INDEXED not INDEX and fix missing end

CSVD · May 8, 2020 · e873be4 · e873be4
1 parent 7585981
commit e873be4
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/docs/configuration.md b/docs/configuration.md
@@ -27,7 +27,7 @@ syslog.
 | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file |
 | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate |
 | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads).  This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. |
-| SC4S_DEST_SPLUNK_INDEX_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) )
+| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) )
 
 ## Alternate Destination Configuration
 

diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -1,26 +1,27 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
       set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
       set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
       set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
       set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
+{{- end}}      
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
       set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
       set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}      
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "destport" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "destport" }}
       set($DESTPORT, value("fields.sc4s_destport"));
 {{- end}}    
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }}
       set($PROTO, value("fields.sc4s_proto"));
 {{- end}}    
 };