From d03095b439546de406882b0bb13322b0b1886881 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 20 Dec 2019 12:30:31 -0500
Subject: [PATCH] Update p_zz_fallback.conf.tmpl resolve unexpected behaior with syslog-ng out of order processing of directives impactin g the hec format for json fallback due to archive support.
---
.../conf.d/log_paths/p_zz_fallback.conf.tmpl | 24 +++++++++----------
1 file changed, 11 insertions(+), 13 deletions(-)
diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index cb9ed87..465e2ae 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
@@ -26,31 +26,29 @@ log { {{- end}} } else { + rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") ); set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); + unset(value("RAWMSG")); + unset(value("PROGRAM")); + unset(value("LEGACY_MSGHDR")); + groupunset(values(".kv.*")); }; parser { p_add_context_splunk(key("sc4s_fallback")); }; - {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }} - destination(d_hec); - {{- end}} + {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }} + destination(d_hec); + {{- end}} #in fallback archive only write rawmsg as msg - rewrite { - set("$RAWMSG" value("MSG")); - unset(value("RAWMSG")); - unset(value("PROGRAM")); - unset(value("LEGACY_MSGHDR")); - groupunset(values(".kv.*")); - }; - {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }} - destination(d_archive); - {{- end}} + {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }} + destination(d_archive); + {{- end}} };
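Review bot: The comment `#in fallback archive only write rawmsg as msg` no longer matches the new side: the rewrite that did `set("$RAWMSG" value("MSG"))` is deleted and `unset(value("RAWMSG"))` now runs before both `destination(d_hec)` and `destination(d_archive)`, so the archive copy appears to receive the JSON-templated MSG, and the original raw line survives only if t_JSON embeds it. If the fallback archive is relied on for investigating or replaying unparsed events, dropping the raw message should be a stated decision; at minimum the comment should be replaced with something like `# fallback archive receives the same JSON-formatted MSG as HEC; RAWMSG is unset above`. Separately, the archive guard `(getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK")` tests for a non-empty string, so a value such as `no` would still enable archiving, unlike the HEC guard, which goes through `conv.ToBool`. The enclosing `log { ... }` path starts before this hunk, and what d_archive's own template reads is not visible here.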