Splunk Enterprise

Is there any script to lint and validate splunk config?

muebel
SplunkTrust
SplunkTrust

Do any of you use (or know of) any scripts that look at splunk configuration and point out errors, or otherwise allow for a framework to do some sanity checking? This is a fairly open question, and I'd also love any ideas for what kind of things you'd like to see in such a script.

Labels (2)
0 Karma
1 Solution

tscroggins
Influencer

@muebel 

btool includes a "check" command, which I believe does simple .conf.spec validation, similar to Splunk startup.

AppInspect includes various checks.

The official Visual Studio Code Extension for Splunk includes .conf linting. I've not used it, so I can't comment on its quality or accuracy.

How deep down the lint rabbit hole do you plan to go? It's perhaps too late to break PC-lint's continuously advertised software record. 😉 (I do miss Dr. Dobb's Journal.)

View solution in original post

haraksin
Path Finder

I usually use a combination of the .conf VSCode linter that others have suggested for writing, and then upon committing I have AppInspect and the Splunk Packaging Tool run for my apps, and this keeps them bug free and knowing that I will pass cloud verification. I will also drop these since I wrote them and am biased, but I use them myself for writing SPL in VSCode: Splunk Search Syntax Highlighter Extension  and Splunk Search Autocompletion Tool 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

@muebel - How about btool?

./splunk btool check

tscroggins
Influencer

@muebel 

btool includes a "check" command, which I believe does simple .conf.spec validation, similar to Splunk startup.

AppInspect includes various checks.

The official Visual Studio Code Extension for Splunk includes .conf linting. I've not used it, so I can't comment on its quality or accuracy.

How deep down the lint rabbit hole do you plan to go? It's perhaps too late to break PC-lint's continuously advertised software record. 😉 (I do miss Dr. Dobb's Journal.)

muebel
SplunkTrust
SplunkTrust

hmm it appears that check doesn't work when also using the --dir flag

0 Karma

muebel
SplunkTrust
SplunkTrust

with some help from @mmccul in slack I was able to figure this out.

btool is expecting a specific directory structure, and is looking for the spec files to be found in `system/README` from what is specified as the `--dir` target.

It also only looks in directories named like the normal config directories ( apps, master-apps etc)

Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...