This app requires python3
Install Infotools on any Search Heads in your environment. Infotools should NOT be installed to any Forwarders, Indexers, or other non-Searching Splunk instances.
Install the app. For Splunk Cloud, refer to Install apps in your Splunk Cloud deployment. For customer-managed deployments, refer to the standard methods for Splunk add-on installs as documented for a Single Server Install or a Distributed Environment Install.
There is no configuration requirement for Infotools. Because several of its commands run OS-level programs (ping, openssl, btool, the splunk CLI) and list or read files on the search head, you may wish to restrict the commands to trusted roles such as admin or sc_admin. This is done via Settings | All Configurations: select the App "Info Tools (infotools)", then click the Permissions link for the command you wish to restrict.
Version 1.2
usage:
| lookupinfo
| lookupinfo2
lookupinfo is a custom search command that returns information about the files in the lookups directory of every app on the search head where it is run
lookupinfo is a generating command and must be the first command in the pipeline
lookupinfo has no arguments
lookupinfo requires python3 to run
lookupinfo returns the following results:
app - the name of the app folder
name - the name of a file in the lookup folder
size - the size in bytes of the file
mtime - the modtime of the file in epoch format
lookupinfo returns ALL files found in each lookups folder; mostly these will be .csv files, but also other files such as .gz, .kmz and the occasional README
Note: Another app on the search head (Enterprise Security or the Lookup Editor, for example) may ship its own lookupinfo command; the name collision can cause the web UI to hang. For that case this app's lookupinfo is also available under the alias lookupinfo2.
Version 1.2
usage:
| bundleinfo
bundleinfo is a custom search command that will return information about all the files contained in the most current search bundle (.bundle) on the search head where it is run
bundleinfo is a generating command and must be the first command in the pipeline
bundleinfo has no arguments
bundleinfo requires python3 to run
bundleinfo returns the following results:
bundlename - the full path and name of the bundle file
file - the name of a file in the bundle
size - the size in bytes of the file
mtime - the modtime of the file in epoch format
Note: In a search head cluster you must run this on the captain node to get the most current bundle.
Version 1.2
usage:
| userinfo
userinfo is a custom search command that will return information about all the user folders and files on the search head where it is run
userinfo is a generating command and must be the first command in the pipeline
userinfo has no arguments
userinfo requires python3 to run
userinfo returns the following results:
user - the user name (foldername) from the etc/users directory
app - the name of the app folder
fileobject - the path and name of a file(s) below the app
size - the size in bytes of the file
mtime - the modtime of the file in epoch format
Version 1.2
usage:
| appinfo (app=appname)
appinfo is a custom search command that will return information about all the app folders and files on the search head where it is run
appinfo is a generating command and must be the first command in the pipeline
appinfo has an optional argument, app, which is an app folder name. It may also contain a wildcard: app=*/local returns only the local folders of all apps
appinfo requires python3 to run
appinfo returns the following results:
file - the path and name of a file(s) below the app
size - the size in bytes of the file
mtime - the modtime of the file in epoch format
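The three file-listing commands above (lookupinfo, userinfo and appinfo) all reduce to the same directory walk under $SPLUNK_HOME/etc with different filters on the relative path. The following is an added example, not the Infotools app's own code: it reproduces the fields each command documents (app/name/size/mtime, user/app/fileobject/size/mtime, file/size/mtime) and the */local wildcard, run against a constructed throwaway $SPLUNK_HOME so it works offline. The helper and sample names are this example's own.

```python
"""Added example (not the Infotools app's own code): the directory walk behind
lookupinfo, userinfo and appinfo, run against a constructed $SPLUNK_HOME."""
import fnmatch
import os
import shutil
import tempfile
from typing import Dict, Iterator, List


def _files_under(root: str, top: str) -> Iterator[Dict]:
    """Yield one record per regular file below root/top; relpath always uses '/'."""
    base = os.path.join(root, top)
    for dirpath, _dirs, names in os.walk(base):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            yield {
                "relpath": os.path.relpath(full, base).replace(os.sep, "/"),
                "size": st.st_size,            # bytes
                "mtime": int(st.st_mtime),     # epoch seconds, as the commands report it
            }


def lookupinfo(splunk_home: str) -> List[Dict]:
    """Files directly inside <app>/lookups for every app: app, name, size, mtime."""
    rows = []
    for rec in _files_under(splunk_home, "etc/apps"):
        parts = rec["relpath"].split("/")
        if len(parts) == 3 and parts[1] == "lookups":
            rows.append({"app": parts[0], "name": parts[2],
                         "size": rec["size"], "mtime": rec["mtime"]})
    return rows


def userinfo(splunk_home: str) -> List[Dict]:
    """Files under etc/users/<user>/<app>/...: user, app, fileobject, size, mtime."""
    rows = []
    for rec in _files_under(splunk_home, "etc/users"):
        parts = rec["relpath"].split("/")
        if len(parts) >= 3:
            rows.append({"user": parts[0], "app": parts[1], "fileobject": "/".join(parts[2:]),
                         "size": rec["size"], "mtime": rec["mtime"]})
    return rows


def appinfo(splunk_home: str, app: str = "*") -> List[Dict]:
    """Files under etc/apps whose leading path components match the app glob.
    app="search" -> one app; app="*/local" -> the local folder of every app."""
    depth = app.count("/") + 1
    rows = []
    for rec in _files_under(splunk_home, "etc/apps"):
        prefix = "/".join(rec["relpath"].split("/")[:depth])
        if fnmatch.fnmatchcase(prefix, app):
            rows.append({"file": rec["relpath"], "size": rec["size"], "mtime": rec["mtime"]})
    return rows


def build_sample_tree() -> str:
    """Constructed throwaway $SPLUNK_HOME with a handful of files (sample data only)."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    sample = {
        "etc/apps/search/lookups/hosts.csv": "host,owner\nweb01,ops\n",
        "etc/apps/search/local/props.conf": "[mysourcetype]\nSHOULD_LINEMERGE = false\n",
        "etc/apps/search/default/app.conf": "[launcher]\nversion = 1.0\n",
        "etc/apps/infotools/lookups/README": "lookups go here\n",
        "etc/users/admin/search/local/savedsearches.conf": "[errors]\nsearch = index=_internal ERROR\n",
    }
    for rel, body in sample.items():
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return home


if __name__ == "__main__":
    home = build_sample_tree()
    try:
        for row in lookupinfo(home) + userinfo(home) + appinfo(home, "*/local"):
            print(row)
    finally:
        shutil.rmtree(home)
```

The wildcard is matched only against as many leading path components as the pattern has, which is what makes */local select the local folder of every app without also matching deeper paths that merely contain the word.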
Version 1.2
usage:
| btoolinfo conf="conf file name"
example:
| btoolinfo conf="props"
btoolinfo runs btool with the --debug option for the named .conf file on the search head where it is run, so each property is attributed to the file that set it
btoolinfo is a generating command and must be the first command in the pipeline
btoolinfo takes one argument, conf=, which must be the name of a valid .conf file without the extension (for example conf="props"); invalid names return no results
btoolinfo requires python3 to run
btoolinfo returns the following results:
confpath - the full path to the .conf file that sets the property
stanza - the name of the stanza with square brackets included
property - the name of the property
value - the value of the property
Note: btoolinfo is blocked from running on Splunk Cloud due to the app jail feature.
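Turning btool --debug output into the confpath/stanza/property/value rows listed above is a small parsing job, and the conf= value ends up on a command line, so it is worth validating before anything is spawned. The following is an added example, not the Infotools app's own code; it assumes the CLI form splunk btool <conf> list --debug, assumes $SPLUNK_HOME contains no whitespace (each output line is split at the first run of whitespace), and the sample output is constructed for the example.

```python
"""Added example (not the Infotools app's own code): parse btool --debug output
into the confpath/stanza/property/value rows btoolinfo describes, and build the
btool argv with the conf name validated first."""
import os
import re
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `splunk btool props list --debug` output: each line is the
# originating .conf path, whitespace, then the stanza header or property line.
SAMPLE_BTOOL_DEBUG = r"""
/opt/splunk/etc/system/default/props.conf            [default]
/opt/splunk/etc/system/default/props.conf            CHARSET = UTF-8
/opt/splunk/etc/apps/search/local/props.conf         [mysourcetype]
/opt/splunk/etc/apps/search/local/props.conf         SHOULD_LINEMERGE = false
/opt/splunk/etc/apps/search/local/props.conf         TIME_PREFIX = ^\d+\s
/opt/splunk/etc/system/default/props.conf            TRUNCATE = 10000
"""

_LINE_RE = re.compile(r"^(\S+)\s+(.*)$")          # assumes $SPLUNK_HOME has no whitespace
_CONF_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")


def parse_btool_debug(text: str) -> List[Dict[str, str]]:
    rows: List[Dict[str, str]] = []
    stanza: Optional[str] = None
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.rstrip())
        if not m:
            continue                      # blank or unexpected line
        confpath, rest = m.groups()
        if rest.startswith("["):
            stanza = rest                 # keep the square brackets, as btoolinfo does
            continue
        if stanza is None:
            continue                      # property before any stanza header
        prop, sep, value = rest.partition("=")
        if not sep:
            continue
        rows.append({"confpath": confpath, "stanza": stanza,
                     "property": prop.strip(), "value": value.strip()})
    return rows


def build_btool_argv(conf: str, splunk_home: str) -> Optional[List[str]]:
    """argv for `splunk btool <conf> list --debug`, or None for a conf name that is
    not a plain file stem (rejects option-like, path-like or shell-looking values)."""
    if not _CONF_NAME_RE.match(conf):
        return None
    return [os.path.join(splunk_home, "bin", "splunk"), "btool", conf, "list", "--debug"]


def btoolinfo(conf: str, splunk_home: str) -> List[Dict[str, str]]:
    """Run btool (no shell) and parse its output; an invalid name yields no rows."""
    argv = build_btool_argv(conf, splunk_home)
    if argv is None:
        return []
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=60)
    return parse_btool_debug(proc.stdout)


if __name__ == "__main__":
    for row in parse_btool_debug(SAMPLE_BTOOL_DEBUG):
        print(row)
```

Values are split at the first "=" only, so a regex such as TIME_PREFIX = ^\d+\s survives intact; the conf-name check is what keeps an argument like "--help" or "../props" from becoming an extra btool option or path.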
Version 1.2
| artifactinfo <sid, search, regex>=<option_value>
example:
| artifactinfo sid=1679956099.1578
| artifactinfo search="really bad error"
| artifactinfo regex="\w+Searches"
artifactinfo is a custom search command that will return the contents of an info.csv file from a search artifact on the search head where it is run
artifactinfo is a generating command and must be the first command in the pipeline
artifactinfo requires 1 of 3 arguments: sid, search, regex
sid = search id of the artifact
search = a search string (case sensitive) to find in the info.csv file of any artifact
regex = a regex expression to use to search the info.csv file of any search artifact
artifactinfo requires python3 to run
artifactinfo returns the contents of the search artifact info.csv file
Note: In a search head cluster, depending on the replication factor, a given search artifact is not necessarily present on every member, so the results depend on which member runs the command.
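The three selectors described above (an exact sid, a case-sensitive substring, a regex) all end in reading an artifact's info.csv from the dispatch directory, and the sid selector is the one that deserves care because the sid becomes a directory name. The following is an added example, not the Infotools app's own code: it searches a constructed dispatch directory whose info.csv columns are illustrative only, and the sid character check is this example's own assumption about what a well-formed sid looks like.

```python
"""Added example (not the Infotools app's own code): locate search artifacts'
info.csv files by sid, substring or regex, the three selectors artifactinfo
accepts, against a constructed dispatch directory."""
import csv
import io
import os
import re
import tempfile
from typing import Dict, List, Optional

# A sid is used as a directory name, so it must be a single path component.
_SID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def artifactinfo(dispatch_dir: str, sid: Optional[str] = None, search: Optional[str] = None,
                 regex: Optional[str] = None) -> List[Dict[str, str]]:
    if sum(v is not None for v in (sid, search, regex)) != 1:
        raise ValueError("exactly one of sid, search or regex is required")
    if sid is not None:
        if not _SID_RE.match(sid):
            return []                  # no separators, no leading '.': nothing can leave dispatch_dir
        candidates = [sid]
    else:
        candidates = sorted(d for d in os.listdir(dispatch_dir)
                            if os.path.isdir(os.path.join(dispatch_dir, d)))
    pattern = re.compile(regex) if regex is not None else None
    rows: List[Dict[str, str]] = []
    for cand in candidates:
        path = os.path.join(dispatch_dir, cand, "info.csv")
        if not os.path.isfile(path):
            continue
        with open(path, newline="", encoding="utf-8") as fh:
            text = fh.read()
        if search is not None and search not in text:      # plain, case-sensitive substring
            continue
        if pattern is not None and not pattern.search(text):
            continue
        for row in csv.DictReader(io.StringIO(text)):
            row["sid"] = cand
            rows.append(row)
    return rows


def build_sample_dispatch() -> str:
    """Constructed dispatch directory; the info.csv columns are illustrative only."""
    root = tempfile.mkdtemp(prefix="dispatch_")
    artifacts = {
        "1679956099.1578": "search index=_internal ERROR",
        "1679956200.1601": '| savedsearch "Failed Logins"',
        "scheduler__admin__search__RMD5d41d8cd98f00b204_at_1679956300_7":
            "| inputlookup ScheduledSearches.csv",
    }
    for sid, spl in artifacts.items():
        os.makedirs(os.path.join(root, sid))
        with open(os.path.join(root, sid, "info.csv"), "w", newline="", encoding="utf-8") as fh:
            writer = csv.DictWriter(fh, fieldnames=["_sid", "_search", "_startTime"])
            writer.writeheader()
            writer.writerow({"_sid": sid, "_search": spl, "_startTime": "1679956099"})
    return root


if __name__ == "__main__":
    root = build_sample_dispatch()
    print(artifactinfo(root, sid="1679956099.1578"))
    print(artifactinfo(root, regex=r"\w+Searches"))
```

The substring and regex selectors are applied to the raw file text rather than to individual columns, which matches the documented behaviour of matching "in the info.csv file" and is why the search is case sensitive.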
Version 1.2
| pinginfo address="ip address or name" (count=n)
example:
| pinginfo address="google.com" count=5
pinginfo is a custom search command that will run the OS ping command to the ip address or hostname specified
pinginfo is a generating command and must be the first command in the pipeline
pinginfo requires a host name or IP address and optionally a count (default 3, maximum 10)
pinginfo requires python3 to run
pinginfo returns a field: pingdata that is the output of the OS ping command that was run
Version 1.2
| sslinfo hostport="host:port" (timeout=n)
example:
| sslinfo hostport="google.com:443" timeout=10
sslinfo is a custom search command that runs openssl s_client to return information about the SSL/TLS certificate presented at the address and port specified
sslinfo is a generating command and must be the first command in the pipeline
sslinfo requires a host name or IP address and a port, and optionally a timeout in seconds for the command (default 5, maximum 30)
sslinfo requires python3 to run
sslinfo returns a field: data, which is the output of the openssl s_client -connect command
Version 1.2
| varinfo (<subdir>=<subdirectory under $SPLUNK_HOME/var>)
example:
| varinfo subdir="run/splunk/csv"
varinfo is a custom search command that generates a list of files under $SPLUNK_HOME/var
varinfo is a generating command and must be the first command in the pipeline
varinfo has an optional argument: subdir that can be any valid subdirectory under $SPLUNK_HOME/var - if not specified all files are listed (may be a lot of files)
varinfo will return the following fields: file (including full path), size (bytes), mtime (epoch format)
Note: upward recursion is not allowed; a subdir that would climb above $SPLUNK_HOME/var (for example one containing ..) is rejected
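The "no upward recursion" rule is a path containment check: the requested subdir has to resolve to somewhere inside $SPLUNK_HOME/var after ".." and symlinks are taken into account, not merely fail to contain the literal string "..". The following is an added example, not the Infotools app's own code; it uses a constructed $SPLUNK_HOME with a symlink planted inside var to show the second case, and the function names are this example's own.

```python
"""Added example (not the Infotools app's own code): the containment check behind
varinfo's "no upward recursion" rule, using a constructed $SPLUNK_HOME."""
import os
import tempfile
from typing import Dict, List, Optional


def resolve_var_subdir(splunk_home: str, subdir: Optional[str]) -> Optional[str]:
    """Absolute directory to list, or None when subdir would leave $SPLUNK_HOME/var."""
    var_root = os.path.realpath(os.path.join(splunk_home, "var"))
    if not subdir:
        return var_root
    if os.path.isabs(subdir):
        return None                            # only paths relative to var are accepted
    target = os.path.realpath(os.path.join(var_root, subdir))
    # realpath collapses '..' and follows symlinks, so a symlink inside var that
    # points outside it fails this test just like a literal '..' does.
    try:
        inside = os.path.commonpath([var_root, target]) == var_root
    except ValueError:                         # different drives on Windows
        inside = False
    if not inside or not os.path.isdir(target):
        return None
    return target


def varinfo(splunk_home: str, subdir: Optional[str] = None) -> List[Dict]:
    base = resolve_var_subdir(splunk_home, subdir)
    if base is None:
        return []
    rows = []
    for dirpath, _dirs, names in os.walk(base):       # does not follow symlinked dirs
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            rows.append({"file": full, "size": st.st_size, "mtime": int(st.st_mtime)})
    return sorted(rows, key=lambda r: r["file"])


def build_sample_home() -> str:
    """Constructed $SPLUNK_HOME: two files under var, one outside it, and a symlink
    from inside var to the outside directory."""
    home = tempfile.mkdtemp(prefix="splunk_home_")
    for rel, body in {
        "var/run/splunk/csv/export.csv": "a,b\n1,2\n",
        "var/log/splunk/splunkd.log": "INFO  started\n",
        "etc/system/local/server.conf": "[general]\nserverName = sh1\n",
    }.items():
        path = os.path.join(home, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    try:
        os.symlink(os.path.join(home, "etc"), os.path.join(home, "var", "run", "escape_link"))
    except OSError:
        pass                                    # symlink creation may need privileges on Windows
    return home


if __name__ == "__main__":
    home = build_sample_home()
    print(varinfo(home, "run/splunk/csv"))
    print(varinfo(home, "../etc"), varinfo(home, "run/escape_link"))
```

Checking with os.path.commonpath on the resolved paths rather than with a string prefix also avoids the classic mistake where "/opt/splunk/var2" passes a startswith("/opt/splunk/var") test.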
Version 1.2
| cliinfo clicmd=<status, list, show, display, help command and options>
example:
| cliinfo clicmd="show kvstore-status"
cliinfo is a custom search command that returns the output of certain display-only splunk CLI commands (status, list, show, display, help) if you have the proper capability (list_settings) or role (admin, sc_admin) to run them
cliinfo is a generating command and must be the first command in the pipeline
cliinfo returns a field: cmdout that is the stdout from the command that was run
Note: if you try to run a command not listed you will get the message "not allowed" in the cmdout field
Note: the cliinfo command is blocked from running on Splunk Cloud by the app jail feature.
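pinginfo, sslinfo and cliinfo are the commands that hand search-time arguments to an OS program, so the limits the text states (count default 3 and max 10, timeout default 5 and max 30, the allow-listed verbs that otherwise yield "not allowed") are the input validation that stands between a search string and a process on the search head. The following is an added example, not the Infotools app's own code, showing that validation and the argv construction for all three commands; it assumes the Linux/macOS ping -c flag, the openssl s_client -connect form the text names, and a splunk binary under $SPLUNK_HOME/bin. Splunk's capability check for cliinfo happens in the platform and is not reproduced here.

```python
"""Added example (not the Infotools app's own code): argument validation and
argv construction for the three commands that spawn OS programs (pinginfo,
sslinfo, cliinfo). Argv lists are passed to subprocess without a shell."""
import os
import re
import shlex
import subprocess
from typing import List, Optional, Tuple

_HOST_RE = re.compile(r"^[A-Za-z0-9.:-]{1,253}$")          # hostname / IP literal characters only
_CLI_TOKEN_RE = re.compile(r"^[A-Za-z0-9_.:=/-]+$")
CLI_ALLOWED = ("status", "list", "show", "display", "help")  # display-only verbs the text names


def _clamp(value, default: int, maximum: int) -> int:
    """Coerce a search-time argument to an int in [1, maximum], falling back to default."""
    try:
        n = int(value)
    except (TypeError, ValueError):
        return default
    return max(1, min(n, maximum))


def ping_argv(address: str, count=None) -> Optional[List[str]]:
    """ping -c N <host>, count defaulting to 3 and capped at 10 (Linux/macOS flag assumed)."""
    if not _HOST_RE.match(address) or address.startswith("-"):
        return None                                  # no shell metacharacters, no injected options
    return ["ping", "-c", str(_clamp(count, 3, 10)), address]


def sslinfo_argv(hostport: str, timeout=None) -> Optional[Tuple[List[str], int]]:
    """openssl s_client -connect host:port plus the timeout (default 5, max 30) to enforce."""
    host, sep, port = hostport.rpartition(":")
    if not sep or not _HOST_RE.match(host) or host.startswith("-") or not port.isdigit():
        return None
    if not 1 <= int(port) <= 65535:
        return None
    return ["openssl", "s_client", "-connect", f"{host}:{port}"], _clamp(timeout, 5, 30)


def cli_argv(clicmd: str, splunk_home: str) -> Optional[List[str]]:
    """splunk <clicmd> for an allow-listed first word; None means 'not allowed'."""
    try:
        tokens = shlex.split(clicmd)
    except ValueError:                               # unbalanced quotes
        return None
    if not tokens or tokens[0] not in CLI_ALLOWED:
        return None
    if not all(_CLI_TOKEN_RE.match(t) for t in tokens):
        return None
    return [os.path.join(splunk_home, "bin", "splunk"), *tokens]


def run_argv(argv: List[str], timeout: int) -> str:
    """Execute without a shell, with stdin closed, and bound the run time."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True,
                              timeout=timeout, stdin=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        return f"command timed out after {timeout}s"
    except FileNotFoundError:
        return f"{argv[0]}: not found"
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print(ping_argv("google.com", 5), sslinfo_argv("google.com:443", 10))
    print(cli_argv("show kvstore-status", "/opt/splunk"), cli_argv("restart", "/opt/splunk"))
```

Closing stdin matters for sslinfo in particular: openssl s_client waits on standard input after the handshake, so without DEVNULL the only thing ending the command would be the timeout.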
Version 1.2
| specinfo spec=<spec file name>
example:
| specinfo spec=server
specinfo is a custom search command that will display the contents of a spec file from $SPLUNK_HOME/etc/system/README
specinfo is a generating command and must be the first command in the pipeline
specinfo returns a field: contents that is a complete listing of the .spec file requested
Note: a bad spec file name will return: .spec file not found
Minor change to README
Version 1.2 has been tested for compatibility with python 3.9 and Splunk version 9.3.
The splunklib library has been updated to version 2.0.1
The btoolinfo command option has been changed to conf= to be consistent with the documentation (it was confname=).
A new command has been added: appinfo that will display filename, size and modtimes of files in etc/apps
An alias has been added to the lookupinfo command: lookupinfo2, to allow its execution when another lookupinfo python command is installed
Note about Splunk Cloud: the btoolinfo and cliinfo commands are blocked from execution by the app jail function
The remaining commands have been added; the original release was very old.
New app release