Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why splunk btool check doesn't catch erroneous com...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why splunk btool check doesn't catch erroneous comments?
There is a bit of a commotion here because we had stanzas like the below one, which throw errors in _internal. Interestingly, ./splunk btool check doesn’t catch it, which makes it difficult to detect it automatically.
[monitor:///<path>]
disabled=0
ignoreOlderThan=7d # test
sourcetype = <sourcetype>
index=<index name>
The error is ERROR TailingProcessor - Invalid value '7d # test'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What we do to avoid this issue is to load ALL configurations into DEV system before deploying into PROD. This will include config files of inputs, props, transforms, eventtypes,tags,savedsearches
and do a restart. All errors will either be reported to console or to Splunk _internal. We have searches to captures these errors and compare with previous releases.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wow, very elaborate process @koshyk ; -)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Our SE said -
It’s out of scope of the tool.
What btool does is pretty simple under the covers. We have in our configuration files .spec files. .spec files define what values can and cannot be loaded into Splunk. The definitions here are pretty simple. Usually it’s something like.
[stanza1]
setting1 = string
setting2 = blob
setting3 = int
setting4 = string
When you run btool, we’re taking all the configurations that will be loaded into Splunk and checking if the stanza and setting combination are valid and if the type of value you’ve given is of the type defined.
In your example, Splunk has loaded a valid config like this
[monitor://] : ignoreOlderThan : = : string
Btool doesn’t have the capability of checking any more than that. For that you’d need a “fuzzing” tool or “debugger” in programming terminology. I’m not aware of any for Splunk specifically though.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
