If you need a solution for a fleet of hosts, where one file might appear in a number of different known locations across different endpoints, due to inconsistent builds or what have you.. Splunk honors Windows environment variables, but does so with "linuxy" syntax. So I have the build orchestration set a system-wide envvar %APPLOGS% to either "C:\path" or "D:\path" on the host, and then do a [monitor://$APPLOGS\file.log] stanza in my inputs.conf. The key is the two different dialects of environment variable.

Actually we can not get this env variable created on thousands of desktops. Need a generic solution which can only be implemented using splunk config.