`splunk btool` is a helpful tool that allows you to determine the result of merging the config on disk, but it doesn't help you to determine whether that config was applied to a given event. Is there any way to do this?
Context: I'm adding some broad configuration to certain sources, but I had to use a regular expression (negative lookahead) to exclude certain subpaths. I'm still getting some warnings in Splunk's internal logs about the timestamp format changing, which makes me uncertain that the config I wrote for timestamp parsing is actually applying to the log that Splunk is complaining about.
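One offline check that narrows down the uncertainty described in the question, added here as an example rather than anything from the original post or from Splunk itself: run the stanza's exclusion regex against the source paths Splunk is complaining about, and run the props.conf TIME_FORMAT against sample lines from those files. The pattern, TIME_FORMAT, paths and log lines below are constructed placeholders, not the poster's configuration, and Python's `re`/`strptime` stand in for Splunk's PCRE and its timestamp processor (so Splunk-only directives such as `%3N` or `%Q` will not work here).

```python
import re
from datetime import datetime

# Constructed stand-in for a [source::...] stanza header that uses a
# negative lookahead to skip one subpath (hypothetical, not the poster's).
SOURCE_PATTERN = r"^/var/log/app/(?!debug/).*\.log$"

# Constructed stand-in for the TIME_FORMAT set in that stanza.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed source paths, e.g. copied from the splunkd.log warnings.
SAMPLE_SOURCES = [
    "/var/log/app/web/access.log",   # should be covered by the stanza
    "/var/log/app/debug/trace.log",  # should be excluded by the lookahead
    "/var/log/other/x.log",          # outside the stanza altogether
]

# Constructed log lines: one in the expected format, one syslog-style line
# of the kind that would make the timestamp warning fire.
SAMPLE_LINES = [
    "2024-05-01 12:00:00 INFO started",
    "May  1 12:00:00 host app: started",
]


def matching_sources(pattern, sources):
    """Return the subset of source paths the stanza pattern would match."""
    rx = re.compile(pattern)
    return [s for s in sources if rx.search(s)]


def parse_timestamp(line, time_format, lookahead=30):
    """Emulate a MAX_TIMESTAMP_LOOKAHEAD-style window: try the longest
    leading substring first, shrink until strptime accepts it, else None."""
    window = line[:lookahead]
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], time_format)
        except ValueError:
            continue
    return None


def unparseable_lines(lines, time_format):
    """Lines whose prefix does not fit TIME_FORMAT; these are the ones that
    would trigger a timestamp-format warning if the stanza really applied."""
    return [ln for ln in lines if parse_timestamp(ln, time_format) is None]


def audit(pattern, time_format, sources, lines):
    """Combine both checks into one report dict for quick inspection."""
    return {
        "covered_sources": matching_sources(pattern, sources),
        "unparseable_lines": unparseable_lines(lines, time_format),
    }


if __name__ == "__main__":
    for key, value in audit(SOURCE_PATTERN, TIME_FORMAT,
                            SAMPLE_SOURCES, SAMPLE_LINES).items():
        print(f"{key}:")
        for item in value:
            print(f"  {item}")
```

If the path from the warning shows up in `covered_sources` but its lines land in `unparseable_lines`, the stanza is applying and the TIME_FORMAT is the problem; if the path is absent, the lookahead (or stanza precedence) is keeping the stanza off that file, which is the case `btool` alone cannot distinguish.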