Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

How to dynamically update transforms.conf with cURL?

skender27
Contributor
‎03-03-2017 06:54 AM

Hi,

I have the following transforms.conf actual configuration (with various User in the regex):

[admin filter]
DEST_KEY = queue
FORMAT = indexQueue
REGEX = (?i)(Account name:\s+User1)|(Account Name:\sUser2)|(……)

Let suppose that FORMAT contains the $1, $2, $3, $n... as the various Users.

I need to update the $SPLUNK_HOME\eta\apps\<my app>\local\transforms.conf
with the curl command as the following, but I do not find the RESt POST method correctly in the docs (http://docs.splunk.com/Documentation/Splunk/6.5.2/RESTREF/RESTconf). I do not understand what to put instead of property and values

curl -k -u <user>:<passwd> https://<ip_server>:8089/servicesNS/nobody/<my app>/properties/transforms/<admin filter> -d <property>=<value>

Any suggestions how to achieve this?

Thanks,
Skender

Reply
Highlighted

Re: How to dynamically update transforms.conf with cURL?

gjanders
SplunkTrust
SplunkTrust
‎03-05-2017 04:10 PM

Try https://localhost:8089/services/data/transforms//extractions or your relevant Splunk instance (ie. replace the localhost).
I've also used the command line of the server which I would assume is:

$SPLUNK_HOME/bin/splunk _internal call "/services/data/transforms/extractions"

I have not used this but I can see the list/reload/edit options available which means that you should be able to make the changes you require.

0 Karma
Reply