splunk btool is a helpful tool that allows you to determine the result of merging the config on disk, but it doesn't help you to determine whether that config was applied to a given event. Is there any way to do this?
Context: I'm adding some broad configuration to certain sources, but I had to use a regular expression (negative lookahead) to exclude certain subpaths. I'm still getting some warnings in Splunk's internal logs about the timestamp format changing, which makes me uncertain that the config I wrote for timestamp parsing is actually applying to the log that Splunk is complaining about.
There is no good way to do that, but you can add --debug to btool and it will show you the files that contain the values that apply.
I do know about --debug, but that doesn't tell me if Splunk is using what I'm seeing on the screen when processing data 😞
I'm currently working on attempting to add a static metadata field with transforms/props so that I can see when the config block has been applied. Thanks for confirmation though!
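The approach the comment above sketches, as an added example that is not part of the thread: a props.conf source stanza with a negative lookahead that excludes a subtree, the timestamp settings under test, and a transform that stamps an indexed marker field onto every event the stanza handles, so a search can show whether the stanza matched the events the internal log complains about. The paths, the stanza and transform names, the field name applied_stanza and the timestamp format are all assumptions chosen for illustration.

```ini
# props.conf (example added here, not the poster's config; paths and names assumed)
# Match every .log under /var/log/app/ except the debug/ subtree. The stanza
# header is a PCRE-style regex, so the negative lookahead is honoured here.
[source::/var/log/app/(?!debug/).*\.log]
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N
MAX_TIMESTAMP_LOOKAHEAD = 25
# Hypothetical transform: stamps a marker on every event this stanza touches.
TRANSFORMS-marker = app_logs_marker

# transforms.conf
[app_logs_marker]
# Match any event; FORMAT writes an indexed field (name::value) into the event metadata.
REGEX = .
FORMAT = applied_stanza::app_logs
WRITE_META = true

# fields.conf (so applied_stanza=app_logs is searched as an indexed field)
[applied_stanza]
INDEXED = true
```

To see which file each setting comes from, ask btool for that stanza: `splunk btool props list 'source::/var/log/app/(?!debug/).*\.log' --debug`. To see whether the stanza was applied to data, search the target index for `applied_stanza=app_logs` and compare the sources it covers with the sources named in the internal timestamp warnings (in `index=_internal sourcetype=splunkd`, filtered on the complaining source path). A caveat: the marker transform and the TIME_* settings both run in the parsing pipeline, so the field only confirms the stanza matched on the tier that parses the data (indexer or heavy forwarder); a universal forwarder sending the file does not evaluate either, and the files above must live on the parsing tier.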