From ee28b952cfc53a3ca9ba522d56462352d1dc9225 Mon Sep 17 00:00:00 2001 From: Mark Bonsack Date: Tue, 12 May 2020 22:19:18 -0700 Subject: [PATCH] Fix indexed field gomplate template * Fix indexed field gomplate template * Add "none" as an option for indexed fields * Update and expand docs --- docs/configuration.md | 2 +- docs/gettingstarted/docker-systemd-general.md | 2 +- docs/gettingstarted/podman-systemd-general.md | 2 +- .../conflib/_splunk/splunkfields.conf.tmpl | 38 +++++++++++-------- .../conf.d/destinations/splunk_hec.conf.tmpl | 5 ++- 5 files changed, 30 insertions(+), 19 deletions(-) diff --git a/docs/configuration.md b/docs/configuration.md index f8f3920..60b9800 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -27,7 +27,7 @@ syslog. | SC4S_DEST_SPLUNK_HEC_TLS_CA_FILE | path | Custom trusted cert file | | SC4S_DEST_SPLUNK_HEC_TLS_VERIFY | yes(default) or no | verify HTTP(s) certificate | | SC4S_DEST_SPLUNK_HEC_WORKERS | numeric | Number of destination workers (default: 10 threads). This should rarely need to be changed; consult sc4s community for advice on appropriate setting in extreme high- or low-volume environments. | -| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,loghost,dport,fromhostip,proto | list of sc4s indexed fields default list is all fields ) +| SC4S_DEST_SPLUNK_INDEXED_FIELDS | facility,severity,container,loghost,destport,fromhostip,proto, or none | List of sc4s indexed fields (default is the entire list except "none"). If this veriable is not set, the default indexed fields `sc4s_vendor_product` and `sc4d_syslog_format` _will_ appear. If no indexed fields are desired (including the two defaults mentioned), set the value to the single value of "none". This list maps to the following indexed fields that will appear in all Splunk events:
facility: sc4s_syslog_facility
severity: sc4s_syslog_severity
container: sc4s_container
loghost: sc4s_loghost
dport: sc4s_destport
fromhostip: sc4s_fromhostip
proto: sc4s_proto ## Alternate Destination Configuration
diff --git a/docs/gettingstarted/docker-systemd-general.md b/docs/gettingstarted/docker-systemd-general.md
index 5614607..f18cb08 100644
--- a/docs/gettingstarted/docker-systemd-general.md
+++ b/docs/gettingstarted/docker-systemd-general.md
@@ -59,7 +59,7 @@ ExecStartPre=/usr/bin/docker run \
 --name SC4S_preflight \
 --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/docker run -p 514:514 -p 514:514/udp -p 6514:6514 \
- -e "SC4S_CONTAINER_HOST=$(hostname -s)" \
+ -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_PERSIST_VOLUME" \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
diff --git a/docs/gettingstarted/podman-systemd-general.md b/docs/gettingstarted/podman-systemd-general.md
index 2b2269a..afbcefd 100644
--- a/docs/gettingstarted/podman-systemd-general.md
+++ b/docs/gettingstarted/podman-systemd-general.md
@@ -77,7 +77,7 @@ ExecStartPre=/usr/bin/podman run \
 --name SC4S_preflight \
 --rm $SC4S_IMAGE -s
 ExecStart=/usr/bin/podman run -p 514:514 -p 514:514/udp -p 6514:6514 \
- -e "SC4S_CONTAINER_HOST=$(hostname -s)" \
+ -e "SC4S_CONTAINER_HOST=$(`hostname -s`)" \
 --env-file=/opt/sc4s/env_file \
 "$SC4S_PERSIST_VOLUME" \
 "$SC4S_LOCAL_CONFIG_MOUNT" \
diff --git a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
index 320acf8..fea713b 100644
--- a/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
+++ b/package/etc/conf.d/conflib/_splunk/splunkfields.conf.tmpl
@@ -1,28 +1,36 @@
 #Used to set indexed fields we will always use to global defaults
 rewrite r_set_splunk_default {
- set("SC4S:$SOURCE", value(".splunk.source"));
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "facility" }}
- set($FACILITY, value("fields.sc4s_syslog_facility"));
+ set("SC4S:$SOURCE", value(".splunk.source"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "facility") }}
+ set($FACILITY, value("fields.sc4s_syslog_facility"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "severity" }}
- set($LEVEL, value("fields.sc4s_syslog_severity"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "severity") }}
+ set($LEVEL, value("fields.sc4s_syslog_severity"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "loghost" }}
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "loghost") }}
 {{- if (getenv "SC4S_CONTAINER_HOST") }}
- set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
+ set("{{ getenv "SC4S_CONTAINER_HOST" }}", value("fields.sc4s_loghost"));
 {{- end}}
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") has "container" }}
- set($LOGHOST, value("fields.sc4s_container"));
+{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "container") }}
+ set($LOGHOST, value("fields.sc4s_container"));
 {{- end}}
-{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS"
"facility,severity,container,loghost,dport,fromhostip,proto") ",") has "fromhostip" }} - set($SOURCEIP, value("fields.sc4s_fromhostip")); +{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "fromhostip") }} + set($SOURCEIP, value("fields.sc4s_fromhostip")); {{- end}} -{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,destport,fromhostip,proto") ",") has "destport" }} - set($DESTPORT, value("fields.sc4s_destport")); +{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "destport") }} + set($DESTPORT, value("fields.sc4s_destport")); {{- end}} -{{- if (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,destport,fromhostip,proto") ",") has "proto" }} - set($PROTO, value("fields.sc4s_proto")); +{{- if (has (split (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS" "facility,severity,container,loghost,dport,fromhostip,proto") ",") "proto") }} + channel { + if (match("6" value("PROTO"))) { + rewrite { set("TCP", value("fields.sc4s_proto")); }; + } elif (match("17" value("PROTO"))) { + rewrite { set("UDP", value("fields.sc4s_proto")); }; + } else { + rewrite { set($PROTO, value("fields.sc4s_proto")); }; + }; + }; {{- end}} }; #used by each log-path to set index and sourcetype which may be diff --git a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl index 0b2b349..d0a3341 100644 --- a/package/etc/conf.d/destinations/splunk_hec.conf.tmpl +++ b/package/etc/conf.d/destinations/splunk_hec.conf.tmpl @@ -47,6 +47,9 @@ destination d_hec { sourcetype=${.splunk.sourcetype} index=${.splunk.index} event="$MSG" - fields.*)') + {{- if ne (getenv "SC4S_DEST_SPLUNK_INDEXED_FIELDS") "none" }} + fields.* + {{- end }} + )') ); };