Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to use transactiontype.conf usage?

bobby_d
Engager
‎06-07-2022 05:14 AM

Currently we are looking ingesting events that have multiple eventIDs that log in new lines. We want to have those appear as one event in splunk since trying to run a "| transaction event_id" slows our searches down significantly. 

It looks like we should be able to use transactiontypes.conf but I am confused on how to get this to work. We are extracting the event_id in props.conf with event_id_test and then have a transactiontypes.conf that is looking to perform a transaction on the fields  event_id_test but so far it is not performing the transaction at all though the event_id_test field is being extracted.  I tried reading through the docs for this but can not see what I am missing or doing wrong based on the splunk docs on this.

 

props.conf:

[test_props]
EXTRACT-et = \.\d{3}\:(?P<event_id_test>\d+)

 

transactiontypes.conf:

[test_props]
maxspan=5s
maxpause=5s
fields=event_id_test

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-07-2022 09:46 AM

I don't see how an index-time transaction would be possible (ok, anything's *possible*) or perform better than a search-time transaction.  To do a transaction at index-time, each indexer would have to search all other indexers for matching events and that's just not done.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bobby_d
Engager
‎06-07-2022 08:18 AM

Thanks @richgalloway looks like I misunderstood what transactiontypes.conf purpose would be. Would there be any way that you could do a transaction at index time? 

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎06-07-2022 09:46 AM

I don't see how an index-time transaction would be possible (ok, anything's *possible*) or perform better than a search-time transaction.  To do a transaction at index-time, each indexer would have to search all other indexers for matching events and that's just not done.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎06-07-2022 06:55 AM

The transactiontypes.conf file does not define an index-time operation and is not invoked from props.conf.  It defines a transaction that is invoked by the searchtxn SPL command within a query.

The EXTRACT setting in props.conf invokes a stanza defines in transforms.conf.

---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...