Content Pack for Microsoft Exchange

This documentation does not apply to the most recent version of Content Pack for Microsoft Exchange. For documentation on the most recent version, go to the latest release.

Install and configure the Content Pack for Microsoft Exchange

The Splunk App for Content Packs allows you to access content packs, preview their contents, and install them in your environment. The Splunk App for Content Packs includes the Content Pack for Microsoft Exchange. For a full list of the objects shipped in this content pack, see About the Content Pack for Microsoft Exchange.

Installation and configuration overview

Follow these high-level steps to install and configure the Content Pack for Microsoft Exchange:

  1. Install and configure the Splunk Add-on for Microsoft Exchange.
  2. Install the Content Pack for Microsoft Exchange.
  3. Enable data model acceleration.
  4. Configure domain aliases and fill the lookups.
  5. Review and tune KPI thresholds.

Prerequisites

Review the following prerequisites before installing the content pack:

  • Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
  • Enable the app key value store in the environment where you plan to install the content pack. See About the app key value store in the Splunk Enterprise Admin Manual.
  • Make a full backup of your ITSI environment in the event you need to uninstall the content pack later. For more information, see Create a full backup of ITSI in the Administration Manual.

Install and configure the Splunk Add-on for Microsoft Exchange

This content pack depends on data from the Splunk Add-on for Microsoft Exchange, which collects mailbox, client access, and hub transport data from your Exchange server hosts. Download the latest version of the add-on from Splunkbase.

You can safely install the Splunk Add-on for Microsoft Exchange on all tiers of a distributed Splunk platform deployment, including heavy forwarders, indexers, or search heads. For instructions to install and configure the add-on, see About the Splunk Add-on for Microsoft Exchange.

Install the Content Pack for Microsoft Exchange

To install the Content Pack for Microsoft Exchange, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Packs installation instructions.

After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Microsoft Exchange:

  1. From the ITSI or ITE Work main navigation bar, click Configuration and then Data Integrations.
  2. Select Content Library.
  3. Select the Microsoft Exchange content pack.
  4. Review what's included in the content pack and click Proceed.
  5. Configure the content pack settings:

     Choose which objects to install
       For a first-time installation, select the items you want to install and deselect any you're not interested in.
       For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all.

     Choose a conflict resolution rule for the objects you install
       For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options:
       • Install as new - Objects are installed and any existing identical objects in your environment remain intact.
       • Replace existing - Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.

     Import as enabled
       Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content.
       This setting only applies to services, correlation searches, and aggregation policies. All other objects, such as KPI base searches and saved searches, are installed in their original state regardless of which option you choose.

     Modify status of saved searches
       This setting appears only if the content pack contains saved searches. Choose one of the following options:
       • Activate all saved searches - Activate all the saved searches associated with the content pack.
       • Deactivate all saved searches - Deactivate all the saved searches associated with the content pack.
       • Retain current status of saved searches - Preserve the existing status of the saved searches within the content pack.
       By default, saved searches included in a content pack are deactivated.

     Add a prefix to your new objects
       Optionally, prepend a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects post-install.

     Backfill service KPIs
       Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores.
  6. When you've completed your selections, click Install selected.
  7. Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green checkmark on the Data Integrations page shows any other content packs you have installed.

(Optional) Update the eventtype-based index definitions with a custom index

Prerequisites

  • You need the itoa_admin role to update the eventtype-based index definitions.
  • You need to know which indexes your organization uses to send data from the Splunk Add-on for Microsoft Exchange to your Splunk platform deployment.

Steps

  1. From Splunk Web, select Settings > Event types.
  2. Configure the custom index for each of the following eventtypes. Each eventtype has the index type Events. For the eventtype definition with a custom index, combine all of the indexes that you're using for data collection from add-ons with OR operators, as in the examples:

     msexchange-index
       Default eventtype definition: index=msexchange
       With custom index, for example: index=msexchange OR index=<index-name>

     msperfmon-index
       Default eventtype definition: index=perfmon
       With custom index, for example: index=perfmon OR index=<index-name>

     msad-index
       Default eventtype definition: index=msad
       With custom index, for example: index=msad OR index=<index-name>

     windows-index
       Default eventtype definition: index=windows
       With custom index, for example: index=windows OR index=<index-name>

     wineventlog-index
       Default eventtype definition: index=wineventlog
       With custom index, for example: index=wineventlog OR index=<index-name>

     summary-index
       Default eventtype definition: index=summary
       With custom index, for example: index=summary OR index=<index-name>

  3. Select Save.
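These eventtype definitions are search fragments: every KPI base search, saved search and data model constraint that references the eventtype inherits whatever index terms it contains, so a mistyped or over-broad term (for example index=*) silently widens the data scope of the whole content pack. The following Python helper is an added example and is not part of the Splunk documentation, the add-on or the content pack. It renders eventtypes.conf stanzas for the six eventtypes above from a per-eventtype list of custom indexes, deduplicates index names, and rejects any name that fails a conservative check (an assumption made here: lowercase letters, digits, underscore and hyphen, not starting with underscore or hyphen) before it is spliced into a search. The stanza format `[eventtype]` / `search = ...` is the standard eventtypes.conf layout; the sample inventory at the bottom is constructed.

```python
import re

# The six eventtypes shipped with the content pack and their default index (from the table above).
DEFAULT_EVENTTYPE_INDEXES = {
    "msexchange-index": "msexchange",
    "msperfmon-index": "perfmon",
    "msad-index": "msad",
    "windows-index": "windows",
    "wineventlog-index": "wineventlog",
    "summary-index": "summary",
}

# Conservative index-name check (assumption): lowercase letters, digits, underscore and hyphen,
# not starting with underscore or hyphen. Anything else (spaces, "*", "OR", quotes, parentheses)
# is rejected so that it cannot widen or break the search fragment it would be spliced into.
_INDEX_NAME = re.compile(r"[a-z0-9][a-z0-9_-]*")


def is_valid_index_name(name: str) -> bool:
    """True if name is safe to splice into an eventtype search as index=<name>."""
    return bool(_INDEX_NAME.fullmatch(name))


def build_eventtype_search(default_index: str, custom_indexes) -> str:
    """Return the eventtype definition: the default index OR each custom index.

    Order is preserved and duplicates are dropped, so re-running the generator
    against an inventory that already lists the default index is harmless.
    """
    ordered = []
    for raw in [default_index, *custom_indexes]:
        name = raw.strip()
        if not is_valid_index_name(name):
            raise ValueError(f"refusing unsafe index name: {raw!r}")
        if name not in ordered:
            ordered.append(name)
    return " OR ".join(f"index={name}" for name in ordered)


def render_eventtypes_conf(custom_indexes_by_eventtype: dict) -> str:
    """Render eventtypes.conf stanzas for all six eventtypes.

    Eventtypes absent from the mapping keep their default definition, so the
    output is a complete local override rather than a partial one. Unknown
    eventtype names are rejected instead of silently creating new stanzas.
    """
    unknown = set(custom_indexes_by_eventtype) - set(DEFAULT_EVENTTYPE_INDEXES)
    if unknown:
        raise KeyError(f"unknown eventtype(s): {sorted(unknown)}")
    stanzas = []
    for eventtype, default_index in DEFAULT_EVENTTYPE_INDEXES.items():
        extra = custom_indexes_by_eventtype.get(eventtype, [])
        search = build_eventtype_search(default_index, extra)
        stanzas.append(f"[{eventtype}]\nsearch = {search}\n")
    return "\n".join(stanzas)


if __name__ == "__main__":
    # Constructed sample inventory: Exchange data lands in two custom indexes, Windows event logs in one.
    inventory = {
        "msexchange-index": ["exch_prod", "exch_dr"],
        "wineventlog-index": ["win_prod"],
    }
    print(render_eventtypes_conf(inventory))
```

Review the rendered stanzas against the Settings > Event types page rather than pasting them blindly: a custom index that the add-on does not actually write to only adds search cost, and one that is missing leaves dashboards and KPIs empty.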

Enable data model acceleration

Acceleration of the MSExchange_Messaging and Microsoft_Exchange data models is disabled by default. Enable acceleration for these data models to populate the dashboards packaged in the content pack.

You must have admin permissions to enable data model acceleration or change the acceleration period.

Complete the following steps on the search head to enable the acceleration of the MSExchange_Messaging and Microsoft_Exchange data models:

  1. In Splunk Web, go to Settings > Data Models.
  2. From the App list, select IT Service Intelligence or IT Essentials Work to see the data models defined and used by the content packs.
  3. Click Edit next to the data model you want to enable.
  4. Click Edit Acceleration.
  5. Check Accelerate.
  6. Select the summary range to specify the acceleration period or choose to keep the default selection.
  7. Click Save.

Configure domain aliases and fill the lookups

You can configure domain aliases for selected domains, or specify a default domain for unqualified users, from the Domain Alias Configuration dashboard.

Open the Domain Alias Configuration dashboard

Follow these steps to open the dashboard:

  1. In Splunk Web, open IT Service Intelligence or IT Essentials Work.
  2. From the main navigation bar go to Dashboards > Dashboards.
  3. Open the Domain Alias Configuration - Microsoft Exchange dashboard from the list of dashboards.

The dashboard requires at least one mapping, which is used as the default mapping.

This image shows the Domain Alias Configuration dashboard with some sample data displayed.

Create domain alias mappings

Follow these steps to create a domain alias mapping:

  1. From the Domain Alias Configuration dashboard, enter the Domain Alias of the domain you want to map.
  2. Enter the fully qualified DNS name that this domain will map to in the Fully Qualified Domain Name field.
  3. Click the Submit button after entering the mapping.
  4. After you submit, the mapping is saved and the dashboard uses that mapping.

Set unqualified user mapping

After configuring the domain alias mapping, follow these steps to specify the fully qualified domain name that unqualified users map to:

  1. From the Domain Alias Configuration dashboard, click the Unqualified users belong to: drop-down.
  2. Select the entry that you want from the resulting list. This drop-down list content is generated from the list of mappings you created in previous steps.
  3. Click Submit to save your changes.

Fill the lookups

After you create at least one domain alias mapping and assign at least one default domain for unqualified users, click the panel at the bottom of the dashboard labeled Click here to run saved searches. This action fills the lookups.


Review and tune KPI thresholds

The KPIs in this content pack ship with suggested aggregate and per-entity thresholds. Review the KPIs and configure the aggregate and per-entity threshold values based on your use case.

For instructions on tuning KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights Manual.

For a full list of the KPIs in this content pack, see the KPI reference for the Content Pack for Microsoft Exchange.

KPI alerting

KPI alerting is enabled for some services so you can receive alerts when aggregate KPI threshold values change. ITSI generates notable events in Episode Review based on the alerting rules you configure. You can turn off this alerting behavior or tune the parameters based on how many alerts you want to receive.

For more information about KPI alerting, see Receive alerts when KPI severity changes in ITSI.

Anomaly detection

Some KPIs also have anomaly detection enabled. Anomaly detection uses machine learning algorithms to model KPI behavior. If the KPI diverges from the normal pattern, ITSI creates a notable event in Episode Review.

For more information about anomaly detection, see Apply anomaly detection to a KPI in ITSI.

Next step

After you install and configure the Content Pack for Microsoft Exchange, you can begin monitoring your Exchange environment. For instructions, see Use the Content Pack for Microsoft Exchange.

Last modified on 30 January, 2024
This documentation applies to the following versions of Content Pack for Microsoft Exchange: 1.7.0