topic Re: Btools, the big brother of btool (tools, not a question) in Splunk Enterprise

Btools, the big brother of btool (tools, not a question)

jotne — Tue, 04 Mar 2025 21:37:44 GMT

I have seen many struggle with the btool and the some messy output of it.

So I made an updated version that makes it far better to use. Its made as an function, so you can add it to any start up script on your linux.

It make use of color and sort all settings in groups to make it easy to find your settings.
In green you see the stanza name. Yellow is each setting for the stanza. And last in grey is the file that holds the setting.

btools () { # Handle input options if [[ "$1" == "-sd" || "$1" == "-ds" ]]; then opt="etc/system/default" file="$2" stanza="" search="$3" elif [[ "$1" == "-d" && "$2" == "-s" || "$1" == "-s" && "$2" == "-d" ]]; then opt="etc/system/default" file="$3" stanza="" search="$4" elif [[ "$1" == "-d" ]]; then opt="etc/system/default" file="$2" stanza="$3" search="$4" elif [[ "$1" == "-s" ]]; then opt="none" file="$2" stanza="" search="$3" else opt="none" file="$1" stanza="$2" search="$3" fi # If no options are given, show the options [[ -z "$file" ]] && echo -e " btools for Splunk v3.0 Jotne Missing arguments! usage: btools [OPTION] file [STANZA] [SEARCH] -d Do not show splunk default -s All stanza (only needed if search is added and no stanza) file=splunk config file without the .conf [stanza] = complete stanza name or just part of it [search] = search phrase or part of it Example: btools server general servername btools web " && return 1 # If options are not set, give default values [[ -z "$stanza" ]] && stanza=".*" || stanza=".*$stanza.*" [[ -z "$search" ]] && search="" ~/bin/splunk btool $file list --debug | awk -v reset="\033[m\t" \ -v yellow="\033[38;5;226m\t" \ -v green="\033[38;5;46m" ' # set the different ansi color used {sub(/\s+/,"#");split($0,p,"#")} # split the input p[1]=filename p[2]=rest of line p[2]~/^\[.*?\] *$/ {f=0} # if this is a stanza name set flag f=0 f && tolower(p[2])~tolower(search) { # if this is not stanza test if text is part of search or no seach split(p[2],s," ") # Store each stanza in its own group a[st s[1]]++ if(p[1]!~opt)print green st yellow p[2] reset p[1] # Print each block } p[2]~"^\\["stanza"\\]$" {f=1;st=p[2]} # Find next stans ' stanza="$stanza" search="$search" opt="$opt" }

Example:
btools server general servername
btools web

Lets say you like to see all your custom setting in props.conf for the stansa regarding IP 10.36.30.90
and not show any default settings (-q)
btools -q props 10.36.30.90
Give me customer setting for index shb_ad
btools -q indexes shb_ad

Homepath for the shb_ab index:
btools -q indexes shb_ad homepath

Give me all settings for index shb_ab (includes the default settings) (ps there are more lines than picture shows.
btools indexes shb_ad

Any suggestion to make it better is welcome 🙂

Re: Btools, the big brother of btool (tools, not a question)

yeahnah — Tue, 04 Mar 2025 03:48:51 GMT

Hi @jotne

As you may be aware, the * wildcard breaks due to filename expansion (or globbing) from the calling shell, i.e. what is passed to the btools function is a list of filenames in the directory where the function is called, not the * wildcard.

This can be turned off in the shell with the set -f call (set +f to re-enable), or the more useful convention is to escape the wildcard with a backslash or wrap it in single quotes. Standard *nix commands that use the * wildcard on the command line (e.g. find) use this convention so I think this is a more conventional *nix method than using a ¤. My US keyboard does not provide easy access to this character.

[splunk ~]$ touch test_dummy [splunk ~]$ btools indexes test* coldpath.maxDataSizeMB # shell expands to test_dummy so does not work unless the * is escaped [splunk ~]$ btools indexes test\* coldpath.maxDataSizeMB [test_cust] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [splunk ~]$ [splunk@lrlskt02 ~]$ btools indexes * coldpath.maxDataSizeMB [splunk@lrlskt02 ~]$ [splunk@lrlskt02 ~]$ btools indexes '*' coldpath.maxDataSizeMB [_audit] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [_internal] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [_introspection] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [_metrics] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [_metrics_rollup] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [_telemetry] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [_thefishbucket] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [default] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [history] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [main] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [summary] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [test_cust] coldPath.maxDataSizeMB = 0 /opt/splunk/etc/system/default/indexes.conf [splunk@lrlskt02 ~]$

Re: Btools, the big brother of btool (tools, not a question)

jotne — Tue, 04 Mar 2025 08:30:44 GMT

Thanks for your reply.

I tried this, but it still expanded a file name. (i did see the problem with expansion so I used a symbol on my key board 🙂 )

test () { set -f if [[ "$1" == "-q" ]]; then opt="etc/system/default" file="$2" stansa="$3" search="$4" else opt="x**x#x" file="$1" stansa="$2" search="$3" fi echo "opt=$opt" echo "file=$file" echo "stansa=$stansa" echo "search=$search" set +f }

One way I see to solve it is to add another option, like
-a (all splunk files)
btools -a <stansa> <search>

Re: Btools, the big brother of btool (tools, not a question)

yeahnah — Tue, 04 Mar 2025 20:23:43 GMT

It's the calling shell that does the file expansion first so disabling globbing inside the function (which runs in a subshell) will not work. Here's an example that hopefully demonstrates this more clearly ...

$ mkdir empty $ mv test.func empty/.test.func $ cd empty $ ls # no files $ ls -a # globbing ignores hidden files . .. .test.func $ . .test.func $ test * 2 3 # no files so no globbling and * works opt=x**x#x file=* stansa=2 search=3 $ touch newfile $ ls newfile $ test * 2 3 opt=x**x#x file=newfile stansa=2 search=3 $ test \* 2 3 opt=x**x#x file=* stansa=2 search=3 $ set -f $ test * 2 3 opt=x**x#x file=* stansa=2 search=3 $

Agree, that using -a switch may be a cleaner way to represent all files though.

Re: Btools, the big brother of btool (tools, not a question)

jotne — Tue, 04 Mar 2025 21:35:23 GMT

Thanks for the explanations.

I have made an updated version where there are no need of spesial characters.
Also cleaned up the code some.