Update lp-sc4s_internal.conf.tmpl

package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl

@@ -8,7 +8,7 @@ log {
         parser {p_add_context_splunk(key("sc4s_metrics")); };
         rewrite {
             subst('.*Log statistics; ', '', value("MESSAGE"), flags("utf8" "global"));
-            subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:)?)', '', value("MESSAGE"), flags("utf8" "global"));
+            subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:, )?)', '', value("MESSAGE"), flags("utf8" "global"));
             subst('(?<Type>[^= ]+)=\x27(?<SourceName>[^\(]+)\((?<SourceId>\S+(?=\)[=,]))(?:,(?<SourceInstance>[^,]+),(?<State>[^\)]+))?\)\=(?<Number>\d+)\x27,? ?',
 '{"time": "$S_UNIXTIME","event": "metric","host": "$HOST","index": "${.splunk.index}","source": "internal","sourcetype": "${.splunk.sourcetype}","fields": {"source_name": "${SourceName}","source_instance": "${SourceInstance}","state": "${State}","type": "${Type}","_value": ${Number},"metric_name": "syslogng.${SourceId}"}}
 ',