Currently we are looking at ingesting events that have multiple event IDs logged on new lines. We want those to appear as one event in Splunk, since running "| transaction event_id" slows our searches down significantly.
It looks like we should be able to use transactiontypes.conf, but I am confused about how to get this to work. We are extracting the event_id in props.conf as event_id_test and then have a transactiontypes.conf that is supposed to perform a transaction on the field event_id_test, but so far it is not performing the transaction at all, even though the event_id_test field is being extracted. I tried reading through the docs for this but cannot see what I am missing or doing wrong based on the Splunk docs.
props.conf:
[test_props]
EXTRACT-et = \.\d{3}\:(?P<event_id_test>\d+)
transactiontypes.conf:
[test_props]
maxspan=5s
maxpause=5s
fields=event_id_test
Thanks @richgalloway, it looks like I misunderstood what the purpose of transactiontypes.conf would be. Would there be any way to do a transaction at index time?
I don't see how an index-time transaction would be possible (ok, anything's *possible*) or perform better than a search-time transaction. To do a transaction at index-time, each indexer would have to search all other indexers for matching events and that's just not done.
The transactiontypes.conf file does not define an index-time operation and is not invoked from props.conf. It defines a transaction that is invoked by the searchtxn SPL command within a query.
The EXTRACT setting in props.conf invokes a stanza defined in transforms.conf.
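As an added illustration of the search-time flow described in the answer (not from any of the posts above): the transaction is named in transactiontypes.conf and then invoked with searchtxn. The stanza name eventid_txn, the search setting and the sample event id are assumptions; event_id_test is the search-time field extracted by the props.conf stanza in the question.

```ini
# transactiontypes.conf (assumed stanza name; the stanza is a transaction name,
# not a sourcetype, so it need not match the [test_props] stanza in props.conf)
[eventid_txn]
# search-time field that ties the lines of one logical event together
fields = event_id_test
# limits assumed to match the values in the question
maxspan = 5s
maxpause = 5s
# search that scopes which events are considered for the transaction
search = sourcetype=test_props

# Invocation from a search (SPL), using an assumed event id of 12345.
# searchtxn is a generating command, so it must be the first command:
#   | searchtxn eventid_txn event_id_test=12345
# Nothing here runs at index time; the grouping still happens per search,
# but only over events that carry the requested event_id_test value.
```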