All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk for Active Dir/Exchange

dsteinb
New Member
‎05-29-2013 10:11 AM

Can someone tell me how to get the data into these please.
I have downloaded and put the folders in the forwarder dir (C:\Program Files\SplunkUniversalForwarder) etc\apps and nothing is happening. The only thing that sort of works is Windows. On this server I have the following in ETC\APPS
Splunk_TA_windows
sideview_utils
SplunkUniversalForwarder
TA-SMTP-Reputation
TA-Exchange-2010-MailboxStore
TA-Exchange-2010-HubTransport
TA-DNSServer-NT6
TA-DomainController-NT6

0 Karma
Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎05-29-2013 11:43 AM

What version are the Splunk Forwarders? If you are using the latest and greatest, you may need to downgrade to version 4.3.5 on the Active Directory server(s). That is documented in the release notes.

For the Active Directory piece you'll need to enable local PowerShell script execution on the AD servers. That is how the AD data is collected on the end point. You can see that requirement documented here.

As for the Exchange side, you also need PowerShell and very likely you need to specify where the data resides, plus which index the data is meant to land. You should get started here.

I hope this helps. You are likely close but need a bit more configuration before you can awesome results.

Reply

Gilberto_Castil
Splunk Employee
Splunk Employee
‎05-29-2013 12:43 PM

Splunk Apps will have a default location under %SPLUNK_HOME%\etc\apps. The application itself will have a default directory (case sensitive, lower case is the standard) where all the deault artifacts are loaded. For customization and changes, we copy the appropriate artifact from the default and place in a "local" directory. If one does not exist, you should create one.

%SPLUNK__HOME%\etc\apps\TA-Exchange-2013-Mailbox\local is the right place on the Forwarder.

0 Karma
Reply

dsteinb
New Member
‎05-29-2013 12:25 PM

I am reading the one for exchange and it makes NO sense. there is NO local anywhere under C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_for_Exchange\appserver\addons\TA-Exchange-2013-Mailbox or any of the others. I am also running 2008R2. So where would I copy the inputs to? Am I just making a :
C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_for_Exchange\appserver\addons\TA-Exchange-2013-Mailbox\LOCAL ?

0 Karma
Reply

dsteinb
New Member
‎05-29-2013 12:00 PM

I checked and local Powershell script was enabled.

I do appreciate the help

0 Karma
Reply

skylasam_splunk
Splunk Employee
Splunk Employee
‎05-29-2013 11:04 AM

What role is the machine on which you've installed the Universal forwarder playing? Is it a Domain Controller? Mailbox Store? Or something else? Basically, the appropriate TA for a given role needs to be used on the machine. As Chris suggested earlier, please go over the deployment instructions for both exchange and AD apps and follow the configuration instructions.

Reply

ChrisG
Splunk Employee
Splunk Employee
‎05-29-2013 10:58 AM

Sounds as if maybe you missed some steps to configure the technology add-ons? Are you following the deployment instructions in the documentation?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...