Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

newbie question: Exchange data input

itrcb4
New Member
‎05-03-2012 09:54 AM

So I installed universal forwarder on my Exchange 2010 server, during install specified the splunk server's FQDN.

On the web console - under "manager" - "forwarding and receiving" - receiving data - made sure there is an entry for prot 9997.

Downloaded Splunk app for Exchange and Sideview.

Problem - no data.

What should I do?

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎06-27-2012 01:17 PM

It's possible that when you installed the universal forwarder on your Exchange server, you enabled some of the default inputs. You also have to install the technology add-ons where you installed the forwarder. We've added a troubleshooting topic to the docs to highlight these points.

0 Karma
Reply

Drainy
Champion
‎05-03-2012 10:07 AM

Have you tested that DNS lookup is working from the mail server? It might be worth testing it with the IP instead. Also are there any firewalls blocking the ports on either machine or on the link between them?

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎05-03-2012 10:07 AM

Did you create new inputs.conf files in the local directory for each technology add-on? See the Make configuration changes... topic in Deploy and Use the Splunk App for Microsoft Exchange.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎05-04-2012 11:01 AM

Whether or not you're running Splunk Free should not affect where the data goes (although I am not sure that the Exchange App officially supports Splunk Free). I have talked to other customers who have installed version 1.1 and it sends the data to the correct three indexes (exchange, perfmon, and blackberry). There is a topic in the Exchange App documentation that tells you how to make configuration changes to match your existing environment. But it seems as if there is something going on with your config--it's hard to diagnose with the information you've provided. You might want to try to reinstall the trial version of Splunk and follow the procedures in the Exchange App doc to reinstall that afterwards, see if it just clears up.

0 Karma
Reply

itrcb4
New Member
‎05-04-2012 08:01 AM

It's the latest as I just downloaded it yesterday.

Does it matter if I'm running Splunk free (eg. it restricts all data to main index)? I want to use this to demo the value of Splunk before we make the leap / purchase.

0 Karma
Reply

ChrisG
Splunk Employee
Splunk Employee
‎05-03-2012 11:52 AM

Are you using version 1.1 of the app? In 1.1, the default is not to use main. See What data the Splunk App for Microsoft Exchange collects for an explanation of what goes where in the current release. If you are using 1.0, I suggest an upgrade.

0 Karma
Reply

itrcb4
New Member
‎05-03-2012 11:23 AM

found that the data is coming in, but going into main. How do I get it into the Exchange index?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...