btool app line breaking issues

sbattista09 · ‎06-28-2018

any one else having issues when testing the btool app on a UF where the events are signal line and not merged by stanza? I am having no luck using BREAK_ONLY_BEFORE = \[

Current default props.conf:

[source::*/bin/btool.sh*]
DATETIME_CONFIG = CURRENT
BREAK_ONLY_BEFORE = ^.*?\/etc\/(apps|system|slave-apps)\/(?:(.*?)\/)?(default|local)\/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]$

[splunk:config:btool:app]
EXTRACT-btool = (?<SPLUNK_HOME>.*?)/etc/(?<app_folder>apps|master-apps|slave-apps)/(?<app>[^/]*)/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+)\]


# hack for sourcetype wildcards
# c.f https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...
# c.f. SPL-117030
[(?::){0}splunk:config:btool:*]
EXTRACT-btool = etc/((apps|master-apps|slave-apps)/)?[^/]+/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]

cyrillefranchet · ‎10-17-2018

Did you find any solution? I don't see why this isn't working properly.

woodcock · ‎06-30-2018

If the events are single-line then you should be using the default LINE_BREAKER Also, if you are pulling in the output from btool, then be aware that there are some GREAT apps out there that help you to do this:

https://splunkbase.splunk.com/apps/#/search/btool/

sbattista09 · ‎07-02-2018

config quest would be amazing if it was for universal forwarders. My question above is for the Btool Scripted Inputs for Splunk.

woodcock · ‎07-02-2018

URL for what you are doing? Several of us have no clue for context.

sbattista09 · ‎07-16-2018

i am trying to find out what servers have local input.conf files that are not being pushed out from our deployment server. I would like to use something like the btool app so we can grab the stanzas and wrap them up into a deployment app then, have the server admins remove the local inputs.conf configs.

somesoni2 · ‎06-28-2018

Give this a try

[source::*/bin/btool.sh*]
 DATETIME_CONFIG = CURRENT
 SHOULD_LINEMEREGE = false
 LINE_BREAKER= ([\r\n]+)(?<.*?\/etc\/(apps|system|slave-apps))

richgalloway · ‎06-28-2018

How are you running btool? What output are you expecting?

---
If this reply helps you, Karma would be appreciated.

sbattista09 · ‎06-28-2018

with the btool app, its using scripts called from inputs.conf.

################################
# Btool Scripted Input
################################


[script://./bin/btool.sh inputs]
interval = 140
sourcetype = splunk:config:btool:inputs
disabled = 0
index = test

[script://./bin/btool.sh outputs]
interval = 140
sourcetype = splunk:config:btool:outputs
disabled = 0
index = test

[script://./bin/btool.sh app]
interval = 140
sourcetype = splunk:config:btool:app
disabled = 0
index = test

btool app line breaking issues

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation

btool app line breaking issues

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition