From 09baff97c242f0d66b0c0e582acbfda4516c1736 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Sun, 31 May 2020 10:57:18 -0700
Subject: [PATCH] Add new `t_JSON_5424_ALL` template

* Add new `t_JSON_5424_ALL` template to aid in log path development
* Use `ISODATE` rather than `DATE` in `t_JSON_5424_ALL` to retain TZ info
* Refine existing `t_JSON_5424` to keep `RAWMSG` if it exists and omit macros that are passed as Splunk metadata or sc4s indexed fields.
---
 .../etc/conf.d/conflib/_common/templates.conf | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index f1bbb05..8ef6b8a 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -71,7 +71,7 @@ template t_hdr_sdata_msg {
 };
 
 # ===============================================================================================
-# JSON; for JSON pretty-printing (for debugging)
+# JSON_3164; for JSON pretty-printing (for debugging)
 # ===============================================================================================
 
 template t_JSON_3164 {
@@ -85,17 +85,30 @@ template t_JSON_3164 {
 };
 
 # ===============================================================================================
-# JSON; for JSON pretty-printing (for RFC5424)
+# JSON_5424; for JSON pretty-printing (standard output for RFC5424 messages in production)
+# Fields passed as indexed fields or as Splunk metadata are excluded
 # ===============================================================================================
 
 template t_JSON_5424 {
 template('$(format-json --scope rfc5424
- --key MESSAGE
+ --key RAWMSG
 --exclude DATE
 --exclude FACILITY
 --exclude PRIORITY
 --exclude HOST
- --exclude RAWMSG
+ )');
+ };
+
+# ===============================================================================================
+# JSON_5424_ALL; for JSON pretty-printing (for printing all fields in RFC5424 message and ISO date)
+# Useful for log path development
+# ===============================================================================================
+
+template t_JSON_5424_ALL {
+ template('$(format-json --scope rfc5424
+ --exclude DATE
+ --key ISODATE
+ --key RAWMSG
 )');
 };
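Review bot: `t_JSON_5424`, which its new header calls the production output, now emits `RAWMSG` where the old template excluded it. If any log path rewrites or masks `MESSAGE` before output (not visible in this hunk), the unmodified original would still reach the destination through `RAWMSG`, and each event that carries it grows by roughly the size of the message. Consider keeping `--exclude RAWMSG` in `t_JSON_5424` and leaving the raw copy to `t_JSON_5424_ALL`, or add a header line such as `# RAWMSG is forwarded unmodified when the source stores it; rewrites applied to MESSAGE do not affect it`. Dropping `--key MESSAGE` looks safe only if the `rfc5424` scope already supplies that field, so it is worth confirming against a sample event.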