Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk Add-ons for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Configure TA-Exchange-HubTransport

The Splunk Add-ons for Microsoft Exchange must be configured before you can deploy them to Exchange Server hosts. This is because you must specifically enable support for the version of Exchange Server that you run.

Each add-on within the Splunk Add-ons for Microsoft Exchange package includes an inputs.conf file that has all of the data inputs that are necessary to get Exchange Server data. These inputs are disabled by default.

Download and unpack the TA-Exchange-HubTransport add-on

  1. Download the Splunk Add-ons for Microsoft Exchange package from Splunkbase.
  2. Unpack the add-on bundle to an accessible location.

Create and edit inputs.conf

  1. Open a PowerShell window, command prompt, or Explorer window.
  2. Create a local directory within the TA-Exchange-HubTransport add-on.
  3. Copy inputs.conf from the TA-Exchange-HubTransport\default directory to the TA-Exchange-HubTransport\local directory.
  4. Use a text editor such as Notepad to open the TA-Exchange-HubTransport\local\inputs.conf file for editing.
  5. Modify the inputs.conf file so that the common data inputs and the inputs that are for the version of Exchange Server that you run are enabled. Do this by changing disabled = true to disabled = false for all input stanzas that are associated with your version of Exchange Server. See the example inputs.conf later in this topic.
  6. After you update the inputs.conf file, save it and close it.

Distribute the add-ons

If you do not have a deployment server to distribute apps and add-ons, set one up. A deployment server greatly reduces the overhead in distributing apps and add-ons to hosts. You can make one change on the deployment server and push that change to all universal forwarders in your Splunk App for Microsoft Exchange deployment. The Splunk App for Microsoft Exchange manual uses deployment server extensively in its setup instructions.

If you run more than one version of Exchange Server in your environment, set up a deployment server for each version of Exchange. This is because the Splunk Add-ons for Microsoft Exchange include data inputs for all versions of Exchange Server.

  1. Copy the TA-Exchange-HubTransport add-on to the %SPLUNK_HOME%\etc\deployment-apps directory on the deployment server.
  2. Create a server class for all hosts that run Exchange Server and hold the Hub Transport role.
  3. Add all Exchange Server hosts that hold the Hub Transport role to this server class.
  4. Push the add-on to all hosts in this server class.

Example inputs.conf

The following inputs.conf listing is an example of how you should configure the TA-Exchange-HubTransport add-on for installation on an Exchange Server 2010 host that holds the Hub Transport role. In this example, Exchange Server 2010 block has had its input stanzas changed from disabled = true to disabled = false. All other data input blocks have not been changed.

Remember to save the inputs.conf file after editing it, as changes do not take effect until the file has been saved and the add-on has been pushed to Exchange Server hosts. 

##################################################################################################
#User should enable the stanza specific to the exchange server version by setting disabled=false #
##################################################################################################

####Common Stanzas - Start####

[WinHostMon://Processes]
index = windows
interval = 10
disabled = false
type = process

[WinHostMon://Services]
index = windows
interval = 10
disabled = false
type = service

[perfmon://Total_Processor_Time]
index=perfmon
object=Processor
counters=% Processor Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Processor]
index=perfmon
object=Processor
counters=% User Time; % Privileged Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://System]
index=perfmon
object=System
counters=Processor Queue Length
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Available_Memory]
index=perfmon
object=Memory
counters=Available MBytes; Page Reads/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Memory]
index=perfmon
object=Memory
counters=Pool Nonpaged bytes; Pool Paged bytes; Cache Bytes; Committed Bytes; %Committed Bytes in Use; Transition Pages Repurposed/sec; Pages/sec; Pages Input/sec; Pages Output/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://DotNET_CLR_Memory]
index=perfmon
object=.NET CLR Memory
counters=% Time in GC; # Bytes in all Heaps
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Network_Utilization]
index=perfmon
object=Network Interface
counters=Bytes Total/sec; Packets Outbound Errors
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv4]
index=perfmon
object=TCPv4
counters=Connections Established; Connections Reset
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv6]
index=perfmon
object=TCPv6
counters=Connection Failures
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Disk]
index=perfmon
object=Logical/Physical Disk
counters=Avg. Disk sec/Read; Avg. Disk sec/Write
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Control_Panel]
index=perfmon
object=MSExchange Control Panel
counters=Outbound Proxy Requests - Average Response Time; Requests - Average Response Time; ASP.Net Request Failures/sec; Explicit Sign-On Inbound Proxy Requests/sec; Explicit Sign-On Inbound Proxy Sessions/sec; Explicit Sign-On Outbound Proxy Requests/sec; Explicit Sign-On Outbound Session Requests/sec; Explicit Sign-On Standard RBAC Requests/sec; Explicit Sign-On Standard RBAC Sessions/sec; Inbound Proxy Requests/sec; Inbound Proxy Sessions/sec; Outbound Proxy Requests - Average Response Time; Outbound Proxy Requests/sec; Outbound Proxy Sessions/sec; PowerShell Runspaces - Activations/sec; PowerShell Runspaces - Average Active Time; PowerShell Runspaces/sec; RBAC Sessions/sec; Requests - Activations/sec; Requests - Average Response Time
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Queue_Lengths]
index=perfmon
object=MSExchangeTransport Queues
counters=*
instances=_total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Transport_Dumpster]
index=perfmon
object=MSExchangeTransport Dumpster
counters=Dumpster Size; Dumpster Inserts/sec; Dumpster Item Count; Dumpster Deletes/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Store_Driver]
index=perfmon
object=MSExchange Store Driver
counters=Inbound: LocalDeliveryCallsPerSecond; Outbound: Submitted Mail Items Per Second; Inbound: MessageDeliveryAttemptsPerSecond; Inbound: Recipients Delivered Per Second
instances=_total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_SmtpReceive]
index=perfmon
object=MSExchangeTransport SmtpReceive
counters=Average bytes/message; Messages Received/sec
instances=_total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_SmtpSend]
index=perfmon
object=MSExchangeTransport SmtpSend
counters=Messages Sent/sec
instances=_total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Extensibility_Agents]
index=perfmon
object=MSExchange Extensibility Agents
counters=Average Agent Processing Time (sec); Total Agent Invocations
instances=*
interval=10
disabled=false
useEnglishOnly=true

####Common Stanzas - End####

####Exchange Server 2007 - Start####

[monitor://C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2007:MessageTracking
queue=parsingQueue
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v8.0 get-hoststats_2007_2010.ps1]
source=Powershell
sourcetype=MSExchange:2007:Topology
interval=300
index=msexchange
disabled=true


####Exchange Server 2007 - End####

####Exchange Server 2010 - Start####

[monitor://C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2010:MessageTracking
queue=parsingQueue
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010.ps1]
source=Powershell
sourcetype=MSExchange:2010:AdminAudit
interval=300
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-hoststats_2007_2010.ps1]
source=Powershell
sourcetype=MSExchange:2010:Topology
interval=300
index=msexchange
disabled=false

####Exchange Server 2010 - End####
Last modified on 11 April, 2019
TA-Exchange-HubTransport inputs   Troubleshoot TA-Exchange-HubTransport

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters