Splunk Enterprise Security

TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd

joshuamcqueen
Path Finder

Hey Splunkers,

I'm getting an error in _internal that I can't seem to figure out. Every enabled app that has a csv lookup is throwing this error in splunkd.log. These happen quite frequently -- adding up to 100,000 a day! 😞

Environmont Details: Splunk 6.1. Enterprise Security 3.1

06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=identities_expanded.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=pci_domains.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=pci_domains_from_assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=identities.csv in lookups.conf, cannot enumerate fields list

Why would Splunk complain about every csv lookup in my environment??? I don't get any syantax errors when I start splunk. Any help would be greatly appreciated. Thanks!

1 Solution

LukeMurphey
Champion

Its a bug in Splunk. A ticket has been opened for this (ticket number SPL-82145).

View solution in original post

antonioformato
Explorer

I have the same problem.
I've just done this change in log.conf "category.TransformsExtractionHandler=ERROR", but issue is still alive.

Any other workaround?

0 Karma

jervin_splunk
Splunk Employee
Splunk Employee

Did you restart Splunk to make the updated log.cfg take effect? I'm not seeing the messages following a restart, but am likely on a different product version.

To make the settings take effect immediately, you can also do this:

splunk set log-level TransformsExtractionHandler -level ERROR

However I don't think that will persist beyond a restart.

If you continue to have trouble, I'd suggest opening a support case; there could be other issues at play.

0 Karma

LukeMurphey
Champion

Its a bug in Splunk. A ticket has been opened for this (ticket number SPL-82145).

i2sheri
Communicator

Is this resolved ?

yannK
Splunk Employee
Splunk Employee

jervin_splunk
Splunk Employee
Splunk Employee

The warning is harmless (except for consuming disk space and I/O when being written). You can suppress it by setting this in log.cfg:

category.TransformsExtractionHandler=ERROR

However, you'd lose other warning messages from that category via that solution; caveat emptor.

0 Karma

joshuamcqueen
Path Finder

Thanks or the info. Is this warning harmless? Can it be affecting performance? Is there anyway to suppress?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...