sidkrishna/logstash_filter Secret

## logstash_filter
filter {
    if [type] == "syslog" {
        grok {
            match => { "message" => "Interface %{GREEDYDATA:interfacename} is link down" }
            add_field => [ "received_at", "%{@timestamp}"]
            add_field => [ "received_from", "%{host}" ]
        }
    }
}

## logstash_input_ouput
input {
    udp {
       port => 514
       type => syslog
    }
}

output {
    elasticsearch { hosts => ["127.0.0.1:9200"] }
    stdout { }
}

## stackstorm_elk_webhook
name: "elk_link_flap_webhook_rule"
  enabled: true
  description: "ELK link flap  webhook rule"

  trigger:
    type: "core.st2.webhook"
    parameters:
      url: "elk_link_flap"

  criteria: {}

  action:
    ref: st2_demos.link_flap_remed_workflow
    parameters:
      host: "{{trigger.body.host}}"
      interface: "{{trigger.body.interface}}"

## watcher_watch
PUT _watcher/watch/my_demo_watch
{
  "trigger" : {
    "schedule" : { "interval" : "5s" }
  },
  "input" : {
    "search": {
      "request": {
        "indices": "logstash-*",
        "body": {
          "query": {
            "bool": {
              "must": {
                "match_phrase": {
                  "message": "is link down"
                }
              },
              "filter" : {
                "range": {
                  "@timestamp": {
                      "from": "now-8s",
                      "to": "now"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
      "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "my_webhook" : {
      "webhook" : {
        "scheme" : "https",
        "port"  : 443,
        "method" : "POST",
        "host" : "bwc",
        "path" : "/api/v1/webhooks/elk_link_flap?st2-api-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
        "headers": {
          "Content-Type": "application/json"
        },
        "body" : "{\"host\": \"{{ctx.payload.hits.hits.0._source.host}}\", \"interface\": \"{{ctx.payload.hits.hits.0._source.interfacename}}\"}"
      }
   }
  }
 }
	filter {
	if [type] == "syslog" {
	grok {
	match => { "message" => "Interface %{GREEDYDATA:interfacename} is link down" }
	add_field => [ "received_at", "%{@timestamp}"]
	add_field => [ "received_from", "%{host}" ]
	}
	}
	}
	input {
	udp {
	port => 514
	type => syslog
	}
	}

	output {
	elasticsearch { hosts => ["127.0.0.1:9200"] }
	stdout { }
	}
	name: "elk_link_flap_webhook_rule"
	enabled: true
	description: "ELK link flap webhook rule"

	trigger:
	type: "core.st2.webhook"
	parameters:
	url: "elk_link_flap"

	criteria: {}

	action:
	ref: st2_demos.link_flap_remed_workflow
	parameters:
	host: "{{trigger.body.host}}"
	interface: "{{trigger.body.interface}}"
	PUT _watcher/watch/my_demo_watch
	{
	"trigger" : {
	"schedule" : { "interval" : "5s" }
	},
	"input" : {
	"search": {
	"request": {
	"indices": "logstash-*",
	"body": {
	"query": {
	"bool": {
	"must": {
	"match_phrase": {
	"message": "is link down"
	}
	},
	"filter" : {
	"range": {
	"@timestamp": {
	"from": "now-8s",
	"to": "now"
	}
	}
	}
	}
	}
	}
	}
	}
	},
	"condition" : {
	"compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
	},
	"actions" : {
	"my_webhook" : {
	"webhook" : {
	"scheme" : "https",
	"port" : 443,
	"method" : "POST",
	"host" : "bwc",
	"path" : "/api/v1/webhooks/elk_link_flap?st2-api-key=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
	"headers": {
	"Content-Type": "application/json"
	},
	"body" : "{\"host\": \"{{ctx.payload.hits.hits.0._source.host}}\", \"interface\": \"{{ctx.payload.hits.hits.0._source.interfacename}}\"}"
	}
	}
	}
	}