Splunk btool is a command-line tool for troubleshooting configuration file issues. It can be used to see which values are set for your Splunk instance.
Troubleshoot configurations with btool
As we know, the Splunk Enterprise configuration file system supports many overlapping configuration files in many different locations/directories. This feature also makes it hard at times to figure out which configuration value Splunk is currently using.
btool displays the merged on-disk settings from the .conf files. It does not necessarily show you what Splunk software is currently using. For example, if you edit a .conf file and do not restart (and the edit requires a restart), btool reports the newly edited settings rather than the settings that are currently being used. To see the current in-memory configuration of your Splunk installation, query the REST endpoint /services/properties.
Listing out the configuration values
Follow the steps given below to see all the configuration values in use by your Splunk instance.
1) cd $SPLUNK_HOME/bin
2) ./splunk cmd btool <conf_file> list
NOTE: <conf_file> is the name of the configuration file without extension (.conf).
For example, to list the settings that inputs.conf is using:
./splunk cmd btool inputs list
You can also send the results of btool into a text file, like this:
./splunk cmd btool inputs list > /tmp/splunk_inputs.txt
Or, if you want, you can pipe the output to grep, as shown:
./splunk cmd btool inputs list | grep '\['
You can also run btool for a specific app in your Splunk instance. It lists all the configuration values in use by that app for a given configuration file. To do this, run:
./splunk cmd btool --app=<app_name> <conf_file> list
where <app_name> is the name of the app you want to see the configurations for.
Let's say you want to know the configuration options being used by the Search app for props.conf:
./splunk cmd btool --app=search props list
Checking where configuration values come from
You can also use btool to find out from which specific app Splunk is pulling its configurations for a given configuration file. To do this, use the --debug flag as shown below for outputs.conf.
./splunk cmd btool outputs list --debug
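The following is an added example, not part of the original post: a shell function that reads --debug output and reports every setting that does not come from a default/ directory, together with its stanza and source file. It assumes each --debug line is the source file path followed by the stanza or setting and that paths contain no spaces; the sample input, the app name fwd_app and the host name are constructed.

```shell
#!/bin/sh
# Added example: find which non-default files supply settings in btool --debug output.

# Constructed sample in the assumed --debug layout: "<source file>  <line>".
sample_btool_debug() {
cat <<'EOF'
/opt/splunk/etc/system/local/outputs.conf          [tcpout]
/opt/splunk/etc/system/default/outputs.conf        compressed = false
/opt/splunk/etc/apps/fwd_app/local/outputs.conf    defaultGroup = primary
/opt/splunk/etc/system/default/outputs.conf        indexAndForward = false
/opt/splunk/etc/apps/fwd_app/local/outputs.conf    [tcpout:primary]
/opt/splunk/etc/apps/fwd_app/local/outputs.conf    server = idx1.example.test:9997
/opt/splunk/etc/system/default/outputs.conf        useACK = false
EOF
}

# Reads --debug output on stdin and prints, tab-separated:
#   stanza, key, value, source file
# for each setting whose source file is not under a default/ directory.
btool_overrides() {
    awk '
        NF < 2 { next }                        # skip blank or path-only lines
        {
            path = $1
            line = $0
            sub(/^[^ \t]+[ \t]+/, "", line)    # drop the source-file column
        }
        line ~ /^\[/ { stanza = line; next }   # remember the current stanza
        path !~ /\/default\// {
            eq = index(line, "=")              # split at the first "=" only
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            printf "%s\t%s\t%s\t%s\n", stanza, key, val, path
        }
    '
}

# Run on the constructed sample; on a real instance, pipe btool into it instead:
#   ./splunk cmd btool outputs list --debug | btool_overrides
sample_btool_debug | btool_overrides
```

For outputs.conf this gives a quick review of which app decides where data is forwarded.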
Checking for typos in stanza and setting names
Splunk has a conf checker that runs on “splunk start”. To invoke it manually, use the command below:
./splunk cmd btool check
We hope this post clearly explained the role of btool in Splunk.