From ea550ac38abe5cba9532d9a5e493a7b4fe9855e3 Mon Sep 17 00:00:00 2001
From: Mark Bonsack
Date: Fri, 22 May 2020 14:10:26 -0700
Subject: [PATCH] Shorten rogue/dtparse indexed field

* Shorten rogue/dtparse `sc4s_error` indexed field
---
 .../etc/conf.d/conflib/_common/date-parser_nofilter.conf.tmpl | 2 +-
 package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl | 2 +-
 package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl | 2 +-
 package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/etc/conf.d/conflib/_common/date-parser_nofilter.conf.tmpl b/package/etc/conf.d/conflib/_common/date-parser_nofilter.conf.tmpl
index b3d67cc..4878e26 100644
--- a/package/etc/conf.d/conflib/_common/date-parser_nofilter.conf.tmpl
+++ b/package/etc/conf.d/conflib/_common/date-parser_nofilter.conf.tmpl
@@ -10,7 +10,7 @@ block parser date-parser-nofilter(
 flags(guess-timezone));
 };
 } else {
- rewrite { set("date/time parser failed; possible rogue message. Expected strptime format: `format`; Actual timestamp: `template`" value("fields.sc4s_error")); };
+ rewrite { set("dtparse: Expected: `format`; Actual: `template`" value("fields.sc4s_error")); };
 };
 };
 };
diff --git a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
index fa32d23..05cc13d 100644
--- a/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-f5_bigip.conf.tmpl
@@ -118,7 +118,7 @@ log {
 } else {
 rewrite {
 set("f5_bigip_rogue_message", value("fields.sc4s_vendor_product"));
- set("Possible rogue message on f5 unique port", value("fields.sc4s_error"));
+ set("rogue-f5", value("fields.sc4s_error"));
 r_set_splunk_dest_default(sourcetype("f5:bigip:rogue"), index("netops"))
 };
 parser { p_add_context_splunk(key("f5_bigip")); };
diff --git a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl
index cc47ac7..4f0351c 100644
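Review bot: The new `fields.sc4s_error` value in this hunk (`dtparse: Expected: ...`) and the three in the log-path hunks (`rogue-f5`, `rogue-fortinet`, `rogue-zscaler_lss`) are the searchable strings that downstream Splunk searches and dashboards key on, yet nothing in the patch records the old-to-new mapping or the naming scheme. A saved search matching the previous wording (`Possible rogue message on ...`, `date/time parser failed`) silently stops matching after this change, and because the field is indexed the old and new values coexist for the retention period. Suggest a comment above each rewrite, e.g. `# sc4s_error is an indexed field: keep the value short and stable (dtparse / rogue-<vendor>); searches depend on it`, plus a release-note line listing the renamed values. Note also that `template` is still expanded into the value, so the field length is bounded by the raw timestamp text rather than by this shortening. The enclosing `block parser date-parser-nofilter(` starts before the hunk.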
--- a/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-fortinet.conf.tmpl
@@ -54,7 +54,7 @@ log {
 );
 };
 } else {
- rewrite { set("date/time parser failed", value("fields.sc4s_error")); };
+ rewrite { set("rogue-fortinet", value("fields.sc4s_error")); };
 };
 
 # Fortiweb
diff --git a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
index 7d5344b..25d655a 100644
--- a/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-zscaler_lss.conf.tmpl
@@ -73,7 +73,7 @@ log {
 } else {
 rewrite {
 set("zscaler_lss_rogue_message", value("fields.sc4s_vendor_product"));
- set("Possible rogue message on zscaler_lss unique port", value("fields.sc4s_error"));
+ set("rogue-zscaler_lss", value("fields.sc4s_error"));
 r_set_splunk_dest_default(sourcetype("zscalerlss:rogue"), index("netproxy"))
 };
 parser { p_add_context_splunk(key("zscaler_lss")); };
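Review bot: `rogue-fortinet` files the Fortinet failure under the `rogue-<vendor>` class that the f5 and zscaler_lss hunks use for messages arriving on a vendor-unique port, while the removed text (`date/time parser failed`) suggests this else branch is the date-parser failure that the date-parser_nofilter hunk now labels `dtparse: ...`; the condition guarding this branch is outside the hunk, so this is inferred from the old string only. If it is a date-parse failure, searches that separate parse failures from unrecognised-port traffic lose that distinction. Consider keeping the failure class in the value, e.g. `rewrite { set("dtparse-fortinet", value("fields.sc4s_error")); };`, or adding a comment stating why Fortinet is classed as rogue rather than dtparse. The enclosing `log {` path starts before the hunk and continues after it (`# Fortiweb`).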