From dcc847253596eac0d173bd1883cfd4216ca16bfa Mon Sep 17 00:00:00 2001
From: Kiyoshi-Miyake <81074739+Kiyoshi-Miyake@users.noreply.github.com>
Date: Sat, 17 Dec 2022 15:08:24 +0900
Subject: [PATCH] bug fix: override index/sourcetype annotation

fixed bug that override the "splunk.com/sourcetype" and "splunk.com/index" annotation of Pod.

ref: https://github.com/splunk/splunk-connect-for-kubernetes/issues/827
---
 .../charts/splunk-kubernetes-logging/templates/configMap.yaml   | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-logging/templates/configMap.yaml b/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-logging/templates/configMap.yaml
index b20741bf..366f23ad 100644
--- a/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-logging/templates/configMap.yaml
+++ b/helm-chart/splunk-connect-for-kubernetes/charts/splunk-kubernetes-logging/templates/configMap.yaml
@@ -309,7 +309,7 @@ data:
       {{- if eq .Values.containers.logFormatType "cri" }}
       <filter tail.containers.var.log.pods.**>
         @type jq_transformer
-        jq '.record | . + (.source | capture("/var/log/pods/(?<pod_uid>[^/]+)/(?<container_name>[^/]+)/(?<container_retry>[0-9]+).log")) | .sourcetype = ("{{ .Values.sourcetypePrefix }}:container:" + .container_name) | .splunk_index = {{ or .Values.global.splunk.hec.indexName .Values.splunk.hec.indexName | default "main" | quote }}'
+        jq '.record | . + (.source | capture("/var/log/pods/(?<pod_uid>[^/]+)/(?<container_name>[^/]+)/(?<container_retry>[0-9]+).log"))'
       </filter>
       {{- end }}