diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl index 5b7f404..1dd62cd 100644 --- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl @@ -3,50 +3,55 @@ log { if { filter(f_is_rfc5424_strict); - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; - parser { p_add_context_splunk(key("sc4s_fallback")); }; - rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); }; - {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }} + rewrite { + r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); + set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); + }; + parser { + p_add_context_splunk(key("sc4s_fallback")); + }; + {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }} destination(d_hec); {{- end}} -{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }} - - #in fallback archive write rawmsg as msg + #in fallback archive only write rawmsg as msg rewrite { - set("$RAWMSG" value("MSG")); unset(value("RAWMSG")); groupunset(values(".kv.*")); }; + + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }} destination(d_archive); {{- end}} } else { - rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); }; - parser { p_add_context_splunk(key("sc4s_fallback")); }; - rewrite { set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); }; - - {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_FALLBACK_HEC" "no")) }} - destination(d_hec); - {{- end}} - -{{- if or (conv.ToBool (getenv "SC4S_ARCHIVE_GLOBAL" "no")) (conv.ToBool (getenv "SC4S_ARCHIVE_FALLBACK" "no")) }} - - #in fallback archive write rawmsg as msg rewrite { - set("$RAWMSG" value("MSG")); + r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") ); + set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); groupunset(values(".kv.*")); }; - destination(d_archive); + parser { + p_add_context_splunk(key("sc4s_fallback")); + }; - {{- end}} + {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }} + destination(d_hec); + {{- end}} + + #in fallback archive only write rawmsg as msg + + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }} + destination(d_archive); + {{- end}} }; + + flags(flow-control,fallback); -}; +}; \ No newline at end of file