# Graylog resources for journald log ingestion, written as a Nix attribute set.
# The escaped "\${...}" references suggest the result is rendered to Terraform
# JSON (terranix-style); confirm against the build that consumes this file.
#
# Flow defined here:
#   GELF UDP input -> static field from_journald -> stream rule -> "journald" stream
#   plus a two-stage pipeline that rewrites the `level` field through a lookup table.
let
  # Settings for the GELF UDP listener, serialised to JSON for the provider.
  journaldInputSettings = {
    # Listens on every interface. GELF over UDP has no sender authentication
    # and no transport encryption, so any host that can reach this port can
    # submit messages. Limit reachability of UDP 11201 to the expected log
    # shippers (host firewall / network policy), or bind to an internal
    # address if the deployment allows it.
    bind_address = "0.0.0.0";
    # 8 MiB cap on the decompressed size of a compressed GELF payload.
    decompress_size_limit = 8388608;
    number_worker_threads = 4;
    port = 11201;
    # 256 KiB socket receive buffer.
    recv_buffer_size = 262144;
  };
in
{
  #data.graylog_index_set.default.index_prefix = "graylog";

  resource = {
    graylog_input = {
      journald = {
        title = "Journald Logs";
        # https://javadoc.io/doc/org.graylog2/graylog2-inputs/latest/index.html
        type = "org.graylog2.inputs.gelf.udp.GELFUDPInput";
        global = true;
        attributes = builtins.toJSON journaldInputSettings;
      };
    };

    # The marker field is attached by the input, not by the sender, so every
    # message accepted on the port above is tagged from_journald and matches
    # the stream rule below, whatever its real origin.
    graylog_input_static_fields = {
      journald = {
        input_id = "\${graylog_input.journald.id}";
        fields = {
          from_journald = true;
        };
      };
    };

    # todo create stream
    graylog_stream = {
      journald = {
        title = "journald";
        description = "journald processing stream";
        # NOTE(review): the active line refers to a managed resource
        # graylog_index_set.default that is not defined in this view; the
        # commented line is the data-source form. Confirm which one exists.
        #index_set_id = "\${data.graylog_index_set.default.id}";
        index_set_id = "\${graylog_index_set.default.id}";
        disabled = false;
        matching_type = "AND";
      };
    };

    graylog_stream_rule = {
      journald = {
        field = "from_journald";
        value = true;
        stream_id = "\${graylog_stream.journald.id}";
        #description = "";
        # Type 1 is Graylog's exact-match stream rule type.
        type = 1;
        inverted = false;
      };
    };

    # Stage 0 resolves the incoming level through a lookup table; stage 1
    # copies the resolved value back into `level`.
    # NOTE(review): no pipeline-to-stream connection is visible here; the
    # pipeline only processes messages if it is connected elsewhere.
    graylog_pipeline = {
      systemd_loglevel_fix = {
        source = ''
          pipeline "journald : log level fix"
          stage 0 match either
          rule "journald : lookup log level"
          stage 1 match either
          rule "journald : replace log level"
          end
        '';
      };
    };

    # NOTE(review): the lookup table "systemd-log-level-reverse" is not
    # defined in this view and must exist in Graylog for the lookup to work.
    graylog_pipeline_rule.lookup.source = ''
      rule "journald : lookup log level"
      when
        has_field("level")
      then
        let lookup = lookup_value("systemd-log-level-reverse",$message.level);
        set_field("level_fix",lookup);
      end
    '';

    # The helper field level_fix stays on the message after the copy.
    graylog_pipeline_rule.replace.source = ''
      rule "journald : replace log level"
      when
        has_field("level_fix")
      then
        set_field("level",$message.level_fix);
      end
    '';
  };
}