From fcd2503895c6581638b5c133c0d4104f967f6883 Mon Sep 17 00:00:00 2001 From: rfaircloth-splunk Date: Mon, 10 Feb 2020 13:39:50 -0500 Subject: [PATCH] make DRY --- .../etc/conf.d/filters/citrix/netscaler.conf | 19 +++++++++ package/etc/go_templates/source_network.t | 41 ++----------------- 2 files changed, 23 insertions(+), 37 deletions(-) diff --git a/package/etc/conf.d/filters/citrix/netscaler.conf b/package/etc/conf.d/filters/citrix/netscaler.conf index 121a417..9f8d97c 100644 --- a/package/etc/conf.d/filters/citrix/netscaler.conf +++ b/package/etc/conf.d/filters/citrix/netscaler.conf @@ -7,3 +7,22 @@ filter f_citrix_netscaler_message { flags(store-matches) ); }; + +parser p_citrix_netscaler_date { +{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "yes")) }} + #01/10/2001:01:01:01 GMT + date-parser(format('%d/%m/%Y:%H:%M:%S %Z') + template("$2")); +{{ else }} + #10/01/2001:01:01:01 GMT + date-parser(format('%m/%d/%Y:%H:%M:%S %Z') + template("$2")); +{{- end}} +}; + +rewrite r_citrix_netscaler_message { + set("citrix_netscaler" value("fields.sc4s_syslog_format")); + set("citrix_netscaler" value("fields.sc4s_vendor_product")); + set("$3" value("HOST")); + set("$4" value("MESSAGE")); +}; \ No newline at end of file diff --git a/package/etc/go_templates/source_network.t b/package/etc/go_templates/source_network.t index 0a59bcd..0728c2d 100644 --- a/package/etc/go_templates/source_network.t +++ b/package/etc/go_templates/source_network.t @@ -89,48 +89,15 @@ source s_{{ .port_id }} { parser (p_cisco_meraki); rewrite(set_rfc5424_epochtime); {{ else if eq .parser "citrix_netscaler" }} - parser { -{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "yes")) }} - #01/10/2001:01:01:01 GMT - date-parser(format('%d/%m/%Y:%H:%M:%S %Z') - template("$2")); - }; -{{ else }} - #10/01/2001:01:01:01 GMT - date-parser(format('%m/%d/%Y:%H:%M:%S %Z') - template("$2")); - }; -{{- end}} - rewrite { - set("citrix_netscaler" value("fields.sc4s_syslog_format")); - set("citrix_netscaler" value("fields.sc4s_vendor_product")); - set("$3" value("HOST")); - set("$4" value("MESSAGE")); - }; + parser(p_citrix_netscaler_date); + rewrite(r_citrix_netscaler_message); {{ else if eq .parser "no_parse" }} rewrite(set_no_parse); {{ else }} if { filter(f_citrix_netscaler_message); - parser { -{{- if (conv.ToBool (getenv "SC4S_SOURCE_CITRIX_NETSCALER_USEALT_DATE_FORMAT" "yes")) }} - #01/10/2001:01:01:01 GMT - date-parser(format('%d/%m/%Y:%H:%M:%S %Z') - template("$2")); - }; -{{ else }} - #10/01/2001:01:01:01 GMT - date-parser(format('%m/%d/%Y:%H:%M:%S %Z') - template("$2")); - }; -{{- end}} - rewrite { - set("citrix_netscaler" value("fields.sc4s_syslog_format")); - set("citrix_netscaler" value("fields.sc4s_vendor_product")); - set("$3" value("HOST")); - set("$4" value("MESSAGE")); - }; - + parser(p_citrix_netscaler_date); + rewrite(r_citrix_netscaler_message); } elif { filter(f_rfc5424_strict); parser {