Skip to content

Commit

Permalink
Update p_zz_fallback.conf.tmpl
Browse files Browse the repository at this point in the history
revert changes from mbsonsack
  • Loading branch information
rfaircloth-splunk committed Dec 20, 2019
1 parent 2706617 commit 3a63295
Showing 1 changed file with 28 additions and 23 deletions.
51 changes: 28 additions & 23 deletions package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -3,50 +3,55 @@ log {

if {
filter(f_is_rfc5424_strict);
rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
parser { p_add_context_splunk(key("sc4s_fallback")); };
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); };
{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }}
rewrite {
r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"));
set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
};
parser {
p_add_context_splunk(key("sc4s_fallback"));
};
{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
destination(d_hec);
{{- end}}


{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}

#in fallback archive write rawmsg as msg
#in fallback archive only write rawmsg as msg
rewrite {
set("$RAWMSG" value("MSG"));
unset(value("RAWMSG"));
groupunset(values(".kv.*"));
};

{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
destination(d_archive);
{{- end}}

} else {
rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); };
parser { p_add_context_splunk(key("sc4s_fallback")); };
rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); };

{{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }}
destination(d_hec);
{{- end}}


{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }}

#in fallback archive write rawmsg as msg
rewrite {
set("$RAWMSG" value("MSG"));
r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") );
set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
unset(value("RAWMSG"));
unset(value("PROGRAM"));
unset(value("LEGACY_MSGHDR"));
groupunset(values(".kv.*"));
};
destination(d_archive);
parser {
p_add_context_splunk(key("sc4s_fallback"));
};

{{- end}}
{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
destination(d_hec);
{{- end}}


#in fallback archive only write rawmsg as msg

{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
destination(d_archive);
{{- end}}
};



flags(flow-control,fallback);
};
};

0 comments on commit 3a63295

Please sign in to comment.