From 7d519c2c3ca5e4941199a56ebb46082e56f1e9cb Mon Sep 17 00:00:00 2001
From: mbonsack
Date: Thu, 20 Aug 2020 16:47:43 -0700
Subject: [PATCH] Fix host parsing in RSA log path (#652)

* Fix host parsing in RSA log path to take into account the new `.splunk.host` macro for host output in Splunk `/event` JSON blob
---
 .../etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
index 44ec5f0..a527cc7 100644
--- a/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-dell_rsa_secureid.conf.tmpl
@@ -29,7 +29,7 @@ log {
 #we need to actual even time from the field GeneratedTime. Use csv-parser to extract it.
 csv-parser(
- columns("time","ms","HOST","type")
+ columns("time","ms","host","type")
 prefix(".rsa.")
 delimiters(',')
 );
@@ -40,6 +40,13 @@ log {
 template("${LEGACY_MSGHDR} ${.rsa.time},${.rsa.ms}")
 );
 };
+ rewrite {
+ #Set both HOST and .splunk.host to allow compliance override
+ set("${.rsa.host}" value(".splunk.host")
+ condition( match('^.' value('.rsa.host') )) );
+ set("${.rsa.host}" value("HOST")
+ condition( match('^.' value('.rsa.host') )) );
+ };
 if {
 filter{match('audit\.admin' value('.rsa.type'))};
 rewrite {
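Review bot: In the added `rewrite` block (second hunk), both `set()` rules copy `.rsa.host` into `HOST` and `.splunk.host` after checking only that the value is non-empty (`match('^.' ...)`). That field is the third CSV column produced by the csv-parser, so, assuming the parser reads the message text, whatever the sender or a shifted row puts there becomes the indexed host for RSA authentication events. Tightening the condition to a hostname/IP character set, for example `condition( match('^[A-Za-z0-9._:-]+$' value('.rsa.host')) )`, would leave the existing host value in place when the column holds anything else. The comment's "compliance override" is not explained; it could instead read `# .splunk.host is the host written to the Splunk /event JSON; HOST is set as well so both carry the RSA-reported host`. The enclosing `log { }` block starts and ends outside the hunk.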