Getting Data In

How to call $SPLUNK_HOME or %SPLUNK_HOME% from a .bat file for Windows Scripted input?

bandit
Motivator

I have a working scripted input using the first method below, however I'm wanting to get rid of the hard coding of SPLUNK_HOME and make it dynamic as sometimes Splunk is installed in different locations. I tried 3 different dynamic variations which all fail with the following message in the splunkd.log

ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\TA-btool-Win\bin\TA-btool.bat"" The filename, directory name, or volume label syntax is incorrect.

.bat file below

REM TA-btool.bat
REM working, however, using a hard coded path
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" btool --debug outputs list

REM fails
"%SPLUNK_HOME%\bin\splunk.exe" btool --debug outputs list

REM fails
"$SPLUNK_HOME\bin\splunk.exe" btool --debug outputs list

REM fails
"..\..\..\..\bin\splunk.exe" btool --debug outputs list

inputs.conf file below

[script://.\bin\TA-btool.bat]
disabled = 0
# set index below which will receive events - defaults to main
#index = splunk_admin_p
# every 60 seconds
#interval = 60.0
# every 5 minutes
#interval = 300.0
# every hour
#interval = 3600
# once a day - default
interval = 86400.0
# 15 minutes
#interval = 900
sourcetype = ta_btool

You can alternatively grab my Windows TA/scripted input here: http://downloads.jordan2000.com/splunk/TA-btool-Win.tgz
and a Linux version which could be used for comparison: http://downloads.jordan2000.com/splunk/TA-btool-Linux.tgz
btw, the Linux .sh version works just fine using $SPLUNK_HOME - I just couldn't solve how to do the equivalent on Windows using a .bat.

I will award Karma points to a working solution for the .bat file

Thanks,

Rob

0 Karma

moregorenine
New Member

To load Windows system variables, use %SPLUNK_HOME%.

But it does not recognize the blank.
ex) C:\Program Files\Splunk

So we need to change it:
ex) C:\\"Program Files\"\Splunk

or

You use Windows system variables
ex) set SPLUNK_HOME="C:\Program Files\Splunk"
Double quotes are needed.

0 Karma

bandit
Motivator

I must have had a typo somewhere or possibly had bad statements mixed with good. Ultimately, I got it to work with the following format in my .bat file.

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug inputs list

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug outputs list

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug props list

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug limits list

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug server list

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug web list

"%SPLUNK_HOME%\bin\splunk.exe" btool --debug deploymentclient list
0 Karma

koshyk
Super Champion

hi rob,
In your script, if you change to

REM This will get the splunk.exe path dynamically within a bat file.
for /f "delims=" %%a in ('where /r c:\ splunk.exe') do @set "SPLUNK_EXE=%%a"

REM Quote the path: it contains a space under C:\Program Files
"%SPLUNK_EXE%" btool inputs list --debug
"%SPLUNK_EXE%" btool outputs list --debug
..

and so on for Windows

Also another improvement you could do is to provide (inputs, outputs, limits, props) as a list and call in a for loop within .bat file
something like below

REM FOR loop variables in a .bat file must be a single letter (%%C)
FOR %%C IN (inputs, outputs, limits, props) DO (
 "%SPLUNK_EXE%" btool %%C list --debug
)
0 Karma

bandit
Motivator

Thanks for the ideas, @koshyk. The where command seems fairly intense on my Windows workstation CPU to recursively look for splunk.exe so I don't think I could push out to the Universal Forwarders on Windows servers.

0 Karma

DavidHourani
Super Champion

Hi @rob_jordan,

Make sure you've defined %SPLUNK_HOME% as a variable on your Windows system or you won't be able to use it from a .bat script, since it's actually a Splunk-defined variable:
https://stackoverflow.com/questions/5898131/set-a-persistent-environment-variable-from-cmd-exe

If you want to use a relative path as follows, ..\..\..\..\bin\splunk.exe, my advice is to output an ls from the script and see if you are hitting the right folder.

Cheers,
David

0 Karma

bandit
Motivator

Thanks for your suggestions, @DavidHourani. Should %SPLUNK_HOME% already be set by the parent process, since this is a process being spawned as a scripted input by either Splunk or the Splunk Universal Forwarder?

0 Karma

DavidHourani
Super Champion

Hi @rob_jordan, no, it won't be inherited for scripted inputs 😞 Did you get any info about the path using echo on the different commands you were using?

0 Karma

bandit
Motivator

BTW, on Linux it does seem to have $SPLUNK_HOME available to it. It may very well be different on Windows. I was able to add the following statement to my .bat file.

echo %SPLUNK_HOME%

and it did return back a valid value.

The following showed up in the event indexed by Splunk.
C:\WINDOWS\system32>echo C:\Program Files\Splunk
C:\Program Files\Splunk

This leads me to think that I have a minor issue with surrounding the command or portions of the command with double or single quotes, etc. so it's properly interpreted at run time.

Thanks,

Rob

0 Karma
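
The points raised in this thread combined into one script, as an added example that is not part of any post above: it uses %SPLUNK_HOME% when the script receives it, strips any double quotes stored in the value, and otherwise derives the install root from the script's own location (%~dp0) instead of the working directory, which the echoed prompt above shows to be C:\WINDOWS\system32. The four-level climb assumes the <SPLUNK_HOME>\etc\apps\<app>\bin layout seen in the error message; the label have_home is a name chosen here.

```bat
@echo off
REM Added example, not from the thread. Assumes this file lives in
REM <SPLUNK_HOME>\etc\apps\<app>\bin, as TA-btool.bat does.
setlocal EnableExtensions

REM Prefer the SPLUNK_HOME handed to the script, if there is one.
if defined SPLUNK_HOME goto :have_home

REM Fallback: resolve four levels up from this script's folder.
REM %~dp0 is the script's own directory, so this does not depend on
REM the working directory the script was started in.
for %%I in ("%~dp0..\..\..\..") do set "SPLUNK_HOME=%%~fI"

:have_home
REM Drop double quotes stored inside the value, e.g. after
REM   set SPLUNK_HOME="C:\Program Files\Splunk"
set "SPLUNK_HOME=%SPLUNK_HOME:"=%"
set "SPLUNK_EXE=%SPLUNK_HOME%\bin\splunk.exe"

REM Fail with a clear message instead of a cmd.exe syntax error.
if not exist "%SPLUNK_EXE%" (
    echo TA-btool: splunk.exe not found at "%SPLUNK_EXE%" 1>&2
    exit /b 1
)

REM Single-letter loop variable; the quoted path survives the space
REM in "Program Files".
for %%C in (inputs outputs props limits server web deploymentclient) do (
    "%SPLUNK_EXE%" btool --debug %%C list
)

endlocal
```

Because the executable is taken from a fixed location rather than a drive-wide where /r search, the script only ever runs the splunk.exe of the install it belongs to, and it avoids the CPU cost noted above.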