Install and configure the Content Pack for Microsoft Exchange
The Splunk App for Content Packs allows you to access content packs, preview their contents, and install them in your environment. The Splunk App for Content Packs includes the Content Pack for Microsoft Exchange. For a full list of the objects shipped in this content pack, see About the Content Pack for Microsoft Exchange.
Installation and configuration overview
Follow these high-level steps to install and configure the Content Pack for Microsoft Exchange:
- Install and configure the Splunk Add-on for Microsoft Exchange.
- Install the Content Pack for Microsoft Exchange.
- Enable data model acceleration.
- Configure domain aliases and fill the lookups.
- Review and tune KPI thresholds.
Prerequisites
Review the following prerequisites before installing the content pack:
- Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
- Enable the app key value store in the environment where you plan to install the content pack. See About the app key value store in the Splunk Enterprise Admin Manual.
- Make a full backup of your ITSI environment in the event you need to uninstall the content pack later. For more information, see Create a full backup of ITSI in the Administration Manual.
Install and configure the Splunk Add-on for Microsoft Exchange
This content pack depends on data from the Splunk Add-on for Microsoft Exchange, which collects mailbox, client access, and hub transport data from your Exchange server hosts. Download the latest version of the add-on from Splunkbase.
You can safely install the Splunk Add-on for Microsoft Exchange on all tiers of a distributed Splunk platform deployment, including heavy forwarders, indexers, or search heads. For instructions to install and configure the add-on, see About the Splunk Add-on for Microsoft Exchange.
Install the Content Pack for Microsoft Exchange
To install the Content Pack for Microsoft Exchange, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Packs installation instructions.
After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Microsoft Exchange:
- From the ITSI or ITE Work main navigation bar, click Configuration and then Data Integrations.
- Select Content Library.
- Select the Microsoft Exchange content pack.
- Review what's included in the content pack and click Proceed.
- Configure the content pack settings.
Setting Description Choose which objects to install For a first-time installation, select the items you want to install and deselect any you're not interested in.
For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all.Choose a conflict resolution rule for the objects you install For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options: - Install as new - Objects are installed and any existing identical objects in your environment remain intact.
- Replace existing - Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
Import as enabled Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content.
This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of which option you choose.Modify status of saved searches This configuration step will be displayed only if the content pack contains saved searches. Within this configuration, you have the flexibility to perform the following operations: - Activate all saved searches - By selecting this option, you can activate all the saved searches associated with the content pack.
- Deactivate all saved searches - By selecting this option, you can deactivate all the saved searches associated with the content pack.
- Retain current status of saved searches - This option allows you to preserve the existing status of the saved searches within the content pack.
By default, saved searches included in a content pack are in deactivated state.
Add a prefix to your new objects Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP-
to indicate they came from a content pack. This option can help you locate and manage the objects post-install.Backfill service KPIs Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores. - When you've completed your selections, click Install selected.
- Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green checkmark on the Data Integrations page shows any other content packs you have installed.
(Optional) Update the eventtype-based index definitions with custom index
Prerequisites
- You should have the
itoa_admin
role to update the eventtype based index definitions. - You have to know the indexes your organization uses to send data from the Splunk Add-on for Microsoft Exchange to your Splunk platform deployment.
Steps
1. From Splunk, select Settings > Event types
2. Configure the custom index per the requirements outlined in the following table:
Eventtype name | Index type | Default Eventtype definition | Eventtype definition with custom index |
---|---|---|---|
msexchange-index | Events | index=msexchange | All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=msexchange OR index=<index-name>
|
msperfmon-index | Events | index=perfmon
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=perfmon OR index=<index-name>
|
msad-index | Events | index=msad
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=msad OR index=<index-name>
|
windows-index | Events | index=windows
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=windows OR index=<index-name>
|
wineventlog-index | Events | index=wineventlog
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=wineventlog OR index=<index-name>
|
summary-index | Events | index=summary
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=summary OR index=<index-name>
|
3. Select Save.
Enable data model acceleration
The acceleration of the data models MSExchange_Messaging
and Microsoft_Exchange
are disabled by default. Enable acceleration for this data model to populate the data on dashboards packaged in the content pack.
You must have admin permissions to enable data acceleration or change the acceleration period.
Complete the following steps on the search head to enable the acceleration of the MSExchange_Messaging
and Microsoft_Exchange
data models:
- In Splunk Web, go to Settings > Data Models.
- From the App list, select IT Service Intelligence or IT Essentials Work to see the data models defined and used by the content packs.
- Click Edit next to the data model you want to enable.
- Click Edit Acceleration.
- Check Accelerate.
- Select the summary range to specify the acceleration period or choose to keep the default selection.
- Click Save.
Configure domain aliases and fill the lookups
You can configure domain aliases for selected domains or specify a default DNS for unqualified users from the Domain Alias Configuration dashboard.
Open the Domain Alias Configuration dashboard
Follow these steps to open the dashboard:
- In Splunk Web, open IT Service Intelligence or IT Essentials Work.
- From the main navigation bar go to Dashboards > Dashboards.
- Open the Domain Alias Configuration - Microsoft Exchange dashboard from the list of dashboards.
This dashboard must have at least one mapping used as the default mapping.
Create domain alias mappings
Follow these steps to create a domain alias mapping:
- From the Domain Alias Configuration dashboard, enter the Domain Alias of the domain you want to map.
- Enter the fully qualified DNS name that this domain will map to in the Fully Qualified Domain Name field.
- Click the Submit button after entering the mapping.
- Once submitted, the mapping is saved and the dashboard is connected to that mapping.
Set unqualified user mapping
After configuring the domain alias mapping, follow these steps to specify the fully-qualified domain name that unqualified users can map to:
- From the Domain Alias Configuration dashboard, click the Unqualified users belong to: drop-down.
- Select the entry that you want from the resulting list. This drop-down list content is generated from the list of mappings you created in previous steps.
- Click Submit to save your changes.
Fill the lookups
After you create at least one domain alias mapping and assign at least one default domain for unqualified users, click the panel at the bottom of the dashboard labeled Click here to run saved searches. This action fills the lookups.
Review and tune KPI thresholds
Aggregate and per-entity thresholds for the KPIs in this content pack have pre-set suggested thresholds. You can review the KPIs and configure the aggregate and per-entity thresholds values based on your use case.
For instructions on tuning KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights Manual.
For a full list of the KPIs in this content pack, see the KPI reference for the Content Pack for Microsoft Exchange.
KPI alerting
KPI alerting is enabled for some services so you can receive alerts when aggregate KPI threshold values change. ITSI generates notable events in Episode Review based on the alerting rules you configure. You can turn off this alerting behavior or tune the parameters based on how many alerts you want to receive.
For more information about KPI alerting, see Receive alerts when KPI severity changes in ITSI.
Anomaly detection
Some KPIs also have anomaly detection enabled. Anomaly detection uses machine learning algorithms to model KPI behavior. If the KPI diverges from the normal pattern, ITSI creates a notable event in Episode Review.
For more information about anomaly detection, see Apply anomaly detection to a KPI in ITSI.
Next step
After you install and configure the Content Pack for Microsoft Exchange, you can begin monitoring your exchange environment. For instructions, see Use the Content Pack for Microsoft Exchange.
Release Notes for the Content Pack for Microsoft Exchange | Upgrade to version 1.7.0 of the Content Pack |
This documentation applies to the following versions of Content Pack for Microsoft Exchange: 1.7.0
Feedback submitted, thanks!