From db1f326dfe17daf89f3c0fb6408caa26ab849f0f Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Tue, 14 Jan 2020 22:56:41 -0800
Subject: [PATCH] Fix output template for Palo Alto log path
* Change output template from `t_hdr_msg` to `t_msg_only` for Palo Alto log path to account for removed "unset" config element
---
 package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
index 1a54790..6f5cb7f 100644
--- a/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_rfc3164-paloalto_panos.conf.tmpl
@@ -77,7 +77,7 @@ log {
 };
 parser (compliance_meta_by_source);
- rewrite { set("$(template ${.splunk.sc4s_template} $(template t_hdr_msg))" value("MSG")); };
+ rewrite { set("$(template ${.splunk.sc4s_template} $(template t_msg_only))" value("MSG")); };
 {{- if or (conv.ToBool (getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes")) (conv.ToBool (getenv "SC4S_DEST_PALOALTO_PANOS_HEC" "no")) }}
 destination(d_hec);
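Review bot: The `rewrite` line now falls back to `t_msg_only`, but the file itself gives no reason why this log path omits the header, so the rationale lives only in the commit message. A comment above the line would keep it with the code, for example `# Fallback is t_msg_only: header fields are no longer unset earlier in this path (confirm), so t_hdr_msg is not wanted here`. This fallback sets the raw event text written to `MSG` before `destination(d_hec)`, and the Palo Alto field extractions and any detections built on them presumably depend on that shape, so it is worth checking a sample PAN-OS event end to end. As I read the `$(template ...)` call, a template named in `${.splunk.sc4s_template}` is used in preference to the fallback, so a deployment that sets that value would not see this change. The enclosing `log { ... }` block starts and ends outside the hunk.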