Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local ?

packet_hunter
Contributor
‎03-31-2016 11:23 AM

I am attempting to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local so I can use [searchtxn], however, I am not understanding the documentation and setup correctly.

The following is my file contents.

[xemail]
fields = uid, xuid
search = index=mail sourcetype=xemail

The steps I have completed so far are:
1 copied transactiontypes.conf from system/default to system/local
2 edited the transactiontypes.conf file (by adding the above code to the bottom of the default code) and saved it as a .txt (so I can work locally)

What exactly do I need to remove/edit from the default copy to configure my code? Do I need to rename the file or delete the default copy in the /local so there is only one transactiontypes.conf file in the local?

Can anyone provide a clear step by step process to copy, edit, save a transactiontypes.conf file?

Thank you

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2016 12:35 PM

There's usually no need to copy a file from default to local. Splunk automatically merges the two files, with attributes from local overriding those from default. So your local/transactiontypes.conf file just needs your three lines in it. After editing the file, you must make sure the name is transactiontypes.conf. If it has a different extension, like .txt, it will be ignored.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2016 12:35 PM

There's usually no need to copy a file from default to local. Splunk automatically merges the two files, with attributes from local overriding those from default. So your local/transactiontypes.conf file just needs your three lines in it. After editing the file, you must make sure the name is transactiontypes.conf. If it has a different extension, like .txt, it will be ignored.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎03-31-2016 12:40 PM

ok I will remove the copy in local (that I copied from /default)
stupid question: how do I change the .txt extension.... its not letting me even when I save as all file types

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎03-31-2016 01:01 PM

change extension with powershell, will let you know if it works

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎03-31-2016 06:36 PM

I don't know if this is related but I restarted and now the two services won't start again... even if I try manually... any ideas?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2016 05:24 AM

Check splunkd.log for messages explaining why it's not starting.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎04-01-2016 06:18 AM

It is a permission issue, when I get that sorted I will give you my result about the .conf file. Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...