hi guys
I am experiencing an odd behavior when using btool to troubleshoot some issues.
When I run btool to get the list of props.conf in my instance I get lots of duplicates and I don´t know why this is happening nor if it is normal / expected to be like this. any ideas or explanations??
Example:
$ splunk btool props --debug list | grep send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
/opt/splunk/etc/apps/test/default/props.conf TRANSFORMS = send_to_nullqueue
....
....
...
(lots of times)
Here is the content of my props.conf and my transforms.conf
props.conf
[default]
TRANSFORMS = send_to_nullqueue
transforms.conf
[send_to_nullqueue_slb]
DEST_KEY = queue
REGEX = blah\sblah\sblah
FORMAT = nullQueue
Hello,
The reason you are seeing that many send_to_nullqueue is because you have added it to [default] stanza which means it will be applied to ALL sourcetypes. To avoid this do not use [default] and instead add the proper stanza.
I hope this helps you to understand.
br
Adam
*edit spelling
Hello,
The reason you are seeing that many send_to_nullqueue is because you have added it to [default] stanza which means it will be applied to ALL sourcetypes. To avoid this do not use [default] and instead add the proper stanza.
I hope this helps you to understand.
br
Adam
*edit spelling
Thanks Adam. This makes sense now. However this is only a part of the case we have with Splunk Support. If you have time, feel free to take a look at #540217
Hi
this means that in the props.con of the app test you have many stanzas where you want to execute the TRANSFORMS = send_to_null_queue
command.
If you see only these rows you cannot understand the contest of the command!
The best way to proceed is to run the command readdressing output in a text file
splunk btool props --debug list > file.txt
in this way you have all the command results in a file and you can examine it.
Bye.
Giuseppe
I downvoted this post because it is offensive and does not answer the question
If this answer satisfies your question, please accept or upvote it.
Bye.
Giuseppe
it does not. thanks but I understand the command very well enough.
I only have one stanza in that execute that Transforms.
We have been working with Splunk Support for some time but could not find an explanation yet, that´s why I brought it to the community. I would appreciate a little bit of respect when you provide an answer. thanks again