I've been using the Universal Forwarder for Windows on my Exchange 2010 box for a while now; it works pretty well. Since then I've found the Exchange App for Splunk. I don't have (or need) a deployment server, but I've been unable to get the Exchange App to work. Even after manually installing the Exchange App forwarders in the C:\Program Files\Splunk\etc\apps folder (on the Exchange server) and creating the "local" sub folder for each of the apps with the inputs.conf in it, no events ever make it to the Exchange App. I manually put the correct fwd_* folders in my apps folder for my version of Exchange. I copied the inputs.conf file from the defaults to the local folder, and I've restarted the Splunk Forwarder service.
Events from Exchange that the Forwarder was getting before still work (Windows Event Logs and IIS Logs), however the Exchange App on the Splunk server isn't seeing any data. I'm running the current version of Splunk.
It seems there is some step I've missed to make the Exchange forwarders work, but I can't figure out what it is. Any ideas?
There are several things that could be happening here. The events could be in a different index, you may not have Message Tracking turned on, etc.
I'd first of all see if the events are making it into any index. If they are, then look at the eventtypes.conf to determine if the base search for those events is using the correct source type and index. If it is, then is the sourcetype set up to produce the fields the app is expecting?
Splunk App for Microsoft Exchange is supported, so you can also utilize your support contract and call the Splunk Support Line.
Only general commentary. Every single panel has an underlying search. If you get a "No Data" block, you can roll over that to open the search inspector for the underlying search. Make sure you have the events required and that their fields are being recognized. If you don't have the events or their fields are not being extracted, you won't get the results you want.
OK, that helped considerably! Message tracking now works. However within the Exchange App, the overview screen is still empty. Certain other queries are also empty, such as the Mailbox Store Overview. Any ideas about that?
fwd_apps.zip must be unpacked in your $SPLUNK_HOME/etc/apps folder.
Hmmm....so fwd_apps.zip needs to be extracted where exactly? In the splunk/etc/apps folder on my Splunk Server? Or in the splunk/etc/apps/Splunk_for_Exchange folder? Or someplace else?
If you are receiving events, but the field extractions are not working, then you likely have not extracted the fwd_apps.zip into the etc/apps on the indexer/search heads. The fwd_apps.zip needs to be on all Splunk roles.
I've opened the Eventtypes.conf file for the Exchange App on the Splunk Server and manually ran some of the searches.
Some work fine, like (sourcetype=MSExchange:* OR sourcetype=MSWindows:*:IIS)
However others return no results. sourcetype=MSExchange:*:MessageTracking source_id=SMTP returns no results. It seems that the problem is the "source_id=SMTP" part. How do I tell if the problem is the data isn't getting into Splunk or if the problem is with it not being detected with the correct source type?
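One way to separate those two cases, as an added pair of Splunk searches that are not part of this thread: the first shows whether Message Tracking data is arriving under any sourcetype at all, the second whether source_id is actually extracted from events that do carry the expected sourcetype. Both search every index rather than assuming the app's default, and the second assumes (an assumption, not something stated above) that raw Message Tracking lines contain the literal string SMTP.

```spl
index=* earliest=-24h sourcetype="MSExchange:*"
| stats count BY index, sourcetype, source, host

index=* earliest=-24h sourcetype="MSExchange:*:MessageTracking"
| eval source_id_extracted=if(isnull(source_id), "no", "yes")
| eval raw_has_SMTP=if(like(_raw, "%SMTP%"), "yes", "no")
| stats count BY index, sourcetype, host, source_id_extracted, raw_has_SMTP
```

If the first search lists no MSExchange:*:MessageTracking rows, the data is not reaching Splunk (forwarder input side); if it does but the second search reports source_id_extracted=no alongside raw_has_SMTP=yes, the events are there and the search-time extraction from fwd_apps.zip is what is missing on the indexer/search head.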