Add new template for 5424 SDATA only

* Add template to output only the structured data (SDATA) portion of the 5424 event
CSVD · Apr 23, 2020 · 9dcf469 · 9dcf469
1 parent c0ec0c8
commit 9dcf469
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
@@ -86,6 +86,22 @@ template t_JSON_5424 {
                 )');
     };
 
+# ===============================================================================================
+# JSON_5424_SDATA; for JSON pretty-printing (for RFC5424 messages with duplicate data in MESSAGE)
+# ===============================================================================================
+
+template t_JSON_5424_SDATA {
+    template('$(format-json --scope rfc5424
+                --pair PRI="<$PRI>"
+                --key ISODATE
+                --exclude DATE
+                --exclude HOST
+                --exclude FACILITY
+                --exclude PRIORITY
+                --exclude MESSAGE
+                )');
+    };
+
 
 template t_snmp_trap {
     template('$(format-json .snmp.* --rekey .snmp.* --shift-levels 2)');