Solved: Re: How to restrict btool stanzas without wildcard...

jason0 · ‎01-04-2023

Hello,

I am using splunk 9.0.0.1, and running btool to list out my index settings. The trouble is I only want one stanza, but btool treats the stanza as a wildcard.

splunk btool --debug indexes list cisco

I get all stanza's with "cisco" in them (there are 51 of them, including "index=cisco"). how do restrict this? I only want the "cisco" index.

--jason

goncalocoelho · ‎01-09-2023

Hi,

Have you tried btool command with grep? Something like this...

splunk btool --debug indexes list | grep -A 10 "[cisco]"

-A flag will show you N lines after the string your are looking for

---
If this reply helps you, Karma would be appreciated.

View solution in original post

jason0 · ‎02-15-2023

I admit, I had hoped there was a way to do it within btool itself, but grep is always an option...

goncalocoelho · ‎01-09-2023

Hi,

Have you tried btool command with grep? Something like this...

splunk btool --debug indexes list | grep -A 10 "[cisco]"

-A flag will show you N lines after the string your are looking for

---
If this reply helps you, Karma would be appreciated.

How to restrict btool stanzas without wildcards?

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Join the Conversation

How to restrict btool stanzas without wildcards?

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4