From 35d66a9f90f459f49fb65e9362a50fde0be58eec Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Fri, 13 Mar 2020 13:26:10 -0700
Subject: [PATCH 1/2] Add `d_hec_debug` destination
* Add `d_hec_debug` destination to output "curl" commands that can be directly run to debug HEC/token issues
---
 .../etc/conf.d/destinations/splunk_hec_debug.conf | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 package/etc/conf.d/destinations/splunk_hec_debug.conf
diff --git a/package/etc/conf.d/destinations/splunk_hec_debug.conf b/package/etc/conf.d/destinations/splunk_hec_debug.conf
new file mode 100644
index 0000000..e5e6714
--- /dev/null
+++ b/package/etc/conf.d/destinations/splunk_hec_debug.conf
@@ -0,0 +1,14 @@
+destination d_hec_debug {
+  file("/opt/syslog-ng/var/archive/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+  template("curl -k -u \"sc4s HEC debug:$(env SPLUNK_HEC_TOKEN)\" \"$(env SPLUNK_HEC_URL)\" -d '$(format-json
+ time=$S_UNIXTIME.$S_MSEC
+ host=${HOST}
+ source=${.splunk.source}
+ sourcetype=${.splunk.sourcetype}
+ index=${.splunk.index}
+ event=$MSG
+ fields.*)'\n")
+# file("/var/log/messages_syslog"
+ create_dirs(yes)
+ );
+};
From fab5b46e8c93d8162590e3ee2d8f5f213f512667 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Fri, 13 Mar 2020 13:28:03 -0700
Subject: [PATCH 2/2] Update splunk_hec_debug.conf
---
 package/etc/conf.d/destinations/splunk_hec_debug.conf | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/package/etc/conf.d/destinations/splunk_hec_debug.conf b/package/etc/conf.d/destinations/splunk_hec_debug.conf
index e5e6714..795757b 100644
--- a/package/etc/conf.d/destinations/splunk_hec_debug.conf
+++ b/package/etc/conf.d/destinations/splunk_hec_debug.conf
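Review bot: The `+  template(...)` line expands the live HEC token via `$(env SPLUNK_HEC_TOKEN)` into every record written to the archive file, so the secret is persisted in plaintext on disk once per event for as long as this destination is wired into a log path. Emitting a literal shell variable instead keeps the file token-free while the command stays runnable after `export SPLUNK_HEC_TOKEN=...`: `-u \"sc4s HEC debug:$$SPLUNK_HEC_TOKEN\"` (syslog-ng writes `$$` as a single `$`). Separately, `event=$MSG` is placed inside the single-quoted `-d '...'` argument and `format-json` escapes JSON metacharacters but not `'`, so a received message containing a single quote ends the quoting and whatever follows is interpreted by the shell when the "directly runnable" line is pasted; either pass `$MSG` through a template function that escapes single quotes first, or add a comment above the destination such as `# Output is built from untrusted event text; review each line before executing it`. `${HOST}` in the file path is also taken from the message, and whether path separators in it are rejected depends on hostname-checking options not shown in this hunk.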
@@ -1,5 +1,5 @@
 destination d_hec_debug {
- file("/opt/syslog-ng/var/archive/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
+ file("/opt/syslog-ng/var/archive/debug/${.splunk.sourcetype}/${HOST}/$YEAR-$MONTH-$DAY-message.log"
  template("curl -k -u \"sc4s HEC debug:$(env SPLUNK_HEC_TOKEN)\" \"$(env SPLUNK_HEC_URL)\" -d '$(format-json
  time=$S_UNIXTIME.$S_MSEC
  host=${HOST}
@@ -8,7 +8,6 @@ destination d_hec_debug {
  index=${.splunk.index}
  event=$MSG
  fields.*)'\n")
-# file("/var/log/messages_syslog"
  create_dirs(yes)
  );
 };
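Review bot: Moving the output under `.../archive/debug/...` on the `+ file(` line separates it from the regular archive, but the file still holds the HEC token and raw event text on every line, and nothing in this hunk restricts who can read it; set the mode explicitly instead of relying on whatever the global defaults are, e.g. `perm(0600)` and `dir_perm(0700)` alongside `create_dirs(yes)`. A comment above the destination stating that it is for short-lived troubleshooting and must be removed from the log path afterwards would also help, since the file grows by one full command line per event. The `file(` call continues into the second hunk, where `create_dirs(yes)` and the closing `);` are.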