From 86c020aa1d497918f555f42c1e03fea8b4859ac5 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Mon, 27 Jan 2020 09:49:51 -0500
Subject: [PATCH] Update lp-common_event_format.conf.tmpl

Order of lookups should be "filter specific" "splunk_index" then compliance
---
 .../etc/conf.d/log_paths/lp-common_event_format.conf.tmpl | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
index 64e9577..52faaa7 100644
--- a/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-common_event_format.conf.tmpl
@@ -62,10 +62,6 @@ log {
 set("${fields.cef_device_vendor}_${fields.cef_device_product}", value("fields.sc4s_vendor_product"));
 };
 
- parser {
- p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
- };
-
 # We already have the syslog msg time stamp however that may not be the best one
 # If we have an rt or end field that is best we use the If trick here so if this parser fails
 # We don't get sent to fallback.
@@ -78,6 +74,10 @@ log {
 #CEF TAs use the source as their bounds in props.conf
 parser(p_cef_source);
 
+ parser {
+ p_add_context_splunk(key("${fields.cef_device_vendor}_${fields.cef_device_product}"));
+ };
+
 parser (compliance_meta_by_source);
 
 #We want to unset the fields we won't need, as this is copied into the
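Review bot: The ordering is the entire point of this change, but nothing in the config records it, so the next edit to this `log {}` block can silently undo it; a comment above the moved `parser { p_add_context_splunk(...) }` such as `# Precedence matters: source-specific parser (p_cef_source) first, then the splunk context lookup keyed by vendor_product, then compliance_meta_by_source overrides` would pin it. The lookup key repeats the `${fields.cef_device_vendor}_${fields.cef_device_product}` expression that the earlier rewrite already stores in `fields.sc4s_vendor_product`; writing `p_add_context_splunk(key("${fields.sc4s_vendor_product}"));` keeps the two from drifting, assuming nothing between the rewrite and this parser modifies that field. Note that both vendor and product are taken from the inbound CEF header, so the key — and whatever metadata p_add_context_splunk resolves from it — is effectively chosen by the sender; that appears to be by design, but the context table it consults should contain only entries an operator intends to be reachable, and the no-match fallback deserves a quick check. The enclosing `log {` block starts and ends outside the hunk.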