From d30f7dd49b7c23f3753be73ac81adc7c40d4c8e2 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 29 May 2020 15:02:32 -0400
Subject: [PATCH 1/4] Simplify RFC5424 JSON

---
 package/etc/conf.d/conflib/_common/templates.conf | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index f9afd04..7e1f665 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -90,8 +90,6 @@ template t_JSON_3164 {

 template t_JSON_5424 {
 template('$(format-json --scope rfc5424
- --pair PRI="<$PRI>"
- --key ISODATE
 --key RAWMSG
 --exclude DATE
 --exclude FACILITY
@@ -106,14 +104,11 @@ template t_JSON_5424 {

 template t_JSON_5424_SDATA {
 template('$(format-json --scope rfc5424
- --pair PRI="<$PRI>"
- --key ISODATE
- --key RAWMSG
+ --key MESSAGE
 --exclude DATE
 --exclude HOST
 --exclude FACILITY
 --exclude PRIORITY
- --exclude MESSAGE
 )');
 };

From e57f21169c654039d15fa54145e3a2216ca781e9 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 29 May 2020 15:18:48 -0400
Subject: [PATCH 2/4] Update templates.conf

---
 package/etc/conf.d/conflib/_common/templates.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index 7e1f665..f1bbb05 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -90,11 +90,12 @@ template t_JSON_3164 {

 template t_JSON_5424 {
 template('$(format-json --scope rfc5424
- --key RAWMSG
+ --key MESSAGE
 --exclude DATE
 --exclude FACILITY
 --exclude PRIORITY
 --exclude HOST
+ --exclude RAWMSG
 )');
 };

@@ -109,6 +110,7 @@ template t_JSON_5424_SDATA {
 --exclude HOST
 --exclude FACILITY
 --exclude PRIORITY
+ --exclude RAWMSG
 )');
 };

From 09baff97c242f0d66b0c0e582acbfda4516c1736 Mon Sep 17 00:00:00 2001
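Review bot: Dropping `--key ISODATE` while `--exclude DATE` stays leaves t_JSON_5424 with no timestamp field at all, and neither the hunk nor the `Simplify RFC5424 JSON` message says where event time is carried instead. Presumably it travels outside the JSON body with the destination's own metadata, but a reader of templates.conf cannot tell that from the template, so I would record the intent above it, e.g. `# DATE/ISODATE intentionally omitted: event time is carried outside this JSON body`. The same question applies to the removed `--pair PRI="<$PRI>"` now that FACILITY and PRIORITY are excluded as well. The t_JSON_5424 body continues past the end of this hunk (the PRIORITY/HOST excludes and the closing `)');` are outside it).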
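Review bot: The `+ --exclude RAWMSG` added to t_JSON_5424_SDATA in the second hunk (`@@ -109,6 +110,7 @@`) appears to have no effect: as far as I can tell RAWMSG is a macro that is not part of `--scope rfc5424`, and nothing in this template selects it with `--key`, so there is nothing for the exclude to remove. The same line is carried forward unchanged by the later `Fix t_JSON_5424_SDATA to exclude MESSAGE` hunk (`@@ -118,11 +118,11 @@`), where `--exclude MESSAGE` is the line that actually changes the output. Either drop it, or if it is meant as a guard against a future `--key RAWMSG`, say so above the template: `# --exclude RAWMSG is a guard only; RAWMSG is not selected by --scope rfc5424`. In the first hunk of this commit the same exclude is paired with the removal of `--key RAWMSG` in t_JSON_5424, where it is equally inert.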
From: Mark Bonsack
Date: Sun, 31 May 2020 10:57:18 -0700
Subject: [PATCH 3/4] Add new `t_JSON_5424_ALL` template

* Add new `t_JSON_5424_ALL` template to aid in log path development
* Use `ISODATE` rather than `DATE` in `t_JSON_5424_ALL` to retain TZ info
* Refine existing `t_JSON_5424` to keep `RAWMSG` if it exists and omit macros that are passed as Splunk metadata or sc4s indexed fields.
---
 .../etc/conf.d/conflib/_common/templates.conf | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index f1bbb05..8ef6b8a 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -71,7 +71,7 @@ template t_hdr_sdata_msg {
 };

 # ===============================================================================================
-# JSON; for JSON pretty-printing (for debugging)
+# JSON_3164; for JSON pretty-printing (for debugging)
 # ===============================================================================================

 template t_JSON_3164 {
@@ -85,17 +85,30 @@ template t_JSON_3164 {
 };

 # ===============================================================================================
-# JSON; for JSON pretty-printing (for RFC5424)
+# JSON_5424; for JSON pretty-printing (standard output for RFC5424 messages in production)
+# Fields passed as indexed fields or as Splunk metadata are excluded
 # ===============================================================================================

 template t_JSON_5424 {
 template('$(format-json --scope rfc5424
- --key MESSAGE
+ --key RAWMSG
 --exclude DATE
 --exclude FACILITY
 --exclude PRIORITY
 --exclude HOST
- --exclude RAWMSG
+ )');
+ };
+
+# ===============================================================================================
+# JSON_5424_ALL; for JSON pretty-printing (for printing all fields in RFC5424 message and ISO date)
+# Useful for log path development
+# ===============================================================================================
+
+template t_JSON_5424_ALL {
+ template('$(format-json --scope rfc5424
+ --exclude DATE
+ --key ISODATE
+ --key RAWMSG
 )');
 };

From 16b24c211a35a0e67a22b6fd73a53bafd6df470c Mon Sep 17 00:00:00 2001
From: mbonsack
Date: Tue, 9 Jun 2020 17:10:28 -0700
Subject: [PATCH 4/4] Fix `t_JSON_5424_SDATA` to exclude `MESSAGE`

---
 package/etc/conf.d/conflib/_common/templates.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/conflib/_common/templates.conf b/package/etc/conf.d/conflib/_common/templates.conf
index 8ef6b8a..92fb5f0 100644
--- a/package/etc/conf.d/conflib/_common/templates.conf
+++ b/package/etc/conf.d/conflib/_common/templates.conf
@@ -118,11 +118,11 @@ template t_JSON_5424_ALL {

 template t_JSON_5424_SDATA {
 template('$(format-json --scope rfc5424
- --key MESSAGE
 --exclude DATE
 --exclude HOST
 --exclude FACILITY
 --exclude PRIORITY
+ --exclude MESSAGE
 --exclude RAWMSG
 )');
 };
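Review bot: The commit message says `keep RAWMSG if it exists`, but neither the reworded t_JSON_5424 header nor the new t_JSON_5424_ALL header in this hunk says when RAWMSG exists, so a reader will expect a `RAWMSG` key in every event. If I read syslog-ng correctly the macro is only populated when the receiving source keeps the raw message, so I would add to the t_JSON_5424 comment block `# RAWMSG is emitted only when the source stores the raw message; otherwise the key is absent`, and the same line to the t_JSON_5424_ALL block. The JSON_5424_ALL header could also note that the template is for development only, since it re-emits the DATE/HOST/FACILITY/PRIORITY values the production template deliberately drops; the hunk is otherwise self-contained, both templates begin and end inside it.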
@@ -130,4 +130,4 @@ template t_JSON_5424_SDATA {

 template t_snmp_trap {
 template('$(format-json .snmp.* --rekey .snmp.* --shift-levels 2)');
- };
\ No newline at end of file
+ };