Install and configure the Content Pack for Microsoft Exchange
The Splunk App for Content Packs allows you to access content packs, preview their contents, and install them in your environment. The Splunk App for Content Packs includes the Content Pack for Microsoft Exchange provided you are using ITSI version 4.9.0 or higher or IT Essentials Work version 4.9.0 or higher. If you are using ITSI version 4.8.x or lower, or IT Essentials Work version 1.0.x or lower, then you must install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work.
For a full list of the objects shipped in this content pack, see Release notes for the Content Pack for Microsoft Exchange.
Installation and configuration overview
Follow these high-level steps to install and configure the Content Pack for Microsoft Exchange:
- Install and configure the Splunk Add-on for Microsoft Exchange.
- Install the Content Pack for Microsoft Exchange.
- Enable data model acceleration.
- Configure domain aliases and fill the lookups.
- Import your Exchange Entities.
- Review and tune KPI thresholds.
Prerequisites
Review the following prerequisites before installing the content pack:
- Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
- Enable the app key value store in the environment where you plan to install the content pack. See About the app key value store in the Splunk Enterprise Admin Manual.
- Make a full backup of your ITSI environment in the event you need to uninstall the content pack later. For more information, see Create a full backup of ITSI in the Administration Manual.
Install and configure the Splunk Add-on for Microsoft Exchange
This content pack depends on data from the Splunk Add-on for Microsoft Exchange, which collects mailbox, client access, and hub transport data from your Exchange server hosts. Download the latest version of the add-on from Splunkbase.
You can safely install the Splunk Add-on for Microsoft Exchange on all tiers of a distributed Splunk platform deployment, including heavy forwarders, indexers, or search heads. For instructions to install and configure the add-on, see About the Splunk Add-on for Microsoft Exchange.
Install the Content Pack for Microsoft Exchange
You have two options for installing and configuring the Content pack for Microsoft Exchange:
- One option is to install the content pack from the Splunk App for Content Packs. The Content Pack for Microsoft Exchange is included in the Splunk App for Content Packs if you are using ITSI version 4.9.x higher or IT Essentials Work version 4.9.x or higher.
- Your second option is to install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work. You must choose this option if you are using ITSI version 4.8.x or lower or IT Essentials Work version 1.0.x or lower.
Install the content pack from the Splunk App for Content Packs
To install the Content Pack for Microsoft Exchange, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Pack installation instructions.
If you use the Splunk App for Microsoft Exchange, and are installing the content pack from the Splunk App for Content Packs, don't install the content pack on the same search head as the app. Doing so causes knowledge object conflicts. To learn more about the Splunk App for Microsoft Exchange, see About the Splunk App for Microsoft Exchange.
After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Microsoft Exchange:
- From the ITSI or ITE Work main navigation bar, click Configuration > Data Integrations.
- Select Add content packs or Add structure to your data depending on your version of ITSI or ITE Work.
- Select the Microsoft Exchange content pack.
- Review what's included in the content pack and click Proceed.
- Configure the content pack settings.
Setting Description Choose which objects to install For a first-time installation, select the items you want to install and deselect any you're not interested in.
For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all.Choose a conflict resolution rule for the objects you install For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options: - Install as new - Objects are installed and any existing identical objects in your environment remain intact.
- Replace existing - Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
Import as enabled Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content.
This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of which option you choose.Add a prefix to your new objects Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP-
to indicate they came from a content pack. This option can help you locate and manage the objects post-install.Backfill service KPIs Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores. - When you've completed your selections, click Install selected.
- Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green checkmark on the Data Integrations page shows any other content packs you have installed.
Install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work
If you are using ITSI version 4.8.x or lower or IT Essentials Work version 1.0.x or lower, follow these steps to install the Content Pack for Microsoft Exchange.
Dashboards are not part of the content pack if you install the content pack using backup and restore functionality.
For instructions on restoring a backup, see Restore from a backup zip in the Administration Manual.
Set macro sharing permissions
- Click Settings > Advanced search > Search macros.
- Locate the following macros and make sure their sharing settings are set to Global:
- msperfmon-windows-index
- perfmon-index
- windows-index
- Save any changes made.
Install the Content Pack for Microsoft Exchange
- Download the following ITSI backup file: Media: BACKUP-CP-EXCHANGE-1.4.2.zip.
- On your ITSI search head, create a restore job and upload the backup file. Give the job the same name as the backup file you downloaded. For example,
BACKUP-CP-EXCHANGE-1.4.2
- After the restore job completes, confirm that the objects included in the content pack are restored to your environment. For a full list of the objects shipped in this content pack, see Release notes for the Content Pack for Microsoft Exchange.
(Optional) Update the eventtype-based index definitions with custom index
Prerequisites
- You should have the
itoa_admin
role to update the eventtype based index definitions. - You have to know the indexes your organization uses to send data from the Splunk Add-on for Microsoft Exchange to your Splunk platform deployment.
Steps
1. From Splunk, select Settings > Event types
2. Configure the custom index per the requirements outlined in the following table:
Eventtype name | Index type | Default Eventtype definition | Eventtype definition with custom index |
---|---|---|---|
msexchange-index | Events | index=msexchange | All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=msexchange OR index=<index-name>
|
msperfmon-index | Events | index=perfmon
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=perfmon OR index=<index-name>
|
msad-index | Events | index=msad
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=msad OR index=<index-name>
|
windows-index | Events | index=windows
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=windows OR index=<index-name>
|
wineventlog-index | Events | index=wineventlog
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=wineventlog OR index=<index-name>
|
summary-index | Events | index=summary
|
All of the indexes that you're using for data collection from add-ons combined with OR operators. For example: index=summary OR index=<index-name>
|
3. Select Save.
Enable data model acceleration
The acceleration of the data models MSExchange_Messaging
and Microsoft_Exchange
are disabled by default. Enable acceleration for this data model to populate the data on dashboards packaged in the content pack.
You must have admin permissions to enable data acceleration or change the acceleration period.
Complete the following steps on the search head to enable the acceleration of the MSExchange_Messaging
and Microsoft_Exchange
data models:
- In Splunk Web, go to Settings > Data Models.
- From the App list, select IT Service Intelligence or IT Essentials Work to see the data models defined and used by the content packs.
- Click Edit next to the data model you want to enable.
- Click Edit Acceleration.
- Check Accelerate.
- Select the summary range to specify the acceleration period or choose to keep the default selection.
- Click Save.
Configure domain aliases and fill the lookups
You can configure domain aliases for selected domains or specify a default DNS for unqualified users from the Domain Alias Configuration dashboard.
Open the Domain Alias Configuration dashboard
Follow these steps to open the dashboard:
- In Splunk Web, open IT Service Intelligence or IT Essentials Work.
- From the main navigation bar go to Dashboards > Dashboards.
- Open the Domain Alias Configuration - Microsoft Exchange dashboard from the list of dashboards.
This dashboard must have at least one mapping used as the default mapping.
Create domain alias mappings
Follow these steps to create a domain alias mapping:
- From the Domain Alias Configuration dashboard, enter the Domain Alias of the domain you want to map.
- Enter the fully qualified DNS name that this domain will map to in the Fully Qualified Domain Name field.
- Click the Submit button after entering the mapping.
- Once submitted, the mapping is saved and the dashboard is connected to that mapping.
Set unqualified user mapping
After configuring the domain alias mapping, follow these steps to specify the fully-qualified domain name that unqualified users can map to:
- From the Domain Alias Configuration dashboard, click the Unqualified users belong to: drop-down.
- Select the entry that you want from the resulting list. This drop-down list content is generated from the list of mappings you created in previous steps.
- Click Submit to save your changes.
Fill the lookups
After you create at least one domain alias mapping and assign at least one default domain for unqualified users, click the panel at the bottom of the dashboard labeled Click here to run saved searches. This action fills the lookups.
Import your Exchange Entities
- In Splunk Web, open IT Service Intelligence or IT Essentials Work.
- From the main navigation bar go to Configuration > Entities. This takes you to the Entity and Entity Types page.
- Click the Create Entity button on the far right of the page.
- From the resulting drop-down options, choose Import from Search.
- Select Ad hoc Search and add the following SPL query:
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" | stats count by host, sourcetype | eval entity_type="Microsoft Exchange Host" | fields - count
- Run the search. Check the results to make sure you see your Microsoft Exchange hosts with an
entity_type
ofMicrosoft Exchange Host
. - Click Next.
- Configure the following column rules:
Column Name Import Column As host Entity Title sourcetype Entity Information Field entity_type Entity Type - Click Import to import your Exchange entities.
- After the import job completes, click Set Up Recurring Import and follow the steps in Set up a recurring entity import from a Splunk search.
You can click View all entities and confirm your entities appear in ITSI or IT Essentials Work.
Review and tune KPI thresholds
Aggregate and per-entity thresholds for the KPIs in this content pack have pre-set suggested thresholds. You can review the KPIs and configure the aggregate and per-entity thresholds values based on your use case.
For instructions on tuning KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights Manual.
For a full list of the KPIs in this content pack, see the KPI reference for the Content Pack for Microsoft Exchange.
KPI alerting
KPI alerting is enabled for some services so you can receive alerts when aggregate KPI threshold values change. ITSI generates notable events in Episode Review based on the alerting rules you configure. You can turn off this alerting behavior or tune the parameters based on how many alerts you want to receive.
For more information about KPI alerting, see Receive alerts when KPI severity changes in ITSI.
Anomaly detection
Some KPIs also have anomaly detection enabled. Anomaly detection uses machine learning algorithms to model KPI behavior. If the KPI diverges from the normal pattern, ITSI creates a notable event in Episode Review.
For more information about anomaly detection, see Apply anomaly detection to a KPI in ITSI.
Next step
After you install and configure the Content Pack for Microsoft Exchange, you can begin monitoring your exchange environment. For instructions, see Use the Content Pack for Microsoft Exchange.
Release Notes for the Content Pack for Microsoft Exchange | Migrate from the Splunk App for Microsoft Exchange to the Content Pack for Microsoft Exchange |
This documentation applies to the following versions of Content Pack for Microsoft Exchange: 1.5.1, 1.5.2
Feedback submitted, thanks!