I'm using the Splunk TA for Symantec Endpoint Protection 2.3.0 and for the latest version of SEP some of the log file formats have changed and so the field extractions aren't working. I've taken the REGEX from the default\transforms.conf file and modified it and tested it using rex and all is works.
On the search head I copied the transforms.conf file from default to local (inside the app) however the field extractions don't work. So I tried putting the updated extraction directly into the default\transforms.conf file and they now work.
In both of the above cases running
\splunk.exe cmd btool --app=Splunk_TA_symantec-ep transforms list
Displayed the updated REGEX
Can anyone shed some light on why this might be the case?
Do I need to update the local.meta file? If so, what should I put in there?