Today's Logstash conf file is for AMP for Endpoints. You will need an API key created inside the AMP cloud dashboard. Inside the two .sh files, put that API key in place of yourkeyhere. You will also need to place the two .sh files I am providing in your /etc directory on Linux. amp.sh needs an entry in /etc/crontab like */5 * * * * root /etc/amp.sh so that it runs every 5 minutes. It produces the file /etc/run-amp.sh, which I am also providing; it builds the curl line with the correct command for the previous 5 minutes. Make sure you make logstash the owner of these files. Last but not least is the amp.conf file for Logstash, which takes the ingested JSON and creates parsed data for you. I was able to create some nice charts and graphs in Kibana from the data. Make sure you remove the .txt part of the file names before using them. If you get stuck anywhere, let me know.
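The generator step described above (a cron-driven amp.sh that writes run-amp.sh with a curl line for the previous 5-minute window), as an added example. This is not the author's amp.sh or run-amp.sh and is not code from Cisco; it assumes, and you should check against the API docs linked below, that the events endpoint is https://api.amp.cisco.com/v1/events, that it accepts a start_date parameter in ISO 8601 UTC, and that authentication is HTTP basic auth with client_id:api_key. The client ID value, the AMP_* environment variables and the default output path ./run-amp.sh are the example's own choices (the post writes to /etc/run-amp.sh; set RUN_AMP_PATH=/etc/run-amp.sh in the crontab entry to match it). Because the generated file contains the API key, it is created with umask 077 and chmod 0700 rather than left world-readable.

```shell
#!/bin/sh
# Added example, not the post's amp.sh: builds a run-amp.sh that pulls
# AMP for Endpoints events for the previous 5-minute window.
# Assumptions (not from the post): endpoint /v1/events, parameter start_date
# in ISO 8601 UTC, basic auth with client_id:api_key. Verify in the API docs.

AMP_HOST="${AMP_HOST:-api.amp.cisco.com}"
AMP_CLIENT_ID="${AMP_CLIENT_ID:-yourclientidhere}"   # placeholder, replace
AMP_API_KEY="${AMP_API_KEY:-yourkeyhere}"            # placeholder, as in the post
WINDOW_SECONDS="${WINDOW_SECONDS:-300}"              # 5 minutes, matching cron's */5
RUN_AMP_PATH="${RUN_AMP_PATH:-./run-amp.sh}"         # the post uses /etc/run-amp.sh

# iso_utc EPOCH -> prints EPOCH as YYYY-MM-DDTHH:MM:SSZ.
# Tries GNU date (-d @epoch) first, then BSD/macOS date (-r epoch).
iso_utc() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ 2>/dev/null \
    || date -u -r "$1" +%Y-%m-%dT%H:%M:%SZ
}

# window_start NOW_EPOCH WINDOW_SECONDS -> start of the previous window, ISO 8601.
window_start() {
  iso_utc $(( $1 - $2 ))
}

# build_curl_line START_ISO -> the curl command run-amp.sh will execute.
# --fail makes HTTP errors exit non-zero, so a revoked key surfaces in cron
# mail instead of handing an error body to Logstash as if it were events.
build_curl_line() {
  printf 'curl --fail --silent --show-error -u "%s:%s" "https://%s/v1/events?start_date=%s"\n' \
    "$AMP_CLIENT_ID" "$AMP_API_KEY" "$AMP_HOST" "$1"
}

# write_runner START_ISO PATH -> writes the runner script containing the curl line.
# The file embeds the API key, so it is created readable by its owner only.
write_runner() {
  umask 077
  {
    echo '#!/bin/sh'
    echo "# generated $(iso_utc "$(date +%s)") by amp.sh; do not edit by hand"
    build_curl_line "$1"
  } > "$2"
  chmod 0700 "$2"
}

main() {
  now=$(date +%s)
  start=$(window_start "$now" "$WINDOW_SECONDS")
  write_runner "$start" "$RUN_AMP_PATH"
}

main
```

Run it once by hand with AMP_CLIENT_ID and AMP_API_KEY exported and inspect the generated run-amp.sh before wiring it into /etc/crontab; after the cron entry is in place, chown the generated file to logstash as the post recommends so Logstash can execute it without the key being readable by other accounts.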
https://api-docs.amp.cisco.com/api_resources?api_host=api.amp.cisco.com&api_version=v1