Splunk Enterprise Security

TransformsExtractionHandler - Unable to find stanza. Getting thousands of warnings in _internal splunkd

joshuamcqueen
Path Finder

Hey Splunkers,

I'm getting an error in _internal that I can't seem to figure out. Every enabled app that has a csv lookup is throwing this error in splunkd.log. These happen quite frequently -- adding up to 100,000 a day! 😞

Environmont Details: Splunk 6.1. Enterprise Security 3.1

06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=identities_expanded.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=pci_domains.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=pci_domains_from_assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=assets.csv in lookups.conf, cannot enumerate fields list
06-26-2014 04:24:00.807 +0000 WARN  TransformsExtractionHandler - Unable to find stanza=identities.csv in lookups.conf, cannot enumerate fields list

Why would Splunk complain about every csv lookup in my environment??? I don't get any syantax errors when I start splunk. Any help would be greatly appreciated. Thanks!

1 Solution

LukeMurphey
Champion

Its a bug in Splunk. A ticket has been opened for this (ticket number SPL-82145).

View solution in original post

antonioformato
Explorer

I have the same problem.
I've just done this change in log.conf "category.TransformsExtractionHandler=ERROR", but issue is still alive.

Any other workaround?

0 Karma

jervin_splunk
Splunk Employee
Splunk Employee

Did you restart Splunk to make the updated log.cfg take effect? I'm not seeing the messages following a restart, but am likely on a different product version.

To make the settings take effect immediately, you can also do this:

splunk set log-level TransformsExtractionHandler -level ERROR

However I don't think that will persist beyond a restart.

If you continue to have trouble, I'd suggest opening a support case; there could be other issues at play.

0 Karma

LukeMurphey
Champion

Its a bug in Splunk. A ticket has been opened for this (ticket number SPL-82145).

i2sheri
Communicator

Is this resolved ?

yannK
Splunk Employee
Splunk Employee

jervin_splunk
Splunk Employee
Splunk Employee

The warning is harmless (except for consuming disk space and I/O when being written). You can suppress it by setting this in log.cfg:

category.TransformsExtractionHandler=ERROR

However, you'd lose other warning messages from that category via that solution; caveat emptor.

0 Karma

joshuamcqueen
Path Finder

Thanks or the info. Is this warning harmless? Can it be affecting performance? Is there anyway to suppress?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...