Splunk with btool for Combined Inputs.conf


Inputs not showing up in Splunk?

The other day I pointed some additional data at my Splunk Indexer but it was not showing up. I wanted to make sure I did not fat-finger something or that I did not have overlapping inputs from other apps' inputs. I found the following btool command to run when you want to find out how Splunk has combined all the inputs.conf files that it is processing.

./splunk btool inputs list

You run it from the $SPLUNK_HOME/bin folder, and it does not matter if you are on a Search Head, Indexer, DCN, or Universal Forwarder.
It outputs all the Stanzas in all the inputs.conf files in the final order they are processed in. You get to see which Stanzas won due to the folder and file precedence that Splunk uses when processing .conf files.

By the way, if you want the same information about any .conf file other than inputs.conf, just place the name of that .conf file (without the .conf extension) after btool and before list.

If you want to save the results in a file so you can slice and dice them in a text editor or sort them with Excel, use the following btool command.

./splunk btool inputs list > nameOfFile.txt

That list command will give you just the names of the Stanzas, but what if you want to know the entire path to each file that contains those Stanzas?

Use this btool command that includes the list and --debug switches.

./splunk btool inputs list --debug > nameOfFile.txt

The output gives you the full path to each .conf file of each processed Stanza.
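An added example (not from the original post) that answers the overlapping-inputs question straight from the --debug output: it lists each Stanza whose settings come from more than one .conf file, ignoring system/default. It assumes each output line is a .conf path followed by a Stanza header or key = value pair and that paths contain no spaces; the function names, app names and sample lines are constructed.

```shell
#!/bin/sh
# Reads `./splunk btool inputs list --debug` output on stdin and prints every
# stanza whose settings are contributed by more than one .conf file.
# Assumption: "<path to .conf><whitespace><stanza header or key = value>" per
# line, with no spaces inside the path.
overlapping_stanzas() {
    awk '
        # Skip blank lines and anything that does not start with a .conf path.
        $1 !~ /\.conf$/ { next }
        {
            file = $1
            rest = $0
            sub(/^[^ \t]+[ \t]+/, "", rest)   # drop the path column
        }
        # A new stanza header starts a new group of settings.
        rest ~ /^\[.*\]$/ { stanza = rest; next }
        # Shipped defaults are merged into every stanza; do not count them.
        file ~ /\/etc\/system\/default\// { next }
        stanza != "" && !seen[stanza, file]++ {
            count[stanza]++
            files[stanza] = files[stanza] " " file
        }
        END {
            for (s in count)
                if (count[s] > 1) print s ":" files[s]
        }
    ' | sort
}

# Constructed sample of --debug output (hypothetical apps app_a, app_b, app_c).
sample_debug_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/app_a/local/inputs.conf   [monitor:///var/log/secure]
/opt/splunk/etc/system/default/inputs.conf     _rcvbuf = 1572864
/opt/splunk/etc/apps/app_a/local/inputs.conf   disabled = 0
/opt/splunk/etc/apps/app_b/local/inputs.conf   index = os_linux
/opt/splunk/etc/apps/app_a/local/inputs.conf   sourcetype = linux_secure
/opt/splunk/etc/apps/app_c/local/inputs.conf   [monitor:///var/log/nginx/access.log]
/opt/splunk/etc/system/default/inputs.conf     _rcvbuf = 1572864
/opt/splunk/etc/apps/app_c/local/inputs.conf   index = web
EOF
}

# Against a real instance: ./splunk btool inputs list --debug | overlapping_stanzas
sample_debug_output | overlapping_stanzas
```

In the sample, app_b silently sets the index for a monitor Stanza that app_a defines, which is the kind of overlap that sends data somewhere you are not searching.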

It is a lot of data about those little old Stanzas that mean so much to Splunk and the data you send its way.

Try btool for props.conf and transforms.conf; it will help provide even more insight into your data, and that is what it is all about.

Here is the link to the Splunk>docs btool page.

Here is the link to a great Splunk Blog page about btool

Author: Logan Bingham

Designing IT solutions for 20 years.
