport
- Tenable
- Threat intelligence
- ThreatConnect
- Threat Map
- Thycotic Secret Server
- Tines
- Traefik
- Trellix
- Trend Micro
- TYCHON Agentless
- UDP Logs (custom)
- Universal Profiling
- Vectra Detect
- VMware
- WatchGuard Firebox
- WebSphere Application Server
- Windows
- Wiz
- Zeek
- ZeroFox
- Zero Networks
- ZooKeeper Metrics
- Zoom
- Zscaler
Elasticsearch Service Billing
editElasticsearch Service Billing
editVersion |
1.4.1 (View all) |
Compatible Kibana version(s) |
8.15.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Community |
The Elasticsearch Service Billing integration allows you to monitor Elasticsearch Service usage and costs. It collects billing data from the Elasticsearch Service billing API and sends it to your target Elasticsearch cluster. Dashboards are provided out-of-the-box to help you visualize your Elasticsearch Service usage and costs.
Using this integration, you could for instance create alerts whenever a new deployment is created, or when your baseline spending exceeds a certain threshold.
Data streams
editThe Elasticsearch Service Billing integration collects the following data streams:
-
Your daily spending in the
metrics-ess_billing.billingdata stream. -
For customers with a yearly commitment with Elastic, your credit status in the
metrics-ess_billing.creditdata stream.
By default, the last year of data of billing data is collected upon first execution of the integration. The data is then collected daily, the integration will automatically collect the latest data every day.
Requirements
editYou need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
You will need to recover the identifier of your organization, which can be seen in the cloud organization page.
You will also need to provision an API key with the Billing admin role in the API keys page.
For private cloud, or admin users, the cloud endpoint can be altered to match your requirements. You can change this in the "advanced settings" section of the integration configuration.
Setup
editFor step-by-step instructions on how to set up an integration, see the Getting started guide.
If you run in the cloud (Cloud Hosted of Serverless), this integration is available agentless from cluster version 8.17 onward - if this criteria is met, you don’t need to install an Elastic Agent to gather these metrics.
Data streams reference
editmetrics-ess_billing.billing data stream
editThe metrics-ess_billing.billing data stream collects billing data from the Elasticsearch Service billing API. This exposes information about the ECU consumption for each deployment or service provided by Elastic (serverless projects, synthetics monitors).
Example
An example event for billing looks as following:
{ "@timestamp": "2024-01-10T00:00:00.000Z", "agent": { "ephemeral_id": "fb0f134f-4261-49f2-922c-6f2785960a4e", "id": "6c2fb3e5-8b0c-4044-a920-bc47cd3ac9a3", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.15.1" }, "cloud": { "account": { "id": "3166899605" }, "geo": { "location": { "lat": 53.34979997947812, "lon": -6.260300064459443 }, "name": "gcp-europe-west1" }, "instance": { "id": "eb4bdbcfca05493bb72aa0b65cc1a2d3", "name": "monitoring" }, "machine": { "type": "es.ml.n2.68x32x45" }, "provider": "gcp", "region": "gcp-europe-west1" }, "data_stream": { "dataset": "ess_billing.billing", "namespace": "default", "type": "metrics" }, "ecs": { "version": "8.0.0" }, "elastic_agent": { "id": "6c2fb3e5-8b0c-4044-a920-bc47cd3ac9a3", "snapshot": false, "version": "8.15.1" }, "ess": { "billing": { "deployment_id": "eb4bdbcfca05493bb72aa0b65cc1a2d3", "deployment_name": "monitoring", "display_quantity": { "formatted_value": "24 hours", "type": "default", "value": 24 }, "from": "2024-01-10T00:00:00.000Z", "kind": "elasticsearch", "name": "Cloud Standard, GCP europe-west1 (Belgium), gcp.es.ml.n2.68x32x45, 8GB, 1AZ", "organization_id": "3166899605", "quantity": { "formatted_value": "24 hours", "value": 24 }, "ram_per_zone": 8192, "rate": { "formatted_value": "0.3528 per hour", "value": 0.3528 }, "sku": "gcp.es.ml.n2.68x32x45_gcp-europe-west1_8192_1", "to": "2024-01-11T00:00:00.000Z", "total_ecu": 8.4672, "type": "capacity", "unit": "hour", "zone_count": 1 } }, "event": { "agent_id_status": "verified", "created": "2024-10-28T08:41:53.653Z", "dataset": "ess_billing.billing", "ingested": "2024-10-28T08:41:53Z", "module": "ess_billing" }, "input": { "type": "cel" }, "tags": [ "billing", "forwarded" ] }
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
cloud.account.id |
keyword |
|
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
ess.billing.cloud.machine.type |
The machine type of the instance (e.g., n2.68x16x45). |
keyword |
ess.billing.deployment_id |
ID of the Elasticsearch Service deployment. |
keyword |
ess.billing.deployment_name |
Name of the Elasticsearch Service deployment. |
keyword |
ess.billing.display_quantity.formatted_value |
Human-readable representation of the quantity used (e.g., "24 hours"). |
keyword |
ess.billing.display_quantity.type |
Type of quantity displayed (default or custom). |
keyword |
ess.billing.display_quantity.value |
Actual quantity used (e.g., 24). |
float |
ess.billing.from |
Start time of the billing period. |
date |
ess.billing.kind |
Type of service being billed (e.g., elasticsearch, kibana). |
keyword |
ess.billing.name |
Description of the SKU or resource being billed. |
keyword |
ess.billing.organization_id |
ID of the organization in Elastic Cloud. |
keyword |
ess.billing.quantity.formatted_value |
Human-readable representation of the billed quantity (e.g., "24 hours"). |
keyword |
ess.billing.quantity.value |
Billed quantity. |
float |
ess.billing.ram_per_zone |
RAM size per zone in megabytes. |
integer |
ess.billing.rate.formatted_value |
Human-readable representation of the rate (e.g., "0.7992 per hour"). |
keyword |
ess.billing.rate.value |
Billed rate per unit of usage. |
float |
ess.billing.sku |
Unique identifier for the service or product (SKU). |
keyword |
ess.billing.to |
End time of the billing period. |
date |
ess.billing.total_ecu |
Total Elasticsearch Compute Units (ECU) used. |
float |
ess.billing.type |
Type of billing (e.g., capacity, usage). |
keyword |
ess.billing.unit |
Unit of the resource being billed (e.g., hour, GB). |
keyword |
ess.billing.zone_count |
Number of availability zones. |
integer |
event.module |
Event module |
constant_keyword |
input.type |
keyword |
metrics-ess_billing.credit data stream
editThe metrics-ess_billing.credit data stream collects credit data from the Elasticsearch Service billing API. This is only available for customers with a direct yearly or multi-year contract with Elastic (not marketplace or monthly subscriptions).
Example
An example event for credits looks as following:
{ "@timestamp": "2025-01-29T15:57:57.368Z", "agent": { "ephemeral_id": "3fefd74f-7a64-4bad-82e8-6c226de5d333", "id": "bb84ef9e-6cd6-4177-822a-b3a0f05644f3", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.17.0" }, "cloud": { "account": { "id": "12345678" } }, "data_stream": { "dataset": "ess_billing.credits", "namespace": "default", "type": "metrics" }, "ecs": { "version": "8.0.0" }, "elastic_agent": { "id": "bb84ef9e-6cd6-4177-822a-b3a0f05644f3", "snapshot": false, "version": "8.17.0" }, "ess": { "billing": { "active": false, "ecu_balance": 1463000, "ecu_quantity": 1463000, "start": "2025-07-01T00:00:00.000Z", "end": "2026-06-30T23:59:59.999Z", "organization_id": "12345678", "type": "prepaid_consumption" } }, "event": { "agent_id_status": "verified", "dataset": "ess_billing.credits", "ingested": "2025-01-29T15:57:58Z" }, "input": { "type": "cel" }, "tags": [ "billing", "forwarded" ] }
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
cloud.account.id |
keyword |
|
data_stream.dataset |
Data stream dataset. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
ess.billing.active |
Whether the credit line is active. |
boolean |
ess.billing.ecu_balance |
Balance of Elastic Consumption Units (ECUs) in the credit line. |
long |
ess.billing.ecu_quantity |
Initially purchased quantity of Elastic Consumption Units (ECUs) in the credit line. |
long |
ess.billing.end |
End date of the credit line. |
date |
ess.billing.organization_id |
ID of the organization in Elastic Cloud. |
keyword |
ess.billing.start |
Start date of the credit line. |
date |
ess.billing.type |
Type of the credit line. |
keyword |
input.type |
keyword |
Changelog
editChangelog
| Version | Details | Kibana version(s) |
|---|---|---|
1.4.1 |
Enhancement (View pull request) |
8.15.0 or higher |
1.4.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.3.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.2.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.1.0 |
Enhancement (View pull request) |
8.15.0 or higher |
1.0.1 |
Bug fix (View pull request) |
8.15.0 or higher |
1.0.0 |
Enhancement (View pull request) |
8.15.0 or higher |
0.1.1 |
Bug fix (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |
On this page