Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Dashboard reference

This topic lists all the dashboards provided in the Splunk App for Microsoft Exchange broken out by menu name, and provides a brief description of each.

Splunk App for Microsoft Exchange

When you first launch the Splunk App for Microsoft Exchange, the app displays a landing page with four choices:

  • Health: Click this link to go to the Splunk App for Microsoft Exchange's Overview page.
  • Documentation: Click the Documentation link to go to this online manual.
  • Community: Click this link to go to the app's page on Splunkbase, where you can ask questions, find out about the latest release, and more.
  • Search: This link takes you directly to the search bar, where you can use Splunk's search engine to look through the raw data.

Overview

The Splunk App for Microsoft Exchange displays the Overview dashboard when you launch the app.

This dashboard is divided into six sections.

On the top left, the DNS-based Blocking List (DNSBL) Reputation displays the current status of your organization's email reputation. This is based on the information in a number of DNSBL services that are commonly used by internet-facing email relays. You can click on the reputation status to get detailed information about the systems that have a Poor or Neutral rating.

A Poor rating indicates that one or more of your listed outbound servers appears in a DNSBL service. A Good rating indicates that none of your listed outbound servers appears in any DNSBL service. A Neutral rating indicates that some DNSBL services could not be checked.
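The rating rule above, sketched as an added example (not code from the app): it builds the standard DNSBL query name (reversed IPv4 octets under the list's zone) and rolls per-server results up into Good, Neutral or Poor. The zone names, IP addresses and the `sample_resolve` stub are constructed, and letting a listing outrank an unchecked service is an assumption.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Reverse the IPv4 octets and append the DNSBL zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def check(ip, zone, resolve):
    """Return 'listed', 'clean' or 'unchecked' for one server/DNSBL pair.

    resolve(name) is supplied by the caller: it returns a list of A-record
    strings, [] for NXDOMAIN, and raises OSError on timeout or failure.
    """
    try:
        answers = resolve(dnsbl_query_name(ip, zone))
    except OSError:
        return "unchecked"
    if not answers:
        return "clean"
    # A listing is signalled by an answer inside 127.0.0.0/8; anything else
    # (for example a wildcarded or parked zone) is not a trustworthy result.
    if all(ipaddress.ip_address(a) in LOOPBACK for a in answers):
        return "listed"
    return "unchecked"

def reputation(servers, zones, resolve):
    """Roll per-pair results up into the Good / Neutral / Poor rating."""
    results = {(ip, z): check(ip, z, resolve) for ip in servers for z in zones}
    states = set(results.values())
    if "listed" in states:
        rating = "Poor"      # assumption: a listing outranks an unchecked service
    elif "unchecked" in states:
        rating = "Neutral"
    else:
        rating = "Good"
    return rating, results

# Constructed sample data: documentation-range IPs and made-up DNSBL zones.
def sample_resolve(name):
    if name.endswith(".bl-b.example"):
        raise OSError("simulated timeout")
    return ["127.0.0.2"] if name == "10.2.0.192.bl-a.example" else []

if __name__ == "__main__":
    servers = ["192.0.2.10", "192.0.2.11"]
    print(reputation(servers, ["bl-a.example"], sample_resolve)[0])
```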

The top center view, Service Availability, shows you a list of servers that are not running services they should be, based on the Exchange server roles they hold. If a server appears in this list, clicking on it gives you detailed information about the services that are configured for it, as well as which of those services are not running.

The top right view displays information about Exchange servers which have not reported new data within the last 30 minutes. If a server shows up in this list, it might not be sending data. You can click to get additional information on the server that is not reporting.

The bottom left view lists all the source types and hosts that are generating Microsoft Exchange-specific data.

The bottom center view is a gauge that displays an instant count of the number of messages transiting your Exchange network per hour. It is configurable by editing configuration files within the app.

The bottom right view displays all Exchange hosts configured to send data to the Splunk App for Microsoft Exchange, along with the number of events they have sent to the app over time.

You can change the time range for this dashboard from the default of "Last 15 minutes," as well as perform ad-hoc searches across the time range you specify. To see all the data from any given host or source type, click on that host or source type.

System Overview

The System Overview dashboard is displayed when you select "Systems Overview" from the System menu.

This dashboard displays information on all of the Exchange servers that are sending data to the Splunk App for Microsoft Exchange. The list is divided into views that represent servers that run the Hub and Edge Transport, Client Access Server, and Mailbox Server roles.

You can narrow the results displayed by clicking on any of the entries shown in the Site list.

Message Tracking

This set of dashboards shows you information about inbound, outbound, and internally distributed messages. Each dashboard shows you the message rate and the bandwidth usage for all your inbound, outbound, and internal mail as well as the top sending or receiving IPs and domains, and message counts and volume by sender or receiver.

To track a message, select "Track a Message", and on the page that appears, provide one or more of the following:

  • Sender (email address)
  • Recipient (email address)
  • IP Address (of the sender)
  • Subject

and click "Search". Wildcards are accepted in any of the fields above. Click on a result to drill down into the path that message took through your environment.

To view email behavior for a domain, IP address, or an individual user:

  • Select that option from the Message Tracking menu
  • Enter the information you want to track on
  • Select a time range. The default time range is over the last 60 minutes. To choose a custom time range, choose that option from the time range menu and select dates and times to frame your investigation.

Client Behavior

This set of views shows you how your Mailbox Server resources are being used by size and broken down by mail client usage.

The Mailbox Store Overview shows you information about the top Mailbox Store users by overall size, size of Deleted Items folder, sizes of other Mailbox types, and top user Junk folder size.

The Microsoft Outlook overview shows you top users by Remote Procedure Call (RPC) session and IP address, and also based on RPC sessions per minute.

There are similar views for:

  • Outlook Web Access (OWA)
  • Microsoft ActiveSync
  • Outlook Anywhere
  • Post Office Protocol version 3 (POP3) and Internet Mail Access Protocol version 4 revision 1 (IMAP4) (for all users not using a Microsoft client)

To view user activity across all clients based on a username, specify the username. You will see the last time they were seen in your infrastructure, their database usage, their activity via OWA and ActiveSync, and RPC session information. Additionally, you can see the OSes and browsers that user uses, any access via mobile devices, and any POP3 or IMAP4 use.

Operations

The Operations menu offers views of the performance of your Exchange infrastructure from an operations perspective.

The Client Access views include performance details broken down by the client type or protocol you select from the drop-down:

  • Client Access Performance shows you the standard performance counters (%CPU used, available memory, and network usage) for your Client Access Server systems.
  • POP3 and IMAP4 Performance shows you the current and rejected connections over these protocols, and the processing time associated with them.
  • Web Performance shows OWA and ActiveSync requests per second.

The Hub Transport views show you the size of each Hub Transport messaging queue. If you don't see any data in these views, make sure you have enabled the Performance Monitoring data set on each Hub Transport server.

The Mailbox Store menu gives you views about the use and capacity of your Mailbox Store servers.

  • To find out who in your organization is close to or over a given mailbox quota, enter the value of the quota and click the button.
  • The Database overview shows all active Mailbox databases, backups, and local copies.
  • The Clustering view shows the Copy and Replay queue lengths, plus the status of each Cluster in your deployment.
  • The Managed Folder Assistants view shows the processing status of these automated processes.
  • The Mailbox Store Performance view shows the standard performance counters (%CPU used, available memory, and network usage) as well as RPC system and sub-system latency and performance for your Mailbox Store servers.

The Exchange 2010 Administrator Audit dashboard allows you to search for change events initiated by administrators in your environment. Whenever an admin makes a change to a user, mailbox, database or other resource on your Exchange servers, Exchange logs this information and the Splunk App for Microsoft Exchange displays it here. Read events are not logged. This dashboard is only valid on Exchange Server 2010 environments.

The Anomalous Logins Report dashboard displays failed logins by IP address and username, as well as a list of users who log in from multiple countries or regions.

New for version 2.0, the Non-Owner Mailbox Access dashboard gives you insight into Exchange mailbox access by a user who is not the owner of that mailbox. Before you can use this dashboard, you need to enable Mailbox Auditing.

New for version 2.0, the Internal Spammers Report dashboard gives you information about internal Exchange users who are sending large quantities of messages to large numbers of users within the Exchange network. To use this dashboard, select the time range using the time range picker, then enter the minimum number of messages sent and the Minimum Rate (the number of messages sent in the range of time defined by the time range picker).

New for version 2.0, the Distribution Lists Report shows you all of the distribution lists in your organization.

Capacity Planning

The Capacity Planning menu gives you information about the volume of email and number of users your system is handling over time to help you to plan for future expansion.

The Message Volume dashboard displays information about the number of messages your organization receives over a period of time, including mail sent to and from the Internet and internal activity.

The User Population dashboard shows you how many users use your Exchange server resources over time. It also shows the amount of space that each user's mailbox takes up on average.

The Environment Report dashboard gives a high level overview of all of the information on your system over a specified period of time, which, by default, is the last 30 days. This dashboard displays statistics on mailbox usage, number of messages sent and received, and which mail user agents - both internal and external - are connecting to your Exchange services.

Last modified on 11 January, 2013

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 2.0, 2.1, 2.1.1, 2.1.2

