How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local?

Contributor

I am attempting to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local so I can use [searchtxn]; however, I am not understanding the documentation and setup correctly.

The following is my file contents.

[xemail]
fields = uid, xuid
search = index=mail sourcetype=xemail

The steps I have completed so far are:
1. Copied transactiontypes.conf from system/default to system/local
2. Edited the transactiontypes.conf file (by adding the above code to the bottom of the default code) and saved it as a .txt (so I can work locally)

What exactly do I need to remove/edit from the default copy to configure my code? Do I need to rename the file or delete the default copy in the /local so there is only one transactiontypes.conf file in the local?

Can anyone provide a clear step by step process to copy, edit, save a transactiontypes.conf file?

Thank you

1 Solution

SplunkTrust

There's usually no need to copy a file from default to local. Splunk automatically merges the two files, with attributes from local overriding those from default. So your local/transactiontypes.conf file just needs your three lines in it. After editing the file, you must make sure the name is transactiontypes.conf. If it has a different extension, like .txt, it will be ignored.

---
If this reply helps you, an upvote would be appreciated.

0 Karma
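
One way to carry out the answer above from an elevated PowerShell prompt, as an added example that is not part of the original thread. The install path `C:\Program Files\Splunk` and the backup naming are assumptions; the stanza is the one from the question, and `btool` is Splunk's configuration inspection command.

```powershell
# Added example. Assumed install path; change it to match your $SPLUNK_HOME.
$SplunkHome = 'C:\Program Files\Splunk'
$LocalDir   = Join-Path $SplunkHome 'etc\system\local'
$ConfPath   = Join-Path $LocalDir 'transactiontypes.conf'

# Show real file names. Explorer hides known extensions, so a file saved from
# Notepad can be transactiontypes.conf.txt while appearing to be a .conf file.
Get-ChildItem -Path $LocalDir -Filter 'transactiontypes*' |
    Select-Object Name, Length, LastWriteTime

# Set aside anything already there (a full copy of the default file, or a
# mis-named .txt). The .bak suffix is a name Splunk will not read.
$Stamp = Get-Date -Format 'yyyyMMddHHmmss'
Get-ChildItem -Path $LocalDir -Filter 'transactiontypes*' |
    Where-Object { $_.Name -notlike '*.bak' } |
    ForEach-Object { Rename-Item -Path $_.FullName -NewName "$($_.Name).$Stamp.bak" }

# local only needs the overrides: the three lines from the question.
$Stanza = @'
[xemail]
fields = uid, xuid
search = index=mail sourcetype=xemail
'@

# Write plain ASCII. Out-File and ">" default to UTF-16 in Windows PowerShell,
# which is not a safe encoding for a .conf file.
Set-Content -Path $ConfPath -Value $Stanza -Encoding ascii

# Confirm the name on disk is exactly transactiontypes.conf.
Get-Item -Path $ConfPath | Select-Object Name, Extension

# Show the merged [xemail] stanza; --debug prefixes each setting with the file
# it came from, so the local file should appear next to your three lines.
& (Join-Path $SplunkHome 'bin\splunk.exe') cmd btool transactiontypes list xemail --debug
```

If the `btool` output does not show the stanza coming from `etc\system\local\transactiontypes.conf`, the file name or location is still wrong.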

Contributor

OK, I will remove the copy in local (that I copied from /default).
Stupid question: how do I change the .txt extension? It's not letting me, even when I save as all file types.

0 Karma

Contributor

Change extension with PowerShell, will let you know if it works.

0 Karma

Contributor

I don't know if this is related but I restarted and now the two services won't start again... even if I try manually... any ideas?

0 Karma

SplunkTrust

Check splunkd.log for messages explaining why it's not starting.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Contributor

It is a permission issue. When I get that sorted, I will give you my result about the .conf file. Thank you.

0 Karma