From c817b86ee598f463abd2ec59569786f2164ecd9d Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Sun, 19 Apr 2020 13:53:43 -0700
Subject: [PATCH 1/2] Refine rawmsg destination

* Refine rawmsg destination to not fire if `RAWMSG` macro is not set or null
---
 package/etc/conf.d/destinations/rawmsg_file.conf | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/package/etc/conf.d/destinations/rawmsg_file.conf b/package/etc/conf.d/destinations/rawmsg_file.conf
index f5faf88..7f63cf5 100644
--- a/package/etc/conf.d/destinations/rawmsg_file.conf
+++ b/package/etc/conf.d/destinations/rawmsg_file.conf
@@ -1,5 +1,12 @@
 destination d_rawmsg {
- file("/opt/syslog-ng/var/archive/rawmsg/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
- template("${RAWMSG}\n")
- );
-};
+ channel {
+ # Test for length of RAWMSG macro contents, minimum (meaning not set) appears to be "2"
+ filter { "$(length (${RAWMSG}))" != "2" };
+ destination {
+ file("/opt/syslog-ng/var/archive/rawmsg/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+ template("${RAWMSG}\n")
+# template("Length of RAWMSG is: $(length (${RAWMSG})), RAWMSG is: <${RAWMSG}>\n")
+ );
+ };
+ };
+};
\ No newline at end of file

From 865415019f9933619abf8b880efbe037efba2433 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Mon, 20 Apr 2020 11:10:46 -0700
Subject: [PATCH 2/2] Refine rawmsg destination

* Refine rawmsg destination test based on Bazsi's input
---
 package/etc/conf.d/destinations/rawmsg_file.conf | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/package/etc/conf.d/destinations/rawmsg_file.conf b/package/etc/conf.d/destinations/rawmsg_file.conf
index 7f63cf5..8ca2f79 100644
--- a/package/etc/conf.d/destinations/rawmsg_file.conf
+++ b/package/etc/conf.d/destinations/rawmsg_file.conf
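Review bot: In the hunk of patch 1/2, the `file()` path re-added under the new `channel` still expands `${HOST}` into a directory name, and that value is derived from the received message rather than from local configuration. Each distinct hostname creates another directory and open file under `/opt/syslog-ng/var/archive/rawmsg/`, so a noisy or malformed source can grow the archive tree without bound; the same line is carried unchanged into the hunk of patch 2/2. Whether hostname validation is enabled elsewhere is not visible in this patch. I would either set `check-hostname(yes)` in the global options or record the assumption next to the path, e.g. `# HOST is message-derived; relies on hostname validation upstream of this destination`.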
@@ -1,12 +1,11 @@
 destination d_rawmsg {
 channel {
- # Test for length of RAWMSG macro contents, minimum (meaning not set) appears to be "2"
- filter { "$(length (${RAWMSG}))" != "2" };
- destination {
- file("/opt/syslog-ng/var/archive/rawmsg/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
- template("${RAWMSG}\n")
-# template("Length of RAWMSG is: $(length (${RAWMSG})), RAWMSG is: <${RAWMSG}>\n")
- );
+ if ("${RAWMSG}" ne "") {
+ destination {
+ file("/opt/syslog-ng/var/archive/rawmsg/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+ template("${RAWMSG}\n")
+ );
+ };
 };
 };
 };
\ No newline at end of file
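Review bot: The `if ("${RAWMSG}" ne "")` guard replaces the old filter but drops the only comment explaining why the test exists, so the file no longer records why an event can reach `d_rawmsg` with an empty `RAWMSG`. I would add a line above the `if`, e.g. `# RAWMSG is empty unless the source stored the raw message (presumably flags(store-raw-message)); skip the archive write then`. The file also still ends without a trailing newline, which is worth fixing while the closing `};` lines are being touched.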