Deployment Architecture

Is there a simple way to get all config files from $SPLUNK_HOME/etc?

danielbb
Motivator

A fellow here would like to compare the config files across a cluster of three SHs. So, what's an easy way to get all the config files under $SPLUNK_HOME/etc?

We thought about getting the diags from these three, or run the btool for each config file. Is there a way to get all the config files via a nice Unix command?

0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi danielbb,

Sadly there is no single show them all command in Splunk but have a look at this answer https://answers.splunk.com/answers/293407/how-do-i-show-the-running-configuration-on-my-forw.html#an... it will show an example to list all Splunk .conf files.
With the output you can compare it server by server.

Hope this helps ...

cheers, MuS

View solution in original post

bcusick_splunk
Splunk Employee
Splunk Employee

Hi Daniel - try this on for size:

find /opt/splunk/etc/ -type f -name '*.conf' | grep -v README | awk -F/ '{print $NF}' | awk -F\. '{print $1}' | sort -u > btool_list.txt; for i in $(cat btool_list.txt); do splunk btool $i list; done > complete_btool_output.txt

danielbb
Motivator

Worked perfectly fine - thank you.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi danielbb,

Sadly there is no single show them all command in Splunk but have a look at this answer https://answers.splunk.com/answers/293407/how-do-i-show-the-running-configuration-on-my-forw.html#an... it will show an example to list all Splunk .conf files.
With the output you can compare it server by server.

Hope this helps ...

cheers, MuS

danielbb
Motivator

@MuS, it's great but find /opt/apps/splunk/etc | grep .conf | grep -v README | awk -F/ '{ print $NF }' seems to need some improvements ... on one server find /opt/apps/splunk/etc | grep .conf | grep -v README | awk -F/ '{ print $NF }' | wc -l returns 3339 files...

0 Karma

MuS
SplunkTrust
SplunkTrust

If you improve the find you might end up missing some files but feel free to modify the find in anyway that works better for you 🙂

cheers, MuS

0 Karma

danielbb
Motivator

Ok - will do... : )

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...