Getting Data In
Highlighted

How do I show the running configuration on my forwarder?

Path Finder

I want to view what Splunk sees as the running config for my universal forwarder. I read on http://blogs.splunk.com/2012/10/02/tips-and-tricks-for-the-new-guy/ that I can run ./splunk cmd btool list but that shows me the help page. The blog also says that the command takes a config file parameter, but I don't know what the options are for the config files. Besides, I want to see all of the config info, not just one piece.

How do I tell Splunk to show me all of the config?

Tags (2)
0 Karma
Highlighted

Re: How do I show the running configuration on my forwarder?

Contributor
Highlighted

Re: How do I show the running configuration on my forwarder?

Path Finder

thanks, but I already looked at those and they didn't help.

0 Karma
Highlighted

Re: How do I show the running configuration on my forwarder?

Path Finder

look at the first link again; 3rd paragraph;
http://docs.splunk.com/Documentation/Splunk/6.2.4/Troubleshooting/Usebtooltotroubleshootconfiguratio...
"To view current in-memory configurations, query the REST endpoint /services/properties/."

FYI: the config file parameter is the stanza name inside square brackets [] inside the conf file;

with the rest call you have to URL encode the config file parameter/stanza name;
example:
/opt/splunkforwarder/bin/splunk show config inputs list monitor:///var/syslog-ng/log/ironport_xxx

Becomes:
/opt/splunkforwarder/bin/splunk internal call /services/properties/inputs/monitor%3A%2F%2F%2Fvar%2Fsyslog-ng%2Flog%2Fironportxxx

one way you can reference the url encoding by walking up one up in the REST call and then inspect and copy/paste your target quickly from the parameter; [it appears to come out in json; id]

/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs
/opt/splunkforwarder/bin/splunk _internal call /services/properties/inputs |grep -i ironport

0 Karma
Highlighted

Re: How do I show the running configuration on my forwarder?

SplunkTrust
SplunkTrust

Hi vqd361,

in regards of all config at once, as far as I know this is not possible.
But you could do some wrapper script that finds all your .conf files and use them with the btool command like this :

 for i in ` find /opt/splunk/etc | grep .conf | grep -v README | awk -F/ '{ print $NF }'`; do /opt/splunk/bin/splunk cmd btool $i list; done

Hope this helps ...

cheers, MuS

Highlighted

Re: How do I show the running configuration on my forwarder?

Esteemed Legend

Like @MuS said, the basic command format is like this:

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug

The --debug part is frequently important in tracking down "wrong" but not "broken" configurations.

0 Karma
Highlighted

Re: How do I show the running configuration on my forwarder?

Contributor

The following link shows a worked example of using the btool from Splunk support (about half way through the video): https://www.youtube.com/watch?v=kuUf4qgL2wI

0 Karma
Highlighted

Re: How do I show the running configuration on my forwarder?

Motivator

You can use $SPLUNK_HOME/bin/splunk show config configname, where configname is the name of one of *.conf

So, for example (Assuming that splunk is $SPLUNK_HOME/bin/splunk) you could do:

$ splunk show config web

or

$ splunk show config inputs

or

$ Splunk show config outputs

and so on.

Highlighted

Re: How do I show the running configuration on my forwarder?

Path Finder

show says specified conf file, not what is currently running;
Example:
/opt/splunkforwarder/bin/splunk help show |grep -i config
show config show the details of a specified conf file. (NOTE: this command will only work if the file exists in the location specified by $SPLUNK_HOME/etc/system/default/conf.conf)

0 Karma
Highlighted

Re: How do I show the running configuration on my forwarder?

Path Finder

that first little link in the comments has/appears to have had it;
https://docs.splunk.com/Documentation/Splunk/8.0.0/Troubleshooting/Usebtooltotroubleshootconfigurati...

"To view current in-memory configurations, query the REST endpoint /services/properties/"

0 Karma