Troubleshooting conf files using the btool command
As we have seen, conf files can be placed in more than one place, and in some cases, the default conf setting might need to undergo changes, which an administrator or Splunk user will create in /local directories, either in an etc/apps/<app_name> or users/<user_name>/<app_name> directory.
As more conf files are added to or updated, it becomes very difficult to track the changes to troubleshoot Splunk issues. In this situation, the btool CLI command is very helpful for seeing merged versions of conf files that exist on disk. Let’s look at the syntax of the btool command. It must be issued from the $SPLUNK_HOME/bin directory:
./splunk btool <conf_file_prefix> [list|layer|add|delete] --debug --app=<app_name> --user=<user_name>
Let’s understand the components:
--debug: This option shows the absolute path of the conf file’s location in thesystem...
