cmd_filter.rst

ksconf filter

How is this different than btool?

Some of the things filter can do functionally overlap with btool list. Take for example:

ksconf filter search/default/savedsearches.conf --stanza "Messages by minute last 3 hours"

Is essentially the same as:

splunk btool --app=search savedsearches list "Messages by minute last 3 hours"

The output is the same, assuming that you didn't overwrite any part of that search in local. But if you take off the --app argument, you'll quickly see that btool is merging all the layers together to show the final value of all attributes. That is certainly a helpful thing to do, but not always what you want.

Ksconf is only going to look at the file you explicitly pointed it to. It doesn't traverse the tree on its own. This means that it works on app directory structures that live inside or outside of your Splunk instance. If you've ever tried to run btool check on an app that you haven't installed yet, then you'll understand the value of this.

In many other cases, the usage of both ksconf filter and btool differ significantly.

Examples

Lift and shift

Copy all indexes defined within a specific app.

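# Stop if SPLUNK_DB is unset or missing, so tar never runs from the wrong directory
cd "$SPLUNK_DB" || exit 1
# --brief lists only the stanza names, which here are the index names
for idx in $(ksconf filter "$SPLUNK_HOME/etc/apps/MyApp/default/indexes.conf" --brief)
do
    echo "Copy index ${idx}"
    tar -czf "/migrate/export-${idx}" "${idx}"
done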

Now you'll have a copy of all of the necessary indexes in the /migrate folder to make MyApp work on another Splunk instance. Of course, there are likely other migration tasks to consider, like copying the actual app. This is just one way ksconf can help.
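
A hardened variant of the loop above, added here as an example and not part of the ksconf documentation: stanza names read from a .conf file end up as path arguments to tar, so they are validated before use. It assumes --brief emits one stanza name per line and, like the original loop, that each index lives in a directory named after it; safe_index_names and export_indexes are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the ksconf docs). Helper names are hypothetical.
LC_ALL=C; export LC_ALL   # make [a-z] ranges ASCII-only

# Read stanza names on stdin, one per line (assumed shape of
# `ksconf filter ... --brief` output); print only plain index names.
safe_index_names() {
    while IFS= read -r name; do
        case "$name" in
            # [default] and [volume:...] hold settings, they are not indexes
            ''|default|volume:*) continue ;;
            # a leading hyphen would be parsed by tar as an option
            -*) echo "skipped (looks like an option): $name" >&2; continue ;;
            # anything outside a-z 0-9 _ - is dropped, including '/', '.' and spaces
            *[!a-z0-9_-]*) echo "skipped (unexpected characters): $name" >&2; continue ;;
        esac
        printf '%s\n' "$name"
    done
}

# usage: ksconf filter <indexes.conf> --brief | export_indexes DB_DIR OUT_DIR
export_indexes() {
    db=$1; out=$2
    safe_index_names | while IFS= read -r idx; do
        if [ ! -d "$db/$idx" ]; then
            echo "skipped (no directory under $db): $idx" >&2
            continue
        fi
        echo "Copy index ${idx}"
        # -C keeps archive member names relative to the index root
        tar -czf "$out/export-${idx}" -C "$db" "$idx"
    done
}
```

This matters most when the indexes.conf comes from an app you have not reviewed or installed yet, which is exactly the case ksconf makes easy to handle.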

Can I do the same thing with standard unix tools?

Sure, go for it!

Yes, there's significant overlap between the filter command and what you can do with grep, awk, or sed. Much of that is on purpose, and in fact some command line arguments were borrowed.

I used to do these tasks by hand, but it's easy to make mistakes. The idea of ksconf is to give you stable and reliable tools that are more suitable for .conf file work. Also keep in mind that these features are expanding much more quickly than the unix tools change.

Although, if you've had to deal with BSD vs GNU tools and tried to find a set of common arguments, then you probably already appreciate how awesome a domain-specific tool like this is.