Hi,
I am trying to monitor many exchange servers that are not configured the same.
I was giving the paths to monitor containing an environment variable, such as
%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog\*
Assuming splunkd runs under a user that can read the windows variable.
Is it possible to monitor like this?
[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]
Or
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
Being able to do this will prevent having to create multiple stanzas with different drives, like
[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
[monitor://D:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
[monitor://E:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
If there are any other suggests (other than the obvious, like standardizing installs) please advise.
Thank you
I could not find any splunk documentation on this for syntax clarity.
However from my testing I found these results:
#This standard way works and you could create multiple stanzas for other drives
[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog]
#These work !!! (all caps or not) when you add the \
[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
*** note
this does insert an extra "\" in the source path like >>>
...\Exchange Server\V15\\TransportRoles\Logs...
#This does not work even with or without \
[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]
I hope this helps and if anyone has more to add, please do
TY!
Apparently this works (for some hosts) so cannot say for sure the others have logs for this input path or the splunkd user is different.
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
I could not find any splunk documentation on this for syntax clarity.
However from my testing I found these results:
#This standard way works and you could create multiple stanzas for other drives
[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog]
#These work !!! (all caps or not) when you add the \
[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
*** note
this does insert an extra "\" in the source path like >>>
...\Exchange Server\V15\\TransportRoles\Logs...
#This does not work even with or without \
[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]
I hope this helps and if anyone has more to add, please do
TY!