Merge pull request #453 from splunk/splunkfields/indexed_fields

Fix indexed field gomplate template
CSVD · May 13, 2020 · 2d3d655 · 2d3d655
2 parents c796d2d + ee28b95
commit 2d3d655
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 19 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -27,7 +27,7 @@ syslog.
 | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file |
 | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate |
 | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads).  This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. |
-| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,loghost,dport,fromhostip,proto | list of sc4s indexed fields default list is all fields )
+| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,loghost,destport,fromhostip,proto, or none | List of sc4s indexed fields (default is the entire list except "none").  If this veriable is not set, the default indexed fields `sc4s_vendor_product` and `sc4d_syslog_format` _will_ appear.  If no indexed fields are desired (including the two defaults mentioned), set the value to the single value of "none".  This list maps to the following indexed fields that will appear in all Splunk events:<br>facility: sc4s_syslog_facility<br>severity: sc4s_syslog_severity<br>container: sc4s_container<br>loghost: sc4s_loghost<br>dport: sc4s_destport<br>fromhostip: sc4s_fromhostip<br>proto: sc4s_proto
 
 ## Alternate Destination Configuration
 

diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md
@@ -59,7 +59,7 @@ ExecStartPre=/usr/bin/docker run \
         --name SC4S_preflight \
         --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \
-        -e "SC4S_CONTAINER_HOST=$(hostname -s)" \
+        -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
         --env-file=/opt/sc4s/env_file \
         "$SC4S_PERSIST_VOLUME" \
         "$SC4S_LOCAL_CONFIG_MOUNT" \

diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md
@@ -77,7 +77,7 @@ ExecStartPre=/usr/bin/podman run \
         --name SC4S_preflight \
         --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \
-        -e "SC4S_CONTAINER_HOST=$(hostname -s)" \
+        -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
         --env-file=/opt/sc4s/env_file \
         "$SC4S_PERSIST_VOLUME" \
         "$SC4S_LOCAL_CONFIG_MOUNT" \

diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -1,28 +1,36 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
-      set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "facility" }}
-      set($FACILITY, value("fields.sc4s_syslog_facility"));
+    set("SC4S:$SOURCE", value(".splunk.source"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "facility") }}
+    set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "severity" }}
-      set($LEVEL, value("fields.sc4s_syslog_severity"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "severity") }}
+    set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "loghost" }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "loghost") }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
-      set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
+    set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
 {{- end}}      
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "container" }}
-      set($LOGHOST, value("fields.sc4s_container"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "container") }}
+    set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "fromhostip" }}
-      set($SOURCEIP, value("fields.sc4s_fromhostip"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "fromhostip") }}
+    set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,destport,fromhostip,proto") ",") has "destport" }}
-      set($DESTPORT, value("fields.sc4s_destport"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "destport") }}
+    set($DESTPORT, value("fields.sc4s_destport"));
 {{- end}}    
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,destport,fromhostip,proto") ",") has "proto" }}
-      set($PROTO, value("fields.sc4s_proto"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "proto") }}
+    channel {
+        if (match("6" value("PROTO"))) {
+            rewrite { set("TCP", value("fields.sc4s_proto")); };
+        } elif (match("17" value("PROTO"))) {
+            rewrite { set("UDP", value("fields.sc4s_proto")); };
+        } else {
+            rewrite { set($PROTO, value("fields.sc4s_proto")); };
+        };
+    };
 {{- end}}    
 };
 #used by each log-path to set index and sourcetype which may be

diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl
@@ -47,6 +47,9 @@ destination d_hec {
                  sourcetype=${.splunk.sourcetype}
                  index=${.splunk.index}
                  event="$MSG"
-                 fields.*)')
+                 {{- if ne (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS") "none" }}
+                 fields.*
+                 {{- end }}
+                 )')
         );
 };