Hello,
In a particular TA, I had to use a standalone transforms.conf stanza :
[standalone_stanza]
REGEX = (.+?)\:\s(.+?)(?:\\r\\n|$)
FORMAT = $1::$2
It is needed because I needed dynamic field name extraction (hence, FORMAT = $1::$2).
The stanza is called directly in the search queries using the extract command and with the target passed as the _raw value :
[...]
| eval _raw=...
| table _raw
| extract standalone_stanza limit=1 clean_keys=false
| fields - _raw
[...]
Everything is fine except I got the following warning in the splunkd.log :
WARN SearchOperator:kv - buildRegexList provided empty conf key, ignoring.
I believe it is due to the fact that the transforms stanza is not called in props.conf.
Thing is I do not want it to be called automatically because of the way it works.
So I guess I can just ignore the warning log.
I am just wondering if there is a cleaner way.
Maybe it is somehow possible to reference the transforms stanza in props and configure it to not be launched automatically.
I have checked to documentation without luck so far.
Thanks in advance for any hint!
↧