Solved: Re: How do you determine the rendered configuratio...

krisreeves · ‎11-30-2018

splunk btool is a helpful tool that allows you to determine the result of merging the config on disk, but it doesn't help you to determine whether that config was applied to a given event. Is there any way to do this?

Context: I'm adding some broad configuration to certain sources, but I had to use a regular expression (negative lookahead) to exclude certain subpaths. I'm still getting some warnings in Splunk's internal logs about the timestamp format changing, which makes me uncertain that the config I wrote for timestamp parsing is actually applying to the log that Splunk is complaining about.

woodcock · ‎11-30-2018

There is no good way to do that but you can add --debug to btool and it will show you the files that contain the values that apply.

View solution in original post

woodcock · ‎11-30-2018

There is no good way to do that but you can add --debug to btool and it will show you the files that contain the values that apply.

krisreeves · ‎11-30-2018

I do know about --debug, but that doesn't tell me if Splunk is using what I'm seeing on the screen when processing data 😞

I'm currently working on attempting to add a static metadata field with transforms/props so that I can see when the config block has been applied. Thanks for confirmation though!

How do you determine the rendered configuration as applied to a specific source?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!