- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: I disabled a transforms.conf stanza in Splunk ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I disabled a transforms.conf stanza in Splunk Web, but why is the regex field extraction still effective?
I have disabled the transform stanza in the GUI, but the regex field extractions are still effective. What's wrong?
[<spec>]
REPORT-<class> = <unique_transform_stanza_name1>, <unique_transform_stanza_name2>,...
props.conf:REPORT-apNameList = apNameList
transforms.conf:[apNameList]
transforms.conf:disabled = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There are things that create fields automatically; you should make sure that you set KV_MODE = none also. Post an example event and the fields that shouldn't be there.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can check your eventually combined transforms.conf by executing the command.
splunk cmd btool transforms list.
Then you can check which transforms are active or not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do not see any disabled argument in stanza's of transforms.conf
Just try commenting out the configuration and restart the instance.
Let me know how it goes... 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
GUI problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What do you mean by GUI problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I navigated to Fields » Field transformations. Then I clicked disable in that row. Has the GUI produced "disabled = 1" which is undefined in transforms.conf.spec?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay did you restart the instance??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did not restart the instance. After disabling the transform stanza thru the GUI, I hit http://localhost:8000/debug/refresh.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this http://yoursplunkserver:8000/en-us/debug/refresh?entity=admin/transforms-lookup
Or if not please try a restart that should fix the issue.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- http://yoursplunkserver:8000/en-us/debug/refresh?entity=admin/transforms-lookup
- http://localhost:8000/debug/refresh
- -restart server
I tried all 3. The regex transform is still working. What is the "disabled = 1" in transforms.conf for? Why is the GUI for disabling transform stanzas there?
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
