How to call $SPLUNK_HOME or %SPLUNK_HOME% from a .bat file for Windows Scripted input?

bandit
Motivator

I have a working scripted input using the first method below, however I'm wanting to get rid of the hard coding of SPLUNK_HOME and make it dynamic as sometimes Splunk is installed in different locations. I tried 3 different dynamic variations which all fail with the following message in the splunkd.log

ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\TA-btool-Win\bin\TA-btool.bat"" The filename, directory name, or volume label syntax is incorrect.

.bat file below

#TA-btool.bat
# working, however, using a hard coded path
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" btool --debug outputs list

# fails
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug outputs list

# fails
"$SPLUNK_HOME\bin\splunk.exe" btool --debug outputs list

# fails
"..\..\..\..\bin\splunk.exe" btool --debug outputs list

inputs.conf file below

[script://.\bin\TA-btool.bat]
disabled = 0
# set index below which will receive events - defaults to main
#index = splunk_admin_p
# every 60 seconds
#interval = 60.0
# every 5 minutes
#interval = 300.0
# every hour
#interval = 3600
# once a day - default
interval = 86400.0
# 15 minutes
#interval = 900
sourcetype = ta_btool

You can alternatively grab my Windows TA/scripted input here: http://downloads.jordan2000.com/splunk/TA-btool-Win.tgz
and a Linux version which could be used for comparison: http://downloads.jordan2000.com/splunk/TA-btool-Linux.tgz
btw, the Linux .sh version works just fine using $SPLUNK_HOME - I just couldn't solve how to do the equivalent on Windows using a .bat.

I will award Karma points to a working solution for the .bat file

Thanks,

Rob

0 Karma

moregorenine
New Member

To load Windows system variables, use %SPLUNK_HOME%.

But it does not recognize the blank.
e.g. C:\Program Files\Splunk

So we need to change it to
e.g. C:\\"Program Files\"\Splunk

or

you use Windows system variables
e.g. set SPLUNK_HOME="C:\Program Files\Splunk"
(double quotes are needed)

0 Karma

bandit
Motivator

I must have had a typo somewhere or possibly had bad statements mixed with good. Ultimately, I got it to work with the following format in my .bat file.

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug inputs list
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug outputs list
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug props list
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug limits list
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug server list
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug web list
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug deploymentclient list

0 Karma

koshyk
Super Champion

Hi Rob,
In your script, if you change to

REM This will get the splunk.exe path dynamically within a bat file.
for /f "delims=" %%a in ('where /r c:\ splunk.exe') do @set "SPLUNK_EXE=%%a"

"%SPLUNK_EXE%" btool inputs list --debug
"%SPLUNK_EXE%" btool outputs list --debug
..

and so on for Windows

Another improvement you could make is to provide (inputs, outputs, limits, props) as a list and call them in a for loop within the .bat file,
something like below:

FOR %%C IN (inputs, outputs, limits, props) DO (
 "%SPLUNK_EXE%" btool %%C list --debug
)

0 Karma

bandit
Motivator

Thanks for the ideas, @koshyk. The where command seems fairly intense on my Windows workstation CPU to recursively look for splunk.exe so I don't think I could push out to the Universal Forwarders on Windows servers.

0 Karma

DavidHourani
Super Champion

Hi @rob_jordan,

Make sure you've defined %SPLUNK_HOME% as a variable on your Windows system or you won't be able to use it from a .bat script, since it's actually a Splunk-defined variable:
https://stackoverflow.com/questions/5898131/set-a-persistent-environment-variable-from-cmd-exe

If you want to use a relative path as follows ..\..\..\..\bin\splunk.exe, my advice is to output an ls from the script and see if you are hitting the right folder.

Cheers,
David

0 Karma

bandit
Motivator

Thanks for your suggestions, @DavidHourani. Should %SPLUNK_HOME% already be set by the parent process, since this is a process being spawned as a scripted input by either Splunk or the Splunk Universal Forwarder?

0 Karma

DavidHourani
Super Champion

Hi @rob_jordan, no, it won't be inherited for scripted inputs 😞 Did you get any info about the path using echo on the different commands you were using?

0 Karma

bandit
Motivator

BTW, on Linux it does seem to have $SPLUNK_HOME available to it. It may very well be different on Windows. I was able to add the following statement to my .bat file.

echo %SPLUNK_HOME%

and it did return back a valid value.

The following showed up in the event indexed by Splunk.
C:\WINDOWS\system32>echo C:\Program Files\Splunk
C:\Program Files\Splunk

This leads me to think that I have a minor issue with surrounding the command or portions of the command with double or single quotes, etc. so it's properly interpreted at run time.

Thanks,

Rob

0 Karma
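
The approaches discussed in this thread, combined into one TA-btool.bat as an added example (not code from any of the posters): it takes splunk.exe only from %SPLUNK_HOME% or from the script's own location, never from a disk-wide search, so the scripted input cannot end up running an unrelated splunk.exe found elsewhere on the drive. The fallback assumes the script sits in <SPLUNK_HOME>\etc\apps\<app>\bin\, as in the path shown in the splunkd.log error above.

```bat
@echo off
REM Added example, not part of the original thread.
setlocal EnableExtensions

REM Use the SPLUNK_HOME that the parent splunkd process passes to the script.
REM Fallback (assumption): this file lives in <SPLUNK_HOME>\etc\apps\<app>\bin\,
REM so four levels up from the script directory (%~dp0) is SPLUNK_HOME.
if not defined SPLUNK_HOME (
    for %%I in ("%~dp0..\..\..\..") do set "SPLUNK_HOME=%%~fI"
)

REM Build the full path once; the quotes inside SET keep "Program Files" intact
REM without storing quote characters in the variable itself.
set "SPLUNK_EXE=%SPLUNK_HOME%\bin\splunk.exe"

REM Fail loudly if the binary is missing; stderr from a scripted input is
REM reported by ExecProcessor in splunkd.log.
if not exist "%SPLUNK_EXE%" (
    echo ERROR splunk.exe not found at "%SPLUNK_EXE%" 1>&2
    exit /b 1
)

REM FOR variables in a .bat file are a single letter written as %%C.
for %%C in (inputs outputs props limits server web deploymentclient) do (
    "%SPLUNK_EXE%" btool --debug %%C list
)

endlocal
```

Quoting the whole executable path at the call site is what lets a path containing spaces, such as C:\Program Files\Splunk, reach cmd.exe as one token.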