Getting Data In

How to use transactiontypes.conf?

bobby_d
Engager

Currently we are looking at ingesting events that have multiple event IDs that log on new lines. We want those to appear as one event in Splunk, since running "| transaction event_id" slows our searches down significantly.

It looks like we should be able to use transactiontypes.conf, but I am confused about how to get this to work. We are extracting the event_id in props.conf as event_id_test and then have a transactiontypes.conf that is looking to perform a transaction on the field event_id_test, but so far it is not performing the transaction at all, even though the event_id_test field is being extracted. I tried reading through the docs for this but cannot see what I am missing or doing wrong based on the Splunk docs.


props.conf:

[test_props]
EXTRACT-et = \.\d{3}\:(?P<event_id_test>\d+)


transactiontypes.conf:

[test_props]
maxspan=5s
maxpause=5s
fields=event_id_test

1 Solution

richgalloway
SplunkTrust

I don't see how an index-time transaction would be possible (ok, anything's *possible*) or perform better than a search-time transaction. To do a transaction at index time, each indexer would have to search all other indexers for matching events, and that's just not done.

---
If this reply helps you, Karma would be appreciated.


bobby_d
Engager

Thanks @richgalloway, looks like I misunderstood what the purpose of transactiontypes.conf would be. Would there be any way that you could do a transaction at index time?



richgalloway
SplunkTrust

The transactiontypes.conf file does not define an index-time operation and is not invoked from props.conf. It defines a transaction that is invoked by the searchtxn SPL command within a query.

The EXTRACT setting in props.conf invokes a stanza defined in transforms.conf.

---
If this reply helps you, Karma would be appreciated.
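As an added illustration (not code from this thread or from Splunk), the Python script below applies the EXTRACT-et regex from the question's props.conf to a few constructed log lines and groups them the way a search-time transaction constrained by fields=event_id_test, maxspan=5s and maxpause=5s would. It stands in for running the transaction in Splunk and assumes the documented meaning of the two limits: maxspan bounds the time from the first to the last event of a transaction, maxpause bounds the gap between consecutive events. The sample lines, the heartbeat line with no event id, and the function names are all constructed here.

```python
import re
from datetime import datetime, timedelta

# The extraction regex from the question's props.conf (EXTRACT-et).
EXTRACT_ET = re.compile(r"\.\d{3}\:(?P<event_id_test>\d+)")

# Constructed sample events (not from the thread): a timestamp followed by the
# ".NNN:<id>" fragment that EXTRACT-et keys on.
SAMPLE_EVENTS = [
    "2024-01-10 12:00:00.001:1001 session opened",
    "2024-01-10 12:00:01.002:1001 credential check passed",
    "2024-01-10 12:00:02.003:1002 session opened",
    "2024-01-10 12:00:03.004:1001 session closed",
    "2024-01-10 12:00:09.005:1002 session closed",        # 7s gap for 1002: exceeds maxpause
    "2024-01-10 12:00:10.000:1003 transfer started",
    "2024-01-10 12:00:13.000:1003 transfer 50%",
    "2024-01-10 12:00:16.000:1003 transfer done",         # 3s gaps, but 6s total: exceeds maxspan
    "2024-01-10 12:00:17.000 heartbeat with no event id",  # no match: joins no transaction
]


def parse_event(line):
    """Return (timestamp, event_id_test or None, raw line) for one log line."""
    ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S.%f")
    match = EXTRACT_ET.search(line)
    return ts, (match.group("event_id_test") if match else None), line


def build_transactions(lines, maxspan_s=5, maxpause_s=5):
    """Group events sharing event_id_test into transactions under the
    assumed maxspan (first-to-last) and maxpause (gap between consecutive
    events) limits, given in seconds as in transactiontypes.conf."""
    maxspan, maxpause = timedelta(seconds=maxspan_s), timedelta(seconds=maxpause_s)
    events = sorted((parse_event(line) for line in lines), key=lambda e: e[0])
    open_txns = {}  # event_id_test -> transaction currently being extended
    finished = []
    for ts, event_id, raw in events:
        if event_id is None:
            continue  # field not extracted: the event cannot join any transaction
        txn = open_txns.get(event_id)
        if txn is not None and (ts - txn["start"] > maxspan or ts - txn["end"] > maxpause):
            finished.append(txn)  # a limit is violated: close it and start a fresh one
            txn = None
        if txn is None:
            txn = {"event_id_test": event_id, "start": ts, "end": ts, "events": []}
            open_txns[event_id] = txn
        txn["events"].append(raw)
        txn["end"] = ts
    finished.extend(open_txns.values())
    finished.sort(key=lambda t: t["start"])
    for txn in finished:  # the summary fields a Splunk transaction carries
        txn["duration"] = (txn["end"] - txn["start"]).total_seconds()
        txn["eventcount"] = len(txn["events"])
    return finished


def summarize(transactions):
    """Compact view: (event_id_test, eventcount, duration) per transaction."""
    return [(t["event_id_test"], t["eventcount"], t["duration"]) for t in transactions]


if __name__ == "__main__":
    for event_id, count, duration in summarize(build_transactions(SAMPLE_EVENTS)):
        print(f"event_id_test={event_id} eventcount={count} duration={duration}s")
```

Running it shows the three 1001 lines collapsing into one transaction, while 1002 and 1003 each split in two: the former because of the 7s pause, the latter because three events only 3s apart still stretch past the 5s span. Tightening maxspan_s further splits the 1001 group as well, which is the knob to turn when a transaction keeps absorbing unrelated events.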