From fb4c24d626d8bfd8fd05ffb808713837931d531f Mon Sep 17 00:00:00 2001
From: Ryan Faircloth <35384120+rfaircloth-splunk@users.noreply.github.com>
Date: Fri, 21 Aug 2020 06:18:46 -0400
Subject: [PATCH] [filtermod] LEEF correct format string for SOURCE:: (#647)

* [filtermod] LEEF correct format string for SOURCE::
* Update lp-log_extended_event_format.conf.tmpl
---
 .../conf.d/log_paths/lp-log_extended_event_format.conf.tmpl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/package/etc/conf.d/log_paths/lp-log_extended_event_format.conf.tmpl b/package/etc/conf.d/log_paths/lp-log_extended_event_format.conf.tmpl
index f15ee46..c785cde 100644
--- a/package/etc/conf.d/log_paths/lp-log_extended_event_format.conf.tmpl
+++ b/package/etc/conf.d/log_paths/lp-log_extended_event_format.conf.tmpl
@@ -82,8 +82,8 @@ class leef_kv(object):
 log_message['.splunk.sourcetype'] = f"LEEF:{lv}"
 else:
 log_message['.splunk.sourcetype'] = f"LEEF:{lv}:{hex_sep}"
- log_message['.splunk.source'] = f"{structure[2]}:{structure[3]}"
- log_message['fields.sc4s_vendor_product'] = f"{structure[2]}:{structure[3]}"
+ log_message['.splunk.source'] = f"{structure[1]}:{structure[2]}"
+ log_message['fields.sc4s_vendor_product'] = f"{structure[1]}:{structure[2]}"
 pairs = event.split(separator)
 for p in pairs: