From Splunk Wiki


How to use btool to diagnose problems with your Splunk Applications

Occasionally, configuration files interact in unexpected ways, which can make Splunk behave oddly. You might notice that your data is not going into the right index, that your transforms aren't being applied as you defined them, or that search results are generally inconsistent.

The cause may be that the configurations (formerly called "bundles") for two or more Splunk Applications are not being applied in the order you would like. To troubleshoot this, use show config, a wrapped version of the btool utility that is included with the Splunk CLI. It shows the values Splunk is actually reading in and using for each setting in each stanza. To use show config:

1. Log into the CLI.

2. Type splunk show config [config file name]

Splunk prints to the screen all the configuration settings it is actually using. You can pipe the output to less, or direct it to a file by appending the filename to the command.

Generally, you will want to start with inputs.conf so you can see what settings Splunk is using. Once you've located the issue, you can then move on and run the same command on props.conf, then perhaps transforms.conf to troubleshoot further.
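One way to check the "data not going into the right index" symptom against saved show config output for inputs.conf. This is an added example, not part of the original wiki page or of Splunk itself; it assumes the output uses the usual .conf layout ([stanza] lines followed by key = value lines) and that "main" is the index used when none is set, and the stanza names, index names and function names are constructed for illustration.

```python
import re

STANZA = re.compile(r"^\[(.*)\]$")
SETTING = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")

def parse_effective_config(text):
    """Return {stanza: {key: value}} from .conf-style text (assumed layout)."""
    stanzas = {"default": {}}
    current = stanzas["default"]  # settings before any stanza are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        m = SETTING.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return stanzas

def index_mismatches(stanzas, expected, fallback="main"):
    """List (stanza, wanted, effective) where the effective index differs.
    effective is None when the stanza is absent from the output."""
    default_index = stanzas["default"].get("index", fallback)
    findings = []
    for name, wanted in expected.items():
        if name not in stanzas:
            findings.append((name, wanted, None))
            continue
        effective = stanzas[name].get("index", default_index)
        if effective != wanted:
            findings.append((name, wanted, effective))
    return findings

# Constructed sample standing in for the saved output of the inputs.conf check.
SAMPLE = """[default]
host = web01
index = main
[monitor:///var/log/secure]
index = os_security
[monitor:///var/log/app/audit.log]
sourcetype = app_audit
"""
# Constructed map of where each input is supposed to land.
EXPECTED = {"monitor:///var/log/secure": "os_security",
            "monitor:///var/log/app/audit.log": "app_audit",
            "monitor:///var/log/messages": "os"}

if __name__ == "__main__":
    for stanza, wanted, got in index_mismatches(parse_effective_config(SAMPLE), EXPECTED):
        print(f"{stanza}: wanted index={wanted}, effective={got or 'stanza missing'}")
```

The same parser can be pointed at saved props.conf or transforms.conf output to compare other settings stanza by stanza.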
