Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is btool command returning many duplicate events for props.conf?

asimagu
Builder
‎09-19-2017 02:39 AM

hi guys

I am experiencing an odd behavior when using btool to troubleshoot some issues.

When I run btool to get the list of props.conf in my instance I get lots of duplicates and I don´t know why this is happening nor if it is normal / expected to be like this. any ideas or explanations??

Example:

$ splunk btool props --debug list | grep send_to_nullqueue

/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
....
....
...
(lots of times)

Here is the content of my props.conf and my transforms.conf

props.conf

[default]
TRANSFORMS = send_to_nullqueue

transforms.conf

[send_to_nullqueue_slb]
DEST_KEY = queue
REGEX = blah\sblah\sblah
FORMAT = nullQueue

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

abalogh_splunk
Splunk Employee
Splunk Employee
‎09-20-2017 05:38 AM

Hello,

The reason you are seeing that many send_to_nullqueue is because you have added it to [default] stanza which means it will be applied to ALL sourcetypes. To avoid this do not use [default] and instead add the proper stanza.

I hope this helps you to understand.

br
Adam

*edit spelling

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

abalogh_splunk
Splunk Employee
Splunk Employee
‎09-20-2017 05:38 AM

Hello,

The reason you are seeing that many send_to_nullqueue is because you have added it to [default] stanza which means it will be applied to ALL sourcetypes. To avoid this do not use [default] and instead add the proper stanza.

I hope this helps you to understand.

br
Adam

*edit spelling

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎09-21-2017 05:58 AM

Thanks Adam. This makes sense now. However this is only a part of the case we have with Splunk Support. If you have time, feel free to take a look at #540217

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-19-2017 02:47 AM

Hi
this means that in the props.con of the app test you have many stanzas where you want to execute the TRANSFORMS = send_to_null_queue command.
If you see only these rows you cannot understand the contest of the command!

The best way to proceed is to run the command readdressing output in a text file

splunk btool props --debug list > file.txt

in this way you have all the command results in a file and you can examine it.

Bye.
Giuseppe

Reply
Solved! Jump to solution

asimagu
Builder
‎09-20-2017 05:15 AM

I downvoted this post because it is offensive and does not answer the question

0 Karma
Reply
Solved! Jump to solution

fredclown
Contributor
‎06-02-2023 08:40 AM

@gcusello's answer is not disrespectful in anyway. Nothing that he said was demeaning or implied malice. I have received much help from @gcusello in the past and his answers have always been respectful. I think you are reading into something that is not there.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-20-2017 04:13 AM

If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

asimagu
Builder
‎09-20-2017 05:04 AM

it does not. thanks but I understand the command very well enough.
I only have one stanza in that execute that Transforms.
We have been working with Splunk Support for some time but could not find an explanation yet, that´s why I brought it to the community. I would appreciate a little bit of respect when you provide an answer. thanks again

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...