Merge pull request #253 from splunk/fix/fallback-json
json events not formatted in fallback
Ryan Faircloth authored and GitHub committed Dec 20, 2019
2 parents a68846f + 76d5bec commit f5beba3
Showing 2 changed files with 15 additions and 22 deletions.
35 changes: 14 additions & 21 deletions package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
Expand Up @@ -5,7 +5,8 @@ log {
filter(f_is_rfc5424_strict);
rewrite {
r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"));
set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG"));
unset(value("RAWMSG"));
};
parser {
p_add_context_splunk(key("sc4s_fallback"));
Expand All @@ -15,45 +16,37 @@ log {
{{- end}}


#in fallback archive only write rawmsg as msg
rewrite {
unset(value("RAWMSG"));
groupunset(values(".kv.*"));
};

{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
destination(d_archive);
{{- end}}

} else {

rewrite {
r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") );
set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
unset(value("RAWMSG"));
unset(value("PROGRAM"));
unset(value("LEGACY_MSGHDR"));
groupunset(values(".kv.*"));
};
parser {
p_add_context_splunk(key("sc4s_fallback"));
};

{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
destination(d_hec);
{{- end}}
{{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
destination(d_hec);
{{- end}}


#in fallback archive only write rawmsg as msg
rewrite {
set("$RAWMSG" value("MSG"));
unset(value("RAWMSG"));
unset(value("PROGRAM"));
unset(value("LEGACY_MSGHDR"));
groupunset(values(".kv.*"));
};

{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
destination(d_archive);
{{- end}}
{{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
destination(d_archive);
{{- end}}
};



flags(flow-control,fallback);
};
};
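Review bot: The archive copy of a fallback event appears to lose the message as received, because `unset(value("RAWMSG"));` sits in the first rewrite of both branches, ahead of `destination(d_archive)`. The +/- markers are not preserved on this page, so which archive-only rewrite blocks survive is inferred: if `set("$RAWMSG" value("MSG"));` stays in the else branch it would expand a value that is already unset, and if it is removed the archive receives the JSON-rendered MSG instead. Where the archive is meant to keep the original bytes of unparsed events for later investigation, move the RAWMSG unset to after the archive rewrite. Otherwise update or drop the comment `#in fallback archive only write rawmsg as msg` so it states what d_archive now holds.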
2 changes: 1 addition & 1 deletion tests/test_common.py
Expand Up @@ -22,7 +22,7 @@ def test_defaultroute(record_property, setup_wordlist, setup_splunk):

sendsingle(message)

st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" | head 2")
st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" PROGRAM=\"test\" | head 2")
search = st.render(host=host)

resultCount, eventCount = splunk_single(setup_splunk, search)
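Review bot: The `t_JSON_5424` template that this commit introduces for `f_is_rfc5424_strict` messages has no visible test, since the only test change is the search string in test_defaultroute. Assuming the `PROGRAM=\"test\"` variant is the new side (the +/- markers are lost here), it checks one extracted field on what is presumably the non-RFC5424 fallback path. A sibling test that sends an RFC5424-framed message with no matching parser and searches `sourcetype=\"sc4s:fallback\"` on one of its fields would catch a regression in that branch. test_defaultroute starts and ends outside the hunk, so the assertion on `resultCount` is not visible.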