- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: I disabled a transforms.conf stanza in Splunk ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I disabled a transforms.conf stanza in Splunk Web, but why is the regex field extraction still effective?
I have disabled the transform stanza in the GUI, but the regex field extractions are still effective. What's wrong?
[<spec>]
REPORT-<class> = <unique_transform_stanza_name1>, <unique_transform_stanza_name2>,...
props.conf:REPORT-apNameList = apNameList
transforms.conf:[apNameList]
transforms.conf:disabled = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are things that create fields automatically; you should make sure that you set KV_MODE = none also. Post an example event and the fields that shouldn't be there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can check your eventually combined transforms.conf by executing the command.
splunk cmd btool transforms list.
Then you can check which transforms are active or not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not see any disabled argument in stanza's of transforms.conf
Just try commenting out the configuration and restart the instance.
Let me know how it goes... 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
GUI problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by GUI problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I navigated to Fields » Field transformations. Then I clicked disable in that row. Has the GUI produced "disabled = 1" which is undefined in transforms.conf.spec?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay did you restart the instance??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did not restart the instance. After disabling the transform stanza thru the GUI, I hit http://localhost:8000/debug/refresh.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this http://yoursplunkserver:8000/en-us/debug/refresh?entity=admin/transforms-lookup
Or if not please try a restart that should fix the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- http://yoursplunkserver:8000/en-us/debug/refresh?entity=admin/transforms-lookup
- http://localhost:8000/debug/refresh
- -restart server
I tried all 3. The regex transform is still working. What is the "disabled = 1" in transforms.conf for? Why is the GUI for disabling transform stanzas there?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
