Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do you determine the rendered configuration as applied to a specific source?

krisreeves
Path Finder
‎11-30-2018 01:24 PM

splunk btool is a helpful tool that allows you to determine the result of merging the config on disk, but it doesn't help you to determine whether that config was applied to a given event. Is there any way to do this?

Context: I'm adding some broad configuration to certain sources, but I had to use a regular expression (negative lookahead) to exclude certain subpaths. I'm still getting some warnings in Splunk's internal logs about the timestamp format changing, which makes me uncertain that the config I wrote for timestamp parsing is actually applying to the log that Splunk is complaining about.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-30-2018 02:23 PM

There is no good way to do that but you can add --debug to btool and it will show you the files that contain the values that apply.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎11-30-2018 02:23 PM

There is no good way to do that but you can add --debug to btool and it will show you the files that contain the values that apply.

0 Karma
Reply
Solved! Jump to solution

krisreeves
Path Finder
‎11-30-2018 02:57 PM

I do know about --debug, but that doesn't tell me if Splunk is using what I'm seeing on the screen when processing data 😞

I'm currently working on attempting to add a static metadata field with transforms/props so that I can see when the config block has been applied. Thanks for confirmation though!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...