I'm getting ready to upgrade an app that we had developed in Splunk 6.2. We are now going to start using version 7.0 and wanted to update the queries so that they will work properly in 7.0. However, we can't even get the app's transforms.conf to be recognized by Splunk. I have reviewed the newest docs for transforms.conf, but nothing changed in the features we were using. Our transforms.conf file is loaded in the default folder of the app, and we even moved it over to the local folder, but it still isn't being recognized in the UI under settings->fields->field transforms, nor is it transforming the data.
Here is the transforms.conf file:
[client_map]
external_type = kvstore
collection = genesis_location
fields_list = src_ip, region, sitename
max_matches = 1
min_matches = 1
default_match = UNKNOWN
match_type = CIDR(src_ip)
We have confirmed that the collection is working, and that the src_ip field is being exposed. Not sure why this isn't working.