I am encountering similar behaviour to http://splunk-base.splunk.com/answers/69273/splunk-for-exchange-not-showing-data . Our setup is Exchange 2007 running on Windows 2003, but the issue I'm seeing is that no events are going to the client behavior dashboard. I checked the events and there are events showing for Windows:2003:IIS and client-iis-logs, but none for the rest of the eventtypes that the search in the client behavior dashboard requires.
I checked props.conf and transforms.conf and, in my understanding, from Windows:2003:IIS it has to extract and create eventtypes for client-owa-usage, client-activesync-usage and so on, but for some reason they are not being populated.
I can see events such as "2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll&prfltncy=0&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 protodom\wolverine 1.2.120.53 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) exchangeth 200 0 0"
So I am assuming that data is being forwarded. I tried to change some extractions from transforms.conf from the indexer server, and changed
[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = (?i)^[^/]*/(?P<WebApplication>[^/]+)
to make the field "WebApplication" appear, but maybe I am barking up the wrong tree.
Thanks,
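An offline check of the extraction chain described in the post, as an added example that is not part of the original post or of the Splunk app. It assumes the IIS `#Fields` order shown in the code, uses a shortened copy of the quoted event, uses hypothetical helper names, and uses Python's `re` in place of Splunk's regex engine. It shows that the `extract_webapp` regex only yields `WebApplication` when `cs_uri_stem` was itself extracted first, because `SOURCE_KEY` points at that field.

```python
import re

# Assumed #Fields order for the sourcetype (not given in the post); if the real
# log header differs, cs_uri_stem maps to the wrong column or is missing.
FIELDS = ("date time s_sitename s_computername s_ip cs_method cs_uri_stem "
          "cs_uri_query s_port cs_username c_ip cs_User_Agent cs_host "
          "sc_status sc_substatus sc_win32_status").split()

# Constructed sample: the event quoted in the post with query string and
# user agent shortened.
SAMPLE = ("2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa "
          "oeh=1&ns=Notify&ev=Poll 443 protodom\\wolverine 1.2.120.53 "
          "Mozilla/4.0+(compatible;+MSIE+7.0) exchangeth 200 0 0")

# Regex from the [extract_webapp] stanza, applied to cs_uri_stem (SOURCE_KEY).
WEBAPP_RE = re.compile(r"(?i)^[^/]*/(?P<WebApplication>[^/]+)")


def parse_w3c(line, fields=FIELDS):
    """Split a space-delimited W3C line; return {} if the column count differs."""
    values = line.split(" ")
    if len(values) != len(fields):
        return {}
    return dict(zip(fields, values))


def extract_webapp(event):
    """Mimic the transform: no cs_uri_stem field means no WebApplication field."""
    stem = event.get("cs_uri_stem")
    if stem is None:
        return None
    match = WEBAPP_RE.match(stem)
    return match.group("WebApplication") if match else None


if __name__ == "__main__":
    event = parse_w3c(SAMPLE)
    print("cs_uri_stem    =", event.get("cs_uri_stem"))
    print("WebApplication =", extract_webapp(event))
    # Same event parsed with a header one column short: nothing is extracted.
    print("short header   =", extract_webapp(parse_w3c(SAMPLE, FIELDS[:-1])))
```

If the first two values print but the dashboard stays empty, the next thing to compare is what the eventtype searches match on against the fields actually present on the events.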