diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl index 1dd62cd..22fc97b 100644 --- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl @@ -6,6 +6,7 @@ log { rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main")); set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); + unset(value("RAWMSG")); }; parser { p_add_context_splunk(key("sc4s_fallback")); @@ -15,12 +16,6 @@ log { {{- end}} - #in fallback archive only write rawmsg as msg - rewrite { - unset(value("RAWMSG")); - groupunset(values(".kv.*")); - }; - {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }} destination(d_archive); {{- end}}