Getting Data In

How to monitor a file path with a Splunk UF containing a Windows environment variable?

Glasses2
Communicator

Hi,

I am trying to monitor many exchange servers that are not configured the same.

I was giving the paths to monitor containing an environment variable, such as 

%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog\*

Assuming splunkd runs under a user that can read the Windows variable.

 

Is it possible to monitor like this?

 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]

 

 Or

 

[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]

 

 

Being able to do this will prevent having to create multiple stanzas with different drives, like 

 

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

[monitor://D:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

[monitor://E:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

 

 

If there are any other suggestions (other than the obvious, like standardizing installs), please advise.

Thank you

0 Karma
1 Solution

Glasses2
Communicator

I could not find any Splunk documentation on this for syntax clarity.

However from my testing I found these results:

 

#This standard way works and you could create multiple stanzas for other drives

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]


#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog] 

#These work !!! (all caps or not)  when you add the \ 

[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog] 
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog] 

*** note

this does insert an extra "\" in the source path like >>>

...\Exchange Server\V15\\TransportRoles\Logs...

 

#This does not work even with or without \

[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog] 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog] 

 

 

I hope this helps and if anyone has more to add, please do

TY!


0 Karma
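An added example, not part of the original post and not Splunk code: a small Python check that applies the test results reported in the answer above to monitor stanza headers, so a deployment app can be reviewed before it ships to the forwarders. The names `check_stanza` and `SAMPLE_ENV` and the sample variable value are assumptions constructed for illustration; the rules encode the poster's observations, not documented Splunk behaviour.

```python
import re

# Rules below encode the test results reported in the post above,
# not documented Splunk behaviour:
#   $VAR\rest  -> expanded, variable name matched case-insensitively
#   $VARrest   -> not expanded, no "\" marks the end of the variable name
#   %VAR%...   -> not expanded
STANZA = re.compile(r"^\[monitor://(?P<path>.+?)\]\s*$")
DOLLAR = re.compile(r"^\$(?P<name>[^\\]+)(?P<rest>\\.*)?$")
PERCENT = re.compile(r"%[^%\\]+%")

def check_stanza(line, env):
    """Return (status, resolved_path, note) for one inputs.conf stanza header."""
    m = STANZA.match(line)
    if not m:
        return ("skip", None, "not a monitor stanza")
    path = m.group("path")
    if PERCENT.search(path):
        return ("fail", None, "%VAR% form did not work in the reported tests")
    d = DOLLAR.match(path)
    if not d:
        return ("ok", path, "literal path, no variable")
    name, rest = d.group("name"), d.group("rest") or ""
    lookup = {k.upper(): v for k, v in env.items()}
    value = lookup.get(name.upper())
    if value is None:
        return ("fail", None, "no variable %r visible to splunkd; "
                "check for a missing '\\' after the name" % name)
    note = "expanded"
    if value.endswith("\\") and rest:
        note = "expanded; value ends in '\\', so the source shows a doubled '\\'"
    return ("ok", value + rest, note)

# Constructed sample environment (the real value differs per host).
SAMPLE_ENV = {"ExchangeInstallPath":
              "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\"}

if __name__ == "__main__":
    for stanza in [
        r"[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog]",
        r"[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog]",
        r"[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog]",
    ]:
        print(stanza, "->", check_stanza(stanza, SAMPLE_ENV))
```

Pass the environment of the account splunkd actually runs under as `env`; a variable that is set for an interactive admin session may not be visible to the service.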

Glasses2
Communicator

Apparently this works (for some hosts), so I cannot say for sure whether the others have logs for this input path or the splunkd user is different.

[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]


0 Karma
