diff --git a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl index e0d5c88..da7ffeb 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-checkpoint_splunk.conf.tmpl @@ -79,7 +79,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl index 5666854..0b9ccfd 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_acs.conf.tmpl @@ -73,7 +73,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("PID")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl index 26dfaea..172445d 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_asa.conf.tmpl @@ -26,7 +26,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl index d03081a..cb90f70 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ios.conf.tmpl @@ -28,7 +28,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl index bdd92d4..544c0a3 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_ise.conf.tmpl @@ -73,7 +73,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("PID")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl index 0d28a3a..59db061 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-cisco_nxos.conf.tmpl @@ -28,7 +28,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl index d86957d..72d4de7 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-forcepoint_webprotect.conf.tmpl @@ -27,7 +27,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl index 02be55a..29f17fc 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-fortinet_fortios.conf.tmpl @@ -44,7 +44,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl index 14bb05a..ecfad6e 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-infoblox.conf.tmpl @@ -22,7 +22,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); r_set_splunk_dest_default(sourcetype("infoblox:dns"), index("netdns"), source("program:${.PROGRAM}")) - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); }; parser { p_add_context_splunk(key("infoblox_dns")); @@ -34,7 +34,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); r_set_splunk_dest_default(sourcetype("infoblox:dhcp"), index("netipam"), source("program:${.PROGRAM}")) - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); }; parser { p_add_context_splunk(key("infoblox_dhcp")); @@ -46,7 +46,7 @@ log { set("${PROGRAM}", value(".PROGRAM")); subst('^\/(?:[^\/]+\/)+', "" , value(".PROGRAM")); r_set_splunk_dest_default(sourcetype("infoblox:threat"), index("netids"), source("program:${.PROGRAM}")) - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); }; parser { p_add_context_splunk(key("infoblox_threat")); @@ -61,7 +61,7 @@ log { rewrite { r_set_splunk_dest_default(sourcetype("nix:syslog"), index("osnix"), source("program:${.PROGRAM}") ) - set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); }; diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl index b9d1ca1..16f2c0c 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_idp.conf.tmpl @@ -28,7 +28,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_sdata_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_sdata_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl index 0ecaee2..f0c8a1d 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_junos.conf.tmpl @@ -44,7 +44,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl index ca717e8..dde7d54 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_netscreen.conf.tmpl @@ -28,7 +28,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl index 94bbba5..8d8d999 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm.conf.tmpl @@ -29,7 +29,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl index e571083..c1196c5 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-juniper_nsm_idp.conf.tmpl @@ -26,7 +26,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_standard))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_standard))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl index 0114932..8d26d45 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-microfocus_arcsight.conf.tmpl @@ -73,7 +73,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl index 31b5013..ee4caaf 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl @@ -82,7 +82,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl index 4b383e8..0c805e7 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-proofpoint_pps.conf.tmpl @@ -35,7 +35,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl index 21ffa8b..0bcdf3d 100644 --- a/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3164-zscaler_nss.conf.tmpl @@ -66,7 +66,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl index a81ca33..70c1298 100644 --- a/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc3165-symantec_brightmail.conf.tmpl @@ -61,7 +61,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); @@ -96,7 +96,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl index 0e803a7..065c824 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_cisco_asa.conf.tmpl @@ -24,7 +24,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl index 2c3c547..c455a9d 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-noversion_symantec_proxy.conf.tmpl @@ -27,7 +27,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_msg_only))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl index 766bbff..0d103a8 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424-strict_juniper_junos.conf.tmpl @@ -47,7 +47,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_JSON_5424))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG")); unset(value("RAWMSG")); groupunset(values(".kv.*")); }; diff --git a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl index 949fcce..793b356 100644 --- a/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_rfc5424_epoch-cisco_meraki.conf.tmpl @@ -24,7 +24,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl b/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl index 805ceff..c8f4e2a 100644 --- a/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_za_nix_syslog.conf.tmpl @@ -32,7 +32,7 @@ log { #disk queue for network destinations. This can be very disk expensive #if we don't rewrite { - set("$(template ${fields.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_legacy_hdr_msg))" value("MSG")); unset(value("RAWMSG")); unset(value("PROGRAM")); unset(value("LEGACY_MSGHDR")); diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl index 15c3931..f0abfaa 100644 --- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl +++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl @@ -3,7 +3,7 @@ log { rewrite { r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"), template("t_JSON")); - set("$(template ${fields.sc4s_template} $(template t_JSON))" value("MSG")); + set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG")); }; parser { p_add_context_splunk(key("sc4s_fallback"));