https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478929#M11052 <P>So, if in case I have a monitor stanza which monitors a file [monitor:///abc/syslog/xyz/*.log] and this monitor is enabled as in if there was a .log file present under the xyz directory splunk would be monitoring this file. </P> <P>This monitor shows up in the btool as this is the run time config that is currently running on the instance.</P> <P>This monitor should also show up in the rest query..I am hoping to see this config using rest calls.</P> Thu, 23 Apr 2020 01:27:28 GMT rohitmaheshwari 2020-04-23T01:27:28Z https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478927#M11050 <P>I am using Splunk version 7.3.2.</P> <P>I am trying to find the runtime input configuration on a Splunk heavy forwarder using Rest API endpoint. <BR />I have noticed a difference in results when accessing the input configuration on a heavy forwarder using btool in comparison to Splunk API endpoint.<BR />Some of the monitoring input stanzas that appear on the Splunk instance when using btool are not part of the API call results.</P> <P>Rest API Call:<BR />The Rest API call uses the ‘GET’ method to retrieve the configured inputs from the endpoint ‘<A href="https://somethingishere:8089/services/data/inputs/monitor%E2%80%99" target="_blank">https://somethingishere:8089/services/data/inputs/monitor’</A>.<BR />The btool command:<BR />Command used for ‘btool ‘ and filtered on the keyword syslog: <BR />./splunk btool inputs list</P> <P>Is there an endpoint to capture the current running monitor input configurations?? ..or another way of doing this.</P> Sun, 07 Jun 2020 17:36:29 GMT https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478927#M11050 rohitmaheshwari 2020-06-07T17:36:29Z https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478928#M11051 <P>Recall that btool shows the contents of the config files, which is not always what Splunk is currently running. Output of btool is what Splunk will run the next time it restarts.</P> <P>The endpoint for capturing currently monitored inputs is what you already use - <CODE>services/data/inputs/monitor</CODE>.</P> <P>There is also the CLI command <CODE>splunk list monitor</CODE>.</P> Wed, 22 Apr 2020 14:28:54 GMT https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478928#M11051 richgalloway 2020-04-22T14:28:54Z https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478929#M11052 <P>So, if in case I have a monitor stanza which monitors a file [monitor:///abc/syslog/xyz/*.log] and this monitor is enabled as in if there was a .log file present under the xyz directory splunk would be monitoring this file. </P> <P>This monitor shows up in the btool as this is the run time config that is currently running on the instance.</P> <P>This monitor should also show up in the rest query..I am hoping to see this config using rest calls.</P> Thu, 23 Apr 2020 01:27:28 GMT https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478929#M11052 rohitmaheshwari 2020-04-23T01:27:28Z https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478930#M11053 <P>"This monitor shows up in the btool as this is the run time config that is currently running on the instance.<BR /> "</P> <P>That is not correct, btool shows the filesystem level configuration, not the currently active configuration.<BR /> Currently active configuration you can find via REST endpoints</P> <P>If you are unsure which endpoint either check the REST API docs or try <A href="https://splunkbase.splunk.com/app/3696/">Config Quest</A></P> Thu, 23 Apr 2020 03:36:36 GMT https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478930#M11053 gjanders 2020-04-23T03:36:36Z https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478931#M11054 <P>Run the CLI command I mentioned. It will tell you which files are being monitored.</P> Thu, 23 Apr 2020 12:08:14 GMT https://community.splunk.com/t5/Security/Splunk-API-comparison-to-btool-command/m-p/478931#M11054 richgalloway 2020-04-23T12:08:14Z