Splunk® Content Packs for ITSI and IT Essentials Work

Splunk Content Packs for ITSI and IT Essentials Work

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Dashboard reference for the Content Pack for Microsoft Exchange

The Content Pack for Microsoft Exchange offers a variety of dashboards to give you insight into your Microsoft Exchange data. Each dashboard is powered by data collected from your Microsoft Exchange environment using one or more input types configured in the Splunk Add-on for Microsoft Exchange.

You can configure each dashboard included in the content pack. Refer to the following tables for the configurable input types by available dashboard.

Host Performance Reports

This dashboard shows you the status of your Exchange servers based on the Exchange server role. The dashboard displays the status of each host in a host group based on specific factors such as memory, CPU usage, disk space, and network traffic.

You can view the health rates of each host group based on those factors. There are three status indicators for Hub Transport servers, Mail servers, and Client Access servers: Ok, Warning, and Critical.

Use this dashboard

In the dashboard panels, each of the listed hosts has corresponding columns that show CPU usage, available memory, network traffic, messages per second, and status. Each column has a corresponding sparkline that shows recent activity over time.

You can filter within the dashboard and dashboard panels to see more specific information:

  • You can sort the listed hosts by a certain metric (such as CPU usage or network traffic) by clicking on the column header button. Clicking more than once on the same column header toggles between an ascending and descending sort.
  • You can show a graph of recent host activity for a given server type by selecting the server type from the listed hosts.

Client Access Servers

This dashboard displays information about the performance of the Client Access Servers in your Microsoft Exchange deployment.

The dashboard includes several panels:

Panel name Description
Client Throttling Counters Shows when Exchange has throttled clients to maintain performance.
Core Counters Shows you information about core performance counters (percent CPU used, available memory, and network usage) for your Client Access Server systems. The panels include a sparkline that displays average values for each counter.
POP3 and IMAP4 Performance Shows you the current and rejected connections over the POP3 and IMAP4 performance protocols, and the processing time associated with them.
Web Performance Counters Shows you information about Outlook Web Access and ActiveSync requests per second.

Use this dashboard

You can filter within the dashboard and dashboard panels to see more specific information:

  • You can set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  • In the Host Name drop-down you can select the CAS host you want more information on.
  • For each panel, you can sort the contents by clicking on the column header button. Clicking more than once on the same column header toggles between an ascending and descending sort.
  • You can mouse over the sparkline in the Average column to see individual data points for the chosen metric.
  • You can click on any point in the sparkline to load the Performance page for the selected host, performance object, and performance counter.

Hub Transports

This dashboard displays information about the performance of the Hub Transport servers in your Microsoft Exchange deployment.

The dashboard includes several panels:

Panel name Description
Core Counters Shows the standard performance counters (percent CPU used, available memory, and network usage) for your Hub Transport Server systems.
Hub Transport Counters Shows Hub Transport-specific counters.
Queue Lengths Shows the current average of your Hub Transport Servers' queue lengths. The panel includes a numeric average as well as a sparkline that shows average queue lengths over time.

If you don't see any data in this dashboard, make sure you have enabled the Performance Monitoring data set on each Hub Transport server.

Microsoft suggests a maximum queue length of 250 for active queues and 100 for all other queues. The poison queue should be zero at all times.

For more information about monitoring Hub Transport servers, see http://technet.microsoft.com/en-us/library/bb201704(EXCHG.80).aspx.

Use this dashboard

You can filter within the dashboard and dashboard panels to see more specific information:

  • You can set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  • In the Host Name drop-down you can select the host you want more information on.
  • For each panel, you can sort the contents by clicking on the column header button. Clicking more than once on the same column header toggles between an ascending and descending sort.
  • You can mouse over the sparkline in the Average column to see individual data points for the chosen metric.
  • You can click on any point in the sparkline to load the Performance page for the selected host, performance object, and performance counter.

Mailbox Stores

This dashboard displays information about the performance the Mailbox Store hosts in your Microsoft Exchange environment.

The dashboard includes several panels:

Panel name Description
Calendar counters Provides information on calendar-based performance monitoring objects.
Core counters Shows you the standard performance counters (percent CPU used, available memory, and network usage) for your Mailbox Store systems.
Store counters Provides specific performance monitoring information for Mailbox Store services.
Sub-system RPC latency Shows you the different remote procedure call (RPC) latencies for various Exchange subsystems such as ActiveSync, Content Indexing, and other, per host.
Sub-system RPC operations/sec Shows you how many subsystem RPC operations occur per second on a host.

Use this dashboard

You can filter within the dashboard and dashboard panels to see more specific information:

  • You can set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  • In the Host Name drop-down you can select the Mailbox Store host you want more information on.
  • For each panel, you can sort the contents by clicking on the column header button. Clicking more than once on the same column header toggles between an ascending and descending sort.
  • You can mouse over the sparkline in the Average column to see individual data points for the chosen metric.
  • You can click on any point in the sparkline to load the Performance page for the selected host, performance object, and performance counter.

Managed Folder Assistants

This dashboard shows you the number of messages processed, the average amount of time it takes to process a mailbox, and the number of mailboxes processed per second in your Microsoft Exchange environment.

The dashboard includes several panels:

Panel name Description
Average Mailbox Processing Time Provides a chart of how long it took on average to process a specific mailbox.
Messages Processed Shows you the number of messages processed per server.
Mailboxes Processed/sec chart Shows how many mailboxes were processed per second per host.

Use this dashboard

You can filter within the dashboard and dashboard panels to see more specific information:

  • You can set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  • In the Host Name drop-down you can select the host you want more information on.
  • For each panel, you can sort the contents by clicking on the column header button. Clicking more than once on the same column header toggles between an ascending and descending sort.
  • You can mouse over the sparkline in the Average column to see individual data points for the chosen metric.
  • You can click on any point in the sparkline to load the Performance page for the selected host, performance object, and performance counter.

Client Throttling Policies

This dashboard displays information about the current throttling policies that are set on your Exchange network to prevent system abuse. The dashboard shows the active policies, when they were created and modified, and a count of users that have been affected by that policy.

To get more information about a specific policy, click on its name in the list to view the Throttling Policy page. The resulting page shows you the list of users that the policy applies to, and the global and per-protocol limits that make up the policy.

Use this dashboard

For each dashboard panel, you can sort the contents by clicking on the column header. Clicking more than once on the same column header toggles between an ascending and descending sort.

You can click on any policy in the list to load the Throttling Policy page for that policy.

Host Overview

This dashboard provides a listing of all hosts in your Microsoft Exchange deployment. The dashboard provides information on the cluster and site that the host is in, as well as the status of Exchange services:

  • The Service Availability panel provides an updated list of services that are experiencing problems.
  • The Non-Reporting Servers shows a count of hosts that are not reporting status, but should be reporting status.

Use this dashboard

From the dashboard, use the available filters to more specific host related information. In each filter control, you can begin typing in the field to see a list of matching terms, or you can click the filter drop-down and select an entry from the list. The content pack immediately updates the page based on the filter settings.

You must select an entry in All Filter Controls for the dashboard to display results.

You can filter the dashboard by the following fields:

Field name Description
Clustered Filters on whether a host is in a cluster or not in a cluster.
Cluster Status Filters on the status of the cluster.
Exchange Version Filters on the version of Exchange that the host runs.
Host Name Filters on the name of the host.
Product Version Filters on the Exchange product version.
Role Filters on the Exchange Server role(s) a host holds.
Services Filters on whether the host reports problems with any of its services.
Site Name Filters on the name of the Active Directory site that the host is in.
Windows Version Filters on the version of Windows that the host runs.

To get more information on a host, click that host name in the list. The content pack takes you to the Analyze a Host dashboard and populates the dashboard with information on the selected host.

Analyze a Host

This dashboard gives you information about a specific host in your Exchange deployment.

The dashboard includes the following panels:

Panel name Description
Host Information Provides information about the host name, cluster status, Exchange server role, site, and version, and Windows version.
Services Displays the state of installed Exchange-specific services.
Services History Shows the status of various services on a host.
Windows Updates and Host Downtime Displays a timeline of the chosen system's availability, as well as any Windows Update activity.

Use this dashboard

Follow these steps from the dashboard to see more detailed host related information:

  1. Select a host from the Host Name drop-down menu. This selection updated the dashboard with information about that host.
  2. Alternatively, you can search for a host from the Host Name drop-down menu. Enter a search string into the text box to search.
    1. Click the name of the host from the search results to update the dashboard with information about that host.
  3. In the resulting dashboard panel, click any entry to display the base search that produced the results.
  4. You can export the results to a CSV, XML, or JSON file. Click the Export icon in the lower-left corner of the dashboard panel.

Analyze a Host Drive

This dashboard gives you information to analyze the contents of a host drive.

Use this dashboard

From the dashboard, use the available drop-down menus to more specific host drive related information. The content pack immediately updates the page based on the menu settings:

  • Use the Host drop-down to view specific host content.
  • Use the Drive drop-down to view specific drive content.

Mailbox Database Overview

This dashboard provides a listing of all databases in your Exchange deployment. The dashboard shows the information on the host(s) that contain the database, the current database size, and available free space.

Use this dashboard

To get more information on a database, click its name in the list. The content pack takes you to the Analyze a Mailbox Database page and populates it with information about the selected database.

Analyze a Mailbox Database

This dashboard gives you information about a specific database in your Exchange deployment.

This dashboard includes the following panels:

Panel name Description
Backups Shows when you last backed up the database. It lists information for full, incremental, differential, and copy backups.
Database Growth An area chart that shows the growth of the Exchange database over a period of time that you set in the time range picker. It shows the information on both the overall database size and the size of the local copy of the database on the server.
Database I/O latency A line chart that displays the average database latency, in seconds, over the period of time you set in the time range picker.
Log information Displays where you have configured your database log folder to be.
User information Displays the number of users in this database and how much space the database takes up (committed size), in megabytes.

Use this dashboard

You can filter within the dashboard and dashboard panels to see more specific information:

  • You can set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  • In the Database drop-down, select the database you want more information on.
  • For Backups, Log Information, and User Information panels, you can sort the contents by clicking on the column header button. Clicking more than once on the same column header toggles between an ascending and descending sort.
  • You can mouse over any line in the Database Growth and Database I/O latency panels to see individual data points for the chosen metric.
  • You can click on any point in the line in the Database Growth and Database I/O latency panels to view the base search that produced the results shown in the panel.

Clustering and Replication

This dashboard gives you information about the clustered mailbox databases in your Exchange deployment. The dashboard provides information on the databases, including the cluster they are in, the cluster type, the Exchange hosts that maintain the databases, and the status of the hosts.

The dashboard also has a panel for Replication Performance which is a line chart that shows the information on how well the servers in a clustered Exchange deployment replicate mailbox databases.

Use this dashboard

To get more information on the status of a clustered mailbox database, click on its name in the list. The content pack takes you to the Analyze a Mailbox Database dashboard and populates it with information about the selected database.

You can click on a point in the Replication Performance line chart to load the base search that produced the results that the chart displayed.

Windows Update and Host Downtime

This dashboard displays information about the availability of servers in your Exchange environment for the last hour. The dashboard displays a timeline for each server that depicts when the server was up, when it was down, and when it ran a Windows Update.

Use this dashboard

From the dashboard, use the available filters to see more specific Windows update and host downtime information:

  • To limit results to all servers in a specific site, select that site's entry in the Site drop-down list.
  • To limit results to a specific server, select that server's entry in the Server drop-down list.

Message Activity Overview

The Message Activity Overview dashboard displays the status of the Exchange Hub Transport and Mailbox Store services, as well as graphs that chart inbound and outbound Simple Mail Transfer Protocol (SMTP) rate, user submission rate, and mailbox delivery rate. When these services are operating properly, the top panels display status:green. If there are problems, the panels display status:yellow.

Each of the rate panels features a gauge that displays the current rate for each metric. Higher delivery rates move the gauges closer to the red area and warrant further investigation.

The dashboard also has panels that list the top 10 senders and recipients of mail, sorted by percentage of message volume, and a panel that displays the current outbound sender reputation, as rated by external internet service providers.

Use this dashboard

You can make selections within the dashboard to view additional information as follows:

  • To get more information about the status of your Hub Transport services, click the icon next to Exchange Hub Transports. This takes you to the Hub Transports page.
  • To get more information about the status of your Mailbox Store services, click the icon next to Exchange Mailbox Store. The Content Pack takes you to the Mailbox Store page.
  • To find out more information about a top local recipient, click the recipient's name in the list to go to the Track a Message page for the selected user.
  • To find out more information about a top local sender, click the sender's name in the list to go to the Track a Message page for the selected sender.

Track a Message

This dashboard allows you to find a single message among all messages that have passed through the Exchange system. It then allows you to find all events that concern the message.

Use this dashboard

Follow these steps from the dashboard to begin tracking a message:

  1. Enter as much detail as possible into the Sender / From, Recipient / To, and/or Message Subject fields. To specify all of a certain category, use an asterisk (*).
  2. If you know a message's message ID, you can enter it into the Message ID field.
  3. Set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  4. To track a matching message, click on it in the Matching Messages list. This takes you to the Message Routing page, where it displays a full trace of the message through the Exchange system in the Message Trace panel, based on its message ID.

Inbound Messages

This dashboard provides a snapshot of the rate of messages coming into your Exchange network. Inbound messages are messages that your Hub or Edge Transport servers receive into the network using the Simple Mail Transfer Protocol (SMTP). The dashboard uses Message Tracking logs to present this data.

The dashboard displays data in both line charts and dashboard panels:

  • Line charts display both incoming message rate (in messages per minute) and volume (in kilobytes per second).
  • Dashboard panels display the top sending IP addresses and domains, as well as the top recipients by message count and volume.

Use this dashboard

You can navigate within the dashboard to see more inbound message related information:

  • To learn about the activity of a top sending IP address, click the IP address's name in the Top Sending IPs list. This loads the Message Activity by IP Address page for the selected IP address.
  • To learn about the activity of a top sending domain, click the domain's name in the Top Sending Domains list. This loads the Message Activity by Domain page for the selected domain.
  • To learn about the activity of a top recipient, click the recipient's name in the Top Recipients by Message Count or Top Recipients by Volume list. You can view the Message Activity by User page for the selected user.
  • Clicking on a node in either of the line charts brings up the base search that produced the events at that point in time, along with the events that occurred at that point.

Outbound Messages

This dashboard provides a snapshot of the rate of messages going out of your Exchange network. Outbound messages are messages that your Hub or Edge Transport servers receive using a remote procedure call (RPC) and then send using SMTP. The dashboard uses Message Tracking logs to present this data.

The dashboard displays data in both line charts and dashboard panels:

  • Line charts display both incoming message rate (in messages per minute) and volume (in kilobytes per second).
  • Dashboard panels display the top remote IP addresses and domains, as well as the top senders by message count and volume.

Use this dashboard

You can navigate within the dashboard to see more outbound message related information:

  • To learn about the activity of a top remote IP address, click the IP address's name in the Top Remote IPs list. The content pack loads the Message Activity by IP Address page for the selected IP address.
  • To learn about the activity of a top remote domain, click the domain's name in the Top Remote Domains list. The page loads the Message Activity by Domain page for the selected domain.
  • To learn about the activity of a top sender, click the recipient's name in the Top Senders by Message Count or Top Senders by Volume list. The page loads the Message Activity by User page for the selected user.
  • Clicking on a node in either of the line charts brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Internal Messages

This dashboard provides a snapshot of the rate of messages that stay entirely within your Exchange network. The dashboard uses Message Tracking logs to present this data.

The dashboard displays data in both line charts and dashboard panels:

  • Line charts display both internal message rate (in messages per minute) and volume (in kilobytes per second).
  • Dashboard panels display the top senders and recipients in-network by message count and volume.

Use this dashboard

You can navigate within the dashboard to see more internal message related information:

  • To learn about the activity of a top remote IP address, click the IP address's name in the Top Remote IPs list. The page loads the Message Activity by IP Address page for the selected IP address.
  • To learn about the activity of a top sender, click the sender's name in the Top Senders by Message Count or Top Senders by Volume list. The content pack loads the Message Activity by User page for the selected user.
  • To learn about the activity of a top recipient, click the recipient's name in the Top Recipients by Message Count or Top Recipients by Volume list. The content pack loads the Message Activity by User page for the selected user.
  • Clicking on a node in either of the line charts brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Message Activity by Username

This dashboard provides insight into the usage patterns of a single user on your Exchange network.

The dashboard has line charts that display message rate (in messages per minute) and message volume (in kilobytes per second).

The dashboard also shows Top Senders, Top Recipients, Top Sending Domains, and Top Receiving Domains. These panels display information about a particular user's interactions within the Exchange network. The results that these panels display are specific to the user that you specify.

Use this dashboard

To specify a user, follow these steps:

  1. Enter that user's email address in the Username text box at the top of the page.
  2. Set your preferred time range using the time range picker.
  3. Click Search. The content pack updates the page with entries that match the email address and the date or time range entered.

You can navigate within the dashboard to see more message activity related information:

  • To learn about the activity between the user and the addresses that user exchanged email with most frequently, click the email address in the Top Senders or Top Recipients lists. The page loads the Message Activity by User page for the selected email address.
  • To learn about the activity between the user and the domains that user exchanged email with most frequently, click the domain in the Top Sending Domains or Top Receiving Domains lists. The page loads the Message Activity by Domain page for the selected domain.
  • Clicking on a node in either of the line charts brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Message Activity by Domain

This dashboard provides insight into the usage patterns of a single domain that your Exchange network has sent email to or received email from.

The dashboard has line charts that display message rate (in messages per minute) and message volume (in kilobytes per second).

The dashboard also shows Top Senders and Top Recipients. The panels display information about a particular domain's interactions with your Exchange network. The results displayed are specific to the domain that you specify.

Use this dashboard

To specify a domain, follow these steps:

  1. Enter that domain in the Domain text box at the top of the page.
  2. Set your preferred time range using the time range picker.
  3. Click Search. The content pack updates the page with the selected domain's message activity.

You can navigate within the dashboard to see more message activity by domain related information:

  • To learn about the activity between the domain and the email addresses in your organization that exchanged email with most frequently, click the email address in the Top Senders or Top Recipients lists. The page loads the Message Activity by User page for the selected email address.
  • Clicking on a node in either of the line charts brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Message Activity by IP Address

This dashboard provides insights into the usage patterns of a single IP address on your Exchange network.

The dashboard has line charts that display message rate (in messages per minute) and message volume (in kilobytes per second).

The dashboard also shows Top Senders, Top Recipients, Top Sending Domains, and Top Receiving Domains. These panels display information specific to a particular IP address's interactions within the Exchange network.

Use this dashboard

To specify an IP address, follow these steps:

  1. Enter that address in the IP Address text box at the top of the page.
  2. Set your preferred time range using the time range picker.
  3. Click Search. The content pack updates the page with the selected IP address's message activity.

You can navigate within the dashboard to see more message activity related information:

  • To learn about the activity between the IP address and the addresses it exchanged email with most frequently, click the email address in the Top Senders or Top Recipients lists. The page loads the Message Activity by User page for the selected email address.
  • To learn about the activity between the IP address and the domains it exchanged email with most frequently, click the domain in the Top Sending Domains or Top Receiving Domains lists. This loads the Message Activity by Domain page for the selected domain.
  • Clicking on a node in either of the line charts brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

User Behavior Overview

This dashboard displays information about Exchange users' behavior within the Exchange network.

The dashboard includes several panels:

Panel name Description
Browser Usage Shows browser usage based on percentage of use.
Database History Shows the latest updates to the active Exchange mailbox databases, based on update time.
Desktop Usage / Mobile OS Usage Shows information about the top desktop and mobile operating systems, based on percentage of use.
Mailbox Information / Mailbox Growth Shows information about mailbox databases and mailbox growth over time.
Recent Activity Shows the users who have accessed the system most recently, and includes a usage sparkline and information on when they last logged on, what IP address they logged on from, and the geographical location of that IP address.
Top Folders Shows information about the largest folders in the Exchange network, sorted by disk usage.

Use this dashboard

You can navigate within the dashboard to see more user behavior related information:

  • To configure the view to a specific user, enter that user's email address in the Username text box at the top of the page and set your preferred time period using the time range picker. Click Search.
  • Sort the contents by clicking on the column header button. Clicking more than once on the same column header toggles between an ascending and descending sort.
  • Mouse over the line in the Mailbox Growth area chart to see individual data points for the chosen metric.
  • Click on any point in the chart to load the base search that produced the results for the chart at that time.

Client Service Overview

Clients can access Microsoft Exchange through a variety of methods. This dashboard provides insight on how the users in your organization access Exchange services in your network.

The dashboard has panels that show the main points of ingress into Exchange including Outlook Web Access, ActiveSync, Exchange Web Services, and Outlook Anywhere. Each panel has an icon that depicts the health of each service.

When all services are operating properly, the panels display green check marks. If there are problems, the panels display yellow triangles with exclamation points.

Use this dashboard

To find out more about a client access method, click on the client access method's status icon. The content pack loads the appropriate page for the client access method you selected.

External Logins Map

The External Logins Map shows you the places from where users have logged into your Exchange environment.

Use this dashboard

Follow these steps from the dashboard to see more detailed external logins map information:

  1. In the Username field, type in all or part of a username. To show all users that begin with a certain string, use an asterisk (*) at the end of the string.
  2. Select the Application that the user used to log in, or click the 'x' icon at the right of the listbox to specify any application. You have the following Application options: Outlook Web Access, Exchange Web Services, or ActiveSync.
  3. Set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  4. Mouse over the resulting entries to see additional information about the user.

Outlook (RPC)

This dashboard shows you information about the usage of Microsoft Outlook over the local area network. The dashboard uses Exchange Audit event logs to produce the events it displays.

This client access method is relevant only for Exchange 2007 in many cases.

The dashboard displays data in dashboard panels:

  • One panel displays the access method's top users by email and IP address.
  • Another panel shows the total number of Remote Procedure Call (RPC) sessions over time, in connections per minute.

By default, the time period for all dashboard panels is the last 24 hours. You can change this setting by editing the dashboard.

Use this dashboard

You can navigate within the dashboard to see more Outlook (RPC) related information:

  • To learn out more about an Outlook RPC top user, click on that user in the Top Users or Top IP Addresses list. The content pack loads the User Behavior Overview page and filters results to the specified user.
  • Click on a node in the RPC Sessions over Time line chart. The content pack brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Outlook Web Access

This dashboard provides insights into the usage of the Outlook Web Access (OWA) client access method. The dashboard uses Internet Information Server (IIS) logs to produce the events it displays.

The dashboard displays data in dashboard panels including:

  • A panel that chronicles the service's top users by email and IP address.
  • A panel that lists the top operating systems (OS) and browsers that access the service.
  • A panel of a line chart that displays total page impressions over time, in pages per minute.

All dashboard panels default sort by count, but you can change the sorting by clicking the header in any of the panels.

By default, the time period for all of these panels is the last 24 hours. You can change this setting by editing the dashboard.

Use this dashboard

You can navigate within the dashboard to see more OWA related information:

  • To find out more about an OWA top user, click on that user in the Top Users or Top Users by IP Addresses list. The content pack loads the User Behavior Overview page and filters results to the specified user:
  • Clicking on an entry in the Top Operating Systems or Top Browsers panels brings up the base search that produced the selected operating system or browser, as well as any events which contain the OS or browser.
  • Clicking on a node in the Page Impressions line chart brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

ActiveSync

This dashboard provides insight into use of the ActiveSync client access method. The dashboard page uses Internet Information Server (IIS) logs to produce the events it displays.

The dashboard offers several panels including:

  • A panel that chronicles the service's top users by email and device ID.
  • A panel that lists the top device types and sync events over time (in events per minute).
  • A panel that documents remote device wipes and user-initiated device wipe requests.

All panels default sort by count, but you can change the sorting by clicking a header in any of the panels.

By default, the time period for all panels is the last 24 hours. You can change this setting by editing the dashboard.

Use this dashboard

You can navigate within the dashboard to see more ActiveSync related information:

  • To find out more about an ActiveSync top user, click on that user in the Top Users or Top Users by Device ID list. The content pack loads the User Behavior Overview page and filters results to the specified user.
  • You can click on an entry in the Top Devices, Remote Device Wipes, or User-initiated Device Wipe Requests panels. The content pack brings up the base search that produced the selected operating system or browser, as well as any events which contain the OS or browser.
  • You can click on a node in the Sync Events Over Time line chart. The content pack brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Outlook Anywhere

This dashboard shows you information about the usage of Microsoft Outlook with RPC over HTTP. The dashboard uses IIS logs to produce the events it displays.

The dashboard has panels that display the method's top users by email and IP address. The dashboard also includes a panel that shows the total number of RPC sessions over time, in connections per minute.

By default, the time period for all of these panels is the last 24 hours. You can change this setting by editing the dashboard.

Use this dashboard

You can navigate within the dashboard to see more Outlook Anywhere related information:

  • To find out more about an Outlook Anywhere top user, click on that user in the Top Users or Top IP Addresses list. The content pack loads the User Behavior Overview page and filters results to the specified user.
  • You can click on a node in the RPC Sessions Over Time line chart. The content pack brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Exchange Web Services

This dashboard shows usage of the Exchange Web Services (EWS) client access method. Clients such as Apple Mail use EWS to access Exchange. Microsoft Outlook 2010 can also use EWS when accessing an Exchange Server 2010 network. The dashboard uses IIS logs to produce the events it displays.

The dashboard offers several panels including:

  • A panel for the method's top users by email and IP address.
  • Panels that list the top operating systems and mail clients that access EWS.
  • A panel showing the total number of requests to EWS over time, in requests per minute.

All panels default sort by count, but you can change the sorting by clicking a header in any of the panels.

By default, the time period for all of these panels is the last 24 hours. You can change this setting by editing the dashboard.

Use this dashboard

You can navigate within the dashboard to see more EWS related information:

  • To find out more about an EWS top user, click on that user in the Top Users or Top IP Addresses list. The content pack loads the User Behavior Overview page and filters results to the specified user.
  • You can click on an entry in the Top Operating Systems or Top Mail Clients panels. The content pack brings up the base search that produced the selected operating system or browser, as well as any events which contain the OS or browser.
  • You can click on a node in the Requests Over Time line chart. The content pack brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

POP3 and IMAP4

This dashboard shows you information about POP3 and IMAP4 client access methods. The dashboard uses IIS logs to produce the events it displays.

The dashboard has panels that display these methods' top users by protocol. Also included is a panel that shows the total number of logins over time, in connections per minute.

By default, the time period for all of these panels is the last 24 hours. You can change this setting by editing the dashboard.

Use this dashboard

You can navigate within the dashboard to see more POP3 or IMAP4 related information:

  • To find out more about a POP3 or IMAP4 top user, click on that user in the Top POP3 Users or Top IMAP4 Users list. The content pack loads the User Behavior Overview page and filters results to the specified user.
  • You can click on a node in the Logins over Time line chart. The content pack brings up the base search that produced the events at that point in time, along with the events that occurred at that point in time.

Environment Overview

This dashboard provides high-level information about your Exchange Server environment.

The dashboard displays information gathered over the last 30 days including:

Exchange Server information Description
External clients The access methods used to connect to Exchange externally, and how many users use each method.
Internal clients The access methods used to connect to Exchange internally, and how many users use each method.
Mailbox statistics Includes the total number of mailboxes, and mailboxes over 200 MB, 500 MB, and 1 GB in size, average mailbox size, and maximum mailbox size.
Message throughput Includes the total number of messages sent and received, further divided into numbers sent by users and over SMTP.

Use this dashboard

From the dashboard panels, click the entry for which you want more Exchange Server environment information. Clicking the entry loads the base search that produced the selected entry, as well as any events which contain the selected entry.

Mailbox Quota Usage

This dashboard provides a report of users that are near or exceeding their mailbox storage quota.

The dashboard panel lists users that either meet or exceed the percentage quota you specify in the Min Quota Level (%age) text box at the top of the page.

By default, the panel sorts by percentage used, but you can change the sorting by clicking a header on the panel.

Use this dashboard

From the dashboard, click the user name for which you want more mailbox quota usage information. Clicking the user name loads the User Behavior Overview page for that user.

Message Volume

This dashboard provides information on message volumes both inside and outside your Exchange network. You can use this dashboard to plan capacity changes in the near term.

The dashboard includes two area charts:

  • Message volume for mail to and from the Internet.
  • Message volume for mail to and from users within the Exchange network.

Use this dashboard

You can use the time picker from the top of the page to change the time range of data displayed for the dashboard area charts. Click Search to complete any time range change.

From within either area chart, click on a node to get more message volume information. Clicking a node loads both the base search that produced the events at that point of time, as well as the events that occurred at that point of time.

Public Folder Usage

This dashboard provides insight into the usage of Public Folders in your Exchange network.

This dashboard is only available if you have Public Folders enabled.

Top Mailboxes and Folders by Size

This dashboard displays information on the top users and folders in your Exchange network.

The dashboard offers several panels including:

  • A panel showing top users by total mailbox size.
  • A panel showing top users by the size of their Deleted Items folder.
  • A panel showing top folder types by size.
  • A panel showing top users by the size of their Junk Email folder.

The dashboard also includes any events which match the selected folder, and displays a statistics page that lists the users who have items in that folder, sorted alphabetically.

Use this dashboard

You can navigate within the dashboard to see top mailbox related information:

  • To find out more about a top user, click on that user in any of the Top Users by Mailbox Size, Top Users by Deleted Items Size, or Top Users with Junk Email lists. The content pack loads the User Behavior Overview page and filters results to the specified user.
  • You can click on an entry in the Top Folder Types by Size panel. The content pack brings up the base search that produced the selected folder size events.

Unused Mailboxes

This dashboard provides information on Exchange mailboxes that have not sent an email during the last 24 hours, but have received an email during that same period. This information can be used to identify unused mailboxes.

User Counts and Mailbox Sizes

This dashboard provides information on user counts and average mailbox size in your Exchange network. You can use this information to plan capacity changes in the near term.

The dashboard includes two area charts:

  • Message user counts.
  • Average mailbox size for all mailboxes on the system.

Use this dashboard

You can use the time picker from the top of the page to change the time range of data displayed for the dashboard area charts. Click Search to complete any time range change.

From within either area chart, click on a node to get more user count and mailbox size information. Clicking a node loads both the base search that produced the events at that point of time, as well as the events that occurred at that point of time.

Administrator Audit

This dashboard searches for change events initiated by administrators in your environment. Whenever an admin makes a change to a user, mailbox, database, or other resource on your Exchange servers, Exchange logs this information and the content pack displays it on this dashboard.

Exchange does not log read events and the content pack does not display them.

This dashboard is only valid on Exchange Server 2010 environments.

Use this dashboard

Follow these steps from the dashboard to begin auditing:

  1. Enter as much detail as possible into the Host, Administrator, Command, and/or Parameters fields. To specify all of a certain category, use an asterisk (*).
  2. Set your preferred time range using the time range picker and clicking Search. The content pack updates the page with entries that match the date or time range entered.
  3. In the resulting dashboard panels, click any entry to display the base search that produced the results.

Anomalous Logons

This dashboard displays anomalous logon information into the Exchange network, including:

  • Failed logons by IP address.
  • Failed logons by username.
  • A list of users who log in from multiple countries or regions.
  • A list of the top 10 server access attempts by locked out users over the last 24 hours.
  • The event codes that Exchange logged when those users attempted to connect to the system.

Use this dashboard

Follow these steps from the dashboard to see more anomalous logon related information:

  1. Set your preferred time range using the time range picker.
  2. Click Search to see anomalous logons and other activities that have occurred in the time range you specified.
  3. In any of the resulting dashboard panels, click any entry to display the base search that produced the results.

To get more information about the status of your Mailbox Store services, click the icon next to Exchange Mailbox Store. The content pack takes you to the Mailbox Store page.

Internal Spammers

This dashboard shows information about internal Exchange users who send large quantities of messages to large numbers of users within the Exchange network.

Use this dashboard

Follow these steps from the dashboard to see more internal spammer related information:

  1. Enter the minimum amount of messages sent in the Minimum Messages field.
  2. Enter the minimum message rate. Minimum message rate is the amount of messages sent in the range of time you define in the time range picker.
  3. Set your preferred time range using the time range picker.
  4. Click Search. The content pack updates the page with entries that match the number of messages, message rate, and time range you specified.

Litigation Hold

This dashboard provides a report of users that are currently on Litigation Hold, together with their mailbox size.

Use this dashboard

From the dashboard, click the user name for which you want more litigation hold and mailbox size information. Clicking the user name loads the User Behavior Overview page for that user.

Multi-mailbox Search Usage

Multi-Mailbox Search can be used for a lot of totally reasonable use cases. However, it can also be abused. The records here show the administrative actions that affect multi-mailbox search.

Use this dashboard

From the dashboard, click the user name for which you want more multi-mailbox search usage information. Clicking the user name loads the User Behavior Overview page for that user.

Non-owner Mailbox Access

This dashboard shows Exchange mailbox access by a user who is not the owner of that mailbox.

Before you can use this dashboard, you must enable Mailbox Auditing.

To enable Mailbox Auditing for a user, use the Exchange Management Shell's Set-Mailbox command. For more information on this command, see http://technet.microsoft.com/en-us/library/bb123981.aspx.

Use this dashboard

From the dashboard, click the user name for which you want more mailbox access activity information. Clicking the user name loads the User Behavior Overview page for that user.

Last modified on 18 October, 2021
PREVIOUS
Troubleshoot the Content Pack for Microsoft Exchange
  NEXT
KPI reference for the Content Pack for Microsoft Exchange

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters