Command line tools for use with Support
This topic describes CLI tools that help with troubleshooting Splunk. Most of these tools are invoked through the Splunk CLI command "cmd". Do not use these tools without first consulting Splunk Support.
For general information about using the CLI in Splunk, see "Get help with the CLI" in the Admin Manual.
cmd
Runs the specified utility in $SPLUNK_HOME/bin with the required environment variables preset.
To see which environment variables will be set, run "splunk envvars".
Examples:
./splunk cmd btool inputs list
./splunk cmd /bin/ls
Syntax: cmd <command> [parameters...]
Objects: None
Required Parameters: None
Optional Parameters: None
btool
View or validate Splunk configuration files, taking into account configuration file layering and user/app context.
Syntax:
btool <CONF_FILE> list [options]
btool check [options]
Objects: None
Required Parameters: None
Optional Parameters:
--user=SPLUNK_USER  View the configuration data visible to the given user
--app=SPLUNK_APP    View the configuration data visible from the given app
--dir=DIR           Read configuration data from the given absolute path instead of $SPLUNK_HOME/etc
--debug             Print and log extra debugging information
Examples:
List: ./splunk cmd btool [--app=app_name] conf_file_prefix list [stanza_prefix]
Add: ./splunk cmd btool [--app=app_name] conf_file_prefix add
Delete: ./splunk cmd btool --app=app_name --user=user_name conf_file_prefix delete stanza_name [attribute_name]
For more information, read "Use btool to troubleshoot configurations."
btprobe
Queries the fishbucket for file records stored by tailing.
Note: You must specify either -d <dir> or --compute-crc <file>.
There are two possible ways to invoke this tool:
1. btprobe [-h or --help] -d <btree directory> [-k <hex key OR ALL> | --file <filename>] [--salt <salt>] [--validate] [--reset]
This method queries the specified BTree for the given key or file.
-d Directory that contains the btree index. (Required)
-k Hex crc key or ALL to get all the keys.
--file File to compute the crc from.
(One of -k and --file must be specified.)
--validate Validate the btree to look for errors.
--salt Salt the crc if --file param is specified.
--reset Reset the fishbucket for the given key or file in the btree.
Restart splunkd (./splunk restart splunkd) to re-index the file.
2. btprobe [-h or --help] --compute-crc <filename> [--salt <salt>]
This method computes a crc from the specified file, using the given salt if any.
Examples:
./btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db -k 0xe8d117ddba85e714 --validate
./btprobe -d /opt/splunk/var/lib/splunk/fishbucket/splunk_private_db --file /var/log/inputfile --salt SOME_SALT
./btprobe --compute-crc /var/log/inputfile --salt SOME_SALT
classify
$SPLUNK_HOME/bin/splunk cmd classify <path/to/myfile> <mysourcetypename>
fsck
Diagnoses the health of your buckets and can rebuild search data as necessary.
[--hots] include hot buckets in scan
[--warms] include warm buckets in scan
[--colds] include cold buckets in scan
[--thawed] include thawed buckets in scan
[--all] include all types of buckets
[--index <index>] only scan specified index (defaults to all)
[--mode metadata] only supported mode is 'metadata'
[--verbose] display diagnostic info while scanning
[--repair] attempt to repair buckets if errors found
NOTE: --repair will only work with buckets created by Splunk version >4.2
For more information, read "How Splunk stores indexes" in the Managing Indexers and Clusters Manual.
locktest
./splunk cmd locktest
locktool
./splunk cmd locktool
Usage:
lock : [-l | --lock ] [dirToLock] <timeOutSecs>
unlock [-u | --unlock ] [dirToUnlock] <timeOutSecs>
Acquires and releases locks in the same manner as splunkd. If you write an external script to copy db buckets in and out of indexes, you should acquire locks on the db, colddb, and thaweddb directories while you are modifying them and release the locks when you are done.
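As an added example of the pattern described above (not part of the Splunk documentation), the POSIX sh functions below take locktool locks on an index's db, colddb, and thaweddb directories before copying a bucket into colddb, and release them afterwards in reverse order whether or not the copy succeeded. It assumes the argument order shown in the usage above (--lock <dir> <timeOutSecs> and --unlock <dir> <timeOutSecs>), that $SPLUNK_HOME/bin/splunk is the CLI (the SPLUNK_BIN variable overrides it), a 60-second default timeout, and an index root that contains db/, colddb/ and thaweddb/; the bucket directory name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: copy a bucket into an
# index's colddb while holding locktool locks, as the locktool section advises
# for external scripts that move buckets in and out of indexes.
# Assumptions: the CLI is $SPLUNK_HOME/bin/splunk (SPLUNK_BIN overrides it),
# locktool takes "--lock <dir> <timeOutSecs>" / "--unlock <dir> <timeOutSecs>"
# as shown in the usage above, and LOCK_TIMEOUT seconds is an acceptable wait.

SPLUNK_BIN="${SPLUNK_BIN:-${SPLUNK_HOME:-/opt/splunk}/bin/splunk}"
LOCK_TIMEOUT="${LOCK_TIMEOUT:-60}"
INDEX_DIRS="db colddb thaweddb"

# unlock_index_dirs <index_root>: release the locks in reverse order.
# Unlocking a directory that was never locked may fail; that is tolerated so a
# partial lock-up can still be cleaned up, but the failure is still reported.
unlock_index_dirs() {
    idx_root="$1"
    status=0
    for d in thaweddb colddb db; do
        "$SPLUNK_BIN" cmd locktool --unlock "$idx_root/$d" "$LOCK_TIMEOUT" || status=1
    done
    return "$status"
}

# lock_index_dirs <index_root>: lock db, colddb, thaweddb in a fixed order
# (every script should use the same order so two scripts cannot deadlock).
# If any lock cannot be taken within the timeout, release whatever was taken.
lock_index_dirs() {
    idx_root="$1"
    for d in $INDEX_DIRS; do
        if ! "$SPLUNK_BIN" cmd locktool --lock "$idx_root/$d" "$LOCK_TIMEOUT"; then
            echo "could not lock $idx_root/$d within ${LOCK_TIMEOUT}s; releasing" >&2
            unlock_index_dirs "$idx_root"
            return 1
        fi
    done
}

# copy_bucket_locked <index_root> <bucket_dir>: lock, copy, unlock.
# The unlock runs even when cp fails, and a failed unlock also fails the call.
copy_bucket_locked() {
    idx_root="$1"
    bucket="$2"
    lock_index_dirs "$idx_root" || return 1
    rc=0
    cp -R "$bucket" "$idx_root/colddb/" || rc=1
    unlock_index_dirs "$idx_root" || rc=1
    return "$rc"
}

# Usage: sh bucket_copy.sh <index_root> <bucket_dir>
# e.g.   sh bucket_copy.sh /opt/splunk/var/lib/splunk/myindex /archive/db_EXAMPLE_BUCKET
if [ "$#" -eq 2 ]; then
    copy_bucket_locked "$1" "$2"
fi
```

The fixed lock order and the reverse-order release are the point: a script that locks only the directory it is writing to, or that exits on a failed copy without unlocking, leaves splunkd and the next maintenance script contending for a stale lock.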
parsetest
./splunk cmd parsetest
Usage:
parsetest "<string>" ["<sourcetype>|source::<filename>|host::<hostname>"]
parsetest file <filename> ["<sourcetype>|host::<hostname>"]
Example:
parsetest "10/11/2009 12:11:13" "syslog"
parsetest file "foo.log" "syslog"
pcregextest
Simple utility tool for testing modular regular expressions.
./splunk cmd pcregextest mregex=<regex>
Usage: pcregextest mregex="query_regex" (name="subregex_value")* (test_str="string to test regex")?
Example: pcregextest mregex="[[ip:src_]] [[ip:dst_]]" ip="(?<ip>\d+[[dotnum]]{3})" dotnum="\.\d+" test_str="1.1.1.1 2.2.2.2"
That is, define the modular regex in the 'mregex' parameter, then define every subregex that 'mregex' references. Finally, you can provide a sample string to test the resulting regex against in 'test_str'.
regextest
searchtest
./splunk cmd searchtest search
signtool
Sign
./splunk cmd signtool [-s | --sign] [<dir to sign>]
Verify
./splunk cmd signtool [-v | --verify] [<dir to verify>]
Signs and verifies Splunk index buckets. If you have signing set up in a cold-to-frozen script, signtool lets you verify the signatures of your archives.
tsidxprobe
This tool inspects your time-series index files (or "tsidx files"; they have the .tsidx extension) and verifies that they meet the necessary format requirements. It should also identify any files that are potentially causing a problem.
Go to the $SPLUNK_HOME/bin directory and run "source setSplunkEnv".
Then use tsidxprobe to examine each of your index files with this short script, which you can run from your shell (it works with bash):
for i in `find $SPLUNK_DB -name '*.tsidx'`; do tsidxprobe $i >> tsidxprobeout.txt; done
(If you've changed the default datastore path, then this should be in the new location.)
The file tsidxprobeout.txt will contain the results from your index files. You should be able to gzip this and attach it to an email and send it to Splunk Support.
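The one-line loop above word-splits the output of find, so a datastore path containing spaces breaks it, and a probe that exits non-zero leaves no trace in the report. As an added example (not from the Splunk documentation), the POSIX sh function below performs the same scan while letting find hand each path to the probe as an argument and recording each probe's exit status. It assumes tsidxprobe is on PATH after "source setSplunkEnv" (the TSIDXPROBE variable overrides the command, for instance to dry-run with a stub) and defaults the start directory to $SPLUNK_DB.

```shell
#!/bin/sh
# Added example, not from the Splunk documentation: scan a datastore for
# .tsidx files and run tsidxprobe on each, writing everything to one report.
# Assumptions: tsidxprobe is on PATH after "source setSplunkEnv" (the
# TSIDXPROBE variable overrides the command), and the scan root is $SPLUNK_DB
# unless a directory is given.

# scan_tsidx <root_dir> <report_file>
# Prints the number of .tsidx files probed. Each file gets a "=== <path>"
# header in the report followed by the probe's output; a non-zero probe exit
# status is written into the report rather than lost, and paths with spaces
# survive because find passes them as arguments instead of word-splitting text.
scan_tsidx() {
    root="${1:-$SPLUNK_DB}"
    out="$2"
    probe="${TSIDXPROBE:-tsidxprobe}"
    : > "$out"
    find "$root" -type f -name '*.tsidx' -exec sh -c '
        probe="$1"; out="$2"; shift 2
        for f; do
            printf "=== %s\n" "$f" >> "$out"
            "$probe" "$f" >> "$out" 2>&1 \
                || printf "probe exit status %s for %s\n" "$?" "$f" >> "$out"
        done
    ' sh "$probe" "$out" {} +
    # Count the per-file headers; "|| true" keeps an empty scan from failing under set -e.
    grep -c '^=== ' "$out" || true
}

# Usage: sh scan_tsidx.sh [start_dir]
# e.g.   sh scan_tsidx.sh "$SPLUNK_DB"
if [ "$#" -gt 0 ]; then
    n=$(scan_tsidx "$1" tsidxprobeout.txt)
    echo "probed $n tsidx files; results in tsidxprobeout.txt"
fi
```

The resulting tsidxprobeout.txt can be gzipped and sent to Support exactly as the page describes; the "=== <path>" headers make it straightforward to grep the report for the bucket a probe complained about.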
tsidx_scan.py
(4.2.2+) This utility script searches for tsidx files at a specified starting location, runs tsidxprobe for each one, and outputs the results to a file.
From $SPLUNK_HOME/bin, call it like this:
splunk cmd python tsidx_scan.py [path]
Example:
splunk cmd python tsidx_scan.py /opt/splunk/var/lib/splunk
If you omit the optional path, the scan starts at $SPLUNK_DB.
The output is written to the file tsidxprobe.YYYY-MM-DD.txt in the current directory.
This documentation applies to the following versions of Splunk: 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 5.0, 5.0.1, 5.0.2
Comments
Requesting a sample invocation for fsck.
Thanks, Sowings! I added some info to the fsck section. For some good guidance about using fsck, see http://docs.splunk.com/Documentation/Splunk/5.0.2/Indexer/HowSplunkstoresindexes#Troubleshoot_your_buckets