Merge branch 'develop' into fix/chpt-noise-test

docs/configuration.md

@@ -27,7 +27,7 @@ syslog.
 | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file |
 | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate |
 | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads).  This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. |
-| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,loghost,destport,fromhostip,proto, or none | List of sc4s indexed fields (default is the entire list except "none").  If this veriable is not set, the default indexed fields `sc4s_vendor_product` and `sc4d_syslog_format` _will_ appear.  If no indexed fields are desired (including the two defaults mentioned), set the value to the single value of "none".  This list maps to the following indexed fields that will appear in all Splunk events:<br>facility: sc4s_syslog_facility<br>severity: sc4s_syslog_severity<br>container: sc4s_container<br>loghost: sc4s_loghost<br>dport: sc4s_destport<br>fromhostip: sc4s_fromhostip<br>proto: sc4s_proto
+| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,<br>severity,<br>container,<br>loghost,<br>destport,<br>fromhostip,<br>proto<br><br>none | List of sc4s indexed fields that will be included with each event in Splunk (default is the entire list except "none").  Two other indexed fields, `sc4s_vendor_product` and `sc4s_syslog_format`, will also appear along with the fields selected via the list and cannot be turned on or off individually.  If no indexed fields are desired (including the two internal ones), set the value to the single value of "none".  When setting this variable, separate multiple entries with commas and do not include extra spaces.<br><br>This list maps to the following indexed fields that will appear in all Splunk events:<br>facility: sc4s_syslog_facility<br>severity: sc4s_syslog_severity<br>container: sc4s_container<br>loghost: sc4s_loghost<br>dport: sc4s_destport<br>fromhostip: sc4s_fromhostip<br>proto: sc4s_proto
 
 ## Alternate Destination Configuration
 

docs/gettingstarted/docker-systemd-general.md

@@ -53,13 +53,14 @@ TimeoutStartSec=0
 Restart=always
 
 ExecStartPre=/usr/bin/docker pull $SC4S_IMAGE
+ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 ExecStartPre=/usr/bin/docker run \
         --env-file=/opt/sc4s/env_file \
         "$SC4S_LOCAL_CONFIG_MOUNT" \
         --name SC4S_preflight \
         --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \
-        -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
+        -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         --env-file=/opt/sc4s/env_file \
         "$SC4S_PERSIST_VOLUME" \
         "$SC4S_LOCAL_CONFIG_MOUNT" \

docs/gettingstarted/podman-systemd-general.md

@@ -71,13 +71,14 @@ TimeoutStartSec=0
 Restart=always
 
 ExecStartPre=/usr/bin/podman pull $SC4S_IMAGE
+ExecStartPre=/usr/bin/bash -c "/usr/bin/systemctl set-environment SC4SHOST=$(hostname -s)"
 ExecStartPre=/usr/bin/podman run \
         --env-file=/opt/sc4s/env_file \
         "$SC4S_LOCAL_CONFIG_MOUNT" \
         --name SC4S_preflight \
         --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \
-        -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
+        -e "SC4S_CONTAINER_HOST=${SC4SHOST}" \
         --env-file=/opt/sc4s/env_file \
         "$SC4S_PERSIST_VOLUME" \
         "$SC4S_LOCAL_CONFIG_MOUNT" \

package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl

@@ -1,27 +1,27 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
     set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "facility") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility") ",") "facility") }}
     set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}      
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "severity") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "severity") ",") "severity") }}
     set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}      
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "loghost") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "loghost") ",") "loghost") }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
     set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
 {{- end}}      
 {{- end}}      
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "container") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container") ",") "container") }}
     set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}      
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "fromhostip") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "fromhostip") ",") "fromhostip") }}
     set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}      
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "destport") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "destport") ",") "destport") }}
     set($DESTPORT, value("fields.sc4s_destport"));
 {{- end}}    
-{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "proto") }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "proto") ",") "proto") }}
     channel {
         if (match("6" value("PROTO"))) {
             rewrite { set("TCP", value("fields.sc4s_proto")); };