From Splunk Wiki


How to use btool to diagnose problems with your Splunk Applications

Occasionally, configuration files interact in unexpected ways, which can cause Splunk to behave oddly. You might notice that your data is not going into the right index, that your transforms are not being applied as you defined them, or that search results are generally inconsistent.

The cause may be that the configurations (formerly called "bundles") for two or more Splunk Applications are not being applied in the order you would like. To troubleshoot this, use the wrapped version of a utility called btool that is included with the Splunk CLI to see what values Splunk is actually reading in and using for each setting in each stanza. To use btool:

1. Log into the CLI.

2. Type splunk btool --debug [config name] list

Splunk outputs to the screen all the configuration settings currently on disk. These are not necessarily the settings in use at the time since configuration files may have been changed since the last time Splunk restarted.

NOTE: [config name] is the name of a configuration file without ".conf".

The --debug option is optional and tells btool to include the name of the configuration file in which the setting was found.

You can pipe the output through less, or direct it to a file by appending the filename to the command.

Generally, you will want to start with inputs.conf so you can see what settings Splunk is using. Once you've located the issue, you can then move on and run the same command on props.conf, then perhaps transforms.conf to troubleshoot further.
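The following is an added example, not part of the original wiki page or of Splunk itself. It reads btool --debug style output and reports each stanza whose effective settings are drawn from more than one configuration file, which is where the ordering problems described above show up. It assumes each output line is the path of the .conf file, whitespace, then the stanza header or setting, and that paths contain no spaces; the sample paths, app name and stanzas are constructed.

```shell
#!/bin/sh
# Added example. Reads `btool --debug` style output on stdin and prints every
# stanza whose effective settings come from more than one configuration file,
# together with the file that supplied each setting.
# Assumed line layout: "<path to .conf file><whitespace><[stanza] or key = value>".
mixed_stanzas() {
    awk '
    NF < 2 { next }                            # blank line or path with no payload
    {
        file = $1
        rest = $0
        sub(/^[^ \t]+[ \t]+/, "", rest)        # drop the leading file path
        if (rest ~ /^\[.*\]$/) {               # stanza header starts a new group
            stanza = rest; order[++n] = stanza; next
        }
        if (stanza == "") next                 # setting seen before any stanza
        if (!((stanza, file) in seen)) { seen[stanza, file] = 1; nfiles[stanza]++ }
        lines[stanza] = lines[stanza] "  " rest "    <- " file "\n"
    }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (nfiles[s] > 1)
                printf "%s (settings from %d files)\n%s", s, nfiles[s], lines[s]
        }
    }'
}

# Constructed sample output; paths, app name and stanzas are made up.
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/webapp/local/inputs.conf   [monitor:///var/log/httpd]
/opt/splunk/etc/system/default/inputs.conf      host = $decideOnStartup
/opt/splunk/etc/system/local/inputs.conf        index = main
/opt/splunk/etc/apps/webapp/local/inputs.conf   sourcetype = access_combined
/opt/splunk/etc/system/default/inputs.conf      [splunktcp]
/opt/splunk/etc/system/default/inputs.conf      connection_host = ip
EOF
}

sample_btool_output | mixed_stanzas
```

On a live system, pipe the command from step 2 into mixed_stanzas in place of the sample. In the sample, the index for the monitored path comes from the system local file rather than from the app that defines the input, which is the kind of override that sends data to an unexpected index.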
