diff --git a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
index cb9ed87..220916a 100644
--- a/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
+++ b/package/etc/conf.d/log_paths/p_zz_fallback.conf.tmpl
@@ -5,7 +5,8 @@ log {
 filter(f_is_rfc5424_strict);
 rewrite {
 r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main"));
- set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
+ set("$(template ${.splunk.sc4s_template} $(template t_JSON_5424))" value("MSG"));
+ unset(value("RAWMSG"));
 };
 parser { p_add_context_splunk(key("sc4s_fallback")); 
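Review bot: The RFC 5424 branch now drops RAWMSG immediately after the template is applied, before `p_add_context_splunk` and before any destination, whereas the old layout (visible in the next hunk) unset it only in the archive-specific rewrite; any later stage in this branch that reads RAWMSG now sees it empty. A why-comment above the new line would make the intent explicit, e.g. `# MSG already carries the full event via t_JSON_5424; drop RAWMSG so it is not forwarded twice` — presumably that is the reason, confirm against the template. This branch also switches to t_JSON_5424 while the else branch in the next hunk keeps t_JSON, which looks deliberate but is worth stating in the same comment. The enclosing `log {` block starts and ends outside the hunk.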
@@ -15,45 +16,37 @@ log {
 {{- end}}
- #in fallback archive only write rawmsg as msg
- rewrite {
- unset(value("RAWMSG"));
- groupunset(values(".kv.*"));
- };
-
 {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
 destination(d_archive);
 {{- end}}
 } else {
+
 rewrite {
 r_set_splunk_dest_default(sourcetype("sc4s:fallback"), index("main") );
 set("$(template ${.splunk.sc4s_template} $(template t_JSON))" value("MSG"));
+ unset(value("RAWMSG"));
+ unset(value("PROGRAM"));
+ unset(value("LEGACY_MSGHDR"));
+ groupunset(values(".kv.*"));
 };
 parser { p_add_context_splunk(key("sc4s_fallback")); };
- {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
- destination(d_hec);
- {{- end}}
+ {{- if ((getenv "SC4S_DEST_SPLUNK_HEC_GLOBAL" "yes") | conv.ToBool) or (conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool) }}
+ destination(d_hec);
+ {{- end}}
 #in fallback archive only write rawmsg as msg
- rewrite {
- set("$RAWMSG" value("MSG"));
- unset(value("RAWMSG"));
- unset(value("PROGRAM"));
- unset(value("LEGACY_MSGHDR"));
- groupunset(values(".kv.*"));
- };
- {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
- destination(d_archive);
- {{- end}}
+ {{- if (getenv "SC4S_ARCHIVE_GLOBAL") or (getenv "SC4S_ARCHIVE_FALLBACK") }}
+ destination(d_archive);
+ {{- end}}
 };
 flags(flow-control,fallback);
-};
+};
\ No newline at end of file
diff --git a/tests/test_common.py b/tests/test_common.py
index 1ed4c97..5b57207 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
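Review bot: The comment `#in fallback archive only write rawmsg as msg` kept in the else branch is now stale: the rewrite beneath it that did `set("$RAWMSG" value("MSG"))` is removed and nothing after the comment touches RAWMSG, so drop it or replace it with something like `# fields already stripped in the rewrite above; archive receives the same event as HEC`. The unsets of PROGRAM and LEGACY_MSGHDR also moved ahead of `destination(d_hec)`, so HEC-bound non-5424 fallback events presumably lose those fields as well — if intended, a one-line note on the rewrite would spare the next reader the diff archaeology. The re-added gomplate condition still applies conv.ToBool twice (`(conv.ToBool (getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool)`); since the line is rewritten anyway, `((getenv "SC4S_DEST_ARCHIVE_HEC" "no") | conv.ToBool)` reads cleaner and matches the first operand. The replacement closing `};` lacks a trailing newline (`\ No newline at end of file`). The enclosing `log {` block begins before the hunk.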
@@ -22,7 +22,7 @@ def test_defaultroute(record_property, setup_wordlist, setup_splunk):
 sendsingle(message)
- st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" | head 2")
+ st = env.from_string("search index=main host=\"{{ host }}\" sourcetype=\"sc4s:fallback\" PROGRAM=\"test\" | head 2")
 search = st.render(host=host)
 resultCount, eventCount = splunk_single(setup_splunk, search)
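Review bot: The new search filters on a literal `PROGRAM=\"test\"`, which couples the assertion to whatever program name `message` is built with earlier in test_defaultroute (outside the hunk); if that value lives in a variable, render it through the template like `host` (`PROGRAM=\"{{ program }}\"` with `st.render(host=host, program=program)`) so the two cannot drift. The test also now depends on the fallback event retaining PROGRAM, which the else branch of p_zz_fallback.conf.tmpl in this commit unsets before d_hec, so it presumably only holds for RFC 5424 strict input — a one-line comment stating that expectation would make the dependency visible. The rest of test_defaultroute, including the assertions, is outside the hunk.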