Admin Manual

 



Command line tools for use with Support's direction

This documentation does not apply to the most recent version of Splunk.


Caution: DO NOT use these commands without consulting Splunk Support first.

cmd

btool

Command-line modification and listing of bundles.

Syntax

Add

./splunk cmd btool [--app=app_name] conf_file_prefix add

Delete

./splunk cmd btool --app=app_name --user=user_name conf_file_prefix delete stanza_name [attribute_name]

List

./splunk cmd btool [--app=app_name] conf_file_prefix list [stanza_prefix]

btprobe

Queries the fishbucket for file records stored by tailing.

Note: You must specify either -d <dir> or --compute-crc <file>

There are 2 possible ways to invoke this tool:

1. btprobe [-h or --help] -d <btree directory> [-k <hex key OR ALL> | --file <filename>] [--salt <salt>] [--validate]

This method queries the specified BTree for the specified record. You can specify a CRC directly as the key, or supply a file and the CRC will be computed from it.

  • If you specify --validate, it will run a BTree validation to look for errors.
  • If you specify --salt, it will salt the CRC when the --file parameter is specified.

2. btprobe [-h or --help] --compute-crc <filename> [--salt <salt>]

This method computes a CRC from the specified file, and salts it if --salt is specified.

  • Example: btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db -k 0xe8d117ddba85e714 --validate
  • Example: btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/inputfile --salt SOME_SALT
  • Example: btprobe --compute-crc /var/log/inputfile --salt SOME_SALT

classify

The "splunk train sourcetype" CLI command calls classify. To call it directly use:

$SPLUNK_HOME/bin/splunk cmd classify path/to/myfile mysourcetypename 

gzdumper

locktest

locktool

./splunk cmd locktool

Usage :

lock : [-l | --lock ] [dirToLock] <timeOutSecs>

unlock [-u | --unlock ] [dirToUnlock] <timeOutSecs>

Acquires and releases locks in the same manner as splunkd. If you write an external script to copy db buckets in and out of indexes, you should acquire locks on the db, colddb, and thaweddb directories while you are modifying them, and release the locks when you are done.
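The lock, modify, unlock sequence described above, as an added shell example that is not part of the original Splunk documentation. It assumes locktool exits non-zero when it cannot acquire or release a lock; the function names, LOCK_TIMEOUT, and the return codes 75 and 76 are hypothetical.

```shell
#!/bin/sh
# Added example (not Splunk's code): hold a locktool lock around a bucket copy.
# Assumption: locktool exits non-zero when it cannot lock or unlock.

LOCK_TIMEOUT="${LOCK_TIMEOUT:-30}"   # seconds, passed as <timeOutSecs>

# Thin wrapper so the real tool is invoked the way the page documents it.
locktool() {
    "$SPLUNK_HOME/bin/splunk" cmd locktool "$@"
}

# with_dir_lock <dir> <command> [args...]
# Locks <dir>, runs the command, always unlocks, returns the command's status.
with_dir_lock() {
    local dir="$1" status=0
    shift
    # If the lock cannot be acquired, do not touch the directory at all.
    if ! locktool --lock "$dir" "$LOCK_TIMEOUT"; then
        echo "could not lock $dir; leaving it untouched" >&2
        return 75
    fi
    # '|| status=$?' keeps a failing command from aborting under 'set -e'
    # before the lock is released.
    "$@" || status=$?
    # Release even when the command failed, so splunkd is not left blocked.
    if ! locktool --unlock "$dir" "$LOCK_TIMEOUT"; then
        echo "WARNING: failed to unlock $dir" >&2
        if [ "$status" -eq 0 ]; then status=76; fi
    fi
    return "$status"
}

# copy_bucket_in <bucket_dir> <index_dir>
# Copies one bucket directory into db, colddb or thaweddb while holding the lock.
copy_bucket_in() {
    with_dir_lock "$2" cp -R "$1" "$2/"
}
```

A caller checks the return status of copy_bucket_in: 75 means the directory was never modified, and 76 means the copy succeeded but the lock may still be held.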

parsetest

pcregextest

regextest

searchtest

signtool

Sign

./splunk cmd signtool [-s | --sign] [<dir to sign>]

Verify

./splunk cmd signtool [-v | --verify] [<dir to verify>]

Using logging configuration at /Applications/splunk/etc/log-cmdline.cfg.

Allows verification and signing of Splunk index buckets. If you have signing set up in a cold-to-frozen script, signtool allows you to verify the signatures of your archives.

tsidxprobe

tsidxprobe examines your index files (.tsidx) and verifies that they meet the necessary format requirements. It should also identify any files that are potentially causing a problem.

Go to the $SPLUNK_HOME/bin directory and run "source setSplunkEnv".

Then use tsidxprobe to look at each of your index files with this little script you can run from your shell (this works with bash):

  • find "$SPLUNK_DB" | grep tsidx | while IFS= read -r i; do tsidxprobe "$i" >> tsidxprobeout.txt; done

(If you've changed the default datastore path, then this should be in the new location.)

The file tsidxprobeout.txt will contain the results from your index files. You should be able to gzip this and attach it to an email and send it to Splunk Support.

tsidx_scan.py

(4.2.2+) This utility script searches for tsidx files at a specified starting location, runs tsidxprobe for each one, and outputs the results to a file.

From $SPLUNK_HOME/bin, call it like this:

splunk cmd python tsidx_scan.py [path]

Example:

splunk cmd python tsidx_scan.py /opt/splunk/var/lib/splunk

If you omit the optional path, the scan starts at $SPLUNK_DB.

The output is written to the file tsidxprobe.YYYY-MM-DD.txt in the current directory.

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2.

