Splunk Enterprise

Heavy Forwarder between Exchange servers and Indexers

ddeighton
Explorer

When we first installed the Exchange app, we configured the Universal Forwarders to send our logs directly to the Indexers and all was good. We made a change to the Universal Forwarders on the Exchange servers so that the logs now go through our Heavy Forwarder. At that point, our User Count dropped to 25 users (which is way below the actual number of users). After doing some investigation, we realized that "msexchange:2010:mailbox-usage" log lines were merged. This is what caused the problem with the User count (and possibly caused other issues).

How do we correct the line merging problem?

0 Karma

ddeighton
Explorer

By default, SHOULD_LINEMERGE is set to true in /opt/splunk/etc/system/default/props.conf. The Exchange app explicitly sets SHOULD_LINEMERGE to false in the fwd_* apps. Currently, the deployment doc for the Exchange app states that fwd_* components should be pushed out to the Universal Forwarders, Indexers and Search Heads. It does not mention Heavy Forwarders that will receive and send Exchange data.

To correct the problem, fwd_* components should also be pushed to the Heavy Forwarders. This can be accomplished with your deployment server or manually. The props.conf files in the fwd_* components will set SHOULD_LINEMERGE to false for all of the Exchange sourcetypes. Once this goes into effect on the Heavy Forwarders, the User counts will be correct again.
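As an added illustration (not taken from the original post or from the Splunk App for Exchange's own files), this is the shape of the props.conf override the fwd_* components carry and which the heavy forwarder also needs. A heavy forwarder runs the parsing pipeline, so the line-merge decision for these events is made on it; the indexers only receive already-parsed events and their own copy of the fwd_* settings cannot undo a merge that happened upstream. The sourcetype name is the one from the thread; the app directory name is a placeholder, and the explicit LINE_BREAKER line is the standard default shown for clarity rather than something the post mentions.

```ini
# Added example: props.conf stanza that stops event merging for the
# mailbox-usage sourcetype. Deploy it to the heavy forwarder in an app such as
#   $SPLUNK_HOME/etc/apps/<fwd_app_name>/local/props.conf
# where <fwd_app_name> is a placeholder for the real fwd_* app from the add-on.

# Effective behaviour on a heavy forwarder that has NO fwd_* app installed:
# only $SPLUNK_HOME/etc/system/default/props.conf applies, where
#   SHOULD_LINEMERGE = true
# so consecutive single-line usage records are glued into one event and
# per-user counts collapse.

# Corrected: per-sourcetype override that wins over the system default.
[msexchange:2010:mailbox-usage]
SHOULD_LINEMERGE = false
# Default line breaker, written out explicitly so each newline starts an event.
LINE_BREAKER = ([\r\n]+)
```

After deploying, confirm on the heavy forwarder itself with `splunk btool props list msexchange:2010:mailbox-usage --debug`; the leading column of the `--debug` output names the file each setting comes from, so you can see the fwd_* app's props.conf supplying SHOULD_LINEMERGE rather than system/default. Because the setting is applied at parse time, events already indexed while the merge was in effect stay merged; only newly forwarded data is fixed.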
