Getting Data In

How to monitor a file path with a Splunk UF containing a windows environment variable?

Glasses2
Communicator

Hi,

I am trying to monitor many exchange servers that are not configured the same.

I was giving the paths to monitor containing an environment variable, such as 

%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog\*

Assuming splunkd runs under a user that can read the windows variable.

 

Is it possible to monitor like this?

 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]

 

 Or

 

[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]

 

 

Being able to do this will prevent having to create multiple stanzas with different drives, like 

 

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

[monitor://D:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

[monitor://E:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

 

 

If there are any other suggests (other than the obvious, like standardizing installs) please advise.

Thank you

Labels (2)
0 Karma
1 Solution

Glasses2
Communicator

I could not find any splunk documentation on this for syntax clarity.

However from my testing I found these results:

 

#This standard way works and you could create multiple stanzas for other drives

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]


#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog] 

#These work !!! (all caps or not)  when you add the \ 

[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog] 
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog] 

*** note

this does insert an extra "\" in the source path like >>>

...\Exchange Server\V15\\TransportRoles\Logs...

 

#This does not work even with or without \

[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog] 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog] 

 

 

I hope this helps and if anyone has more to add, please do

TY!

View solution in original post

0 Karma

Glasses2
Communicator

Apparently this works (for some hosts) so cannot say for sure the others have logs for this input path or the splunkd user is different.

[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]

 

 

 

 

 

0 Karma

Glasses2
Communicator

I could not find any splunk documentation on this for syntax clarity.

However from my testing I found these results:

 

#This standard way works and you could create multiple stanzas for other drives

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]


#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog] 

#These work !!! (all caps or not)  when you add the \ 

[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog] 
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog] 

*** note

this does insert an extra "\" in the source path like >>>

...\Exchange Server\V15\\TransportRoles\Logs...

 

#This does not work even with or without \

[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog] 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog] 

 

 

I hope this helps and if anyone has more to add, please do

TY!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...