Getting Data In

How to configure universal forwarder or use environment variables to monitor folder in different Windows OS versions?

steveo69
Explorer

Using the Universal Forwarder I need to monitor a folder, so I am editing the inputs.conf file.

However, in Windows XP / Windows 2003 the folder is located in:

C:\Documents and Settings\All Users

In Windows 7 and later it is located in C:\ProgramData

I have tried to use the Windows environment variable %AllUsersProfile% but in the splunkd log file I get an error:

TailingProcessor - Parsing configuration stanza: monitor://%allusersprofile%\Application Data\myfolder.
TailingProcessor - Input stanza path, '%allusersprofile%\Application Data\myfolder\' is not absolute. This is a configuration error and may not work / break things. Change this path to an absolute path.

So how can I use an environment variable or change the config so that it works on both older and newer Windows OS?

Thanks

1 Solution

strive
Influencer

Good to know that it worked. Don't forget to cast your vote 🙂

0 Karma

steveo69
Explorer

Thanks for the link strive - that's exactly what I needed.

One thing which fooled me - not being a programmer of any type or background - was that the environment variable I wanted to use I understood to be %variable%. However, in the conf file it seems you need to use the format $variable.

0 Karma

steveo69
Explorer

The forum has removed all the backslashes from my post....

0 Karma