Getting Data In

How to monitor a file path with a Splunk UF containing a windows environment variable?

Glasses2
Communicator

Hi,

I am trying to monitor many exchange servers that are not configured the same.

I was giving the paths to monitor containing an environment variable, such as 

%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog\*

Assuming splunkd runs under a user that can read the windows variable.

 

Is it possible to monitor like this?

 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog]

 

 Or

 

[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]

 

 

Being able to do this will prevent having to create multiple stanzas with different drives, like 

 

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

[monitor://D:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

[monitor://E:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]

 

 

If there are any other suggests (other than the obvious, like standardizing installs) please advise.

Thank you

Labels (2)
0 Karma
1 Solution

Glasses2
Communicator

I could not find any splunk documentation on this for syntax clarity.

However from my testing I found these results:

 

#This standard way works and you could create multiple stanzas for other drives

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]


#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog] 

#These work !!! (all caps or not)  when you add the \ 

[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog] 
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog] 

*** note

this does insert an extra "\" in the source path like >>>

...\Exchange Server\V15\\TransportRoles\Logs...

 

#This does not work even with or without \

[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog] 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog] 

 

 

I hope this helps and if anyone has more to add, please do

TY!

View solution in original post

0 Karma

Glasses2
Communicator

Apparently this works (for some hosts) so cannot say for sure the others have logs for this input path or the splunkd user is different.

[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog]

 

 

 

 

 

0 Karma

Glasses2
Communicator

I could not find any splunk documentation on this for syntax clarity.

However from my testing I found these results:

 

#This standard way works and you could create multiple stanzas for other drives

[monitor://C:\Program Files\Microsoft\Exchange Server\...\TransportRoles\Logs\FrontEnd\AgentLog\*]


#This doesn't work without the \ after the environment variable
[monitor://$ExchangeInstallPathTransportRolesLogs\FrontEnd\AgentLog] 

#These work !!! (all caps or not)  when you add the \ 

[monitor://$EXCHANGEINSTALLPATH\TransportRoles\Logs\FrontEnd\AgentLog] 
[monitor://$ExchangeInstallPath\TransportRoles\Logs\FrontEnd\AgentLog] 

*** note

this does insert an extra "\" in the source path like >>>

...\Exchange Server\V15\\TransportRoles\Logs...

 

#This does not work even with or without \

[monitor://%ExchangeInstallPath%\TransportRoles\Logs\FrontEnd\AgentLog] 

[monitor://%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\AgentLog] 

 

 

I hope this helps and if anyone has more to add, please do

TY!

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...