Content Pack for Microsoft Exchange

This documentation does not apply to the most recent version of Content Pack for Microsoft Exchange. For documentation on the most recent version, go to the latest release.

Install and configure the Content Pack for Microsoft Exchange

The Splunk App for Content Packs allows you to access content packs, preview their contents, and install them in your environment. The Splunk App for Content Packs includes the Content Pack for Microsoft Exchange provided you are using ITSI version 4.9.0 or higher or IT Essentials Work version 4.9.0 or higher. If you are using ITSI version 4.8.x or lower, or IT Essentials Work version 1.0.x or lower, then you must install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work.

For a full list of the objects shipped in this content pack, see Release notes for the Content Pack for Microsoft Exchange.

Installation and configuration overview

Follow these high-level steps to install and configure the Content Pack for Microsoft Exchange:

  1. Install and configure the Splunk Add-on for Microsoft Exchange.
  2. Install the Content Pack for Microsoft Exchange.
  3. Enable data model acceleration.
  4. Configure domain aliases and fill the lookups.
  5. Import your Exchange Entities.
  6. Review and tune KPI thresholds.

Prerequisites

Review the following prerequisites before installing the content pack:

  • Install and configure the IT Service Intelligence (ITSI) or IT Essentials Work App in your environment. See About Splunk ITSI in the Install and Upgrade Manual, or Install IT Essentials Work in the Overview of Splunk IT Essentials Work manual.
  • Enable the app key value store in the environment where you plan to install the content pack. See About the app key value store in the Splunk Enterprise Admin Manual.
  • Make a full backup of your ITSI environment in the event you need to uninstall the content pack later. For more information, see Create a full backup of ITSI in the Administration Manual.

Install and configure the Splunk Add-on for Microsoft Exchange

This content pack depends on data from the Splunk Add-on for Microsoft Exchange, which collects mailbox, client access, and hub transport data from your Exchange server hosts. Download the latest version of the add-on from Splunkbase.

You can safely install the Splunk Add-on for Microsoft Exchange on all tiers of a distributed Splunk platform deployment, including heavy forwarders, indexers, or search heads. For instructions to install and configure the add-on, see About the Splunk Add-on for Microsoft Exchange.

Install the Content Pack for Microsoft Exchange

You have two options for installing and configuring the Content Pack for Microsoft Exchange:

  • One option is to install the content pack from the Splunk App for Content Packs. The Content Pack for Microsoft Exchange is included in the Splunk App for Content Packs if you are using ITSI version 4.9.x or higher or IT Essentials Work version 4.9.x or higher.
  • Your second option is to install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work. You must choose this option if you are using ITSI version 4.8.x or lower or IT Essentials Work version 1.0.x or lower.

Install the content pack from the Splunk App for Content Packs

To install the Content Pack for Microsoft Exchange, you have to install the Splunk App for Content Packs. To install the Splunk App for Content Packs in your environment, see the Splunk App for Content Pack installation instructions.

If you use the Splunk App for Microsoft Exchange, and are installing the content pack from the Splunk App for Content Packs, don't install the content pack on the same search head as the app. Doing so causes knowledge object conflicts. To learn more about the Splunk App for Microsoft Exchange, see About the Splunk App for Microsoft Exchange.

After you install the Splunk App for Content Packs, follow these steps to configure the Content Pack for Microsoft Exchange:

  1. From the ITSI or ITE Work main navigation bar, click Configuration > Data Integrations.
  2. Select Add content packs or Add structure to your data depending on your version of ITSI or ITE Work.
  3. Select the Microsoft Exchange content pack.
  4. Review what's included in the content pack and click Proceed.
  5. Configure the content pack settings.
    • Choose which objects to install: For a first-time installation, select the items you want to install and deselect any you're not interested in. For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version, or install them all.
    • Choose a conflict resolution rule for the objects you install: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from the following options:
        • Install as new - Objects are installed and any existing identical objects in your environment remain intact.
        • Replace existing - Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
    • Import as enabled: Select whether to install objects as enabled or to leave them in their original state. It's recommended that you import objects as disabled to ensure your environment doesn't break from the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of which option you choose.
    • Add a prefix to your new objects: Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects post-install.
    • Backfill service KPIs: Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and Predictive Analytics for the new services. This setting only applies to KPIs and not service health scores.
  6. When you've completed your selections, click Install selected.
  7. Click Install to confirm the installation. When the installation completes you can view all objects that were successfully installed in your environment. A green checkmark on the Data Integrations page shows any other content packs you have installed.

Install the content pack using backup and restore functionality provided by ITSI and IT Essentials Work

If you are using ITSI version 4.8.x or lower or IT Essentials Work version 1.0.x or lower, follow these steps to install the Content Pack for Microsoft Exchange.

Dashboards are not part of the content pack if you install the content pack using backup and restore functionality.

For instructions on restoring a backup, see Restore from a backup zip in the Administration Manual.

Set macro sharing permissions

  1. Click Settings > Advanced search > Search macros.
  2. Locate the following macros and make sure their sharing settings are set to Global:
    • msperfmon-windows-index
    • perfmon-index
    • windows-index
  3. Save any changes made.

Install the Content Pack for Microsoft Exchange

  1. Download the following ITSI backup file: BACKUP-CP-EXCHANGE-1.4.2.zip.
  2. On your ITSI search head, create a restore job and upload the backup file. Give the job the same name as the backup file you downloaded. For example, BACKUP-CP-EXCHANGE-1.4.2.
  3. After the restore job completes, confirm that the objects included in the content pack are restored to your environment. For a full list of the objects shipped in this content pack, see Release notes for the Content Pack for Microsoft Exchange.

(Optional) Update the eventtype-based index definitions with custom index

Prerequisites

  • You should have the itoa_admin role to update the eventtype-based index definitions.
  • You have to know the indexes your organization uses to send data from the Splunk Add-on for Microsoft Exchange to your Splunk platform deployment.

Steps

1. From Splunk, select Settings > Event types.

2. Configure the custom index per the requirements outlined in the following list. Every event type has the index type Events. The eventtype definition with custom index is all of the indexes that you're using for data collection from add-ons combined with OR operators.

  • msexchange-index
    Default eventtype definition: index=msexchange
    Example with custom index: index=msexchange OR index=<index-name>
  • msperfmon-index
    Default eventtype definition: index=perfmon
    Example with custom index: index=perfmon OR index=<index-name>
  • msad-index
    Default eventtype definition: index=msad
    Example with custom index: index=msad OR index=<index-name>
  • windows-index
    Default eventtype definition: index=windows
    Example with custom index: index=windows OR index=<index-name>
  • wineventlog-index
    Default eventtype definition: index=wineventlog
    Example with custom index: index=wineventlog OR index=<index-name>
  • summary-index
    Default eventtype definition: index=summary
    Example with custom index: index=summary OR index=<index-name>

3. Select Save.
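
Event type definitions like the ones above are stored as eventtypes.conf stanzas with a search setting. The following added example (not part of the Splunk documentation or the content pack) builds each definition from the default index plus custom indexes, and rejects wildcards and malformed index names so that an event type is not widened beyond the indexes you intend. The custom index names in the sample run are constructed placeholders.

```python
import re

# Default definitions from the steps above (event type name -> default index).
DEFAULTS = {
    "msexchange-index": "msexchange",
    "msperfmon-index": "perfmon",
    "msad-index": "msad",
    "windows-index": "windows",
    "wineventlog-index": "wineventlog",
    "summary-index": "summary",
}

# User-defined Splunk index names: lowercase letters, digits, "_" and "-",
# not starting with "_" or "-", and not containing the word "kvstore".
INDEX_NAME = re.compile(r"^[a-z0-9][a-z0-9_-]*$")


def valid_index(name):
    return bool(INDEX_NAME.match(name)) and "kvstore" not in name


def eventtype_search(eventtype, custom_indexes):
    """Return the definition: the default index OR'ed with each custom index."""
    if eventtype not in DEFAULTS:
        raise KeyError(f"unknown event type: {eventtype}")
    indexes = [DEFAULTS[eventtype]]
    for name in custom_indexes:
        if not valid_index(name):  # blocks "*", spaces and extra search terms
            raise ValueError(f"invalid index name: {name!r}")
        if name not in indexes:    # skip duplicates, keep order
            indexes.append(name)
    return " OR ".join(f"index={i}" for i in indexes)


def render_stanzas(custom):
    """Render eventtypes.conf-style stanzas for every event type listed above."""
    lines = []
    for eventtype in DEFAULTS:
        search = eventtype_search(eventtype, custom.get(eventtype, []))
        lines += [f"[{eventtype}]", f"search = {search}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample input: these index names are placeholders.
    sample = {"msexchange-index": ["exch_prod"], "windows-index": ["win_dc", "win_srv"]}
    print(render_stanzas(sample))
```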

Enable data model acceleration

Acceleration of the MSExchange_Messaging and Microsoft_Exchange data models is disabled by default. Enable acceleration for these data models to populate the data on dashboards packaged in the content pack.

You must have admin permissions to enable data acceleration or change the acceleration period.

Complete the following steps on the search head to enable the acceleration of the MSExchange_Messaging and Microsoft_Exchange data models:

  1. In Splunk Web, go to Settings > Data Models.
  2. From the App list, select IT Service Intelligence or IT Essentials Work to see the data models defined and used by the content packs.
  3. Click Edit next to the data model you want to enable.
  4. Click Edit Acceleration.
  5. Check Accelerate.
  6. Select the summary range to specify the acceleration period or choose to keep the default selection.
  7. Click Save.

Configure domain aliases and fill the lookups

You can configure domain aliases for selected domains or specify a default DNS for unqualified users from the Domain Alias Configuration dashboard.

Open the Domain Alias Configuration dashboard

Follow these steps to open the dashboard:

  1. In Splunk Web, open IT Service Intelligence or IT Essentials Work.
  2. From the main navigation bar go to Dashboards > Dashboards.
  3. Open the Domain Alias Configuration - Microsoft Exchange dashboard from the list of dashboards.

This dashboard must have at least one mapping used as the default mapping.

This image shows the Domain Alias Configuration dashboard with some sample data displayed.

Create domain alias mappings

Follow these steps to create a domain alias mapping:

  1. From the Domain Alias Configuration dashboard, enter the Domain Alias of the domain you want to map.
  2. Enter the fully qualified DNS name that this domain will map to in the Fully Qualified Domain Name field.
  3. Click the Submit button after entering the mapping.
  4. Once submitted, the mapping is saved and the dashboard is connected to that mapping.

Set unqualified user mapping

After configuring the domain alias mapping, follow these steps to specify the fully-qualified domain name that unqualified users can map to:

  1. From the Domain Alias Configuration dashboard, click the Unqualified users belong to: drop-down.
  2. Select the entry that you want from the resulting list. This drop-down list content is generated from the list of mappings you created in previous steps.
  3. Click Submit to save your changes.

Fill the lookups

After you create at least one domain alias mapping and assign at least one default domain for unqualified users, click the panel at the bottom of the dashboard labeled Click here to run saved searches. This action fills the lookups.

Import your Exchange Entities

  1. In Splunk Web, open IT Service Intelligence or IT Essentials Work.
  2. From the main navigation bar go to Configuration > Entities. This takes you to the Entity and Entity Types page.
  3. Click the Create Entity button on the far right of the page.
  4. From the resulting drop-down options, choose Import from Search.
  5. Select Ad hoc Search and add the following SPL query:
    `msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" | stats count by host, sourcetype | eval entity_type="Microsoft Exchange Host" | fields - count
    
  6. Run the search. Check the results to make sure you see your Microsoft Exchange hosts with an entity_type of Microsoft Exchange Host.
  7. Click Next.
  8. Configure the following column rules:
    (Column Name: Import Column As)
    • host: Entity Title
    • sourcetype: Entity Information Field
    • entity_type: Entity Type
  9. Click Import to import your Exchange entities.
  10. After the import job completes, click Set Up Recurring Import and follow the steps in Set up a recurring entity import from a Splunk search.

You can click View all entities and confirm your entities appear in ITSI or IT Essentials Work.

Review and tune KPI thresholds

Aggregate and per-entity thresholds for the KPIs in this content pack have pre-set suggested thresholds. You can review the KPIs and configure the aggregate and per-entity thresholds values based on your use case.

For instructions on tuning KPI thresholds, see Configure KPI thresholds in ITSI in the Service Insights Manual.

For a full list of the KPIs in this content pack, see the KPI reference for the Content Pack for Microsoft Exchange.

KPI alerting

KPI alerting is enabled for some services so you can receive alerts when aggregate KPI threshold values change. ITSI generates notable events in Episode Review based on the alerting rules you configure. You can turn off this alerting behavior or tune the parameters based on how many alerts you want to receive.

For more information about KPI alerting, see Receive alerts when KPI severity changes in ITSI.

Anomaly detection

Some KPIs also have anomaly detection enabled. Anomaly detection uses machine learning algorithms to model KPI behavior. If the KPI diverges from the normal pattern, ITSI creates a notable event in Episode Review.

For more information about anomaly detection, see Apply anomaly detection to a KPI in ITSI.

Next step

After you install and configure the Content Pack for Microsoft Exchange, you can begin monitoring your Exchange environment. For instructions, see Use the Content Pack for Microsoft Exchange.

Last modified on 26 June, 2023

This documentation applies to the following versions of Content Pack for Microsoft Exchange: 1.5.1, 1.5.2

