Splunk® Enterprise

Admin Manual

This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

transactiontypes.conf

The following are the spec and example files for transactiontypes.conf.

transactiontypes.conf.spec

#   Version 9.1.7
#
# This file contains all possible attributes and value pairs for a
# transactiontypes.conf file.  Use this file to configure transaction searches
# and their properties.
#
# There is a transactiontypes.conf in $SPLUNK_HOME/etc/system/default/.  To set
# custom configurations, place a transactiontypes.conf in
# $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable
# configurations.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

GLOBAL SETTINGS


# Use the [default] stanza to define any global settings.
#   * You can also define global settings outside of any stanza, at the top of
#     the file.
#   * Each conf file should have at most one default stanza. If there are
#     multiple default stanzas, attributes are combined. In the case of
#     multiple definitions of the same attribute, the last definition in the
#     file wins.
#   * If an attribute is defined at both the global level and in a specific
#     stanza, the value in the specific stanza takes precedence.


[<TRANSACTIONTYPE>]
* Create any number of transaction types, each represented by a stanza name and
  any number of the following attribute/value pairs.
* Use the stanza name, [<TRANSACTIONTYPE>], to search for the transaction in
  Splunk Web.
* If you do not specify a value for an attribute, the Splunk platform
  uses the default value.

maxspan = [<integer> s|m|h|d|-1]
* Set the maximum time span between the events in a transaction.
* Can be in seconds, minutes, hours, or days, or -1 for an unlimited timespan.
  * Example:  5s, 6m, 12h or 30d.
* The events in the transaction must span less than the integer specified 
  for 'maxspan'.
* Events that exceed the 'maxspan' limit are treated as part of a 
  separate transaction.
* If the value is negative, the maxspan constraint is disabled and there is 
  no limit. 
* Events must be sorted in descending chronological order before the 'maxspan' 
  argument is used.
* Default: maxspan=-1

maxpause = [<integer> s|m|h|d|-1]
* Set the maximum pause for the transaction.
* Can be in seconds, minutes, hours, or days, or -1 for an unlimited pause.
  * Example:  5s, 6m, 12h or 30d.
* If the value is negative, the 'maxpause' constraint is disabled and there is 
  no limit. 
* Events must be sorted in descending chronological order before the 'maxpause' 
  argument is used.
* Default: maxpause=-1

maxevents = <integer>
* The maximum number of events in a transaction. This constraint is disabled if
  the value is a negative integer.
* Default: maxevents=1000

fields = <comma-separated list of fields>
* If set, each event must have the same field(s) to be considered part of the
  same transaction.
  * Example: fields=host,cookie
* Default: ""

connected =< boolean>
* Relevant only if 'fields' (see above) is not empty. Controls whether an event
  that is not inconsistent and not consistent with the fields of a transaction
  opens a new transaction (connected=true) or is added to the transaction.
* An event can be not inconsistent and not field-consistent if it contains
  fields required by the transaction but none of these fields has been
  instantiated in the transaction (by a previous event addition).
* Default: true

startswith=<transam-filter-string>
* A search or eval filtering expression which, if satisfied by an event, marks
  the beginning of a new transaction.
* Examples:
  * startswith="login"
  * startswith=(username=foobar)
  * startswith=eval(speed_field < max_speed_field)
  * startswith=eval(speed_field < max_speed_field/12)
* Default: empty string

endswith=<transam-filter-string>
* A search or eval filtering expression which, if satisfied by an event, marks
  the end of a transaction.
* Examples:
  * endswith="logout"
  * endswith=(username=foobar)
  * endswith=eval(speed_field > max_speed_field)
  * endswith=eval(speed_field > max_speed_field/12)
* Default: empty string

* For 'startswith' and 'endswith' <transam-filter-string> has the following syntax:
* syntax:   "<search-expression>" | (<quoted-search-expression>) | eval(<eval-expression>)
* Where:
  * <search-expression>        is a valid search expression that does not contain quotes
  * <quoted-search-expression> is a valid search expression that contains quotes
  * <eval-expression>          is a valid eval expression that evaluates to a boolean.
                               For example, startswith=eval(foo<bar*2) matches events
                               where "foo" is less than 2 x "bar".
* Examples:
  * "<search expression>":       startswith="foo bar"
  * <quoted-search-expression>:  startswith=(name="mildred")
  * <quoted-search-expression>:  startswith=("search literal")
  * eval(<eval-expression>):     startswith=eval(distance/time < max_speed)

### memory constraint options ###

maxopentxn=<int>
* Specifies the maximum number of not yet closed transactions to keep in the
  open pool. When this limit is exceeded, the Splunk platform begins to evict
  transactions using LRU (least-recently-used memory cache algorithm) policy.
* The default value of this attribute is read from the transactions stanza in
  limits.conf.

maxopenevents=<int>
* Specifies the maximum number of events that can be part of open transactions.
  When this limit is exceeded, the Splunk platform begins to evict transactions
  using LRU (least-recently-used memory cache algorithm) policy.
* The default value of this attribute is read from the transactions stanza in
  limits.conf.

keepevicted=<bool>
* Specifies whether to output evicted transactions. Evicted transactions can be
  distinguished from non-evicted transactions by checking the value of the
  'evicted' field, which is set to "1" for evicted transactions.
* Default: keepevicted=false

### multivalue rendering options ###

mvlist=<bool>|<field-list>
* Specifies whether the multivalued fields of the transaction are (1) a
  list of the original events ordered in arrival order or (2) a set of unique
  field values ordered lexicographically.
* If a comma or space delimited list of fields is provided, only those fields
  are rendered as lists.
* Default: mvlist=f

delim=<string>
* A string used to delimit the original event values in the transaction event
  fields.
* Default: " " (a single space)

nullstr=<string>
* The string value to use when rendering missing field values as part of mv
  fields in a transaction.
* This option applies only to fields that are rendered as lists.
* Default: NULL

### values used only by the searchtxn search command ###

search=<string>
* A search string used to more efficiently seed transactions of this type.
* Make the value as specific as possible, to limit the number of events
  that must be retrieved to find transactions.
* Example: sourcetype="sendmaill_sendmail"
* Default: "*" (all events)

transactiontypes.conf.example

#   Version 9.1.7
#
# This is an example transactiontypes.conf.  Use this file as a template to
# configure transactions types.
#
# To use one or more of these configurations, copy the configuration block into
# transactiontypes.conf in $SPLUNK_HOME/etc/system/local/.
#
# To learn more about configuration files (including precedence) please see the
# documentation located at
# http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[default]
maxspan = 5m
maxpause = 2s
match = closest

[purchase]
maxspan  = 10m
maxpause = 5m
fields  = userid


Last modified on 06 November, 2024
times.conf   transforms.conf

This documentation applies to the following versions of Splunk® Enterprise: 9.1.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters