Upon startup of the universal forwarder in a WAS environment, I receive the following (many of them; this is just an example). The app does start and execute.
Possible typo in stanza [WebSphere:ActivityLog] in /local/home/a_was0/splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/props.conf, line 194: TRANSFORM-was_host = host-extract
Possible typo in stanza [WebSphere:ActivityLog] in /local/home/a_was0/splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/props.conf, line 195: TRANSFORM-profile = profile-extract
I look here as per docs: $SPLUNK_HOME/splunkforwarder/etc/system/default/ and find no transforms.conf file. Instead I find it in: /.../splunkforwarder/etc/apps/splunk_forwarder_addon_was/default
In transforms.conf:
[host-extract]
SOURCE_KEY = MetaData:Host
REGEX = host::(.+)
FORMAT = was_host::"$1"
WRITE_META = true
[profile-extract]
SOURCE_KEY = MetaData:Source
REGEX = profiles\W{1,2}([\w-.]+)
FORMAT = profile::"$1"
WRITE_META = true
Ran the following: 'splunk btool check --debug'
Possible typo in stanza [WebSphere:ActivityLog] in /.../splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/props.conf, line 194: TRANSFORM-was_host = host-extract
Did you mean 'TIME_FORMAT'?
Did you mean 'TIME_PREFIX'?
Did you mean 'TRANSFORMS-<class>'?
Did you mean 'TRANSFORMS-colorchange'?
Did you mean 'TRUNCATE'?
Did you mean 'TZ'?
Did you mean 'TZ_ALIAS'?
Did you mean 'This means that if you have e.g. EVAL-x'?
Did you mean 'the default event boundary detection (BREAK_ONLY_BEFORE_DATE'?
Also see this in the output:
No spec file for: /.../splunkforwarder/etc/apps/splunk_forwarder_addon_was/default/transforms.conf
No spec file for: /.../splunkforwarder/etc/system/default/app.conf
No spec file for: /.../splunkforwarder/etc/system/default/conf.conf
No spec file for: /.../splunkforwarder/etc/system/local/deploymentclient.conf
I'm still learning, but what am I missing? Is the transforms.conf in an incorrect spot? Are there params I'm to add in one of these files?
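
The cross-check that the btool hint ('TRANSFORMS-<class>') points at, as an added example that is not part of the original post: it flags props.conf keys spelled `TRANSFORM-` and any referenced name with no matching stanza in transforms.conf. The conf text is constructed from the stanzas quoted above, the `TRANSFORMS-demo` line is invented, and `parse_conf` and `lint` are hypothetical helper names.

```python
import re

# Constructed sample input modelled on the stanzas quoted in the post;
# TRANSFORMS-demo is an invented line that shows a dangling reference.
PROPS = """
[WebSphere:ActivityLog]
TRANSFORM-was_host = host-extract
TRANSFORM-profile = profile-extract
TRANSFORMS-demo = host-extract, not-defined
"""
TRANSFORMS = r"""
[host-extract]
SOURCE_KEY = MetaData:Host
[profile-extract]
SOURCE_KEY = MetaData:Source
REGEX = profiles\W{1,2}([\w-.]+)
"""

# props.conf keys that name transforms.conf stanzas: TRANSFORMS-<class>, REPORT-<class>.
# The singular TRANSFORM- is matched too so it can be reported as a misspelling.
REF_KEY = re.compile(r"^(TRANSFORMS?|REPORT)-")

def parse_conf(text):
    """Parse stanza/key=value text into {stanza: {key: value}} (no line continuations)."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def lint(props_text, transforms_text):
    """Return (stanza, key, problem) tuples for misspelled or dangling transform references."""
    defined = set(parse_conf(transforms_text))
    findings = []
    for stanza, settings in parse_conf(props_text).items():
        for key, value in settings.items():
            match = REF_KEY.match(key)
            if not match:
                continue
            if match.group(1) == "TRANSFORM":
                findings.append((stanza, key, "misspelled prefix, expected TRANSFORMS-"))
            for name in (n.strip() for n in value.split(",")):
                if name not in defined:
                    findings.append((stanza, key, f"no [{name}] stanza in transforms.conf"))
    return findings
```

Calling `lint(PROPS, TRANSFORMS)` on the sample returns the two `TRANSFORM-` keys and the one undefined stanza name; a key that is silently ignored means the field extraction it was meant to drive never runs.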