Deployment Architecture

make output of "btool some-conf-type list" more legible (UNIX)?

V_at_Splunk
Splunk Employee
Splunk Employee

Not technically a question, but pretty sure will be helpful to many. If not helpful to you, please don't upvote.


Simply put, btool list neither separates stanzas, nor indents properties. E.g.:


$ btool serverclass list
[global]
continueMatching = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
restartSplunkWeb = False
restartSplunkd = False
stateOnClient = enabled
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp
[serverClass:foo]
[serverClass:sc_a]
whitelist.0 = dash_at_mrt|bubbles_at_ronnie
[serverClass:sc_a:app:app_one]
[serverClass:sc_a:app:app_three]
[serverClass:sc_b]
whitelist.0 = dash_at_mrt|dgseattle_at_wimpy
[serverClass:sc_b:app:app_four]
[serverClass:sc_b:app:app_one]
[serverClass:sc_c]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie
[serverClass:sc_c:app:app_five]
[serverClass:sc_c:app:app_one]
[serverClass:sc_d]
[serverClass:sc_d:app:app_two]
[serverClass:sc_e]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie

Let's try a simple shell function (you can add it to your ~/.bashrc😞


btoolist () {
if [ $# -lt 1 ]; then echo "USAGE: ${FUNCNAME[0]} <bundle name, e.g.: serverclass, indexes, server, web> [--debug]" >&2; return 1; fi
btool $@ list | sed '1n;/\B\[/! s/^/\x09/;/\B\[/ i \\'
}

Now,


$ btoolist serverclass
[global]
continueMatching = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
restartSplunkWeb = False
restartSplunkd = False
stateOnClient = enabled
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

[serverClass:foo]

[serverClass:sc_a]
whitelist.0 = dash_at_mrt|bubbles_at_ronnie

[serverClass:sc_a:app:app_one]

[serverClass:sc_a:app:app_three]

[serverClass:sc_b]
whitelist.0 = dash_at_mrt|dgseattle_at_wimpy

[serverClass:sc_b:app:app_four]

[serverClass:sc_b:app:app_one]

[serverClass:sc_c]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie

[serverClass:sc_c:app:app_five]

[serverClass:sc_c:app:app_one]

[serverClass:sc_d]

[serverClass:sc_d:app:app_two]

[serverClass:sc_e]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie

Nicer, no?

Nicolo_Figiani
Path Finder

Hello there,
you should install S.o.S that comes along with a custom command called btool. For example, right from Splunk search bar:

| btool <conf file name>

eg:

| btool inputs

or

| btool props

and so on.. Since you have also field extraction of all this, you can even filter for stanza name, app name and so:

| btool inputs | search stanza="WinEventLog://Security"

or

| btool props | search app="Your_wonderful_parsing_app_name"

The output is pefectly readable:

alt text

Hope it helps..

Cheers

woodcock
Esteemed Legend

I like indentation better (different 'sed' command):

/opt/splunk/bin/splunk btool serverclass list | sed 's/^\([^\[]\)/   \1/'

jhedgpeth
Path Finder

don't forget to preserve that first matched character. in that example, sed will replace it with an indentation, not prepend it.

sed example that preserves the character:
/opt/splunk/bin/splunk btool serverclass list | sed 's/^([^[])/ \1/'

woodcock
Esteemed Legend

Yes, answer updated.

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...