- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I show the running configuration on my forwarder?
I want to view what Splunk sees as the running config for my universal forwarder. I read on http://blogs.splunk.com/2012/10/02/tips-and-tricks-for-the-new-guy/ that I can run ./splunk cmd btool list but that shows me the help page. The blog also says that the command takes a config file parameter, but I don't know what the options are for the config files. Besides, I want to see all of the config info, not just one piece.
How do I tell Splunk to show me all of the config?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this in your bin dir to view all your settings in memory on CLI for each respective .conf file:
./splunk show config <filename_without_.conf>
For example, to view inputs.conf (you might have to pipe it into less):
./splunk show config inputs- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
that first little link in the comments has/appears to have had it;
https://docs.splunk.com/Documentation/Splunk/8.0.0/Troubleshooting/Usebtooltotroubleshootconfigurati...
"To view current in-memory configurations, query the REST endpoint /services/properties/"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use $SPLUNK_HOME/bin/splunk show config configname, where configname is the name of one of *.conf
So, for example (Assuming that splunk is $SPLUNK_HOME/bin/splunk) you could do:
$ splunk show config web
or
$ splunk show config inputs
or
$ Splunk show config outputs
and so on.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
show says specified conf file, not what is currently running;
Example:
/opt/splunkforwarder/bin/splunk help show |grep -i config
show config show the details of a specified conf file. (NOTE: this command will only work if the file exists in the location specified by $SPLUNK_HOME/etc/system/default/conf.conf)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like @MuS said, the basic command format is like this:
$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug
The --debug part is frequently important in tracking down "wrong" but not "broken" configurations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following link shows a worked example of using the btool from Splunk support (about half way through the video): https://www.youtube.com/watch?v=kuUf4qgL2wI
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi vqd361,
in regards of all config at once, as far as I know this is not possible.
But you could do some wrapper script that finds all your .conf files and use them with the btool command like this :
for i in ` find /opt/splunk/etc | grep .conf | grep -v README | awk -F/ '{ print $NF }'`; do /opt/splunk/bin/splunk cmd btool $i list; done
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can view Splunk documentation on the btool here
http://docs.splunk.com/Documentation/Splunk/6.2.4/Troubleshooting/Usebtooltotroubleshootconfiguratio...
http://docs.splunk.com/Documentation/Splunk/6.2.4/Troubleshooting/CommandlinetoolsforusewithSupport
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, but I already looked at those and they didn't help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
look at the first link again; 3rd paragraph;
http://docs.splunk.com/Documentation/Splunk/6.2.4/Troubleshooting/Usebtooltotroubleshootconfiguratio...
"To view current in-memory configurations, query the REST endpoint /services/properties/."
FYI: the config file parameter is the stanza name inside square brackets [] inside the conf file;
with the rest call you have to URL encode the config file parameter/stanza name;
example:
/opt/splunkforwarder/bin/splunk show config inputs list monitor:///var/syslog-ng/log/ironport_xxx
Becomes:
/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs/monitor%3A%2F%2F%2Fvar%2Fsyslog-ng%2Flog%2Fironport_xxx
one way you can reference the url encoding by walking up one up in the REST call and then inspect and copy/paste your target quickly from the parameter; [it appears to come out in json; id]
/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs
/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs |grep -i ironport
