Deployment Architecture
Highlighted

make output of "btool some-conf-type list" more legible (UNIX)?

Splunk Employee
Splunk Employee

Not technically a question, but pretty sure will be helpful to many. If not helpful to you, please don't upvote.


Simply put, btool list neither separates stanzas, nor indents properties. E.g.:


$ btool serverclass list
[global]
continueMatching = true
repositoryLocation = $SPLUNKHOME/etc/deployment-apps
restartSplunkWeb = False
restartSplunkd = False
stateOnClient = enabled
targetRepositoryLocation = $SPLUNK
HOME/etc/apps
tmpFolder = $SPLUNKHOME/var/run/tmp
[serverClass:foo]
[serverClass:sc_a]
whitelist.0 = dash
atmrt|bubblesatronnie
[serverClass:sca:app:appone]
[serverClass:sca:app:appthree]
[serverClass:sc
b]
whitelist.0 = dashatmrt|dgseattleatwimpy
[serverClass:scb:app:appfour]
[serverClass:scb:app:appone]
[serverClass:scc]
whitelist.0 = dgseattle
atwimpy|bubblesatronnie
[serverClass:scc:app:appfive]
[serverClass:scc:app:appone]
[serverClass:scd]
[serverClass:sc
d:app:app_two]
[serverClass:sc
e]
whitelist.0 = dgseattleatwimpy|bubblesatronnie

Let's try a simple shell function (you can add it to your ~/.bashrc😞


btoolist () {
if [ $# -lt 1 ]; then echo "USAGE: ${FUNCNAME[0]} <bundle name, e.g.: serverclass, indexes, server, web> [--debug]" >&2; return 1; fi
btool $@ list | sed '1n;/\B\[/! s/^/\x09/;/\B\[/ i \\'
}

Now,


$ btoolist serverclass
[global]
continueMatching = true
repositoryLocation = $SPLUNKHOME/etc/deployment-apps
restartSplunkWeb = False
restartSplunkd = False
stateOnClient = enabled
targetRepositoryLocation = $SPLUNK
HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

[serverClass:foo]

[serverClass:sca]
whitelist.0 = dash
atmrt|bubblesat_ronnie

[serverClass:sca:app:appone]

[serverClass:sca:app:appthree]

[serverClass:scb]
whitelist.0 = dash
atmrt|dgseattleat_wimpy

[serverClass:scb:app:appfour]

[serverClass:scb:app:appone]

[serverClass:scc]
whitelist.0 = dgseattle
atwimpy|bubblesat_ronnie

[serverClass:scc:app:appfive]

[serverClass:scc:app:appone]

[serverClass:sc_d]

[serverClass:scd:app:apptwo]

[serverClass:sce]
whitelist.0 = dgseattle
atwimpy|bubblesat_ronnie

Nicer, no?

Highlighted

Re: make output of "btool some-conf-type list" more legible (UNIX)?

Esteemed Legend

I like indentation better (different 'sed' command):

/opt/splunk/bin/splunk btool serverclass list | sed 's/^\([^\[]\)/   \1/'
Highlighted

Re: make output of "btool some-conf-type list" more legible (UNIX)?

Path Finder

don't forget to preserve that first matched character. in that example, sed will replace it with an indentation, not prepend it.

sed example that preserves the character:
/opt/splunk/bin/splunk btool serverclass list | sed 's/^([^[])/ \1/'

Highlighted

Re: make output of "btool some-conf-type list" more legible (UNIX)?

Esteemed Legend

Yes, answer updated.

0 Karma
Highlighted

Re: make output of "btool some-conf-type list" more legible (UNIX)?

Path Finder

Hello there,
you should install S.o.S that comes along with a custom command called btool. For example, right from Splunk search bar:

| btool <conf file name>

eg:

| btool inputs

or

| btool props

and so on.. Since you have also field extraction of all this, you can even filter for stanza name, app name and so:

| btool inputs | search stanza="WinEventLog://Security"

or

| btool props | search app="Your_wonderful_parsing_app_name"

The output is pefectly readable:

alt text

Hope it helps..

Cheers