Databases Reference
In-Depth Information
... truncated ...
LINE_BREAKER_LOOKBEHIND = 100
LOOKUP-lookupusers = userslookup user AS user OUTPUTNEW
MAX_DAYS_AGO = 2000
... truncated ...
TRUNCATE = 10000
TZ = UTC
maxDist = 100
Our configuration file at
$SPLUNK_HOME/etc/apps/
ImplementingSplunkDataGenerator/local/props.conf
contains only the
following lines:
[impl_splunk_web]
LOOKUP-web_section = flatten_summary_lookup url AS url OUTPUTNEW
EXTRACT-url = \s[A-Z]+\s(?P<url_from_app_local>.*?)\s
EXTRACT-foo = \s[A-Z]+\s(?P<url_from_app>.*?)\s
So where did the rest of this configuration come from? With the use of the
--debug
flag, we can get more details.
/opt/splunk/bin/splunk cmd btool props list impl_splunk_gen --debug
This produces the following query:
Implementi [impl_splunk_gen]
system ANNOTATE_PUNCT = True
system BREAK_ONLY_BEFORE =
system BREAK_ONLY_BEFORE_DATE = True
... truncated ...
system LINE_BREAKER_LOOKBEHIND = 100
Implementi LOOKUP-lookupusers = userslookup user AS user OUTPUTNEW
system MAX_DAYS_AGO = 2000
... truncated ...
system TRUNCATE = 10000
Implementi TZ = UTC
system maxDist = 100
The first column, though truncated, tells us what we need to know. The vast majority
of these lines are defined in
system
, most likely in
system/default/props.conf
.
The remaining items from our file are labeled
Implementi
, which is the beginning
of our app directory,
ImplementingSplunkDataGenerator
.
If you ever have a question about where some setting is coming from,
btool
will
save you a lot of time. Also, check out the app
Splunk on Splunk
at Splunkbase for
access to
btool
from the Splunk web interface.
Search WWH ::
Custom Search