#!/usr/bin/env ansible-playbook
###############################################################################
# Query Elasticsearch for the log document whose message contains a given
# support ID, then print that document's log source and signature names/IDs.
# Example: ansible-playbook elk_query_sig.yml -e support_id=7433281905790294428
# Author: Foo-Bang (fb@f5.com)
# Version: 0.01
###############################################################################
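---
- name: "### PLAY 01 ### - Query Elasticsearch"
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    # Elasticsearch endpoint (host:port). The original queried plain HTTP with
    # no authentication; NOTE(review): put the endpoint behind TLS and
    # credentials (uri: url_username/url_password or an API-key header) before
    # using this outside a lab. elk_scheme is a parameter so that switching to
    # https needs no edit of the task itself.
    elk_scheme: http
    elk_ip: "192.168.211.11:9200"
    # support_id is expected from the command line: -e support_id=<id>.
    # The original declared `support_id: "{{ support_id }}"` here, a
    # self-reference that recurses when the extra-var is not supplied; the
    # explicit assert below gives a clear error instead.
  tasks:
    - name: "# TASK 00 # - Require a support ID"
      assert:
        that:
          - support_id is defined
          - support_id | string | length > 0
        fail_msg: "support_id is required, e.g. -e support_id=7433281905790294428"

    - name: "# TASK 01 # - Query elasticsearch"
      uri:
        url: "{{ elk_scheme }}://{{ elk_ip }}/_search"
        # _search accepts both GET and POST; POST is used because some HTTP
        # proxies and clients silently drop the body of a GET request.
        method: POST
        # Build the query as a structure and let the uri module serialize it.
        # The original hand-built the JSON string and interpolated support_id
        # unescaped, so a value containing quotes or braces could rewrite the
        # query; with body_format: json the module escapes it for us.
        body:
          query:
            match:
              message:
                query: "{{ support_id }}"
        body_format: json
        return_content: true
        # Fail the play on any non-200 rather than on a later missing-key error.
        status_code: 200
        timeout: 30
      register: data

    - name: "# TASK 01b # - Ensure the query matched at least one document"
      # hits.total is an int on ES < 7 and an object on ES >= 7, so the length
      # of hits.hits is the portable way to check for an empty result.
      assert:
        that:
          - data.json.hits.hits | length > 0
        fail_msg: "No Elasticsearch document matched support_id {{ support_id }}"

    - name: "# TASK 02 # Print output"
      # The original printed only hits[0]; every match is printed now, so the
      # first line of output is unchanged and additional hits are not hidden.
      # default('n/a') keeps a document that lacks one of the fields from
      # aborting the whole loop.
      debug:
        msg:
          - "Log Source: '{{ item._source.logsource | default('n/a') }}'"
          - "Signature Name: '{{ item._source.sig_names | default('n/a') }}'"
          - "Signature IDs: '{{ item._source.sig_ids | default('n/a') }}'"
      loop: "{{ data.json.hits.hits }}"
      loop_control:
        label: "{{ item._id | default('hit') }}"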