Time
6 hours 3 minutes
Difficulty
Intermediate
CEU/CPE
6

Video Transcription

00:00
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cyber. This is the B two lab where we're gonna be doing a deep dive on how to use the Splunk be tool command line tool. So in this video, we're gonna go over this syntax for the command.
00:16
What we use the command for I'll run a couple example commands.
00:21
And then I will also demonstrate configuration file precedence and lexical graphical order presidents by basically manipulating different files in different places and then showing you which configurations are being applied using be tool. So without further do, we can get started and actually
00:40
look at what this be Tool
00:42
command is. So any time you're looking at a Splunk command line tool the place I would recommend starting is by just using Splunk help command to get more information about the commander interested in. So in this case will do help be tool,
00:59
and you can see that they give you a quick description. It's used to view or validates pulling configuration files, and it takes into account configuration, file layering and user app context.
01:10
So what that basically means is when you run this tool What it does is whatever configuration file you specify. It will list what the configurations from all of those different files on disk would look like when they are compiled and take into account configuration file precedence.
01:30
So,
01:30
um, basically,
01:33
in other words, it gives you
01:36
what setting Splunk is actually applying to the data based on what is on the disk.
01:44
One thing to note here, though, is
01:47
this tool does run off of the configuration files on disk, so you could have different settings written in your files. You might have made updates
01:57
to the files and not restarted Splunk. So
02:01
the settings that are being applied in memory could be different than what's being spit out by this. Be tool. So if everything coming from B Tool looks correct, but Splunk is still applying improper settings to your data,
02:15
try running a restart just to refresh the configurations. They're loaded in memory, and hopefully that will solve your problems.
02:23
But now that we got rid of her, we got that out of the way. Let's talk quickly about the syntax, so when you use this command, you're going to write Splunk. You're right. The path to this blank. Execute herbal your specified be tool because that's what we want to use.
02:38
You'll specify the configuration file you're interested in looking at the configurations for and that will be like server or inputs or outputs or props transforms whatever it is without the dot com extension, and then you'll specify list which,
02:54
well, just spit out
02:57
all of the settings for that file. And then there's some options that you can apply to narrow down your results, because
03:05
if we run this, I'll demonstrate just how much data it spits out. So let's just look at inputs for this example.
03:16
Oh, sorry, I forgot to write Beetle,
03:21
but you can see this is a lot of information. This is literally all the configurations Splunk has for every input. And this is just a fresh in Seoul of Splunk. So a production system where you have a lot of inputs configured would be way more texts than even this, and this is already kind of a lot to look at.
03:40
So that's why they give you additional means of narrowing down the data
03:46
so you could specify a specific stands the name so we'll do this one
03:53
and then just get the settings for that stanza
03:55
or you could specify
03:58
and app,
04:00
but we don't know any APS right now. So before we get to that, we should talk about the debug command. So if you are option if you add the debug parameter to your be tool command, it will tell you the file path that each individual configuration comes from.
04:18
So here we can see that's an happening, so we'll use that as an example for app equals.
04:28
And now we're just looking at the settings that come from that introspection generator at
04:32
you can see. It's just these two stanzas,
04:35
um,
04:38
de boat tools like Super Useful because you can see on, especially if we narrow down to Let's go back to a specific stanza. Let's look that TCP again clear. Just so we have a
04:49
fresh view, you could see
04:53
where each configuration is coming from, and all the different places that a configuration for this stance or resides so that will help you determine where you need to make your changes toe override what's already existing.
05:06
So, for example, if we wanted to change this connection, host equals DNS. We see it comes from default inputs dot com. So if you remember our conversation about configuration file precedents, there's three places we could put this that would override that.
05:21
We could put it in an app default directory, an APP, local directory or the system local directory and overwrite this value.
05:29
So let's just do a demonstration of that so you can actually see how configuration file presidents works and also how you can use be tool Teoh, basically see. Okay, I made this new configuration. Will it take effect?
05:43
So we're gonna keep operating off the assumption that we want to change this value
05:47
so will
05:49
make a new app. Uh, this So this make their command is what we're gonna use to make a directory and dash. He's gonna let me make multiple directories at the same time. So we'll go to Ops, Blunk, etc. APs because this is where APS are. And basically all app really is in. Splunk is
06:10
a directory with some configuration files
06:12
in it that resides in this path.
06:15
So we'll just pull this test app and we'll make it default.
06:19
And then we will
06:23
make a new inputs dot com file there and we will specify that we want to work on the TCP stands up and we will add the connection post. And since the old value is DNS, just to demonstrate this works will make this not in this.
06:44
So let's run RB tool again to see what the settings are.
06:48
And as you can see, this line is now coming from our test app and is not DNS instead of being DNS and coming from default implants.
06:58
So again, if we wanted to override this value we could use, we could still use configuration pop presence. We could just make a new directory.
07:10
Oh, and rip and remember.
07:12
So if data was coming in with this inputs, this connection host that Splunk would be using still be this old value because we haven't restarted Splunk. So it's still operating off these old configurations. So that's what I was talking about earlier. So even though be tools shows that this value
07:28
would be not Deanna's,
07:30
as long as Splunk hasn't been restarted, its still using its it already compiled, right? So when schooling starts that compiles all these configurations and determines what set of configurations that should use, So unless we restart, this won't get loaded, so just keep that in mind.
07:46
But now if we want toe manipulate this some or we can make
07:53
another
07:57
directory for local come figs,
08:01
Um, and then another input stuck on from there
08:07
specify the same stands Us. So that's a conflicting setting,
08:13
and we'll just suit next host People's definitely Dennis and will
08:22
right that file and then we'll run R B Tool Command again. And you can see now this APP local file is taking precedence over the APP default file.
08:37
So there's one more thing I want to demonstrate with configuration file precedents, and that's gonna be actually lexical graphical order, which only comes into play if you have to, APs
08:48
that have conflicting settings.
08:52
So if I made another app that that controls this same value
08:58
at the same
09:01
directory level,
09:03
then Splunk will decide which configuration to apply based on lexical graphical order. So if you remember lexical graphical order, highest order would be a number.
09:13
Second highest would be alphabetical capital, a tow lower keeper, capital a toe,
09:18
um, Capital Z, and then finally, lower case A to lower Casey. So if we wanted to take precedence over this test app we can make a new app called
09:37
Test and put the file in the same context. Because if we
09:45
if we did
09:46
default,
09:48
then the local would still take precedence over that. This lexical graphical order only comes in a place as like a tiebreaker.
09:54
So we'll do V
09:56
well that this way, because it's a little bit faster
10:01
and then foot stock calm
10:05
so we'll apply the same stands up.
10:09
The next host equals,
10:13
um,
10:13
Lexi Order rocks.
10:20
Okay, so we'll save that. Then we'll run R B Tool one more time and you can see
10:26
that did take precedence because of lexical graphic order so that capital t takes precedence over lower case T.
10:33
And so that's how lexical graphical works in deciding basicly tiebreakers between APS.
10:39
Okay, so we've looked at
10:41
basically everything we need to. We talked about the beetle app what it is, it will be tool command line tool, what exactly you use it for and that's analyzing configuration files on disk.
10:54
We did emphasize that it will show you what files are what configurations would be loaded into *** based on what is on disc. But that does not mean that that is what's loaded in memory. Splunk does have to be restarted toe update your new configurations.
11:13
We talked about
11:16
precedents order again and actually demonstrated how that works. And then we also demonstrated how lexical graphical order would work, I guess, just for context, I'll explain when to use this. I very rarely have had to use lexical graphical order toe override a setting.
11:33
But one recent example was I was working with a customer
11:37
and they had a subset of their forwarders that they want to have send data to Splunk, but also to 1/3 party system. So I already had an app that was sending to all forwarders to give them the basic outputs dot com configuration to just forward to the *** indexing tear.
11:58
But now I needed a different set of outputs icon configurations to apply on Lee to this subset of servers that will send to 1/3 party. So I made,
12:11
um, a nap
12:13
with those settings that only send to that subset of servers, and I'm just named the APP. The same thing is the normal outputs dot com app that I had deployed but all capitals so that I could still leave it so that that generic app got sent to every host
12:28
and still no, that my more specific app would override it in the cases where it needed to.
12:35
So that's like the only use case I've really had to use that it's not super common, but still good to know that you can do that and how
12:43
that works exactly.
12:45
But I think that covers everything you need to know about. Be tool. You should have enough information to leverages tool in your job duties as a Splunk administrator and hopefully should be very helpful with troubleshooting and testing your inputs that wraps it up for this lab. Look forward to senior next one.

Up Next

Splunk Enterprise Certified Administrator

The course is designed around the guidelines provided in Splunk’s Test Blueprint for the Certified Administrator certification, Splunk Docs, the Splunk Data and System Admin courses, and the experience of a Splunk Professional Services Consultant.

Instructed By

Instructor Profile Image
Anthony Fecondo
Splunk Professional Service Consultant
Instructor