Monitoring Splunk

btool app line breaking issues

sbattista09
Contributor

any one else having issues when testing the btool app on a UF where the events are signal line and not merged by stanza? I am having no luck using BREAK_ONLY_BEFORE = \[

Current default props.conf:

[source::*/bin/btool.sh*]
DATETIME_CONFIG = CURRENT
BREAK_ONLY_BEFORE = ^.*?\/etc\/(apps|system|slave-apps)\/(?:(.*?)\/)?(default|local)\/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]$

[splunk:config:btool:app]
EXTRACT-btool = (?<SPLUNK_HOME>.*?)/etc/(?<app_folder>apps|master-apps|slave-apps)/(?<app>[^/]*)/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+)\]


# hack for sourcetype wildcards
# c.f https://answers.splunk.com/answers/8505/is-it-possible-to-use-wildcards-in-sourcetype-props-conf-sta...
# c.f. SPL-117030
[(?::){0}splunk:config:btool:*]
EXTRACT-btool = etc/((apps|master-apps|slave-apps)/)?[^/]+/(default|local)/(?<file>\w+\.conf)\s+\[(?<stanza>.+?)\]
Tags (2)
0 Karma

cyrillefranchet
Explorer

Did you find any solution? I don't see why this isn't working properly.

0 Karma

woodcock
Esteemed Legend

If the events are single-line then you should be using the default LINE_BREAKER Also, if you are pulling in the output from btool, then be aware that there are some GREAT apps out there that help you to do this:

https://splunkbase.splunk.com/apps/#/search/btool/

0 Karma

sbattista09
Contributor

config quest would be amazing if it was for universal forwarders. My question above is for the Btool Scripted Inputs for Splunk.

0 Karma

woodcock
Esteemed Legend

URL for what you are doing? Several of us have no clue for context.

0 Karma

sbattista09
Contributor

i am trying to find out what servers have local input.conf files that are not being pushed out from our deployment server. I would like to use something like the btool app so we can grab the stanzas and wrap them up into a deployment app then, have the server admins remove the local inputs.conf configs.

0 Karma

somesoni2
Revered Legend

Give this a try

[source::*/bin/btool.sh*]
 DATETIME_CONFIG = CURRENT
 SHOULD_LINEMEREGE = false
 LINE_BREAKER= ([\r\n]+)(?<.*?\/etc\/(apps|system|slave-apps))
0 Karma

richgalloway
SplunkTrust
SplunkTrust

How are you running btool? What output are you expecting?

---
If this reply helps you, Karma would be appreciated.
0 Karma

sbattista09
Contributor

with the btool app, its using scripts called from inputs.conf.

################################
# Btool Scripted Input
################################


[script://./bin/btool.sh inputs]
interval = 140
sourcetype = splunk:config:btool:inputs
disabled = 0
index = test

[script://./bin/btool.sh outputs]
interval = 140
sourcetype = splunk:config:btool:outputs
disabled = 0
index = test

[script://./bin/btool.sh app]
interval = 140
sourcetype = splunk:config:btool:app
disabled = 0
index = test
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...