Exchange App for Splunk

nmace
Path Finder

I've been using the Universal Forwarder for Windows on my Exchange 2010 box for a while now, and it works pretty well. Since then I've found the Exchange App for Splunk. I don't have (or need) a deployment server, but I've been unable to get the Exchange App to work. Even after manually installing the Exchange App forwarders in the C:\Program Files\Splunk\etc\apps folder (on the Exchange server) and creating the "local" sub folder for each of the apps with the inputs.conf in it, no events ever make it to the Exchange App. I manually put the correct fwd_* folders in my apps folder for my version of Exchange. I copied the inputs.conf file from the defaults to the local folder, and I've restarted the Splunk Forwarder service.

Events from Exchange that the Forwarder was getting before still work (Windows Event Logs and IIS Logs), however the Exchange App on the Splunk server isn't seeing any data. I'm running the current version of Splunk.

It seems there is some step I've missed to make the Exchange forwarders work, but I can't figure out what it is. Any ideas?

ahall_splunk
Splunk Employee

There are several things that could be happening here. The events could be in a different index, you may not have Message Tracking turned on, etc.

I'd first of all see if the events are making it into any index. If they are, then look at the eventtypes.conf to determine if the base search for those events is using the correct sourcetype and index. If it is, then check whether the sourcetype is set up to produce the fields the app is expecting.

Splunk App for Microsoft Exchange is supported, so you can also utilize your support contract and call the Splunk Support Line.

ahall_splunk
Splunk Employee

Only general commentary. Every single panel has an underlying search. If you get a "No Data" block, you can roll over that to open the search inspector for the underlying search. Make sure you have the events required and that their fields are being recognized. If you don't have the events or their fields are not being extracted, you won't get the results you want.


nmace
Path Finder

OK, that helped considerably! Message tracking now works. However within the Exchange App, the overview screen is still empty. Certain other queries are also empty, such as the Mailbox Store Overview. Any ideas about that?


ahall_splunk
Splunk Employee

fwd_apps.zip must be unpacked in your $SPLUNK_HOME/etc/apps folder.


nmace
Path Finder

Hmmm....so fwd_apps.zip needs to be extracted where exactly? In the splunk/etc/apps folder on my Splunk Server? Or in the splunk/etc/apps/Splunk_for_Exchange folder? Or someplace else?


ahall_splunk
Splunk Employee

If you are receiving events, but the field extractions are not working, then you likely have not extracted the fwd_apps.zip into the etc/apps on the indexer/search heads. The fwd_apps.zip needs to be on all Splunk roles.


nmace
Path Finder

I've opened the eventtypes.conf file for the Exchange App on the Splunk Server and manually ran some of the searches.

Some work fine, like (sourcetype=MSExchange:* OR sourcetype=MSWindows:*:IIS)

However others return no results. sourcetype=MSExchange:*:MessageTracking source_id=SMTP returns no results. It seems that the problem is the "source_id=SMTP" part. How do I tell if the problem is the data isn't getting into Splunk or if the problem is with it not being detected with the correct source type?

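The last post asks how to tell "the data never reached Splunk" apart from "the data is there but the field is not being extracted". One offline check, added here as an example and not part of the thread or of the Splunk App for Microsoft Exchange, is to parse the message tracking log the forwarder is monitoring and count the values in its `source` column directly. The eventtype in the thread filters on `source_id=SMTP`; the raw Exchange column is named `source`, and since Splunk reserves `source` for the input's own metadata the app must map the column to some other name before that search can match (the exact mapping is an assumption, so the script works on the raw column). The log below is constructed and abbreviated, with the same shape as a real Exchange 2010 tracking log (`#` header lines, a `#Fields:` line naming the columns, CSV rows); pass a real file path on the command line to run it against your own data.

```python
"""Parse an Exchange message tracking log and report the 'source' values present.

Added example for the thread above; not code from the Splunk app or from
Microsoft. Run with a path argument to check a real log, or without one to
use the constructed sample below.
"""
import csv
import sys
from collections import Counter

# Constructed, abbreviated sample in the shape of an Exchange 2010 message
# tracking log. Not captured from a real server.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 14.0.0.0
#Log-type: Message Tracking Log
#Date: 2012-01-01T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality
2012-01-01T00:00:01.000Z,10.0.0.5,CLIENT01,10.0.0.1,EX01,08CE;250 2.0.0 OK,Default EX01,SMTP,RECEIVE,1,<1@example.com>,bob@example.com,,1234,1,,,Hello,alice@example.com,alice@example.com,,Originating
2012-01-01T00:00:02.000Z,,,10.0.0.1,EX01,,,STOREDRIVER,DELIVER,1,<1@example.com>,bob@example.com,,1234,1,,,Hello,alice@example.com,alice@example.com,,Originating
2012-01-01T00:00:03.000Z,10.0.0.1,EX01,10.0.0.2,EX02,,Intra-Organization SMTP Send Connector,SMTP,SEND,2,<2@example.com>,carol@example.com,250 2.6.0 Queued,5678,1,,,Report,alice@example.com,alice@example.com,,Originating
"""


def parse_tracking_log(text):
    """Return one dict per event, keyed by the column names from '#Fields:'.

    A '#Fields:' line may appear more than once if several log files were
    concatenated; each occurrence resets the column names for the rows after it.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if line.startswith("#"):
            continue  # other header lines: #Software, #Version, #Log-type, #Date
        if fields is None:
            raise ValueError("data row seen before any '#Fields:' header")
        values = next(csv.reader([line]))
        # Pad short rows so every column name has a value, as an extraction would.
        values += [""] * (len(fields) - len(values))
        rows.append(dict(zip(fields, values)))
    return rows


def source_counts(rows):
    """Distribution of the 'source' column (SMTP, STOREDRIVER, ROUTING, ...)."""
    return Counter(r.get("source", "") for r in rows)


def matching(rows, field, value):
    """Rows where field == value; the offline equivalent of a base search
    such as source_id=SMTP run against the raw column."""
    return [r for r in rows if r.get(field) == value]


def diagnose(rows, field="source", value="SMTP"):
    """Separate 'no data at all' from 'data present, so the search or the
    field extraction in Splunk is what is failing'."""
    if not rows:
        return "no events parsed: the forwarder has nothing to send from this file"
    hits = matching(rows, field, value)
    if not hits:
        return (f"{len(rows)} events but none with {field}={value}: "
                f"the log does not contain that value, so an empty search is expected")
    return (f"{len(hits)} of {len(rows)} events have {field}={value}: data is present; "
            f"if the Splunk search still returns nothing, check the index, "
            f"sourcetype and field extraction rather than the forwarder")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig strips a BOM if the file has one and is harmless otherwise.
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    events = parse_tracking_log(text)
    for src, n in sorted(source_counts(events).items()):
        print(f"{src or '(empty)'}: {n}")
    print(diagnose(events))
```

If the script finds `source=SMTP` rows in the file but the eventtype search in Splunk returns nothing, the forwarder is not the problem: the events are either landing in a different index or sourcetype than the base search names, or the column-to-field mapping from the fwd_apps.zip is missing on the indexer/search head, which is the situation described earlier in the thread.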