There is a bit of a commotion here because we had stanzas like the below one, which throw errors in _internal. Interestingly,
./splunk btool check doesn’t catch it, which makes it difficult to detect it automatically.
[monitor:///<path>] disabled=0 ignoreOlderThan=7d # test sourcetype = <sourcetype> index=<index name>
The error is
ERROR TailingProcessor - Invalid value '7d # test'
Our SE said -
It’s out of scope of the tool.
What btool does is pretty simple under the covers. We have in our configuration files .spec files. .spec files define what values can and cannot be loaded into Splunk. The definitions here are pretty simple. Usually it’s something like.
[stanza1] setting1 = string setting2 = blob setting3 = int setting4 = string
When you run btool, we’re taking all the configurations that will be loaded into Splunk and checking if the stanza and setting combination are valid and if the type of value you’ve given is of the type defined.
In your example, Splunk has loaded a valid config like this
[monitor://] : ignoreOlderThan : = : string
Btool doesn’t have the capability of checking any more than that. For that you’d need a “fuzzing” tool or “debugger” in programming terminology. I’m not aware of any for Splunk specifically though.
What we do to avoid this issue is to load ALL configurations into DEV system before deploying into PROD. This will include config files of inputs, props, transforms, eventtypes,tags,savedsearches
and do a restart. All errors will either be reported to console or to Splunk _internal. We have searches to captures these errors and compare with previous releases.