Splunk Enterprise

Btools, the big brother of btool (tools, not a question)

jotne
Builder

I have seen many struggle with btool and its somewhat messy output.

So I made an updated version that makes it far better to use.  It's made as a function, so you can add it to any startup script on your Linux.

It makes use of color and sorts all settings in groups to make it easy to find your settings.
In green you see the stanza name. Yellow is each setting for the stanza. And last, in grey, is the file that holds the setting.

 

btools ()
{
# Handle input options
if [[ "$1" == "-sd" || "$1" == "-ds" ]]; then  
  opt="etc/system/default" 
  file="$2"
  stanza=""
  search="$3"
elif [[ "$1" == "-d" && "$2" == "-s" || "$1" == "-s" && "$2" == "-d" ]]; then
  opt="etc/system/default" 
  file="$3"
  stanza=""
  search="$4"
elif [[ "$1" == "-d" ]]; then
  opt="etc/system/default"
  file="$2"
  stanza="$3"
  search="$4"
elif [[ "$1" == "-s" ]]; then
  opt="none" 
  file="$2"
  stanza=""
  search="$3"
else  
  opt="none" 
  file="$1"
  stanza="$2"
  search="$3"  
fi

# If no options are given, show the options
[[ -z "$file" ]] &&  echo -e "
 btools for Splunk v3.0 Jotne
 Missing arguments!

 usage: btools [OPTION] file [STANZA] [SEARCH]
 -d    Do not show splunk default
 -s    All stanza (only needed if search is added and no stanza)
 file=splunk config file without the .conf
 [stanza] = complete stanza name or just part of it
 [search] = search phrase or part of it

 Example:
 btools server general servername
 btools web

" &&  return 1

# If options are not set, give default values
[[ -z "$stanza" ]] && stanza=".*" || stanza=".*$stanza.*"
[[ -z "$search" ]] && search=""

~/bin/splunk btool "$file" list --debug |
awk -v reset="\033[m\t" \
 -v yellow="\033[38;5;226m\t" \
 -v green="\033[38;5;46m" '                                 # set the ANSI colors used

 {sub(/\s+/,"#");split($0,p,"#")}                           # split the input: p[1]=filename, p[2]=rest of line
 p[2]~/^\[.*?\] *$/ {f=0}                                   # a stanza header resets the flag f=0
 f && tolower(p[2])~tolower(search) {                       # inside a selected stanza: keep lines matching search (all lines if search is empty)
        split(p[2],s," ")                                   # s[1] = setting name
        a[st s[1]]++                                        # count each stanza/setting pair
        if(p[1]!~opt)print green st yellow p[2] reset p[1]  # print stanza, setting and file unless the file path matches opt
        }
 p[2]~"^\\["stanza"\\]$" {f=1;st=p[2]}                      # header matches the requested stanza: set flag and remember its name
 ' stanza="$stanza" search="$search" opt="$opt"
}

 

Example:
btools server general servername
btools web

Let's say you'd like to see all your custom settings in props.conf for the stanza regarding IP 10.36.30.90
and not show any default settings (-q):
btools -q props 10.36.30.90
[Screenshot: btools.png]

Give me customer setting for index shb_ad:
btools -q indexes shb_ad
[Screenshot: btools index.png]

Homepath for the shb_ab index:
btools -q indexes shb_ad homepath
[Screenshot: btools index homepath.png]

Give me all settings for index shb_ab (includes the default settings) (PS: there are more lines than the picture shows):
btools indexes shb_ad
[Screenshot: btools index all.png]

Any suggestion to make it better is welcome 🙂


yeahnah
Motivator

Hi @jotne 

As you may be aware, the * wildcard breaks due to filename expansion (or globbing) from the calling shell, i.e. what is passed to the btools function is a list of filenames in the directory where the function is called, not the * wildcard.

This can be turned off in the shell with the set -f call (set +f to re-enable), or the more useful convention is to escape the wildcard with a backslash or wrap it in single quotes.  Standard *nix commands that use the * wildcard on the command line (e.g. find) use this convention so I think this is a more conventional *nix method than using a ¤. My US keyboard does not provide easy access to this character. 

[splunk ~]$ touch test_dummy
[splunk ~]$ btools indexes test* coldpath.maxDataSizeMB
# shell expands to test_dummy so does not work unless the * is escaped
[splunk ~]$ btools indexes test\* coldpath.maxDataSizeMB
[test_cust]     coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[splunk ~]$

[splunk@lrlskt02 ~]$ btools indexes * coldpath.maxDataSizeMB
[splunk@lrlskt02 ~]$
[splunk@lrlskt02 ~]$ btools indexes '*' coldpath.maxDataSizeMB
[_audit]        coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[_internal]     coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[_introspection]        coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[_metrics]      coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[_metrics_rollup]       coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[_telemetry]    coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[_thefishbucket]        coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[default]       coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[history]       coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[main]  coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[summary]       coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[test_cust]     coldPath.maxDataSizeMB = 0      /opt/splunk/etc/system/default/indexes.conf
[splunk@lrlskt02 ~]$



0 Karma

jotne
Builder

Thanks for your reply.  

I tried this, but it still expanded a file name. (I did see the problem with expansion, so I used a symbol on my keyboard 🙂)

 

test ()
{
set -f 
if [[ "$1" == "-q" ]]; then
  opt="etc/system/default"
  file="$2"
  stansa="$3"
  search="$4"
else
  opt="x**x#x" 
  file="$1"
  stansa="$2"
  search="$3"
fi


echo "opt=$opt"
echo "file=$file"
echo "stansa=$stansa"
echo "search=$search"
set +f
}

 


One way I see to solve it is to add another option, like
-a  (all splunk files)
btools -a <stansa> <search>

0 Karma

yeahnah
Motivator

It's the calling shell that does the file expansion first so disabling globbing inside the function (which runs in a subshell) will not work.   Here's an example that hopefully demonstrates this more clearly ...

$ mkdir empty
$ mv test.func empty/.test.func
$ cd empty
$ ls      # no files
$ ls -a   # globbing ignores hidden files 
.  ..  .test.func
$ . .test.func
$ test * 2 3   # no files so no globbling and * works 
opt=x**x#x
file=*
stansa=2
search=3
$ touch newfile
$ ls
newfile
$ test * 2 3   
opt=x**x#x
file=newfile
stansa=2
search=3
$ test \* 2 3
opt=x**x#x
file=*
stansa=2
search=3
$ set -f
$ test * 2 3
opt=x**x#x
file=*
stansa=2
search=3
$

 Agree, that using -a switch may be a cleaner way to represent all files though. 

0 Karma
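
The expansion order discussed in this thread, as an added example that is not part of any post: `show_args` is a hypothetical stand-in for btools, and the scratch directory and `test_dummy` file are constructed. It runs the same call four ways and reports what the function actually receives.

```shell
#!/bin/sh
# Added example: where pathname expansion happens relative to a function call.
# show_args is a hypothetical stand-in for btools; test_dummy is constructed.

show_args() {
    set -f                      # too late: the caller already built "$@"
    printf '%s\n' "file=$1 stanza=$2"
    set +f
}

# Run one call form inside a scratch directory that holds a single file,
# test_dummy, so an unquoted test* has something to match.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > test_dummy
        case $1 in
            unquoted)    show_args indexes test* ;;      # caller expands it
            escaped)     show_args indexes test\* ;;     # backslash keeps the *
            quoted)      show_args indexes 'test*' ;;    # quotes keep the *
            caller_setf) set -f; show_args indexes test*; set +f ;;
        esac
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Print what the function received for each call form.
for form in unquoted escaped quoted caller_setf; do
    printf '%-12s %s\n' "$form" "$(demo "$form")"
done
```

Only the unquoted form delivers `test_dummy` instead of the pattern; `set -f` helps only when it runs in the caller before the command line is expanded.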

jotne
Builder

Thanks for the explanations.

I have made an updated version where there is no need for special characters.
Also cleaned up the code some.

0 Karma