Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local ?

packet_hunter
Contributor
‎03-31-2016 11:23 AM

I am attempting to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local so I can use [searchtxn], however, I am not understanding the documentation and setup correctly.

The following is my file contents.

[xemail]
fields = uid, xuid
search = index=mail sourcetype=xemail

The steps I have completed so far are:
1 copied transactiontypes.conf from system/default to system/local
2 edited the transactiontypes.conf file (by adding the above code to the bottom of the default code) and saved it as a .txt (so I can work locally)

What exactly do I need to remove/edit from the default copy to configure my code? Do I need to rename the file or delete the default copy in the /local so there is only one transactiontypes.conf file in the local?

Can anyone provide a clear step by step process to copy, edit, save a transactiontypes.conf file?

Thank you

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2016 12:35 PM

There's usually no need to copy a file from default to local. Splunk automatically merges the two files, with attributes from local overriding those from default. So your local/transactiontypes.conf file just needs your three lines in it. After editing the file, you must make sure the name is transactiontypes.conf. If it has a different extension, like .txt, it will be ignored.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2016 12:35 PM

There's usually no need to copy a file from default to local. Splunk automatically merges the two files, with attributes from local overriding those from default. So your local/transactiontypes.conf file just needs your three lines in it. After editing the file, you must make sure the name is transactiontypes.conf. If it has a different extension, like .txt, it will be ignored.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎03-31-2016 12:40 PM

ok I will remove the copy in local (that I copied from /default)
stupid question: how do I change the .txt extension.... its not letting me even when I save as all file types

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎03-31-2016 01:01 PM

change extension with powershell, will let you know if it works

0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎03-31-2016 06:36 PM

I don't know if this is related but I restarted and now the two services won't start again... even if I try manually... any ideas?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-01-2016 05:24 AM

Check splunkd.log for messages explaining why it's not starting.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

packet_hunter
Contributor
‎04-01-2016 06:18 AM

It is a permission issue, when I get that sorted I will give you my result about the .conf file. Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...

Out of the Box to Up And Running - Streamlined Observability for Your Cloud ...

  Tech Talk Streamlined Observability for Your Cloud Environment Register    Out of the Box to Up And Running ...

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...