Using Admin’s Little Helper in Splunk Cloud

Published On: November 16th, 2023

Introduction

If you’re a Splunk admin, there’s an excellent chance you’ve used the btool command to troubleshoot your configuration. This command is the best way to understand configuration precedence in Splunk and what settings in the config files are active in your environment. 

One common frustration for an experienced Splunk administrator transitioning to Splunk Cloud is giving up command-line access to the Splunk infrastructure. Not having this visibility and needing to manage apps through the Splunk web interface is definitely a change that can take some getting used to. However, I want to introduce you to a Splunk app that I’ve found that makes this adjustment quite a bit easier.

Introducing Admins Little Helper

The Admins Little Helper for Splunk app brings a familiar command line tool to the Splunk search interface in Splunk Cloud. Install the app in your Splunk Cloud environment (it doesn’t require a restart, at least on the Victoria Experience stacks that I’ve tested), and you’ll have the | btool search command available.

Here’s a video walkthrough of how to get this app set up and what using it looks like: 

One great feature of this app is that it will allow you to see the configurations both on the search heads and the indexers. You can do this by running a search with the | btool command and looking at the splunk_server field in the results:

1. Start by running a search using the | btool command. In this example, I’m looking for the wineventlog stanza in props.conf.


2. You will see multiple search results. In this example, there are four events returned. One of these events is from the search head, and the other three are from the indexers.

3. Expand the event and scroll down to the bottom where the splunk_server field is shown. You will see the hostname of the system where the btool command was executed. In Splunk Cloud, hosts with names that begin with sh-i-* are search heads, and those that begin with idx-i-* are indexers.

Results from a search head:

Results from an indexer:
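Once you have a set of `| btool` events from every server, the useful follow-up is to check that the search head and the indexers resolved the same values, since a setting that differs by tier (for example, a masking or routing rule that is active on one indexer but not another) is the kind of drift you want to catch before it shows up as missing or unmasked data. The script below is an added example, not code from the Admins Little Helper app or from Hurricane Labs. It assumes each event carries a `splunk_server` field and that its `_raw` text is in the same `[stanza]` / `key = value` layout that `splunk btool <conf> list` prints; the sample events are constructed, and the hostnames follow the `sh-i-*` and `idx-i-*` patterns from the post.

```python
"""Classify Admins Little Helper ``| btool`` results by Splunk Cloud role and
flag settings whose resolved value differs between servers.

Added example, not part of the Admins Little Helper app. Assumption: each
event has a ``splunk_server`` field and a ``_raw`` body in btool "list" layout.
"""
import re
from collections import defaultdict

SEARCH_HEAD_RE = re.compile(r"^sh-i-")   # Splunk Cloud search-head hostnames
INDEXER_RE = re.compile(r"^idx-i-")      # Splunk Cloud indexer hostnames


def role_for(hostname):
    """Map a splunk_server value to its Splunk Cloud tier."""
    if SEARCH_HEAD_RE.match(hostname):
        return "search_head"
    if INDEXER_RE.match(hostname):
        return "indexer"
    return "other"


def parse_btool_list(raw):
    """Parse btool list output into {(stanza, key): value}.

    Lines look like ``[wineventlog]`` followed by ``TRUNCATE = 0``; comments
    and blank lines are skipped, and a key seen before any stanza is ignored.
    """
    settings = {}
    stanza = None
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        if stanza is not None and "=" in line:
            key, _, value = line.partition("=")
            settings[(stanza, key.strip())] = value.strip()
    return settings


def find_drift(events):
    """Return [(stanza, key, {value: [hosts]})] for every setting whose
    resolved value is not identical on all servers that reported it."""
    per_setting = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for (stanza, key), value in parse_btool_list(ev["_raw"]).items():
            per_setting[(stanza, key)][value].add(ev["splunk_server"])
    drift = []
    for (stanza, key), by_value in sorted(per_setting.items()):
        if len(by_value) > 1:
            drift.append((stanza, key, {v: sorted(h) for v, h in by_value.items()}))
    return drift


# Constructed sample: one search head and three indexers, matching the four
# events described in the post. The second indexer deliberately carries a
# different TRUNCATE value so the drift check has something to report.
SAMPLE_EVENTS = [
    {"splunk_server": "sh-i-0a1b2c3d",  "_raw": "[wineventlog]\nTRUNCATE = 0\nKV_MODE = xml"},
    {"splunk_server": "idx-i-1111aaaa", "_raw": "[wineventlog]\nTRUNCATE = 0\nKV_MODE = xml"},
    {"splunk_server": "idx-i-2222bbbb", "_raw": "[wineventlog]\nTRUNCATE = 10000\nKV_MODE = xml"},
    {"splunk_server": "idx-i-3333cccc", "_raw": "[wineventlog]\nTRUNCATE = 0\nKV_MODE = xml"},
]


def summarize(events=SAMPLE_EVENTS):
    """Group reporting hosts by tier and list any drifted settings."""
    hosts_by_role = defaultdict(list)
    for ev in events:
        hosts_by_role[role_for(ev["splunk_server"])].append(ev["splunk_server"])
    return {
        "search_heads": sorted(hosts_by_role["search_head"]),
        "indexers": sorted(hosts_by_role["indexer"]),
        "drift": find_drift(events),
    }


if __name__ == "__main__":
    report = summarize()
    print("search heads:", report["search_heads"])
    print("indexers:    ", report["indexers"])
    for stanza, key, by_value in report["drift"]:
        print(f"drift in [{stanza}] {key}:")
        for value, hosts in by_value.items():
            print(f"  {value!r} on {', '.join(hosts)}")
```

Export the `| btool` results as JSON (or paste them into `SAMPLE_EVENTS`) and the report tells you which tier each answer came from and exactly which hosts disagree on a value; a setting that only some servers report at all does not show up as drift here, so compare the per-host key sets too if a stanza is expected on every tier.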

Wrap Up

Hopefully knowing that this tool exists will help you in your transition to Splunk Cloud. I know I’ve definitely found it useful when doing troubleshooting for our clients. If you’re looking for help with managing Splunk Cloud or have other questions, don’t hesitate to reach out to us!


About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit www.hurricanelabs.com and follow us on Twitter @hurricanelabs.