<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: How to dynamically update transforms.conf with cURL? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-update-transforms-conf-with-cURL/m-p/339507#M62673</link>
    <description>&lt;P&gt;Try &lt;A href="https://localhost:8089/services/data/transforms//extractions"&gt;https://localhost:8089/services/data/transforms//extractions&lt;/A&gt; or your relevant Splunk instance (ie. replace the localhost).&lt;BR /&gt;
I've also used the command line of the server which I would assume is:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$SPLUNK_HOME/bin/splunk _internal call "/services/data/transforms/extractions"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have not used this but I can see the list/reload/edit options available which means that you should be able to make the changes you require.&lt;/P&gt;</description>
    <pubDate>Mon, 06 Mar 2017 00:10:18 GMT</pubDate>
    <dc:creator>gjanders</dc:creator>
    <dc:date>2017-03-06T00:10:18Z</dc:date>
    <item>
      <title>How to dynamically update transforms.conf with cURL?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-update-transforms-conf-with-cURL/m-p/339506#M62672</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;

&lt;P&gt;I have the following transforms.conf actual configuration (with various User in the regex):&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[admin filter]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = (?i)(Account name:\s+User1)|(Account Name:\sUser2)|(……)
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Let suppose that FORMAT contains the $1, $2, $3, $n... as the various Users. &lt;/P&gt;

&lt;P&gt;I need to update the &lt;CODE&gt;$SPLUNK_HOME\eta\apps\&amp;lt;my app&amp;gt;\local\transforms.conf&lt;/CODE&gt;&lt;BR /&gt;
with the curl command as the following, but I do not find the RESt POST method correctly in the docs (&lt;A href="http://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTconf"&gt;http://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTconf&lt;/A&gt;). I do not understand what to put instead of property and values&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;curl -k -u &amp;lt;user&amp;gt;:&amp;lt;passwd&amp;gt; &lt;A href="https://&amp;lt;ip_server&amp;gt;:8089/servicesNS/nobody/&amp;lt;my" target="test_blank"&gt;https://&amp;lt;ip_server&amp;gt;:8089/servicesNS/nobody/&amp;lt;my&lt;/A&gt; app&amp;gt;/properties/transforms/&amp;lt;admin filter&amp;gt; -d &amp;lt;property&amp;gt;=&amp;lt;value&amp;gt;
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Any suggestions how to achieve this?&lt;/P&gt;

&lt;P&gt;Thanks,&lt;BR /&gt;
Skender&lt;/P&gt;</description>
      <pubDate>Fri, 03 Mar 2017 14:54:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-update-transforms-conf-with-cURL/m-p/339506#M62672</guid>
      <dc:creator>skender27</dc:creator>
      <dc:date>2017-03-03T14:54:44Z</dc:date>
    </item>
    <item>
      <title>Re: How to dynamically update transforms.conf with cURL?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-update-transforms-conf-with-cURL/m-p/339507#M62673</link>
      <description>&lt;P&gt;Try &lt;A href="https://localhost:8089/services/data/transforms//extractions"&gt;https://localhost:8089/services/data/transforms//extractions&lt;/A&gt; or your relevant Splunk instance (ie. replace the localhost).&lt;BR /&gt;
I've also used the command line of the server which I would assume is:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;$SPLUNK_HOME/bin/splunk _internal call "/services/data/transforms/extractions"
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;I have not used this but I can see the list/reload/edit options available which means that you should be able to make the changes you require.&lt;/P&gt;</description>
      <pubDate>Mon, 06 Mar 2017 00:10:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-dynamically-update-transforms-conf-with-cURL/m-p/339507#M62673</guid>
      <dc:creator>gjanders</dc:creator>
      <dc:date>2017-03-06T00:10:18Z</dc:date>
    </item>
  </channel>
</rss>

