From e611a7c27fca6c069760429c2fae5a57c39ada30 Mon Sep 17 00:00:00 2001
From: rfaircloth-splunk
Date: Thu, 17 Jun 2021 17:45:44 -0400
Subject: [PATCH] feat: allow meta config for nix_syslog by more specific values When a product key is arrived via vendor_product_by_source OR by PORT for example vmware_vsphere some data may still be "nix" like syslog. We will now compose a new product key ${.netsource.sc4s_vendor_product}_nix_syslog i.e. vmware_vsphere_nix_syslog allowing index/sourcetype to be overridden in this case. fixes #1176 Update app-nix_syslog.conf
---
 package/etc/conf.d/conflib/net_source/app-nix_syslog.conf | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/package/etc/conf.d/conflib/net_source/app-nix_syslog.conf b/package/etc/conf.d/conflib/net_source/app-nix_syslog.conf
index dc57987d70..076395400b 100644
--- a/package/etc/conf.d/conflib/net_source/app-nix_syslog.conf
+++ b/package/etc/conf.d/conflib/net_source/app-nix_syslog.conf
@@ -13,6 +13,12 @@ block parser nix_syslog-parser() {
 };
+ rewrite {
+ r_set_splunk_dest_update(
+ meta_key('${.netsource.sc4s_vendor_product}_nix_syslog')
+
+ );
+ };
 };
 };
 application nix_syslog[sc4s-network-source] {
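Review bot: The composed key in `meta_key('${.netsource.sc4s_vendor_product}_nix_syslog')` is not guarded against the macro being unset. For events that reach nix_syslog-parser without a vendor/product assigned by source or port, the template would presumably expand to `_nix_syslog`, and how r_set_splunk_dest_update treats a key with no metadata entry is not visible in this hunk. Because this key selects the index and sourcetype an event is stored under, it is worth confirming that an unmatched key leaves the destination set earlier in the parser untouched, or making the rewrite conditional on the macro being non-empty. A comment above the rewrite would help operators, for example `# per-source override: looks up <vendor_product>_nix_syslog, e.g. vmware_vsphere_nix_syslog`, and the blank added line inside the argument list can be dropped. The parser block starts and ends outside the hunk, so the preceding rewrite was not reviewed.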