Hello,
In a particular TA, I had to use a standalone transforms.conf stanza:
[standalone_stanza]
REGEX = (.+?)\:\s(.+?)(?:\\r\\n|$)
FORMAT = $1::$2
It is needed because I needed dynamic field name extraction (hence, FORMAT = $1::$2).
The stanza is called directly in the search queries using the extract command and with the target passed as the _raw value:
[...]
| eval _raw=...
| table _raw
| extract standalone_stanza limit=1 clean_keys=false
| fields - _raw
[...]
Everything is fine except I got the following warning in the splunkd.log:
WARN SearchOperator:kv - buildRegexList provided empty conf key, ignoring.
I believe it is due to the fact that the transforms stanza is not called in props.conf.
Thing is I do not want it to be called automatically because of the way it works.
So I guess I can just ignore the warning log.
I am just wondering if there is a cleaner way.
Maybe it is somehow possible to reference the transforms stanza in props and configure it to not be launched automatically.
I have checked the documentation without luck so far.
Thanks in advance for any hint!
Yes, you can. You do it like this:
... | rex mode=sed "s/fancy stuff here that converts raw text/so that it matches key=value format/g"
| kv
Check out my answer here:
https://answers.splunk.com/answers/569402/how-can-i-create-the-same-fields-with-different-va.html
Wow, no clue why I did not think of that!
I ended up using '| makemv delim="\r\n"' instead but following the same logic and got rid of the standalone transforms.conf stanza!
Thanks a lot!
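
The field mapping that the stanza's REGEX and FORMAT = $1::$2 describe, next to the split-first logic the last reply mentions, emulated in Python as an added example (not code from this thread). Python's re module stands in for Splunk's regex engine, the function names are hypothetical, and the sample _raw value is constructed.

```python
import re

# REGEX copied from [standalone_stanza] above. `\\r\\n` matches the four
# literal characters backslash, r, backslash, n, not a real CR/LF pair.
STANZA_REGEX = re.compile(r"(.+?)\:\s(.+?)(?:\\r\\n|$)")

# Constructed sample: key/value pairs joined by the literal text \r\n,
# with one value that itself contains ": ".
SAMPLE_RAW = r"user: alice\r\nsrc_ip: 10.0.0.5\r\nmsg: error: disk full"


def extract_dynamic_fields(raw):
    """Emulate FORMAT = $1::$2: group 1 names the field, group 2 is its value."""
    return {m.group(1): m.group(2) for m in STANZA_REGEX.finditer(raw)}


def split_then_kv(raw, delim="\\r\\n"):
    """Split on the literal delimiter first, then cut each piece at the first ': '.

    Assumption: only a plain space follows the colon (the regex's \\s is wider).
    """
    fields = {}
    for piece in raw.split(delim):
        key, sep, value = piece.partition(": ")
        if sep and key and value:
            fields[key] = value
    return fields


if __name__ == "__main__":
    # Field names come from the data itself, and the lazy key group stops at
    # the first ": ", so a later ": " stays inside the value.
    print(extract_dynamic_fields(SAMPLE_RAW))
    # The split-first approach yields the same fields without the transform.
    print(split_then_kv(SAMPLE_RAW))
    # With real CR/LF bytes the pattern's literal alternative never matches;
    # in this emulation only the last pair, terminated by $, is extracted.
    print(extract_dynamic_fields("a: 1\r\nb: 2"))
```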