Splunk® Enterprise

Troubleshooting Manual

Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Use btool to troubleshoot configurations

The Splunk Enterprise configuration file system supports many overlapping configuration files in many different locations. How these configuration files interact with and take precedence over one another is described in Configuration file precedence in the Admin Manual. This flexibility can make it hard to figure out exactly which configuration value Splunk Enterprise is using.

To help you out, Splunk provides btool. This is a command line tool that can help you troubleshoot configuration file issues or see what values are being used by your Splunk Enterprise installation.

Btool displays merged on-disk configurations. That is, btool shows you the merged settings in the .conf files. It does not necessarily show you what Splunk software is currently using. So for example if you edit a .conf file and do not restart (and the edit requires a restart), btool reports the newly edited settings rather than the settings that are currently being used. To view current in-memory configurations, query the REST endpoint /services/properties/.

Note: btool is not officially supported by Splunk. That said, it is what our Support team uses when trying to troubleshoot your issues.

Investigate configuration values of your entire Splunk software instance

You can run btool to see all the configuration values in use by your Splunk software instance.

From $SPLUNK_HOME/bin type:

./splunk cmd btool <conf_file_prefix> list

where <conf_file_prefix> is the name of the configuration file you're interested in (minus the .conf extension). The list literal specifies that you want to list the options.

For example, to see what settings transforms.conf is using, type:

./splunk cmd btool transforms list

You probably want to send the results of btool into a text file that you can peruse then delete, like this:

./splunk cmd btool transforms list > /tmp/transformsconfigs.txt

or if not to a file, at least pipe to grep like this:

./splunk cmd btool server list --debug | grep '\['

which determines which server.conf stanzas are being recognized.

Redirecting the output to a file is handy for all use cases of btool, but for simplicity we'll only explicitly mention it this once.

Investigate configuration values in one app

You can also run btool for a specific app in your Splunk instance. It lists all the configuration values in use by that app for a given configuration file.

To run btool, go to $SPLUNK_HOME/bin and type:

./splunk cmd btool --app=<app_name> <conf_file_prefix> list

where <app_name> is the name of the app you want to see the configurations for.

For example, if you want to know what configuration options are being used in props.conf by the Search app, type:

./splunk cmd btool --app=search props list

This returns a list of the props.conf settings currently being used for the Search app.

The app name is not required. In fact, it is often a good idea not to specify the app when using btool. In the case of btool, insight into all of your configurations can be helpful.

Learn where configuration values come from

Another thing you can do with btool is find out from which specific app Splunk is pulling its configuration parameters for a given configuration file. To do this, add the --debug flag to btool like in this example for props.conf:

./splunk cmd btool props list --debug

Read about btool syntax in Command line tools for use with Support.

Check for typos in stanza and setting names

There is a conf checker that runs on "splunk start". You can manually invoke it with the following command: 

./splunk cmd btool check

Any typos are printed to stdout. The cmd is optional.

For example, say your local indexes.conf has an incorrectly capitalized setting like the following: 

$ cat $SPLUNK_HOME/etc/system/local/indexes.conf
[hello]
#This should be capitalized "homePath".
homepath = $SPLUNK_DB/hello/db

The command and its output look like the following: 

$ splunk btool check
 Possible typo in stanza [hello] in /opt/splunk/etc/system/local/indexes.conf, line 3: homepath  =  $SPLUNK_DB/hello/db

Additional resources

Watch a video on using btool to troubleshoot configuration issues by a Splunk Support engineer.


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using btool.

Last modified on 06 February, 2020
Determine which version of Splunk Enterprise you're running   Splunk on Splunk app

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters