How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local?

Contributor

I am attempting to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local so I can use [searchtxn]; however, I am not understanding the documentation and setup correctly.

The following is my file contents.

[xemail]
fields = uid, xuid
search = index=mail sourcetype=xemail

The steps I have completed so far are:
1. Copied transactiontypes.conf from system/default to system/local
2. Edited the transactiontypes.conf file (by adding the above code to the bottom of the default code) and saved it as a .txt (so I can work locally)

What exactly do I need to remove/edit from the default copy to configure my code? Do I need to rename the file or delete the default copy in the /local so there is only one transactiontypes.conf file in the local?

Can anyone provide a clear step-by-step process to copy, edit, and save a transactiontypes.conf file?

Thank you

1 Solution

SplunkTrust

There's usually no need to copy a file from default to local. Splunk automatically merges the two files, with attributes from local overriding those from default. So your local/transactiontypes.conf file just needs your three lines in it. After editing the file, you must make sure the name is transactiontypes.conf. If it has a different extension, like .txt, it will be ignored.

---
If this reply helps you, an upvote would be appreciated.

0 Karma
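
The fix described in the answer above, as an added PowerShell example that is not part of the original thread: it renames a mis-saved `transactiontypes.conf.txt` in `etc\system\local`, lists the stanzas the local file defines, and runs `splunk btool` to show which file supplies each setting of the `[xemail]` stanza from the question. The fallback install path is an assumption; the script expects a prompt with write access to the Splunk directory.

```powershell
# Added example, not from the thread. Assumes a Windows Splunk install;
# the fallback path below is the usual default location (assumption).
$splunkHome = if ($env:SPLUNK_HOME) { $env:SPLUNK_HOME } else { 'C:\Program Files\Splunk' }
$localDir   = Join-Path $splunkHome 'etc\system\local'
$confPath   = Join-Path $localDir 'transactiontypes.conf'

# Editors such as Notepad can append .txt, and Explorer hides known extensions.
# Collect every file that starts with the right name but is not an exact match.
$misnamed = @(Get-ChildItem -LiteralPath $localDir -File -Filter 'transactiontypes.conf*' |
    Where-Object { $_.Name -ne 'transactiontypes.conf' })

foreach ($f in $misnamed) {
    if (Test-Path -LiteralPath $confPath) {
        # Never overwrite an existing .conf; leave that decision to the admin.
        Write-Warning "Ignored by Splunk: $($f.Name) (transactiontypes.conf already exists)"
    } else {
        Rename-Item -LiteralPath $f.FullName -NewName 'transactiontypes.conf'
        Write-Host "Renamed $($f.Name) -> transactiontypes.conf"
    }
}

if (Test-Path -LiteralPath $confPath) {
    # The local file only needs your own stanzas (here: [xemail]), not a copy
    # of everything in system\default. Print the stanza names it defines.
    Select-String -LiteralPath $confPath -Pattern '^\s*\[(.+)\]\s*$' |
        ForEach-Object { 'local stanza: ' + $_.Matches[0].Groups[1].Value }
} else {
    Write-Warning "No transactiontypes.conf found in $localDir"
}

# btool prints the merged on-disk configuration. With --debug, each line is
# prefixed with the file it came from, so local overrides of default are visible.
$splunk = Join-Path $splunkHome 'bin\splunk.exe'
& $splunk btool transactiontypes list xemail --debug
```

If the `btool` output shows no `[xemail]` lines sourced from `etc\system\local\transactiontypes.conf`, the file is still misnamed or not readable by the Splunk service account.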

Contributor

Ok, I will remove the copy in local (that I copied from /default).
Stupid question: how do I change the .txt extension... it's not letting me, even when I save as all file types.

0 Karma

Contributor

Change extension with PowerShell, will let you know if it works.

0 Karma

Contributor

I don't know if this is related but I restarted and now the two services won't start again... even if I try manually... any ideas?

0 Karma

SplunkTrust

Check splunkd.log for messages explaining why it's not starting.

0 Karma

Contributor

It is a permission issue. When I get that sorted, I will give you my result about the .conf file. Thank you.

0 Karma