I am trying to get data into Splunk to show the members of the local / builtin windows groups. In particular "Administrators" and "Remote Desktop Users"

Utilizing the Splunk Forwarder. I am using a WMI (WQL) query to do this via wmi.conf (C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\wmi.conf)

This stanza currently works:

(FYI: Fakenameofserver = hostname)

disabled = 0
## Run once per day ## edited
interval = 86400
wql = ASSOCIATORS OF {win32_group.Domain="Fakenameofserver",Name="Administrators"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent
index = window

I don't want to have to prefill the wql queries in the wmi.conf file with the server name on each server. How do i use an environmental or Splunk variable to replace "Fakenameofserver" with the name of the host the Splunk forwarder is running on. I have tried a number of combinations of $host, %host%, %servername%, %computername% etc etc.

Everytime i restart the forwarder to force the query to run i don't get any data into splunk and the log file says:

Error occurred while trying to retrieve results from a WMI query (error="Object cannot be found." HRESULT=80041002) (root\cimv2: ASSOCIATORS OF {win32_group.Domain="%VARIABLENAME%",Name="Remote Desktop Users"} where assocClass=win32_groupuser Role=GroupCompOnent ResultRole=Partcomponent)

Has anyone had success with this and can you suggest how i can get the stanza to resolve the variable into the value when it queries?
Where should i define the variables (if required) and what syntax do i use when writing these in the wql query?

Thanks for any suggestions.