Splunk Enterprise

Noob question about btool and conf file precedence

Nicolas2203
Explorer

Hi, first question here !

I'm new on Splunk and I have a basic question on btool.

With this command line:

    /splunk btool outputs list --debug

is the result that the first element in the (long) list is the one which is applied in case there is no outputs.conf in a deployed app on the Heavy Forwarder?

Am I right ?

Thanks

Nico


Nicolas2203
Explorer

OK thanks richgalloway and isoutamo for the help

So if I understand correctly, if no outputs.conf is defined in the app conf then:
- Splunk will use the first outputs file in the btool list, unless a default group is set?



richgalloway
SplunkTrust

As I said earlier, the output from btool is *everything* Splunk will use.  Btool has already selected the appropriate files based on what is available in apps and defaults after applying file precedence rules.

IOW, Splunk will use *all* of the outputs.conf files listed by btool, not just the first.

---
If this reply helps you, Karma would be appreciated.

Nicolas2203
Explorer

Hi richgalloway, thanks for your time,

OK I see, and in the case of an app which has no outputs.conf in it, how can I know which output will be used by this app?



richgalloway
SplunkTrust

Apps don't use configs.  Splunk uses configs specified by apps.  If an app doesn't provide a config file then another file will be used by order of precedence.  This is what btool shows us.

IOW, what you see in the btool output is what Splunk will use.

---
If this reply helps you, Karma would be appreciated.

isoutamo
SplunkTrust

Hi

#----TCP Output Global Configuration -----
# You can overwrite the global configurations specified here in the
# [tcpout] stanza in stanzas for specific target groups, as described later.
# You can only set the 'defaultGroup' and 'indexAndForward' settings
# here, at the global level.
#
# Starting with version 4.2, the [tcpout] stanza is no longer required.

[tcpout]

defaultGroup = <comma-separated list>
* A comma-separated list of one or more target group names, specified later
  in [tcpout:<target_group>] stanzas.
* The forwarder sends all data to the specified groups.
* If you don't want to forward data automatically, don't configure this setting.
* Can be overridden by the '_TCP_ROUTING' setting in the inputs.conf file, 
  which in turn can be overridden by a props.conf or transforms.conf modifier.
* Starting with version 4.2, this setting is no longer required.

Unless you have set defaultGroup to something which you have defined separately, the node doesn't send events anywhere. Of course you could define something special in inputs.conf too.

r. Ismo


richgalloway
SplunkTrust

The btool command shows *all* of the settings that will be applied the next time Splunk restarts.  It takes file precedence into account when generating the output.  The first column produced by the --debug option is the name of the file from which the setting was read.

---
If this reply helps you, Karma would be appreciated.
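To make the two points in this thread concrete (btool shows the merged result of every file after precedence, and without a defaultGroup the forwarder sends nowhere), here is an added example that is not from the thread and not Splunk's own btool. It emulates the layering in Python: it assumes the documented global-context precedence (system/default below apps/*/default below apps/*/local below system/local, with the lexicographically first app winning among apps at the same layer), a $SPLUNK_HOME/etc of /opt/splunk/etc for display only, and three constructed outputs.conf files, one of which (MyInputApp) sets no defaultGroup at all.

```python
"""Emulate how Splunk layers several outputs.conf files into the single merged
view that `splunk btool outputs list --debug` prints, then answer: where does
the forwarder actually send by default?

Added example; not Splunk's code. Assumed global-context precedence:
    system/default < apps/<app>/default < apps/<app>/local < system/local
and, among apps at the same layer, the lexicographically first app wins.
"""
import configparser

SPLUNK_ETC = "/opt/splunk/etc"  # assumed $SPLUNK_HOME/etc, used only for display

# Constructed sample outputs.conf files, keyed by path relative to $SPLUNK_HOME/etc.
SAMPLE_FILES = {
    "system/default/outputs.conf": """\
[tcpout]
maxQueueSize = auto
useACK = false
""",
    "apps/MyInputApp/default/outputs.conf": """\
# an app that ships only a tweak: no defaultGroup, no target group
[tcpout]
useACK = true
""",
    "apps/sendtoindexer/local/outputs.conf": """\
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
""",
}


def _layer_and_app(relpath):
    """Map a relative conf path to (layer number, app name); larger layer wins."""
    parts = relpath.split("/")
    if parts[0] == "system":
        return (0, "") if parts[1] == "default" else (3, "")
    app, scope = parts[1], parts[2]          # apps/<app>/<default|local>/...
    return (1, app) if scope == "default" else (2, app)


def precedence_order(paths):
    """Return paths sorted lowest precedence first, so a later file overrides."""
    by_layer = {}
    for p in paths:
        layer, app = _layer_and_app(p)
        by_layer.setdefault(layer, []).append((app, p))
    ordered = []
    for layer in sorted(by_layer):
        # Within an app layer the lexicographically first app must be applied
        # last (and therefore win), hence the reverse sort on app name.
        ordered.extend(p for _, p in sorted(by_layer[layer], reverse=True))
    return ordered


def merge_conf(files):
    """Return {stanza: {key: (value, source_path)}} after applying precedence.

    Every file contributes; a higher-precedence file only replaces the keys it
    sets, which is why btool lists settings from several files at once.
    """
    merged = {}
    for path in precedence_order(files):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str                 # Splunk keys are case-sensitive
        cp.read_string(files[path])
        for stanza in cp.sections():
            target = merged.setdefault(stanza, {})
            for key, value in cp.items(stanza):
                target[key] = (value, path)
    return merged


def btool_debug_lines(merged):
    """Render the merged view in the shape of `btool ... list --debug`:
    source file in the first column, then `key = value`."""
    lines = []
    for stanza in sorted(merged):
        lines.append(f"[{stanza}]")
        for key in sorted(merged[stanza]):
            value, path = merged[stanza][key]
            lines.append(f"{SPLUNK_ETC}/{path}  {key} = {value}")
    return lines


def effective_default_groups(merged):
    """Target groups the forwarder sends to by default, or None when no
    defaultGroup is set (then it sends nowhere unless inputs.conf supplies
    _TCP_ROUTING, which this example does not model)."""
    entry = merged.get("tcpout", {}).get("defaultGroup")
    if entry is None:
        return None
    return [g.strip() for g in entry[0].split(",") if g.strip()]


def group_servers(merged, group):
    """Indexer list for a [tcpout:<group>] stanza (empty if it is missing)."""
    entry = merged.get(f"tcpout:{group}", {}).get("server")
    if entry is None:
        return []
    return [s.strip() for s in entry[0].split(",") if s.strip()]


if __name__ == "__main__":
    merged = merge_conf(SAMPLE_FILES)
    print("\n".join(btool_debug_lines(merged)))
    groups = effective_default_groups(merged)
    if groups is None:
        print("no defaultGroup: this forwarder sends nowhere by default")
    for g in groups or []:
        print(f"defaultGroup {g} -> {group_servers(merged, g)}")
```

Running it prints one merged [tcpout] stanza whose three keys come from three different files (maxQueueSize from system/default, useACK from MyInputApp/default because an app default beats the system default, defaultGroup from sendtoindexer/local), which is exactly why the "first file in the list" is not the one that wins. Drop the sendtoindexer file from SAMPLE_FILES and effective_default_groups returns None: MyInputApp on its own routes nothing.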