
make output of "btool some-conf-type list" more legible (UNIX)?

V_at_Splunk
Splunk Employee

Not technically a question, but pretty sure will be helpful to many. If not helpful to you, please don't upvote.


Simply put, btool list neither separates stanzas, nor indents properties. E.g.:


$ btool serverclass list
[global]
continueMatching = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
restartSplunkWeb = False
restartSplunkd = False
stateOnClient = enabled
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp
[serverClass:foo]
[serverClass:sc_a]
whitelist.0 = dash_at_mrt|bubbles_at_ronnie
[serverClass:sc_a:app:app_one]
[serverClass:sc_a:app:app_three]
[serverClass:sc_b]
whitelist.0 = dash_at_mrt|dgseattle_at_wimpy
[serverClass:sc_b:app:app_four]
[serverClass:sc_b:app:app_one]
[serverClass:sc_c]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie
[serverClass:sc_c:app:app_five]
[serverClass:sc_c:app:app_one]
[serverClass:sc_d]
[serverClass:sc_d:app:app_two]
[serverClass:sc_e]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie

Let's try a simple shell function (you can add it to your ~/.bashrc):


btoolist () {
    if [ $# -lt 1 ]; then echo "USAGE: ${FUNCNAME[0]} <bundle name, e.g.: serverclass, indexes, server, web> [--debug]" >&2; return 1; fi
    # GNU sed: leave line 1 as is, tab-indent non-stanza lines, insert a blank line before each stanza
    btool "$@" list | sed '1n;/\B\[/! s/^/\x09/;/\B\[/ i \\'
}

Now,


$ btoolist serverclass
[global]
    continueMatching = true
    repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
    restartSplunkWeb = False
    restartSplunkd = False
    stateOnClient = enabled
    targetRepositoryLocation = $SPLUNK_HOME/etc/apps
    tmpFolder = $SPLUNK_HOME/var/run/tmp

[serverClass:foo]

[serverClass:sc_a]
    whitelist.0 = dash_at_mrt|bubbles_at_ronnie

[serverClass:sc_a:app:app_one]

[serverClass:sc_a:app:app_three]

[serverClass:sc_b]
    whitelist.0 = dash_at_mrt|dgseattle_at_wimpy

[serverClass:sc_b:app:app_four]

[serverClass:sc_b:app:app_one]

[serverClass:sc_c]
    whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie

[serverClass:sc_c:app:app_five]

[serverClass:sc_c:app:app_one]

[serverClass:sc_d]

[serverClass:sc_d:app:app_two]

[serverClass:sc_e]
    whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie

Nicer, no?
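
A portable variant of the function above, as an added example that is not part of the original post: it uses POSIX awk instead of the GNU-only sed features (`\x09`, one-line `i`) and, with `--debug`, indents the setting after the source-file prefix rather than in front of it. The names fmt_btool, fmt_btool_demo and btoolist_portable are made up here, and the `--debug` layout (an absolute path without spaces, whitespace, then the original line) is an assumption.

```shell
# Added example, not from the thread. Reads `btool <conf> list [--debug]`
# output on stdin, so it can be exercised without a Splunk install.
fmt_btool() {
    awk '
    {
        prefix = ""; body = $0
        # Assumption: --debug prefixes every line with an absolute path
        # (no spaces in it) followed by whitespace. Split that prefix off.
        if (match(body, /^\/[^ \t]*[ \t]+/)) {
            prefix = substr(body, 1, RLENGTH)
            body = substr(body, RLENGTH + 1)
        }
        if (body ~ /^\[/) {
            if (seen++) print ""       # blank line before each stanza except the first
            print prefix body
        } else {
            print prefix "\t" body     # indent settings under their stanza
        }
    }'
}

# Constructed sample input (not captured output) for an offline check.
fmt_btool_demo() {
    printf '%s\n' '[global]' 'stateOnClient = enabled' '[serverClass:sc_a]' \
        'whitelist.0 = dash_at_mrt|bubbles_at_ronnie' | fmt_btool
}

# Same calling convention as the thread's btoolist; arguments are quoted
# so they reach btool unchanged.
btoolist_portable() {
    if [ $# -lt 1 ]; then
        echo "USAGE: btoolist_portable <conf name, e.g. serverclass> [--debug]" >&2
        return 1
    fi
    btool "$@" list | fmt_btool
}
```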

Nicolo_Figiani
Path Finder

Hello there,
you should install S.o.S that comes along with a custom command called btool. For example, right from Splunk search bar:

| btool <conf file name>

eg:

| btool inputs

or

| btool props

and so on. Since you also have field extraction of all this, you can even filter for stanza name, app name and so on:

| btool inputs | search stanza="WinEventLog://Security"

or

| btool props | search app="Your_wonderful_parsing_app_name"

The output is perfectly readable:


Hope it helps..

Cheers

woodcock
Esteemed Legend

I like indentation better (different 'sed' command):

/opt/splunk/bin/splunk btool serverclass list | sed 's/^\([^\[]\)/   \1/'

jhedgpeth
Path Finder

Don't forget to preserve that first matched character. In that example, sed will replace it with an indentation, not prepend it.

sed example that preserves the character:
/opt/splunk/bin/splunk btool serverclass list | sed 's/^\([^[]\)/ \1/'

woodcock
Esteemed Legend

Yes, answer updated.

0 Karma