
How to use transactiontype.conf usage?


Currently we are looking at ingesting events that have multiple event IDs that log in new lines. We want to have those appear as one event in Splunk, since trying to run a "| transaction event_id" slows our searches down significantly.

It looks like we should be able to use transactiontypes.conf, but I am confused about how to get this to work. We are extracting the event_id in props.conf with event_id_test and then have a transactiontypes.conf that is looking to perform a transaction on the field event_id_test, but so far it is not performing the transaction at all, though the event_id_test field is being extracted. I tried reading through the docs for this but cannot see what I am missing or doing wrong based on the Splunk docs on this.



EXTRACT-et = \.\d{3}\:(?P<event_id_test>\d+)






I don't see how an index-time transaction would be possible (ok, anything's *possible*) or perform better than a search-time transaction.  To do a transaction at index-time, each indexer would have to search all other indexers for matching events and that's just not done.

If this reply helps you, Karma would be appreciated.



Thanks @richgalloway, it looks like I misunderstood what the purpose of transactiontypes.conf would be. Would there be any way that you could do a transaction at index time?





The transactiontypes.conf file does not define an index-time operation and is not invoked from props.conf.  It defines a transaction that is invoked by the searchtxn SPL command within a query.

The EXTRACT setting in props.conf invokes a stanza defined in transforms.conf.

If this reply helps you, Karma would be appreciated.
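As an added illustration that is not part of the original thread, this is what the two configuration files referred to above could look like when the transaction is meant to be used at search time rather than at index time. The sourcetype name (my_sourcetype), the transaction name (event_group) and the time bounds are assumptions; only the EXTRACT regex and the event_id_test field name come from the question.

```ini
# props.conf -- search-time field extraction, using the regex from the question.
# "my_sourcetype" is a placeholder; substitute the sourcetype the events use.
[my_sourcetype]
EXTRACT-et = \.\d{3}\:(?P<event_id_test>\d+)

# transactiontypes.conf -- defines a named transaction type. Nothing in this
# file runs at index time; it is only consulted when a search invokes the
# transaction by name (for example with the searchtxn command).
[event_group]
# group events that share the same extracted event_id_test value
fields = event_id_test
# bound the grouping so a missing or reused id cannot keep a group open
# indefinitely (values are assumptions; tune them to the log's behaviour)
maxspan = 5m
maxpause = 1m
# narrow the underlying search to events that actually carry the field
search = sourcetype=my_sourcetype event_id_test=*
```

The stanza is then used from a query such as `| searchtxn event_group sourcetype=my_sourcetype`, which groups the matching events at search time with the settings above.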