- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How to monitor a file path with a Splunk UF contai...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to monitor many exchange servers that are not configured the same.
I was giving the paths to monitor containing an environment variable, such as
%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog\*
Assuming splunkd runs under a user that can read the windows variable.
Is it possible to monitor like this?
[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]
Or
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
Being able to do this will prevent having to create multiple stanzas with different drives, like
[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
[monitor://D:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
[monitor://E:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
If there are any other suggests (other than the obvious, like standardizing installs) please advise.
Thank you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could not find any splunk documentation on this for syntax clarity.
However from my testing I found these results:
#This standard way works and you could create multiple stanzas for other drives
[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog]
#These work !!! (all caps or not) when you add the \
[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
*** note
this does insert an extra "\" in the source path like >>>
...\Exchange Server\V15\\TransportRoles\Logs...
#This does not work even with or without \
[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]
I hope this helps and if anyone has more to add, please do
TY!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Apparently this works (for some hosts) so cannot say for sure the others have logs for this input path or the splunkd user is different.
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I could not find any splunk documentation on this for syntax clarity.
However from my testing I found these results:
#This standard way works and you could create multiple stanzas for other drives
[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]
#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog]
#These work !!! (all caps or not) when you add the \
[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]
*** note
this does insert an extra "\" in the source path like >>>
...\Exchange Server\V15\\TransportRoles\Logs...
#This does not work even with or without \
[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog]
[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]
I hope this helps and if anyone has more to add, please do
TY!
Modern way of developing distributed application using OTel
Enterprise Security Content Update (ESCU) | New Releases
Archived Metrics Now Available for APAC and EMEA realms
