Monitoring Splunk

btool app line breaking issues

sbattista09
Contributor

any one else having issues when testing the btool app on a UF where the events are signal line and not merged by stanza? I am having no luck using BREAK_ONLY_BEFORE = \[

Current default props.conf:

[source::*/bin/btool.sh*]
DATETIME_CONFIG = CURRENT
BREAK_ONLY_BEFORE = ^.*?\/etc\/(apps|system|slave-apps)\/(?:(.*?)\/)?(default|local)\/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]$

[splunk:config:btool:app]
EXTRACT-btool = (?<SPLUNK_HOME>.*?)/etc/(?<app_folder>apps|master-apps|slave-apps)/(?<app>[^/]*)/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+)\]


# hack for sourcetype wildcards
# c.f https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...
# c.f. SPL-117030
[(?::){0}splunk:config:btool:*]
EXTRACT-btool = etc/((apps|master-apps|slave-apps)/)?[^/]+/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]
Tags (2)
0 Karma

cyrillefranchet
Explorer

Did you find any solution? I don't see why this isn't working properly.

0 Karma

woodcock
Esteemed Legend

If the events are single-line then you should be using the default LINE_BREAKER Also, if you are pulling in the output from btool, then be aware that there are some GREAT apps out there that help you to do this:

https://splunkbase.splunk.com/apps/#/search/btool/

0 Karma

sbattista09
Contributor

config quest would be amazing if it was for universal forwarders. My question above is for the Btool Scripted Inputs for Splunk.

0 Karma

woodcock
Esteemed Legend

URL for what you are doing? Several of us have no clue for context.

0 Karma

sbattista09
Contributor

i am trying to find out what servers have local input.conf files that are not being pushed out from our deployment server. I would like to use something like the btool app so we can grab the stanzas and wrap them up into a deployment app then, have the server admins remove the local inputs.conf configs.

0 Karma

somesoni2
Revered Legend

Give this a try

[source::*/bin/btool.sh*]
 DATETIME_CONFIG = CURRENT
 SHOULD_LINEMEREGE = false
 LINE_BREAKER= ([\r\n]+)(?<.*?\/etc\/(apps|system|slave-apps))
0 Karma

richgalloway
SplunkTrust
SplunkTrust

How are you running btool? What output are you expecting?

---
If this reply helps you, Karma would be appreciated.
0 Karma

sbattista09
Contributor

with the btool app, its using scripts called from inputs.conf.

################################
# Btool Scripted Input
################################


[script://./bin/btool.sh inputs]
interval = 140
sourcetype = splunk:config:btool:inputs
disabled = 0
index = test

[script://./bin/btool.sh outputs]
interval = 140
sourcetype = splunk:config:btool:outputs
disabled = 0
index = test

[script://./bin/btool.sh app]
interval = 140
sourcetype = splunk:config:btool:app
disabled = 0
index = test
0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...