diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
index 671fc5e..36419fb 100644
--- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
@@ -24,17 +24,11 @@ log {
 rewrite {
 set("mcafee_epo", value("fields.sc4s_vendor_product"));
+ r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav"))
 };
- rewrite { r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav")) };
 parser {p_add_context_splunk(key("mcafee_epo")); };
- parser (compliance_meta_by_source);
-
-
- #We want to unset the fields we won't need, as this is copied into the
- #disk queue for network destinations. This can be very disk expensive
- #if we don't
 rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_MCAFEE_EPO_STRUCTURED_HEC" "no")) }}
diff --git a/package/etc/context_templates/splunk_index.csv.example b/package/etc/context_templates/splunk_index.csv.example
index 2755202..d7edbdb 100644
--- a/package/etc/context_templates/splunk_index.csv.example
+++ b/package/etc/context_templates/splunk_index.csv.example
@@ -52,6 +52,7 @@
 #juniper_nsm,index,netfw
 #juniper_nsm_idp,index,netids
 #juniper_legacy,index,netops
+#mcafee_epo,index,epav
 #nix_syslog,index,osnix
 #pan_traffic,index,netfw
 #pan_threat,index,netproxy
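Review bot: The hunk also drops `parser (compliance_meta_by_source);`, which is unrelated to folding the two `rewrite` blocks into one and is a behaviour change for this log path. If, as the name suggests, that parser applies per-host compliance index/sourcetype overrides, mcafee_epo events from hosts on that list will now follow the default `index("epav")` set by `r_set_splunk_dest_default` instead of the compliance index, which can move security events out of the index the SOC and its detections expect. If the override is now applied centrally (for example inside `p_add_context_splunk`), a one-line comment such as `# compliance overrides are applied by p_add_context_splunk` at the point of removal would make that explicit; otherwise consider keeping the parser line. The enclosing `log { ... }` block starts before and ends after this hunk.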