Skip to content

Commit

Permalink
Update p_zz_fallback.conf.tmpl
Browse files Browse the repository at this point in the history
resolve unexpected behaior with syslog-ng out of order processing of directives impactin g the hec format for json fallback due to archive support.
  • Loading branch information
rfaircloth-splunk committed Dec 20, 2019
1 parent c930a66 commit d03095b
Showing 1 changed file with 11 additions and 13 deletions.
24 changes: 11 additions & 13 deletions package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
Original file line number Diff line number Diff line change
Expand Up @@ -26,31 +26,29 @@ log {
{{- end}}

} else {

rewrite {
r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") );
set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
unset(value("RAWMSG"));
unset(value("PROGRAM"));
unset(value("LEGACY_MSGHDR"));
groupunset(values(".kv.*"));
};
parser {
p_add_context_splunk(key("sc4s_fallback"));
};

{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
destination(d_hec);
{{- end}}
{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
destination(d_hec);
{{- end}}


#in fallback archive only write rawmsg as msg
rewrite {
set("$RAWMSG" value("MSG"));
unset(value("RAWMSG"));
unset(value("PROGRAM"));
unset(value("LEGACY_MSGHDR"));
groupunset(values(".kv.*"));
};

{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
destination(d_archive);
{{- end}}
{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
destination(d_archive);
{{- end}}
};


Expand Down

0 comments on commit d03095b

Please sign in to comment.