Is it possible to clear unwanted stanzas out of transforms.conf?

Engager

I am trying to filter unwanted events from a text file and am experimenting with the REGEX expression. I think I have the REGEX figured out but the issue I am having is that every time I restart Splunk to reload the transforms and props.conf, the transforms.conf (local) edit gets appended to the previous transforms.conf which gets loaded (confirmed with btool). Now I have 6 stanzas repeated in the transforms.conf and it's still not filtering the way it should. Is it possible to clear all the unwanted stanzas out?

0 Karma

SplunkTrust

Hi kylosplunk,

yes, if you are sure those stanzas are no longer needed, you can simply delete them.
Might be worth making a backup copy of the file first 😉

Hope this helps ....

cheers, MuS

0 Karma

SplunkTrust

You could even just comment them out to test.

0 Karma

Engager

Thank you both for the response but my bigger question is how? The transforms.conf in my /system/local directory only has the single stanza that I am testing. The same file in the /system/default directory doesn't have any of them but when I start Splunk and run the ,, all 6 of the stanzas show up along with many others. What am I missing? How do I access the loaded transforms.conf file?

0 Karma

SplunkTrust

Hi kylosplunk,

sorry for not being clear on that, you can run this command to find the location of the transforms.conf

$SPLUNK_HOME/bin/splunk btool transforms list --debug

This will show all transforms merged and by using the --debug it will also show the path where the file is located. This should help to find the transforms that holds the unwanted stanzas.

cheers, MuS

0 Karma
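An added example, not part of the original thread: a small shell helper that condenses the `btool transforms list --debug` output into one "stanza, file" line per contributing file, so leftover stanzas under an app's local directory stand out. It assumes each output line is a file path followed by the setting and that paths contain no spaces; the function names, stanza names and paths in the sample are constructed.

```shell
#!/bin/sh
# Added example. Reads the text printed by
#   $SPLUNK_HOME/bin/splunk btool transforms list --debug
# on stdin and prints "stanza<TAB>file" once per file that contributes
# a setting to that stanza. Settings inherited from etc/system/default
# are skipped because every stanza picks them up.
stanza_sources() {
  awk '
    NF < 2 { next }                       # blank or malformed line
    $2 ~ /^\[/ {                          # stanza header: remember its name
      stanza = $2
      for (i = 3; i <= NF; i++) stanza = stanza " " $i
    }
    $1 ~ /\/system\/default\// { next }   # ignore shipped defaults
    stanza == "" { next }                 # settings before any stanza
    {
      key = stanza "\t" $1
      if (!(key in seen)) { seen[key] = 1; print key }
    }
  '
}

# Constructed sample of btool --debug output (hypothetical stanzas and paths).
sample_btool_output() {
  cat <<'EOF'
/opt/splunk/etc/apps/search/local/transforms.conf  [setnull]
/opt/splunk/etc/system/default/transforms.conf     CAN_OPTIMIZE = True
/opt/splunk/etc/apps/search/local/transforms.conf  DEST_KEY = queue
/opt/splunk/etc/apps/search/local/transforms.conf  FORMAT = nullQueue
/opt/splunk/etc/system/local/transforms.conf       REGEX = DEBUG
/opt/splunk/etc/apps/search/local/transforms.conf  [setnull_old1]
/opt/splunk/etc/apps/search/local/transforms.conf  DEST_KEY = queue
/opt/splunk/etc/apps/search/local/transforms.conf  REGEX = INFO
EOF
}

# Demo on the sample; on a real instance pipe the btool command instead:
#   "$SPLUNK_HOME/bin/splunk" btool transforms list --debug | stanza_sources
sample_btool_output | stanza_sources
```

A stanza listed against more than one file is being merged from all of them, so editing only the copy in system/local leaves the other settings in place.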

Engager

Thanks MuS

0 Karma