Knowledge management
As mentioned, you can define Splunk transaction types for later reuse, by yourself or by other Splunk users, in the transactiontypes.conf file. A Splunk knowledge management strategy deserves careful thought; you will find more on this topic later in this book, but for now, here are the basics for defining Splunk transactions:
If it doesn't already exist, use a text editor to create a transactiontypes.conf file in $SPLUNK_HOME/etc/system/local/ or in your own custom app directory under $SPLUNK_HOME/etc/apps/. Next, define transactions using the following arguments:
[<transactiontype>]
maxspan = [<integer> s|m|h|d|-1]
maxpause = [<integer> s|m|h|d|-1]
fields = <comma-separated list of fields>
startswith = <transam-filter-string>
endswith = <transam-filter-string>
Let's look at what each term in the preceding stanza does:
transactiontype: This is the name of the transaction type.
maxspan...