I am trying to filter unwanted events from a text file and am experimenting with the REGEX expression. I think I have the REGEX figured out but the issue I am having is that every time I restart Splunk to reload the transforms and props.conf, the transforms.conf (local) edit gets appended to the previous transforms.conf which gets loaded (confirmed with btool). Now I have 6 stanzas repeated in the transforms.conf and it's still not filtering the way it should. Is it possible to clear all the unwanted stanzas out?
Thank you both for the response but my bigger question is how? The transforms.conf in my /system/local directory only has the single stanza that I am testing. The same file in the /system/default directory doesn't have any of them but when I start Splunk and run the ,, all 6 of the stanzas show up along with many others. What am I missing? How do I access the loaded transforms.conf file?
Sorry for not being clear on that, you can run this command to find the location of the
$SPLUNK_HOME/bin/splunk btool transforms list --debug
This will show all transforms merged, and by using the --debug it will also show the path where the file is located. This should help to find the transforms that hold the unwanted stanzas.
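One way to summarise that btool output, as an added example that is not part of the original thread: the functions below list which file contributes lines to each stanza and flag any file other than the one you expect. The function names and the sample lines are constructed for illustration, and the parsing assumes each --debug line starts with the .conf file path followed by whitespace.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise `btool ... list --debug` output.
# Real use:
#   "$SPLUNK_HOME/bin/splunk" btool transforms list --debug | stanza_sources

# stanza_sources: read --debug output on stdin and print one
# "<stanza><TAB><file>" line per file that contributes to a stanza.
stanza_sources() {
    awk '
        # Assumed line layout: "<path ending in .conf><whitespace><config line>"
        match($0, /\.conf[ \t]+/) {
            file = substr($0, 1, RSTART + 4)        # path through ".conf"
            rest = substr($0, RSTART + RLENGTH)     # the merged config line
            sub(/[ \t\r]+$/, "", rest)
            if (rest ~ /^\[.*\]$/) stanza = rest    # new stanza header
            # Settings inside one stanza can come from different files,
            # so record every (stanza, file) pair once.
            if (stanza != "" && !seen[stanza, file]++)
                print stanza "\t" file
        }
    '
}

# unexpected_sources <expected-file>: keep only pairs whose file is NOT the
# one you believe you are editing.
unexpected_sources() {
    stanza_sources | awk -F '\t' -v keep="$1" '$2 != keep'
}

# Constructed sample of --debug output (stanza names and paths are made up).
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/search/local/transforms.conf   [setnull_test]
/opt/splunk/etc/apps/search/local/transforms.conf   DEST_KEY = queue
/opt/splunk/etc/system/local/transforms.conf        REGEX = DEBUG
/opt/splunk/etc/system/default/transforms.conf      [other_default]
/opt/splunk/etc/system/default/transforms.conf      FORMAT = x
EOF
}
```

Any file reported by `unexpected_sources` is a place to look for the repeated stanzas.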