To help preview merged configurations, we call on btool, a command-line tool that prints the merged version of configurations. The Splunk site has one of my favorite documentation notes of all time, as follows:
With that warning in mind, btool has never steered me wrong. The tool has a number of functions, but the only one I have ever used is list, as follows:
$SPLUNK_HOME/bin/splunk cmd btool props list
This produces 5,277 lines of output, which I won't list here. Let's list the impl_splunk_gen stanza by adding it to the end of the command line, as shown here:
/opt/splunk/bin/splunk cmd btool props list impl_splunk_gen
This will produce an output such as this:
[impl_splunk_gen]
ANNOTATE_PUNCT = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
... truncated ...
LINE_BREAKER_LOOKBEHIND = 100
LOOKUP-lookupusers = userslookup user AS user OUTPUTNEW
MAX_DAYS_AGO = 2000
... truncated ...
TRUNCATE = 10000
TZ = UTC
maxDist = 100
Our configuration file at $SPLUNK_HOME/etc/apps/ImplementingSplunkDataGenerator/local/props.conf contains only the following lines:
[impl_splunk_web]
LOOKUP-web_section = flatten_summary_lookup url AS url OUTPUTNEW
EXTRACT-url = \s[A-Z]+\s(?P<url_from_app_local>.*?)\s
EXTRACT-foo = \s[A-Z]+\s(?P<url_from_app>.*?)\s
So, where did the rest of this configuration come from? With the use of the -debug flag, we can get more details:
/opt/splunk/bin/splunk cmd btool props list impl_splunk_gen -debug
This produces the following output:
Implementi [impl_splunk_gen]
system     ANNOTATE_PUNCT = True
system     BREAK_ONLY_BEFORE =
system     BREAK_ONLY_BEFORE_DATE = True
... truncated ...
system     LINE_BREAKER_LOOKBEHIND = 100
Implementi LOOKUP-lookupusers = userslookup user AS user OUTPUTNEW
system     MAX_DAYS_AGO = 2000
... truncated ...
system     TRUNCATE = 10000
Implementi TZ = UTC
system     maxDist = 100
The first column, truncated though it is, tells us what we need to know. The vast majority of these lines are defined in the system, most likely in system/default/props.conf.
The remaining items from our file are labeled Implementi, which is the beginning of our app directory, ImplementingSplunkDataGenerator. If you ever have a question about where some setting is coming from, btool will save you a lot of time. Also, check out the Splunk on Splunk app at Splunkbase for access to btool from the Splunk web interface.
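When auditing which app changed a stanza, the first column of the -debug output can be filtered mechanically. The following is an added example, not code from the book or from Splunk: it assumes the layout shown above (origin label, whitespace, then key = value), the function names are hypothetical, and the sample input is constructed from the truncated output on this page.

```shell
#!/bin/sh
# Added example: attribute merged settings to their origin.
# Assumes the layout shown above: origin label, whitespace, then "key = value".

# Constructed sample: the truncated -debug output from this page.
sample_debug_output() {
cat <<'EOF'
Implementi [impl_splunk_gen]
system     ANNOTATE_PUNCT = True
system     BREAK_ONLY_BEFORE =
system     BREAK_ONLY_BEFORE_DATE = True
system     LINE_BREAKER_LOOKBEHIND = 100
Implementi LOOKUP-lookupusers = userslookup user AS user OUTPUTNEW
system     MAX_DAYS_AGO = 2000
system     TRUNCATE = 10000
Implementi TZ = UTC
system     maxDist = 100
EOF
}

# Emit "stanza<TAB>origin<TAB>key<TAB>value" for settings not set by "system".
non_system_settings() {
    awk '
        $2 ~ /^\[/ {                       # stanza header: keep the full name
            stanza = $0
            sub(/^[^ \t]+[ \t]+/, "", stanza)
            next
        }
        $3 == "=" && $1 != "system" {      # key = value set by an app
            value = $0
            sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+=[ \t]*/, "", value)
            printf "%s\t%s\t%s\t%s\n", stanza, $1, $2, value
        }
    '
}

# Emit "count origin" per origin label, largest first.
settings_per_origin() {
    awk '$3 == "=" { n[$1]++ } END { for (o in n) print n[o], o }' | sort -rn
}

# Real use (command from the page):
#   /opt/splunk/bin/splunk cmd btool props list impl_splunk_gen -debug | non_system_settings
sample_debug_output | non_system_settings
sample_debug_output | settings_per_origin
```

Settings with an empty value, such as BREAK_ONLY_BEFORE above, are still counted because the match is on the = sign and not on the presence of a value.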