Getting Data In

How to use transactiontypes.conf?

bobby_d
Engager

Currently we are looking at ingesting events that have multiple eventIDs that log in new lines. We want to have those appear as one event in Splunk since trying to run a "| transaction event_id" slows our searches down significantly.

It looks like we should be able to use transactiontypes.conf but I am confused about how to get this to work. We are extracting the event_id in props.conf as event_id_test and then have a transactiontypes.conf that is looking to perform a transaction on the field event_id_test, but so far it is not performing the transaction at all, though the event_id_test field is being extracted. I tried reading through the docs for this but cannot see what I am missing or doing wrong based on the Splunk docs on this.

 

props.conf:

[test_props]
EXTRACT-et = \.\d{3}\:(?P<event_id_test>\d+)

 

transactiontypes.conf:

[test_props]
maxspan=5s
maxpause=5s
fields=event_id_test


richgalloway
SplunkTrust

I don't see how an index-time transaction would be possible (ok, anything's *possible*) or perform better than a search-time transaction.  To do a transaction at index-time, each indexer would have to search all other indexers for matching events and that's just not done.

---
If this reply helps you, Karma would be appreciated.


bobby_d
Engager

Thanks @richgalloway, looks like I misunderstood what the purpose of transactiontypes.conf would be. Would there be any way that you could do a transaction at index time?



richgalloway
SplunkTrust

The transactiontypes.conf file does not define an index-time operation and is not invoked from props.conf.  It defines a transaction that is invoked by the searchtxn SPL command within a query.

The EXTRACT setting in props.conf invokes a stanza defined in transforms.conf.

---
If this reply helps you, Karma would be appreciated.
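As an added illustration of the point above (not from the original thread), this is what a search-time transaction definition and its invocation look like. The stanza name (event_id_txn), the sourcetype constraint, and the sample event_id value are assumptions; the stanza name is a transaction name you choose, not the sourcetype from props.conf.

```ini
# transactiontypes.conf (search-time only; nothing here runs at index time)
# Stanza name is the transaction name used by searchtxn, not a sourcetype.
[event_id_txn]
# Base search used to find candidate events for this transaction (assumed sourcetype).
search = sourcetype=test_props
# Field(s) whose values must match for events to be grouped together.
fields = event_id_test
# Grouping limits, same meaning as on the transaction command.
maxspan = 5s
maxpause = 5s
```

The definition is then used from SPL, where the search string after the transaction name narrows it to the group(s) of interest, for example `| searchtxn event_id_txn event_id_test=12345`; the grouping still happens at search time on the search head, so it does not remove the cost that "| transaction" incurs.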