Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Transform field extraction work from default but n...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transform field extraction work from default but not from local
I'm using the Splunk TA for Symantec Endpoint Protection 2.3.0 and for the latest version of SEP some of the log file formats have changed and so the field extractions aren't working. I've taken the REGEX from the default\transforms.conf file and modified it and tested it using rex and all is works.
On the search head I copied the transforms.conf file from default to local (inside the app) however the field extractions don't work. So I tried putting the updated extraction directly into the default\transforms.conf file and they now work.
In both of the above cases running
.\splunk.exe cmd btool --app=Splunk_TA_symantec-ep transforms list
Displayed the updated REGEX
Can anyone shed some light on why this might be the case?
Do I need to update the local.meta file? If so, what should I put in there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check your escape characters, some working using the rex command does not work in conf files. for example backslashes.
Check this post
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Rex works in one transform.conf file, but not in another. Nothing wrong with the rex.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
After changing/adding configuration in <app>/local/transforms.conf have you restarted Splunk or used /debug/refresh endpoint to reload configuration ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See from my OP that when I put them in default\transforms it works. So yes I have.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
