Getting Data In

Why am I receiving these errors on startup of WAS Universal Forwarder

New Member

upon startup of universal forwarder in a WAS environment, I receive the following (many of them, this is just an example). App does start and execute.

Possible typo in stanza [WebSphere:ActivityLog] in /local/home/awas0/splunkforwarder/etc/apps/splunkforwarderaddonwas/default/props.conf, line 194:
TRANSFORM-was_host = host-extract

Possible typo in stanza [WebSphere:ActivityLog] in /local/home/awas0/splunkforwarder/etc/apps/splunkforwarderaddonwas/default/props.conf,
line 195: TRANSFORM-profile = profile-extract

I look here as per docs: $SPLUNKHOME/splunkforwarder/etc/system/default/ and find no transforms.conf file.
Instead I find it in:/.../splunkforwarder/etc/apps/splunk
forwarderaddonwas/default

in Transforms.conf:

[host-extract]
SOURCEKEY = MetaData:Host
REGEX = host::(.+)
FORMAT = was
host::"$1"
WRITE_META = true

[profile-extract]
SOURCEKEY = MetaData:Source
REGEX = profiles\W{1,2}([\w-.]+)
FORMAT = profile::"$1"

WRITE
META = true

Ran the following: 'splunk btool check --debug'

Possible typo in stanza [WebSphere:ActivityLog] in /.../splunkforwarder/etc/apps/splunkforwarderaddonwas/default/props.conf, line 194: TRANSFORM-washost = host-extract
Did you mean 'TIMEFORMAT'?
Did you mean 'TIME
PREFIX'?
Did you mean 'TRANSFORMS-'?
Did you mean 'TRANSFORMS-colorchange'?
Did you mean 'TRUNCATE'?
Did you mean 'TZ'?
Did you mean 'TZALIAS'?
Did you mean 'This means that if you have e.g. EVAL-x'?
Did you mean 'the default event boundary detection (BREAK
ONLYBEFOREDATE'?

Also see this in the output:
No spec file for: /.../splunkforwarder/etc/apps/splunkforwarderaddon_was/default/transforms.conf
No spec file for: /.../splunkforwarder/etc/system/default/app.conf
No spec file for: /.../splunkforwarder/etc/system/default/conf.conf
No spec file for: /.../splunkforwarder/etc/system/local/deploymentclient.conf

I'm still learning but what am I missing?
Is the transforms.conf in incorrect spot?
Are there parms I'm to add in one of these files?

Tags (3)
0 Karma
1 Solution

Splunk Employee
Splunk Employee

Change TRANSFORM in default/props.conf to TRANSFORMS

View solution in original post

Path Finder

A very simple solution to get the app working. The problem is existing over two years, so why not updating the App and publish a working version of the app?

0 Karma

New Member

mad4wknds,
It's been a while since I had this issue but, after I updated all the TRANSFORM references, I had not additional problems. Using the btool --debug ( 'splunk btool check --debug' ) worked great since it identified lines I looked over.

0 Karma

New Member

mad4wknds,
It's been a while since I had this issue but, after I updated all the TRANSFORM references, I had not additional problems. Using the btool --debug ( 'splunk btool check --debug' ) worked great since it identified lines I looked over.

0 Karma

New Member

Excellent. Thank you. that fixed the errors. can't believe I didn't catch that simple change.

0 Karma

New Member

mad4wknds, I posted my comments above.

0 Karma

Path Finder

I had the very same exact issue with the "S" being dropped. How did you solve the issue of "No Spec file for:"

0 Karma

New Member

Excellent. Thank you. that fixed the errors. can't believe I didn't catch that simple change.

0 Karma

Splunk Employee
Splunk Employee

Change TRANSFORM in default/props.conf to TRANSFORMS

View solution in original post