Hello fellow Splunkers,

We've been tracking down and resolving our Splunkd errors and warnings. This one has us perplexed:

WARN ExecProcessor - message from ""C:\program files\SplunkUniversalForwarder\bin\splunk-regmon.exe"" BundlesUtil - C:\program files\SplunkUniversalForwarder\etc\system\metadata\local.meta already exists but with different casing: C:\Program Files\SplunkUniversalForwarder\etc\system\metadata\local.meta

The difference is "program files" vs. "Program Files". I know it's just a warning and has no impact, but I'd still like to resolve it as it happens every minute on all of our forwarders filling up the splunkd logs. I also do not want to change the logging as ExecProcessor contains many useful warnings. The closest answer I've found online is here*, although that one has to do with the case of the app name instead of the $SplunkHome full path.

The only thing I can think of that may have caused this is that we upgrade our forwarders automatically. We are a 100% Windows environment. We achieve this with a scripted input that sends the value of %SPLUNK_HOME% to PowerShell via a command/batch file that uses msiexec to upgrade the forwarders. The value of %SPLUNK_HOME% is sent by Splunk to all scripted inputs (it is not an environment variable). I'm guessing that SPLUNK_HOME is lower()ed by Splunk which is causing some mismatch that Splunk later checks for some reason. However, I have no idea how to resolve the issue.

* https://answers.splunk.com/answers/137700/when-trying-to-schedule-a-pdf-email-delivery-i-receive-the...