btool app line breaking issues

Anyone else having issues when testing the btool app on a UF where the events are single line and not merged by stanza? I am having no luck using BREAK_ONLY_BEFORE = \[
Current default props.conf:
[source::*/bin/btool.sh*]
DATETIME_CONFIG = CURRENT
BREAK_ONLY_BEFORE = ^.*?\/etc\/(apps|system|slave-apps)\/(?:(.*?)\/)?(default|local)\/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]$
[splunk:config:btool:app]
EXTRACT-btool = (?<SPLUNK_HOME>.*?)/etc/(?<app_folder>apps|master-apps|slave-apps)/(?<app>[^/]*)/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+)\]
# hack for sourcetype wildcards
# c.f https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...
# c.f. SPL-117030
[(?::){0}splunk:config:btool:*]
EXTRACT-btool = etc/((apps|master-apps|slave-apps)/)?[^/]+/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]

Did you find any solution? I don't see why this isn't working properly.

If the events are single-line then you should be using the default LINE_BREAKER.
Also, if you are pulling in the output from btool, then be aware that there are some GREAT apps out there that help you to do this:

config quest would be amazing if it was for universal forwarders. My question above is for the Btool Scripted Inputs for Splunk.

URL for what you are doing? Several of us have no clue for context.

I am trying to find out what servers have local inputs.conf files that are not being pushed out from our deployment server. I would like to use something like the btool app so we can grab the stanzas and wrap them up into a deployment app, then have the server admins remove the local inputs.conf configs.

Give this a try
[source::*/bin/btool.sh*]
DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=.*?\/etc\/(apps|system|slave-apps))


How are you running btool? What output are you expecting?
If this reply helps you, Karma would be appreciated.

With the btool app, it's using scripts called from inputs.conf.
################################
# Btool Scripted Input
################################
[script://./bin/btool.sh inputs]
interval = 140
sourcetype = splunk:config:btool:inputs
disabled = 0
index = test
[script://./bin/btool.sh outputs]
interval = 140
sourcetype = splunk:config:btool:outputs
disabled = 0
index = test
[script://./bin/btool.sh app]
interval = 140
sourcetype = splunk:config:btool:app
disabled = 0
index = test
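
The grouping that the first post's BREAK_ONLY_BEFORE pattern is meant to produce, applied offline to the audit described later in the thread (finding stanzas that carry settings from a local directory). This is an added example, not code from the thread or from the Btool app; the sample output is constructed, the per-line path prefix is an assumed `btool --debug` layout, and `merge_by_stanza` and `local_settings` are hypothetical names.

```python
import re

# The thread's BREAK_ONLY_BEFORE pattern with named groups in Python's
# (?P<name>...) syntax: a new event starts at every stanza header line.
STANZA_HEADER = re.compile(
    r"^.*?/etc/(apps|system|slave-apps)/(?:(.*?)/)?(default|local)/"
    r"(?P<file>\w+\.conf)\s+\[(?P<stanza>.+?)\]$")
# Assumed btool --debug layout: each line begins with the file it came from.
LINE_ORIGIN = re.compile(r"^(?P<path>\S+/(?P<layer>default|local)/\w+\.conf)\s")

# Constructed sample output, not taken from a real forwarder.
SAMPLE = """\
/opt/splunkforwarder/etc/apps/TA-example/local/inputs.conf     [monitor:///var/log/secure]
/opt/splunkforwarder/etc/apps/TA-example/local/inputs.conf     index = os
/opt/splunkforwarder/etc/system/default/inputs.conf            host = $decideOnStartup
/opt/splunkforwarder/etc/apps/deployed_inputs/default/inputs.conf [monitor:///var/log/messages]
/opt/splunkforwarder/etc/apps/deployed_inputs/default/inputs.conf index = os
/opt/splunkforwarder/etc/system/local/inputs.conf              [default]
/opt/splunkforwarder/etc/system/local/inputs.conf              host = web01
"""


def merge_by_stanza(text):
    """Group lines into events, opening a new event at each stanza header."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        header = STANZA_HEADER.match(line)
        if header or not events:  # lines before any header form their own event
            events.append({"stanza": header.group("stanza") if header else None,
                           "lines": []})
        events[-1]["lines"].append(line)
    return events


def local_settings(events):
    """Map each stanza to the local/ files that contribute a line to it."""
    findings = {}
    for event in events:
        for line in event["lines"]:
            origin = LINE_ORIGIN.match(line)
            if origin and origin.group("layer") == "local":
                findings.setdefault(event["stanza"], set()).add(origin.group("path"))
    return {stanza: sorted(paths) for stanza, paths in findings.items()}


if __name__ == "__main__":
    for stanza, paths in local_settings(merge_by_stanza(SAMPLE)).items():
        print(f"[{stanza}] has local settings in: {', '.join(paths)}")
```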
