From d00266675fa4212d7112ff054c776e6db6bda3f0 Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Mon, 15 Jun 2020 09:01:00 -0400
Subject: [PATCH] Update for syntax changes in develop

Remove use of the index macro and ensure the source is set if not provided
---
 .../etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
index b56d8ed..74b590d 100644
--- a/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-mcafee_epo.conf.tmpl
@@ -28,16 +28,17 @@ log {
         rewrite {
             set("$(lowercase $1)" value(".mcafee.product"));
             subst('\s', '_', value(".mcafee.product") flags("global"));
-            r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav"), source("${.mcafee.product}"))
-        };
+            r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), source("${.mcafee.product}"))
+        };
+    } else {
+        # If the product is not provided by EPO we will just use a constant for the value
+        rewrite {
+            set("mcafee_epo", value("fields.sc4s_vendor_product"));
+            r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), source("epo"))
+        };
     };
-    rewrite {
-        set("mcafee_epo", value("fields.sc4s_vendor_product"));
-        r_set_splunk_dest_default(sourcetype("mcafee:epo:syslog"), index("epav"))
-    };
     parser {p_add_context_splunk(key("mcafee_epo")); };
-    parser (compliance_meta_by_source);
     rewrite {
         set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG"));
     };
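Review bot: `set("mcafee_epo", value("fields.sc4s_vendor_product"));` used to run unconditionally after the if-block and now runs only in the new `else` branch, so messages that do carry a product name (the first branch, which still only sets `.mcafee.product` and the sourcetype/source) leave `fields.sc4s_vendor_product` unset unless it is assigned above line 28, which is outside the hunk. If that field is consumed downstream, keep one unconditional `rewrite { set("mcafee_epo", value("fields.sc4s_vendor_product")); };` before the if/else (or repeat the line in the first branch) rather than leaving it to one branch. The removal of `parser (compliance_meta_by_source);` is also not covered by the commit description; if the per-source compliance metadata step is now applied elsewhere in develop, a sentence in the description saying so would stop the deletion from reading as an accidental loss of that enrichment. The enclosing `if` block begins above the hunk, so the condition that selects the two branches is not visible here.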