Splunk Search

How to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local?

packet_hunter
Contributor

I am attempting to set up an initial transactiontypes.conf file in $SPLUNK_HOME/etc/system/local so I can use [searchtxn]; however, I am not understanding the documentation and setup correctly.

The following is my file contents.

[xemail]
fields = uid, xuid
search = index=mail sourcetype=xemail

The steps I have completed so far are:
1. Copied transactiontypes.conf from system/default to system/local
2. Edited the transactiontypes.conf file (by adding the above code to the bottom of the default code) and saved it as a .txt (so I can work locally)

What exactly do I need to remove/edit from the default copy to configure my code? Do I need to rename the file or delete the default copy in the /local so there is only one transactiontypes.conf file in the local?

Can anyone provide a clear step-by-step process to copy, edit, and save a transactiontypes.conf file?

Thank you

1 Solution

richgalloway
SplunkTrust

There's usually no need to copy a file from default to local. Splunk automatically merges the two files, with attributes from local overriding those from default. So your local/transactiontypes.conf file just needs your three lines in it. After editing the file, you must make sure the name is transactiontypes.conf. If it has a different extension, like .txt, it will be ignored.

---
If this reply helps you, Karma would be appreciated.

0 Karma
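
The procedure from the accepted answer, written out for Windows PowerShell as an added example (not part of the original thread, and not Splunk's own tooling apart from the `btool` command). It assumes Splunk is installed in `C:\Program Files\Splunk`, which is an assumption to adjust for your host, and that the prompt is running elevated.

```powershell
# Added example. $SplunkHome is an assumed install path; change it if needed.
$SplunkHome = 'C:\Program Files\Splunk'
$LocalDir   = Join-Path $SplunkHome 'etc\system\local'
$Conf       = Join-Path $LocalDir 'transactiontypes.conf'

# 1. List the real file names. Explorer hides known extensions by default,
#    so a file saved from Notepad may be transactiontypes.conf.txt on disk.
Get-ChildItem -Path $LocalDir -Filter 'transactiontypes*' |
    Select-Object Name, Length, LastWriteTime

# 2. If a transactiontypes.conf already exists in local (for example a full
#    copy of the default file), set it aside under a name that is not
#    transactiontypes.conf, so local will hold only the custom stanza.
if (Test-Path -Path $Conf) {
    $Backup = 'transactiontypes.conf.{0:yyyyMMdd-HHmmss}.bak' -f (Get-Date)
    Rename-Item -Path $Conf -NewName $Backup
}

# 3. Write only the stanza from the question. Set-Content with -Encoding ASCII
#    gives plain text; Out-File and ">" in Windows PowerShell 5.1 would write
#    UTF-16 instead.
$Stanza = @'
[xemail]
fields = uid, xuid
search = index=mail sourcetype=xemail
'@
Set-Content -Path $Conf -Value $Stanza -Encoding ASCII

# 4. Ask Splunk for the merged view of the stanza. --debug prefixes every
#    line with the file that supplied it.
& (Join-Path $SplunkHome 'bin\splunk.exe') btool transactiontypes list xemail --debug

# 5. If the services fail to start afterwards, look at the end of splunkd.log
#    and at who owns and can read the new file.
Get-Content -Path (Join-Path $SplunkHome 'var\log\splunk\splunkd.log') -Tail 40
Get-Acl -Path $Conf | Format-List Owner, AccessToString
```

In the `btool` output the `xemail` lines should be attributed to `etc\system\local\transactiontypes.conf`; if the stanza is missing, the file name or location is not what Splunk expects.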

packet_hunter
Contributor

Ok, I will remove the copy in local (that I copied from /default).
Stupid question: how do I change the .txt extension... it's not letting me even when I save as all file types.

0 Karma

packet_hunter
Contributor

change extension with powershell, will let you know if it works

0 Karma

packet_hunter
Contributor

I don't know if this is related but I restarted and now the two services won't start again... even if I try manually... any ideas?

0 Karma

richgalloway
SplunkTrust

Check splunkd.log for messages explaining why it's not starting.

---
If this reply helps you, Karma would be appreciated.
0 Karma

packet_hunter
Contributor

It is a permission issue. When I get that sorted I will give you my result about the .conf file. Thank you

0 Karma