Hi,
I have the following transforms.conf actual configuration (with various User in the regex):
[admin filter]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = (?i)(Account name:\s+User1)|(Account Name:\sUser2)|(……)
Let suppose that FORMAT contains the $1, $2, $3, $n... as the various Users.
I need to update the $SPLUNK_HOME\eta\apps\<my app>\local\transforms.conf
with the curl command as the following, but I do not find the RESt POST method correctly in the docs (http://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTconf). I do not understand what to put instead of property and values
curl -k -u <user>:<passwd> https://<ip_server>:8089/servicesNS/nobody/<my app>/properties/transforms/<admin filter> -d <property>=<value>
Any suggestions how to achieve this?
Thanks,
Skender
Try https://localhost:8089/services/data/transforms//extractions or your relevant Splunk instance (ie. replace the localhost).
I've also used the command line of the server which I would assume is:
$SPLUNK_HOME/bin/splunk _internal call "/services/data/transforms/extractions"
I have not used this but I can see the list/reload/edit options available which means that you should be able to make the changes you require.