[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
BREAK_ONLY_BEFORE_DATE = false

[source::*/access.log]
BREAK_ONLY_BEFORE_DATE = false

[source::*.log]
BREAK_ONLY_BEFORE_DATE = true

[security_log]
EXTRACT-<name> = \[(?P<user>.*?)\]
BREAK_ONLY_BEFORE_DATE = false
I know this is fairly confusing, but with practice, it will make sense. Luckily, btool, which we will cover next, makes it easier to see.
Using btool
To help preview merged configurations, we call on btool, a command-line tool that prints the merged version of configurations. The Splunk site has one of my favorite documentation notes of all time, as follows:

Note: btool is not tested by Splunk and is not officially supported or guaranteed. That said, it's what our Support team uses when trying to troubleshoot your issues.
With that warning in mind, btool has never steered me wrong. The tool has a number of functions, but the only one I have ever used is list, like so:

$SPLUNK_HOME/bin/splunk cmd btool props list
This produces 5,277 lines of output, which I won't list here. Let's list the stanza impl_splunk_gen by adding it to the end of the command line, thus:

/opt/splunk/bin/splunk cmd btool props list impl_splunk_gen

This will produce an output such as this:
[impl_splunk_gen]
ANNOTATE_PUNCT = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
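The merging that btool previews, shown as an added example (this is not code from the book or from Splunk): a small Python script that applies layers of props.conf in ascending precedence, keeps the winning value for each stanza and key, and records the file it came from, which is what btool prints next to each line when you add --debug to the list command. The layer texts, their paths and the app name impl_splunk_web are constructed for the example; the order in which Splunk ranks system and app directories is not reproduced here, so the caller passes the layers already ordered from lowest to highest precedence.

```python
"""Merge layered Splunk-style .conf stanzas the way btool's merged view does,
and record which file each winning setting came from (what
`btool props list --debug` shows). Added example, not code from the book or
from Splunk. The layer texts and paths below are constructed for the example."""

from typing import Dict, List, Tuple

Stanza = Dict[str, Tuple[str, str]]   # key -> (value, originating file)
Merged = Dict[str, Stanza]            # stanza name -> settings


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .conf body: [stanza] headers, key = value lines, '#' comments
    and blank lines. Only the first '=' splits key from value, so a regex
    value containing '=' survives intact."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"setting outside a stanza or malformed: {raw!r}")
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def merge_layers(layers: List[Tuple[str, str]]) -> Merged:
    """Merge (path, text) layers given in ascending precedence. A key set in a
    later layer overrides the same key in the same stanza from an earlier
    layer; keys that nobody overrides survive from wherever they were set.
    Ordering the layers correctly (system default, app default, app local,
    system local) is the caller's job."""
    merged: Merged = {}
    for path, text in layers:
        for name, settings in parse_conf(text).items():
            stanza = merged.setdefault(name, {})
            for key, value in settings.items():
                stanza[key] = (value, path)
    return merged


def render(merged: Merged, stanza: str, debug: bool = False) -> List[str]:
    """Produce btool-like output for one stanza, keys sorted; with debug=True
    each line is prefixed with the file the winning value came from."""
    lines = [f"[{stanza}]"]
    for key in sorted(merged.get(stanza, {})):
        value, path = merged[stanza][key]
        prefix = f"{path:<44} " if debug else ""
        lines.append(f"{prefix}{key} = {value}")
    return lines


# Constructed layers, lowest precedence first (paths and app name are made up).
LAYERS = [
    ("etc/apps/impl_splunk_web/default/props.conf", r"""
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 25
TIME_PREFIX = ^\[
TIME_FORMAT = %Y-%m-%d %H:%M:%S
TZ = UTC
BREAK_ONLY_BEFORE_DATE = false

[source::*.log]
BREAK_ONLY_BEFORE_DATE = true
"""),
    ("etc/apps/impl_splunk_web/local/props.conf", r"""
# a local override of a single key; everything else still comes from default
[web_access]
TZ = US/Eastern
"""),
    ("etc/system/local/props.conf", r"""
[web_access]
MAX_TIMESTAMP_LOOKAHEAD = 40

[security_log]
EXTRACT-user = \[(?P<user>.*?)\]
BREAK_ONLY_BEFORE_DATE = false
"""),
]


if __name__ == "__main__":
    merged = merge_layers(LAYERS)
    for stanza in ("web_access", "security_log"):
        print("\n".join(render(merged, stanza, debug=True)))
</test>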