From 3543499769778eafdb3210cc038ee0ac059be250 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 21 Aug 2020 12:18:21 -0400
Subject: [PATCH] [fix] Return to prior behavior to not change splunk_metadata (#656)
---
 package/etc/conf.d/conflib/_splunk/splunk_context.conf | 2 +-
 .../etc/conf.d/log_paths/lp-common_event_format.conf.tmpl | 2 +-
 package/sbin/entrypoint.sh | 6 ++++--
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/package/etc/conf.d/conflib/_splunk/splunk_context.conf b/package/etc/conf.d/conflib/_splunk/splunk_context.conf
index 13a04bf..4201078 100644
--- a/package/etc/conf.d/conflib/_splunk/splunk_context.conf
+++ b/package/etc/conf.d/conflib/_splunk/splunk_context.conf
@@ -1,7 +1,7 @@
 block parser p_add_context_splunk(key("syslogng-fallback")) {
 add-contextual-data(
 selector("`key`"),
- database("conf.d/local/context/splunk_metadata.csv"),
+ database("conf.d/merged/context/splunk_metadata.csv"),
 prefix(".splunk.")
 );
 };
diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index d763e41..04b3925 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -38,7 +38,7 @@ parser p_cef_ts_end {
 parser p_cef_class {
 add-contextual-data(
 selector("${fields.cef_device_vendor}_${fields.cef_device_product}_${fields.cef_device_event_class}"),
- database("conf.d/local/context/splunk_metadata.csv")
+ database("conf.d/merged/context/splunk_metadata.csv")
 ignore-case(yes)
 prefix(".splunk.")
 );
diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh
index 02250b8..feed4b0 100755
--- a/package/sbin/entrypoint.sh
+++ b/package/sbin/entrypoint.sh
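Review bot: Both `database("conf.d/merged/context/splunk_metadata.csv")` lines, in `p_add_context_splunk` and in `p_cef_class` (lp-common_event_format.conf.tmpl), now read a file that is written at container start rather than one an operator edits, and neither parser says so. A comment above each `add-contextual-data(` would stop someone from hand-editing the merged copy and losing the change on the next restart, for example `# merged/context/splunk_metadata.csv is regenerated by sbin/entrypoint.sh at start-up; put overrides in conf.d/local/context/`. Since this lookup supplies the `.splunk.` metadata attached to events, it is also worth confirming what syslog-ng does when the file is absent, for instance when the configuration is loaded without the entrypoint having run; that behaviour is not visible from this diff. `p_cef_class` continues past the end of its hunk.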
@@ -47,9 +47,11 @@ trap 'kill ${!}; hup_handler' SIGHUP trap 'kill ${!}; term_handler' SIGTERM mkdir -p /opt/syslog-ng/etc/conf.d/local/context/ +mkdir -p /opt/syslog-ng/etc/conf.d/merged/context/ mkdir -p /opt/syslog-ng/etc/conf.d/local/config/ + cp /opt/syslog-ng/etc/context_templates/* /opt/syslog-ng/etc/conf.d/local/context for file in /opt/syslog-ng/etc/conf.d/local/context/*.example ; do cp --verbose -n $file ${file%.example}; done if [ "$SC4S_RUNTIME_ENV" == "k8s" ] @@ -59,7 +61,7 @@ then # Add new entries temp_file=$(mktemp) awk '{print $0}' /opt/syslog-ng/etc/conf.d/configmap/context/splunk_metadata.csv /opt/syslog-ng/etc/context_templates/splunk_metadata.csv.example | grep -v '^#' | sort -b -t ',' -k1,2 -u > $temp_file - cp -f $temp_file /opt/syslog-ng/etc/conf.d/local/context/splunk_metadata.csv + cp -f $temp_file /opt/syslog-ng/etc/conf.d/merged/context/splunk_metadata.csv else # splunk_index.csv updates @@ -72,7 +74,7 @@ else # Add new entries temp_file=$(mktemp) awk '{print $0}' ${LEGACY_SPLUNK_INDEX_FILE} /opt/syslog-ng/etc/conf.d/local/context/splunk_metadata.csv /opt/syslog-ng/etc/context_templates/splunk_metadata.csv.example | grep -v '^#' | sort -b -t ',' -k1,2 -u > $temp_file - cp -f $temp_file /opt/syslog-ng/etc/conf.d/local/context/splunk_metadata.csv + cp -f $temp_file /opt/syslog-ng/etc/conf.d/merged/context/splunk_metadata.csv # We don't need this file any longer rm -f /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv.example || true if [ -f /opt/syslog-ng/etc/conf.d/local/context/splunk_index.csv ]; then
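Review bot: The two `cp -f $temp_file /opt/syslog-ng/etc/conf.d/merged/context/splunk_metadata.csv` lines (hunks at -59 and -72) leave `$temp_file` unquoted, ignore the result of the copy, and in the visible lines never remove the temporary file. That matters more after this commit because the parsers read only the merged copy, so a failed or partial merge would leave events without the intended index and sourcetype metadata rather than falling back to the local file. I would write `cp -f "$temp_file" /opt/syslog-ng/etc/conf.d/merged/context/splunk_metadata.csv || exit 1` followed by `rm -f "$temp_file"`, and quote `"$temp_file"` in the redirect as well. Because `mktemp` creates the file owner-only, a newly created merged CSV probably inherits that mode, so confirm the syslog-ng process can read it. The surrounding `if`/`else` starts and ends outside these hunks.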