From 9812901830e99711880527a9c76cceebd8e23b4e Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk <rfaircloth@splunk.com>
Date: Sun, 14 Jun 2020 11:57:04 -0400
Subject: [PATCH] Update lp-sc4s_internal.conf.tmpl

---
 package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
index 01e5993..bb8c017 100644
--- a/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-sc4s_internal.conf.tmpl
@@ -8,7 +8,7 @@ log {
         parser {p_add_context_splunk(key("sc4s_metrics")); };
         rewrite {
             subst('.*Log statistics; ', '', value("MESSAGE"), flags("utf8" "global"));
-            subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:)?)', '', value("MESSAGE"), flags("utf8" "global"));
+            subst('([^= ]+=\x27[^\(]+\(#anon[^,\)]+(?:,[^,]+,[^\)]+)?\)\=\d+\x27(?:, )?)', '', value("MESSAGE"), flags("utf8" "global"));
             subst('(?<Type>[^= ]+)=\x27(?<SourceName>[^\(]+)\((?<SourceId>\S+(?=\)[=,]))(?:,(?<SourceInstance>[^,]+),(?<State>[^\)]+))?\)\=(?<Number>\d+)\x27,? ?',
 '{"time": "$S_UNIXTIME","event": "metric","host": "$HOST","index": "${.splunk.index}","source": "internal","sourcetype": "${.splunk.sourcetype}","fields": {"source_name": "${SourceName}","source_instance": "${SourceInstance}","state": "${State}","type": "${Type}","_value": ${Number},"metric_name": "syslogng.${SourceId}"}}
 ',