From 9dcf4699eaa9b9eddec0aa21b5c220ac985b39f8 Mon Sep 17 00:00:00 2001
From: Mark Bonsack <mbonsack@splunk.com>
Date: Thu, 23 Apr 2020 14:54:14 -0700
Subject: [PATCH] Add new template for 5424 SDATA only

* Add template to output only the structured data (SDATA) portion of the 5424 event
---
 .../etc/conf.d/conflib/_common/templates.conf    | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index c86400f..7d582c5 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -86,6 +86,22 @@ template t_JSON_5424 {
                 )');
     };
 
+# ===============================================================================================
+# JSON_5424_SDATA; for JSON pretty-printing (for RFC5424 messages with duplicate data in MESSAGE)
+# ===============================================================================================
+
+template t_JSON_5424_SDATA {
+    template('$(format-json --scope rfc5424
+                --pair PRI="<$PRI>"
+                --key ISODATE
+                --exclude DATE
+                --exclude HOST
+                --exclude FACILITY
+                --exclude PRIORITY
+                --exclude MESSAGE
+                )');
+    };
+
 
 template t_snmp_trap {
     template('$(format-json .snmp.* --rekey .snmp.* --shift-levels 2)');