Splunk Search
Highlighted

Why splunk btool check doesn't catch erroneous comments?

Ultra Champion

There is a bit of a commotion here because we had stanzas like the below one, which throw errors in _internal. Interestingly, ./splunk btool check doesn’t catch it, which makes it difficult to detect it automatically.

[monitor:///<path>]
disabled=0
ignoreOlderThan=7d   # test
sourcetype = <sourcetype>  
index=<index name>

The error is ERROR TailingProcessor - Invalid value '7d # test'

0 Karma
Highlighted

Re: Why splunk btool check doesn't catch erroneous comments?

Ultra Champion

Our SE said -

It’s out of scope of the tool.

What btool does is pretty simple under the covers. We have in our configuration files .spec files. .spec files define what values can and cannot be loaded into Splunk. The definitions here are pretty simple. Usually it’s something like.

[stanza1]
setting1 = string
setting2 = blob
setting3 = int
setting4 = string

When you run btool, we’re taking all the configurations that will be loaded into Splunk and checking if the stanza and setting combination are valid and if the type of value you’ve given is of the type defined.

In your example, Splunk has loaded a valid config like this

[monitor://] : ignoreOlderThan : = : string

Btool doesn’t have the capability of checking any more than that. For that you’d need a “fuzzing” tool or “debugger” in programming terminology. I’m not aware of any for Splunk specifically though.

0 Karma
Highlighted

Re: Why splunk btool check doesn't catch erroneous comments?

Super Champion

What we do to avoid this issue is to load ALL configurations into DEV system before deploying into PROD. This will include config files of inputs, props, transforms, eventtypes,tags,savedsearches

and do a restart. All errors will either be reported to console or to Splunk _internal. We have searches to captures these errors and compare with previous releases.

Highlighted

Re: Why splunk btool check doesn't catch erroneous comments?

Ultra Champion

Wow, very elaborate process @koshyk ; -)

0 Karma