Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted
Solved! Jump to solution

reload transforms.conf

gcusello
Legend
‎02-28-2018 06:33 AM

Hi at all,
a very quick answer:
I modified transforms.conf in one app without restarting Splunk:
The update I performed was to add three new fields in a FIELDS row after DELIM:

[my_transform]
DELIM = "|"
FIELDS = "field1","field2","newfield1",newfield2","newfield3"

The strange behavior (but maybe I didn't understand it) is that my search sees the new fields without any Splunk restart and if I remove the new fields, my search doesn't see them!
It seems that transforms.conf is reading every time at search time.

Can anyone confirm this and/or explain this behavior?

Bye.
Giuseppe

0 Karma
Reply
1 Solution
Highlighted
Solved! Jump to solution

Re: reload transforms.conf

FrankVl
Ultra Champion
‎02-28-2018 06:44 AM

That is expected behavior. There are plenty of config changes that you can make which do not require splunk to be restarted.

For details, see: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart

Reply
Highlighted
Solved! Jump to solution
Solution

Re: reload transforms.conf

493669
Super Champion
‎02-28-2018 06:47 AM

Hi @cusello,
Each time you run a search Splunk will fork off a new process and reload the props and transforms as part of that - for any search time changes. So, Settings that apply to search-time processing take effect immediately and do not require a restart.
In addition, index-time props and transforms do not require restarts, as long as your indexers are receiving the data from forwarders.
reference: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Configurationfilechangesthatrequirerestart

View solution in original post

0 Karma
Reply