Merge pull request #501 from splunk/fix/vmware-vpxd

Simplify RFC5424 JSON
CSVD · Jun 10, 2020 · be2b5e9 · be2b5e9
2 parents e79cce8 + 16b24c2
commit be2b5e9
Showing 1 changed file with 18 additions and 8 deletions.
diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
@@ -71,7 +71,7 @@ template t_hdr_sdata_msg {
         };
 
 # ===============================================================================================
-# JSON; for JSON pretty-printing (for debugging)
+# JSON_3164; for JSON pretty-printing (for debugging)
 # ===============================================================================================
 
 template t_JSON_3164 {
@@ -85,13 +85,12 @@ template t_JSON_3164 {
     };
 
 # ===============================================================================================
-# JSON; for JSON pretty-printing (for RFC5424)
+# JSON_5424; for JSON pretty-printing (standard output for RFC5424 messages in production)
+# Fields passed as indexed fields or as Splunk metadata are excluded
 # ===============================================================================================
 
 template t_JSON_5424 {
     template('$(format-json --scope rfc5424
-                --pair PRI="<$PRI>"
-                --key ISODATE
                 --key RAWMSG
                 --exclude DATE
                 --exclude FACILITY
@@ -101,23 +100,34 @@ template t_JSON_5424 {
     };
 
 # ===============================================================================================
-# JSON_5424_SDATA; for JSON pretty-printing (for RFC5424 messages with duplicate data in MESSAGE)
+# JSON_5424_ALL; for JSON pretty-printing (for printing all fields in RFC5424 message and ISO date)
+# Useful for log path development
 # ===============================================================================================
 
-template t_JSON_5424_SDATA {
+template t_JSON_5424_ALL {
     template('$(format-json --scope rfc5424
-                --pair PRI="<$PRI>"
+                --exclude DATE
                 --key ISODATE
                 --key RAWMSG
+                )');
+    };
+
+# ===============================================================================================
+# JSON_5424_SDATA; for JSON pretty-printing (for RFC5424 messages with duplicate data in MESSAGE)
+# ===============================================================================================
+
+template t_JSON_5424_SDATA {
+    template('$(format-json --scope rfc5424
                 --exclude DATE
                 --exclude HOST
                 --exclude FACILITY
                 --exclude PRIORITY
                 --exclude MESSAGE
+                --exclude RAWMSG
                 )');
     };
 
 
 template t_snmp_trap {
     template('$(format-json .snmp.* --rekey .snmp.* --shift-levels 2)');
-    };
+    };