Add new t_JSON_5424_ALL template

* Add new `t_JSON_5424_ALL` template to aid in log path development * Use `ISODATE` rather than `DATE` in `t_JSON_5424_ALL` to retain TZ info * Refine existing `t_JSON_5424` to keep `RAWMSG` if it exists and omit macros that are passed as Splunk metadata or sc4s indexed fields.
CSVD · May 31, 2020 · 09baff9 · 09baff9
1 parent 9a871ef
commit 09baff9
Showing 1 changed file with 17 additions and 4 deletions.
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
@@ -71,7 +71,7 @@ template t_hdr_sdata_msg {
         };
 
 # ===============================================================================================
-# JSON; for JSON pretty-printing (for debugging)
+# JSON_3164; for JSON pretty-printing (for debugging)
 # ===============================================================================================
 
 template t_JSON_3164 {
@@ -85,17 +85,30 @@ template t_JSON_3164 {
     };
 
 # ===============================================================================================
-# JSON; for JSON pretty-printing (for RFC5424)
+# JSON_5424; for JSON pretty-printing (standard output for RFC5424 messages in production)
+# Fields passed as indexed fields or as Splunk metadata are excluded
 # ===============================================================================================
 
 template t_JSON_5424 {
     template('$(format-json --scope rfc5424
-                --key MESSAGE
+                --key RAWMSG
                 --exclude DATE
                 --exclude FACILITY
                 --exclude PRIORITY
                 --exclude HOST
-                --exclude RAWMSG                
+                )');
+    };
+
+# ===============================================================================================
+# JSON_5424_ALL; for JSON pretty-printing (for printing all fields in RFC5424 message and ISO date)
+# Useful for log path development
+# ===============================================================================================
+
+template t_JSON_5424_ALL {
+    template('$(format-json --scope rfc5424
+                --exclude DATE
+                --key ISODATE
+                --key RAWMSG
                 )');
     };