Not technically a question, but pretty sure will be helpful to many. If not helpful to you, please don't upvote.
Simply put, btool list
neither separates stanzas, nor indents properties. E.g.:
$ btool serverclass list
[global]
continueMatching = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
restartSplunkWeb = False
restartSplunkd = False
stateOnClient = enabled
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp
[serverClass:foo]
[serverClass:sc_a]
whitelist.0 = dash_at_mrt|bubbles_at_ronnie
[serverClass:sc_a:app:app_one]
[serverClass:sc_a:app:app_three]
[serverClass:sc_b]
whitelist.0 = dash_at_mrt|dgseattle_at_wimpy
[serverClass:sc_b:app:app_four]
[serverClass:sc_b:app:app_one]
[serverClass:sc_c]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie
[serverClass:sc_c:app:app_five]
[serverClass:sc_c:app:app_one]
[serverClass:sc_d]
[serverClass:sc_d:app:app_two]
[serverClass:sc_e]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie
Let's try a simple shell function (you can add it to your ~/.bashrc
😞
btoolist () {
if [ $# -lt 1 ]; then echo "USAGE: ${FUNCNAME[0]} <bundle name, e.g.: serverclass, indexes, server, web> [--debug]" >&2; return 1; fi
btool $@ list | sed '1n;/\B\[/! s/^/\x09/;/\B\[/ i \\'
}
Now,
$ btoolist serverclass
[global]
continueMatching = true
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
restartSplunkWeb = False
restartSplunkd = False
stateOnClient = enabled
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp
[serverClass:foo]
[serverClass:sc_a]
whitelist.0 = dash_at_mrt|bubbles_at_ronnie
[serverClass:sc_a:app:app_one]
[serverClass:sc_a:app:app_three]
[serverClass:sc_b]
whitelist.0 = dash_at_mrt|dgseattle_at_wimpy
[serverClass:sc_b:app:app_four]
[serverClass:sc_b:app:app_one]
[serverClass:sc_c]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie
[serverClass:sc_c:app:app_five]
[serverClass:sc_c:app:app_one]
[serverClass:sc_d]
[serverClass:sc_d:app:app_two]
[serverClass:sc_e]
whitelist.0 = dgseattle_at_wimpy|bubbles_at_ronnie
Nicer, no?
Hello there,
you should install S.o.S that comes along with a custom command called btool. For example, right from Splunk search bar:
| btool <conf file name>
eg:
| btool inputs
or
| btool props
and so on.. Since you have also field extraction of all this, you can even filter for stanza name, app name and so:
| btool inputs | search stanza="WinEventLog://Security"
or
| btool props | search app="Your_wonderful_parsing_app_name"
The output is pefectly readable:
Hope it helps..
Cheers
I like indentation better (different 'sed' command):
/opt/splunk/bin/splunk btool serverclass list | sed 's/^\([^\[]\)/ \1/'
don't forget to preserve that first matched character. in that example, sed will replace it with an indentation, not prepend it.
sed example that preserves the character:
/opt/splunk/bin/splunk btool serverclass list | sed 's/^([^[])/ \1/'
Yes, answer updated.