diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index 465e2ae..5b7f404 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
@@ -3,55 +3,50 @@ log { if { filter(f_is_rfc5424_strict); - rewrite { - r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); - set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); - }; - parser { - p_add_context_splunk(key("sc4s_fallback")); - }; - {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }} + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; + parser { p_add_context_splunk(key("sc4s_fallback")); }; + rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); }; + {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }} destination(d_hec); {{- end}} - #in fallback archive only write rawmsg as msg +{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }} + + #in fallback archive write rawmsg as msg rewrite { + set("$RAWMSG" value("MSG")); unset(value("RAWMSG")); groupunset(values(".kv.*")); }; - - {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }} destination(d_archive); {{- end}} } else { + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; + parser { p_add_context_splunk(key("sc4s_fallback")); }; + rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); }; + + {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }} + destination(d_hec); + {{- end}} + +{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }} + + #in fallback archive write rawmsg as msg rewrite { - r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") ); - set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); + set("$RAWMSG" 
value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); groupunset(values(".kv.*")); }; - parser { - p_add_context_splunk(key("sc4s_fallback")); - }; - - {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }} - destination(d_hec); - {{- end}} - + destination(d_archive); - #in fallback archive only write rawmsg as msg + {{- end}} - {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }} - destination(d_archive); - {{- end}} }; - - flags(flow-control,fallback); };
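Review bot: The last removed line of this hunk drops `flags(flow-control,fallback);` from the `log` block, and nothing on the new side restores it, so as far as the hunk shows this path is no longer marked as a fallback. Without `fallback`, syslog-ng would evaluate both branches for every message instead of only those no earlier log path claimed, so already-classified events would also be sent to `d_hec` as `sc4s:fallback` in index `main` and, when enabled, to `d_archive`. Without `flow-control`, messages can be dropped when a destination backs up, which leaves gaps in the collected logs that are hard to notice afterwards. If the removal is not deliberate, keep `flags(flow-control,fallback);` immediately before the closing `};` of the `log` block; if it is deliberate, the commit should say where fallback selection now happens. The `log` block appears to lie entirely inside this hunk, so the flags do not seem to have been moved elsewhere in the file.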