You cannot do that using an http_poller input. You will have to use http filters. You can drive the schedule using a heartbeat input
heartbeat { interval => 60 }
If you can do a login for every audit_trail request then just use two http filters. If you need to use a single session for everything then you will need to use a single worker thread, and I think you will need to set pipeline.ordered to be true. Maybe something like
ruby {
code => '
if ! @@sessionId
event.set("[@metadata][needId]", true)
end
'
}
if ! [@metadata][needId] {
ruby { code => 'event.set([@metadata][id]", @@sessionId)' }
else
http {
# Make the call to api/v1/login
}
# Parse the session id from the response into [@metadata][id]
ruby { code => '@@sessionId = event.get("[@metadata][id]")' }
end
http {
# Make the call to audit_trail
}
Note the use of a variable with class scope (@@) so that multiple ruby filters can share it. [@metadata] is a field on the event that is ignored by most outputs, so it is useful for temporary variables.
If sessions expire then you will need to add code that sets @@sessionId back to nil just before that happens.