List of monitors:
$ splunk list monitor
Monitored Directories:
$SPLUNK_HOME/var/log/introspection
    /Applications/Splunk/var/log/introspection/disk_objects.log
    /Applications/Splunk/var/log/introspection/http_event_collector_metrics.log
    /Applications/Splunk/var/log/introspection/kvstore.log
    /Applications/Splunk/var/log/introspection/resource_usage.log
$SPLUNK_HOME/var/log/splunk
    /Applications/Splunk/var/log/splunk/audit.log
    /Applications/Splunk/var/log/splunk/btool.log
    /Applications/Splunk/var/log/splunk/conf.log
    /Applications/Splunk/var/log/splunk/dfm_stderr.log
    /Applications/Splunk/var/log/splunk/dfm_stdout.log
    /Applications/Splunk/var/log/splunk/export_metrics.log
    /Applications/Splunk/var/log/splunk/first_install.log
    /Applications/Splunk/var/log/splunk/health.log
    /Applications/Splunk/var/log/splunk/license_usage.log
    /Applications/Splunk/var/log/splunk/metrics.log
    /Applications/Splunk/var/log/splunk/mongod.log
    /Applications/Splunk/var/log/splunk/remote_searches.log
    /Applications/Splunk/var/log/splunk/scheduler.log
    /Applications/Splunk/var/log/splunk/search_messages.log
    /Applications/Splunk/var/log/splunk/searchhistory.log
    /Applications/Splunk/var/log/splunk/splunk_instrumentation.log
    /Applications/Splunk/var/log/splunk/splunkd-utility.log
    /Applications/Splunk/var/log/splunk/splunkd.log
    /Applications/Splunk/var/log/splunk/splunkd_access.log
    /Applications/Splunk/var/log/splunk/splunkd_stderr.log
    /Applications/Splunk/var/log/splunk/splunkd_stdout.log
    /Applications/Splunk/var/log/splunk/splunkd_ui_access.log
    /Applications/Splunk/var/log/splunk/web_access.log
    /Applications/Splunk/var/log/splunk/web_service.log
    /Applications/Splunk/var/log/splunk/wlm_monitor.log
$SPLUNK_HOME/var/log/splunk/license_usage_summary.log
    /Applications/Splunk/var/log/splunk/license_usage_summary.log
$SPLUNK_HOME/var/log/splunk/splunk_instrumentation_cloud.log
    /Applications/Splunk/var/log/splunk/splunk_instrumentation_cloud.log
$SPLUNK_HOME/var/log/watchdog/watchdog.log
    /Applications/Splunk/var/log/watchdog/watchdog.log
$SPLUNK_HOME/var/run/splunk/search_telemetry/*search_telemetry.json
$SPLUNK_HOME/var/spool/splunk/...stash_new
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
btool command:
Usage:
Official documentation
$ splunk btool <config-file-prefix> list [--debug]
config-file-prefix: the name of the config file without ".conf" (inputs, indexes, ...).
The "--debug" option prefixes every line with the file that supplies that setting; it is very useful for understanding precedence (system/default, app default, app local, system/local, user) when analysing a configuration.
List the inputs
$ splunk btool inputs list
---SNiP---
t_key:linebreaker:parsingQueue
[tcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = dns
host = $decideOnStartup
index = default
[udp]
_rcvbuf = 1572864
connection_host = ip
host = $decideOnStartup
index = default
On a specific input, here tcp:
$ splunk btool inputs list tcp
[tcp]
_rcvbuf = 1572864
acceptFrom = *
connection_host = dns
host = $decideOnStartup
index = default
Debug to see which file supplies the config:
$ splunk btool inputs list tcp --debug
/Applications/Splunk/etc/system/default/inputs.conf [tcp]
/Applications/Splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/Applications/Splunk/etc/system/default/inputs.conf acceptFrom = *
/Applications/Splunk/etc/system/default/inputs.conf connection_host = dns
/Applications/Splunk/etc/system/default/inputs.conf host = $decideOnStartup
/Applications/Splunk/etc/system/default/inputs.conf index = default
App-specific information
Here we created an app lab-all-indexes that provides an index.
$ splunk btool indexes list --app=lab-all-indexes
[lab_test]
coldPath = $SPLUNK_DB/$_index_name/colddb
homePath = $SPLUNK_DB/$_index_name/db
thawedPath = $SPLUNK_DB/$_index_name/thaweddb
You can also add a --user= filter, but --app= is then mandatory.
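The --debug output is most useful when you want to answer two questions quickly: "which file is actually supplying this key in this stanza?" and "what has been changed away from system/default at all?". The shell snippet below is an added example (not from the original page and not part of Splunk itself) that answers both from the plain-text --debug format shown above. The sample output embedded in it is constructed for the example: the `/opt/splunk` install path, the `lab-inputs` app and the `[tcp://9997]` stanza are assumptions; in practice you would pipe `splunk btool inputs list --debug` into the functions instead of the sample string.

```shell
#!/bin/sh
# Constructed sample of `splunk btool inputs list --debug` output (not real output
# from the lab above): the system defaults for [tcp] plus a listener stanza that an
# app's local/inputs.conf added. The install path and app name are assumptions.
BTOOL_DEBUG_SAMPLE='/opt/splunk/etc/system/default/inputs.conf [tcp]
/opt/splunk/etc/system/default/inputs.conf _rcvbuf = 1572864
/opt/splunk/etc/system/default/inputs.conf acceptFrom = *
/opt/splunk/etc/system/default/inputs.conf connection_host = dns
/opt/splunk/etc/system/default/inputs.conf host = $decideOnStartup
/opt/splunk/etc/system/default/inputs.conf index = default
/opt/splunk/etc/apps/lab-inputs/local/inputs.conf [tcp://9997]
/opt/splunk/etc/apps/lab-inputs/local/inputs.conf acceptFrom = 10.0.0.0/8
/opt/splunk/etc/apps/lab-inputs/local/inputs.conf sourcetype = syslog'

# btool_overrides <debug-output>
# Prints "<file> <key> = <value>" for every setting NOT supplied by
# etc/system/default, i.e. everything an admin or an app changed. Stanza header
# lines ("<file> [stanza]") are skipped so only key/value pairs are reported.
btool_overrides() {
  printf '%s\n' "$1" | awk '
    $1 !~ /\/etc\/system\/default\// && $2 !~ /^\[/ { print }
  '
}

# btool_source_of <stanza> <key> <debug-output>
# Prints the path of the file that supplies <key> inside [<stanza>], or "unset"
# when the stanza has no such key. Column 2 of a --debug line is either the
# stanza header "[name]" or the key name, so we track the current stanza and
# stop at the first matching key.
btool_source_of() {
  printf '%s\n' "$3" | awk -v stanza="[$1]" -v key="$2" '
    $2 ~ /^\[/ { cur = $2; next }
    cur == stanza && $2 == key { print $1; found = 1; exit }
    END { if (!found) print "unset" }
  '
}

# btool_override_count <debug-output>
# Number of overridden settings; handy as a one-line drift check in a cron job.
btool_override_count() {
  btool_overrides "$1" | awk 'END { print NR }'
}

# Stand-alone usage on the constructed sample (replace the variable with
# "$(splunk btool inputs list --debug)" on a real instance):
btool_overrides "$BTOOL_DEBUG_SAMPLE"
btool_source_of tcp acceptFrom "$BTOOL_DEBUG_SAMPLE"
btool_source_of tcp://9997 acceptFrom "$BTOOL_DEBUG_SAMPLE"
```

The override listing is the part worth keeping around: a listener whose `acceptFrom` still comes from system/default is accepting from `*`, and the only way to see that at a glance is to know which file won the merge, which is exactly what --debug exposes.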
Config check (typos, invalid keys and stanzas):
$ splunk btool check
Searching from the CLI:
$ splunk search '|tstats count where index=* by index'
index count
-------- ------
lab_test 109864