topic Re: Monitor doesn't work with env variable in inputs.conf in Monitoring Splunk

Monitor doesn't work with env variable in inputs.conf

Nicholas_Key — Sun, 16 May 2010 12:09:50 GMT

I observed that none of the log files are not indexed into Splunk when I used the environment variable, in my case it's the Windows OS "$PROGRAMFILES" env variable. An example is as below:

[monitor://$PROGRAMFILES\logs\st*Server.log]

and there are two files in logs folder "startServer.log" and "stopServer.log".

However I noticed a different behavior when I used

[monitor://C:\Program Files\logs\st*Server.log]

Both "startServer.log" and "stopServer.log" are indexed into Splunk.

Is this a known limitation to only use the absolute path in the inputs.conf to monitor log files?

Re: Monitor doesn't work with env variable in inputs.conf

gkanapathy — Sun, 16 May 2010 13:51:24 GMT

No. In fact, Splunk itself uses the $SPLUNK_HOME environment variable, and I have used Windows (and Unix) environment variables at other times in the monitor stanza headers. First, make sure that that variable is actually set. Also, I don't know if you need to specify it as $ProgramFiles, rather than $PROGRAMFILES. Finally, maybe there's a problem when you try to use environment variables with a wildcard (this seems likely) in which case you should probably specify the parent directory and the whitelist explicitly.

Re: Monitor doesn't work with env variable in inputs.conf

Nicholas_Key — Sun, 16 May 2010 22:09:52 GMT

i'll try adding "whitelist" in the monitor stanza and see how things go

Re: Monitor doesn't work with env variable in inputs.conf

Lowell — Mon, 17 May 2010 21:58:21 GMT

For whatever it's worth, I have inputs stanzas that uses an environment variables, an alternate groups, and wildcards without any issues. Here are two examples that are working fine on a 4.0.11 install: [monitor://$SPNK_WMHOME\MWS\server\default\logs\20*_*\(_full_|install).log] and [monitor://$SPNK_WMHOME\IntegrationServer\logs\(server|stats|error|security)*.log*]

Re: Monitor doesn't work with env variable in inputs.conf

Lowell — Wed, 30 Jun 2010 04:02:40 GMT

Just again, FYI. When I upgraded these forwarders to 4.1.3, I had problems with BOTH of my previously provided examples. I'm now using the whitelist approach instead. (So it appears that there is some difference between how this worked in 4.0 and 4.1)

Re: Monitor doesn't work with env variable in inputs.conf

hazekamp — Tue, 12 Apr 2011 01:57:40 GMT

There is an example of this being used in the windows app. Looking at Win 2k8 environment variables I see a system variable of "windir". This leads me to believe it must be a system variable (or perhaps a user variable matching the user running the splunkd service), and is case insensitive.

[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
disabled = 1