Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I show the running configuration on my forwarder?

vqd361
Path Finder
‎08-06-2015 03:05 PM

I want to view what Splunk sees as the running config for my universal forwarder. I read on http://blogs.splunk.com/2012/10/02/tips-and-tricks-for-the-new-guy/ that I can run ./splunk cmd btool list but that shows me the help page. The blog also says that the command takes a config file parameter, but I don't know what the options are for the config files. Besides, I want to see all of the config info, not just one piece.

How do I tell Splunk to show me all of the config?

Tags (2)
0 Karma
Reply

nsanzar_splunk
Splunk Employee
Splunk Employee
‎01-18-2021 12:28 PM

Run this in your bin dir to view all your settings in memory on CLI for each respective .conf file:

./splunk show config <filename_without_.conf>

 

For example, to view inputs.conf (you might have to pipe it into less):

./splunk show config inputs
0 Karma
Reply

GDustin
Path Finder
‎11-25-2019 03:31 PM

that first little link in the comments has/appears to have had it;
https://docs.splunk.com/Documentation/Splunk/8.0.0/Troubleshooting/Usebtooltotroubleshootconfigurati...

"To view current in-memory configurations, query the REST endpoint /services/properties/"

0 Karma
Reply

wrangler2x
Motivator
‎05-30-2018 10:04 AM

You can use $SPLUNK_HOME/bin/splunk show config configname, where configname is the name of one of *.conf

So, for example (Assuming that splunk is $SPLUNK_HOME/bin/splunk) you could do:

$ splunk show config web

or

$ splunk show config inputs

or

$ Splunk show config outputs

and so on.

Reply

GDustin
Path Finder
‎11-25-2019 03:36 PM

show says specified conf file, not what is currently running;
Example:
/opt/splunkforwarder/bin/splunk help show |grep -i config
show config show the details of a specified conf file. (NOTE: this command will only work if the file exists in the location specified by $SPLUNK_HOME/etc/system/default/conf.conf)

0 Karma
Reply

woodcock
Esteemed Legend
‎08-06-2015 03:44 PM

Like @MuS said, the basic command format is like this:

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug

The --debug part is frequently important in tracking down "wrong" but not "broken" configurations.

0 Karma
Reply

gcato
Contributor
‎08-06-2015 04:02 PM

The following link shows a worked example of using the btool from Splunk support (about half way through the video): https://www.youtube.com/watch?v=kuUf4qgL2wI

0 Karma
Reply

MuS
Legend
‎08-06-2015 03:33 PM

Hi vqd361,

in regards of all config at once, as far as I know this is not possible.
But you could do some wrapper script that finds all your .conf files and use them with the btool command like this :

 for i in ` find /opt/splunk/etc | grep .conf | grep -v README | awk -F/ '{ print $NF }'`; do /opt/splunk/bin/splunk cmd btool $i list; done

Hope this helps ...

cheers, MuS

Reply

vqd361
Path Finder
‎08-06-2015 03:21 PM

thanks, but I already looked at those and they didn't help.

0 Karma
Reply

GDustin
Path Finder
‎11-25-2019 03:48 PM

look at the first link again; 3rd paragraph;
http://docs.splunk.com/Documentation/Splunk/6.2.4/Troubleshooting/Usebtooltotroubleshootconfiguratio...
"To view current in-memory configurations, query the REST endpoint /services/properties/."

FYI: the config file parameter is the stanza name inside square brackets [] inside the conf file;

with the rest call you have to URL encode the config file parameter/stanza name;
example:
/opt/splunkforwarder/bin/splunk show config inputs list monitor:///var/syslog-ng/log/ironport_xxx

Becomes:
/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs/monitor%3A%2F%2F%2Fvar%2Fsyslog-ng%2Flog%2Fironport_xxx

one way you can reference the url encoding by walking up one up in the REST call and then inspect and copy/paste your target quickly from the parameter; [it appears to come out in json; id]

/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs
/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs |grep -i ironport

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...