All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

MSExchange APP: "No matching fields"

mikelanghorst
Motivator
‎06-29-2012 05:48 PM

I've installed the MSExchange app, and have data coming in. However when I view the summary page, and several other dashboard pages, I get a blue banner message saying "No matching fields exist." Many of the "activity" reports currently aren't working, but I don't know if those are related.

0 Karma
Reply

mikelanghorst
Motivator
‎07-01-2012 04:56 PM

As for the field extractions, searching for each of these sourcetypes it there are a number of fields extracted. But obviously, theres at least one missing.

0 Karma
Reply

mikelanghorst
Motivator
‎07-01-2012 04:46 PM

Sourcetypes, in the index=msexhange there are currently 9 sourcetypes seen:
WinEventLog:Security
WinEventLog:Application
MSExchange:2010:Topology
MSExchange:2010:PublicFolder-Stats
MSExchange:2010:MessageTracking
MSExchange:2010:Mailbox-Usage
MSExchange:2010:Folder-Usage
MSExchange:2010:Database-Stats
MSExchange:2010:AdminAudit

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎07-01-2012 10:24 AM

Unfortunately, there is not enough to go on here to even begin to answer this. Here are some things to check:

  1. What specific source types are coming in?
  2. Is the MSExchange Topology source type coming in?
  3. Are the field extractions working?
  4. Are they going into the right indices (see eventtypes.conf and macros.conf)

As always, more information is better.

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎07-13-2012 07:21 AM

Non-Reporting Servers is hopefully blank, unless you have non-reporting servers. The hosts is a little more troubling. Extract the search from the page (it's embedded clearly in the XML) and run it by hand.

0 Karma
Reply

jamlam
Explorer
‎07-13-2012 05:27 AM

I'm having the same issue, in my case the panels missing on the system overview page are Hosts and Non-Reporting Servers

0 Karma
Reply

ahall_splunk
Splunk Employee
Splunk Employee
‎07-02-2012 08:00 AM

Ok - next step - which particular panels on the summary overview have no data? This will narrow down which search is missing information from the field extractions.

0 Karma
Reply

mikelanghorst
Motivator
‎07-01-2012 04:38 PM

Thanks for replying. The confusing part for me is when there are many searches on the page, such as the summary not knowing which search is complaining. Yea, I'll have to dig deeper, but maybe someone saw this.

I'll add the additional info to the original question.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...