From e873be4b9d55a7f15873a42aa6f5d7e09c21abf5 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Fri, 8 May 2020 12:54:57 -0400
Subject: [PATCH] INDEXED not INDEX and fix missing end

---
 docs/configuration.md | 2 +-
 .../conf.d/conflib/_splunk/splunkfields.conf.tmpl | 15 ++++++++-------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/docs/configuration.md b/docs/configuration.md
index a30ec11..eeffb1e 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -27,7 +27,7 @@ syslog.
 | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file |
 | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate |
 | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. |
-| SC4S_DEST_SPLUNK_INDEX_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) )
+| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,log_host,dport,fromhostip,proto | list of sc4s indexed fields default list is (container,log_host,dport,fromhostip,proto) )
 ## Alternate Destination Configuration
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
index 9f43664..1d838f9 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -1,26 +1,27 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
 set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "facility" }}
 set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "severity" }}
 set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "log_host" }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
 set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_log_host"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
+{{- end}}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "container" }}
 set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "fromhostip" }}
 set($SOURCEIP, value("fields.sc4s_fromhostip"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "destport" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "destport" }}
 set($DESTPORT, value("fields.sc4s_destport"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEX_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }}
+{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,destport,fromhostip,proto") ",") has "proto" }}
 set($PROTO, value("fields.sc4s_proto"));
 {{- end}}
 };
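Review bot: The destination-port branch near the end of the hunk still keys on `destport` (`has "destport"`, with `destport` in its inline default) while the documented default list in docs/configuration.md in this same commit, and the defaults used by the other five branches, name that field `dport`; an operator who sets SC4S_DEST_SPLUNK_INDEXED_FIELDS exactly as documented therefore silently stops indexing the destination port, and the `proto` branch carries the same divergent default string. Whichever spelling is intended, the two lines should use it consistently, e.g. `{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "container,log_host,dport,fromhostip,proto") ",") has "dport" }}` and the same default on the `proto` line, and the docs table should match. Because the getenv/split expression is repeated seven times, hoisting the parsed list into one template variable at the top of the rewrite block (if the engine supports variable assignment, as its Go-template-style `getenv`/`split`/`has` pipeline suggests) would stop the default from drifting again. Separately, the unchanged context line `set("{{ getenv "SC4S_CONTAINER_HOST" }}", ...)` interpolates an environment value verbatim inside a quoted syslog-ng string, so a value containing a `"` would break or alter the rendered config; quoting or validating that value at render time would be prudent even though it is operator-controlled.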