Hi,
I have savedsearches like:
dev_sudo
dev_sudo mod
dev_sudo mod2
How do I dump the first with btool?
If I use splunk cmd btool savedsearches list dev_sudo, I get all three results. I need to dump only the exact match.
If somebody needs it, something like this should work:
| sed 's/^[^ ]\+ \+//g' | tr '\n' '~' | sed 's/^\(\[[^\[]\+\).*/\1/g' | tr '~' '\n'
It assumes that the exact match will be first.
I like grep -P
-P, --perl-regexp
Interpret the pattern as a Perl-compatible regular expression (PCRE).
splunk cmd btool savedsearches list | grep -P "dev_sudo$"
and if you are only looking to scrape the matching regex...
-o, --only-matching
Print only the matched (non-empty) parts of a matching line, with each such part on a separate output line.
splunk cmd btool savedsearches list | grep -Po "dev_sudo$"
I'm not sure you can. The help for btool says " btool [options] CONF_FILE {list|layer|add|delete} [stanzaPrefix]", which tells me btool adds an implicit "*" to the last argument. For example, "splunk btool savedsearches list dev_sudo*".
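An added example, not part of the original thread: a filter that keeps only the stanza whose header is exactly [dev_sudo], comparing the header as a literal string so the other dev_sudo stanzas that btool also returns are dropped wherever they appear. The function names exact_stanza and sample_output are hypothetical, the sample output is constructed, and the filter assumes btool is run without --debug so that stanza headers start in column 0.

```shell
# Added example: read `splunk cmd btool <conf> list` output (without --debug)
# on stdin and print only the stanza whose header is exactly [NAME].
exact_stanza() {
    # Pass the name through the environment so awk does not interpret
    # backslashes or regex metacharacters in it.
    STANZA="$1" awk '
        BEGIN { want = "[" ENVIRON["STANZA"] "]" }
        # A stanza header starts in column 0 with "[" and ends with "]".
        # Literal string comparison: "[dev_sudo mod]" does not match "[dev_sudo]".
        /^\[.*\]$/ { inside = ($0 == want) }
        inside { print }
    '
}

# Constructed sample of btool output for the three searches in the question.
sample_output() {
    cat <<'EOF'
[dev_sudo]
cron_schedule = */5 * * * *
search = index=os sudo
[dev_sudo mod]
search = index=os sudo mod
[dev_sudo mod2]
search = index=os sudo mod2
EOF
}

# Usage against a live instance:
#   splunk cmd btool savedsearches list dev_sudo | exact_stanza dev_sudo
```

Unlike the sed pipeline, this does not depend on the exact match being listed first; a multi-line setting whose continuation line happens to look like a header would still be treated as one.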