I observed that none of the log files are not indexed into Splunk when I used the environment variable, in my case it's the Windows OS "$PROGRAMFILES" env variable. An example is as below:
[monitor://$PROGRAMFILES\logs\st*Server.log]
and there are two files in logs folder "startServer.log" and "stopServer.log".
However I noticed a different behavior when I used
[monitor://C:\Program Files\logs\st*Server.log]
Both "startServer.log" and "stopServer.log" are indexed into Splunk.
Is this a known limitation to only use the absolute path in the inputs.conf to monitor log files?
There is an example of this being used in the windows app. Looking at Win 2k8 environment variables I see a system variable of "windir". This leads me to believe it must be a system variable (or perhaps a user variable matching the user running the splunkd service), and is case insensitive.
[monitor://$WINDIR\WindowsUpdate.log]
sourcetype = WindowsUpdateLog
disabled = 1
No. In fact, Splunk itself uses the $SPLUNK_HOME
environment variable, and I have used Windows (and Unix) environment variables at other times in the monitor stanza headers. First, make sure that that variable is actually set. Also, I don't know if you need to specify it as $ProgramFiles
, rather than $PROGRAMFILES
. Finally, maybe there's a problem when you try to use environment variables with a wildcard (this seems likely) in which case you should probably specify the parent directory and the whitelist explicitly.
Just again, FYI. When I upgraded these forwarders to 4.1.3, I had problems with BOTH of my previously provided examples. I'm now using the whitelist
approach instead. (So it appears that there is some difference between how this worked in 4.0 and 4.1)
For whatever it's worth, I have inputs stanzas that uses an environment variables, an alternate groups, and wildcards without any issues. Here are two examples that are working fine on a 4.0.11 install: [monitor://$SPNK_WMHOME\MWS\server\default\logs\20*_*\(_full_|install).log]
and [monitor://$SPNK_WMHOME\IntegrationServer\logs\(server|stats|error|security)*.log*]
i'll try adding "whitelist" in the monitor stanza and see how things go