Splunk Btool

Splunk btool is a command-line tool for troubleshooting configuration file issues. It can be used to see what values are being used by your Splunk instance.

Troubleshoot configurations with btool

As we know, the Splunk Enterprise configuration file system supports many overlapping configuration files in many different locations/directories. This flexibility also makes it hard at times to figure out which configuration value Splunk is currently using.

btool shows you the merged on-disk settings from the .conf files. It does not necessarily show you what Splunk software is currently using. For example, if you edit a .conf file and do not restart (and the edit requires a restart), btool reports the newly edited settings rather than the settings that are currently being used. To see the current in-memory configurations of your Splunk installation, query the REST endpoint /services/properties.

Listing out the configuration values 

Follow the steps given below to see all the configuration values in use by your Splunk instance.

1) cd $SPLUNK_HOME/bin
2) ./splunk cmd btool <conf_file> list

NOTE: <conf_file> is the name of the configuration file without the extension (.conf).

For example, to list the settings inputs.conf is using:

./splunk cmd btool inputs list

You can also send the results of btool into a text file, like this:

./splunk cmd btool inputs list > /tmp/splunk_inputs.txt

Or, if you want, you can pipe the output to grep as shown:

./splunk cmd btool inputs list | grep '\['

You can also run btool for a specific app in your Splunk instance. It lists all the configuration values in use by that app for a given configuration file. To do this, use:

./splunk cmd btool --app=<app_name> <conf_file> list

where <app_name> is the name of the app you want to see the configurations for.

Let's say you want to know the configuration options being used by the Search app for props.conf:

./splunk cmd btool --app=search props list

Checking where configuration values come from

You can also use btool to find out from which specific app Splunk is pulling its configurations for a given configuration file. To do this, use the --debug flag as shown below for outputs.conf.

./splunk cmd btool outputs list --debug
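
The following is an added example, not part of the original post: a small filter that reads the --debug output and lists every effective setting that is not inherited from etc/system/default, together with the file that supplies it, which is handy when reviewing which app decides where outputs.conf sends data. It assumes each --debug line is the .conf path, then whitespace, then the stanza header or key = value, and that the path has no spaces; the function names, sample paths and values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report btool --debug settings that override system defaults.

# Constructed sample of `btool outputs list --debug` output (illustrative only).
sample_debug_output() {
  cat <<'EOF'
/opt/splunk/etc/apps/fwd_app/local/outputs.conf   [tcpout]
/opt/splunk/etc/apps/fwd_app/local/outputs.conf   defaultGroup = primary_indexers
/opt/splunk/etc/system/default/outputs.conf       forwardedindex.filter.disable = false
/opt/splunk/etc/system/default/outputs.conf       maxQueueSize = auto
/opt/splunk/etc/apps/fwd_app/local/outputs.conf   [tcpout:primary_indexers]
/opt/splunk/etc/apps/fwd_app/local/outputs.conf   server = idx1.example.com:9997
/opt/splunk/etc/apps/legacy_app/default/outputs.conf   useACK = false
EOF
}

# stdin: btool --debug output
# stdout: stanza, key, value, source file (tab-separated), system defaults skipped
non_default_settings() {
  awk '
    {
      src = $1
      line = $0
      sub(/^[^ \t]+[ \t]+/, "", line)            # drop the path column
      if (line ~ /^\[.*\]$/) { stanza = line; next }   # remember current stanza
      if (src ~ /\/etc\/system\/default\//) next       # shipped default, skip
      eq = index(line, "=")
      if (eq == 0) next                          # not a key = value line
      key = substr(line, 1, eq - 1)
      val = substr(line, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key)
      gsub(/^[ \t]+|[ \t]+$/, "", val)
      printf "%s\t%s\t%s\t%s\n", stanza, key, val, src
    }'
}

# stdin: output of non_default_settings; stdout: "<count> <source file>" per file
settings_per_source() {
  awk -F '\t' '{ n[$4]++ } END { for (f in n) print n[f], f }' | sort -k2
}

# Demo on the constructed sample. On a real host, run from $SPLUNK_HOME/bin:
#   ./splunk cmd btool outputs list --debug | non_default_settings
sample_debug_output | non_default_settings
```

Piping the result into settings_per_source gives a per-file count, so an app you did not expect to touch outputs.conf stands out.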

Checking for typos in stanza and setting names

Splunk has a conf checker that runs on "splunk start". To invoke it manually, use the command below:

./splunk cmd btool check

Hope this post was able to clearly explain the role of btool in Splunk.

Thanks for reading; visit our other posts for more Splunk-related content.

Happy Splunking!!
