Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is btool command returning many duplicate events for props.conf?

asimagu
Builder
‎09-19-2017 02:39 AM

hi guys

I am experiencing an odd behavior when using btool to troubleshoot some issues.

When I run btool to get the list of props.conf in my instance I get lots of duplicates and I don´t know why this is happening nor if it is normal / expected to be like this. any ideas or explanations??

Example:

$ splunk btool props --debug list | grep send_to_nullqueue

/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
....
....
...
(lots of times)

Here is the content of my props.conf and my transforms.conf

props.conf

[default]
TRANSFORMS = send_to_nullqueue

transforms.conf

[send_to_nullqueue_slb]
DEST_KEY = queue
REGEX = blah\sblah\sblah
FORMAT = nullQueue

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

abalogh_splunk
Splunk Employee
Splunk Employee
‎09-20-2017 05:38 AM

Hello,

The reason you are seeing that many send_to_nullqueue is because you have added it to [default] stanza which means it will be applied to ALL sourcetypes. To avoid this do not use [default] and instead add the proper stanza.

I hope this helps you to understand.

br
Adam

*edit spelling

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

abalogh_splunk
Splunk Employee
Splunk Employee
‎09-20-2017 05:38 AM

Hello,

The reason you are seeing that many send_to_nullqueue is because you have added it to [default] stanza which means it will be applied to ALL sourcetypes. To avoid this do not use [default] and instead add the proper stanza.

I hope this helps you to understand.

br
Adam

*edit spelling

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎09-21-2017 05:58 AM

Thanks Adam. This makes sense now. However this is only a part of the case we have with Splunk Support. If you have time, feel free to take a look at #540217

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2017 02:47 AM

Hi
this means that in the props.con of the app test you have many stanzas where you want to execute the TRANSFORMS = send_to_null_queue command.
If you see only these rows you cannot understand the contest of the command!

The best way to proceed is to run the command readdressing output in a text file

splunk btool props --debug list > file.txt

in this way you have all the command results in a file and you can examine it.

Bye.
Giuseppe

Reply
Solved! Jump to solution

asimagu
Builder
‎09-20-2017 05:15 AM

I downvoted this post because it is offensive and does not answer the question

0 Karma
Reply
Solved! Jump to solution

fredclown
Contributor
‎06-02-2023 08:40 AM

@gcusello's answer is not disrespectful in anyway. Nothing that he said was demeaning or implied malice. I have received much help from @gcusello in the past and his answers have always been respectful. I think you are reading into something that is not there.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 04:13 AM

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎09-20-2017 05:04 AM

it does not. thanks but I understand the command very well enough.
I only have one stanza in that execute that Transforms.
We have been working with Splunk Support for some time but could not find an explanation yet, that´s why I brought it to the community. I would appreciate a little bit of respect when you provide an answer. thanks again

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...