Dashboard reference

This topic lists all the dashboards provided in the Splunk App for Microsoft Exchange broken out by menu name, and provides a brief description of each.

Overview

The Overview dashboard is displayed when you first launch the Splunk App for Microsoft Exchange. It lists all the source types and hosts that are generating Microsoft Exchange-specific data, and by default shows you the last 24 hours of activity. If you've installed and configured the reputation component, you'll also see the sender reputation of your outbound mail servers. If any of your Exchange hosts have not sent data recently, those are listed on the right.

You can change the time range for this dashboard, as well as perform ad-hoc searches across the time range you specify. To see all the data from any given host or source type, click on that host or source type.

Message Tracking

This set of dashboards shows you information about inbound, outbound, and internally distributed messages. Each dashboard shows you the message rate and the bandwidth usage for all your inbound, outbound, and internal mail as well as the top sending or receiving IPs and domains, and message counts and volume by sender or receiver.

To track a message, provide one or more of the following:

• Sender (email address)
• IP Address (of the sender)
• Recipient
• Subject

and click "Search". Click on a result to drill down into the path that message took through your environment.

To view email behavior for a domain, IP address, or an individual user:

• Select that option from the Message Tracking menu
• Enter the information you want to track on
• Select a time range. The default time range is over the last 60 minutes. To choose a custom time range, choose that option from the time range menu and select dates and times to box your investigation.

Client Behavior

This set of views shows you how your Mailbox Server resources are being used by size and broken down by mail client usage.

The Mailbox Store Overview shows you information about the top Mailbox Store users by overall size, size of Deleted Items folder, sizes of other Mailbox types, and top user Junk folder size.

The Microsoft Outlook overview shows you top users by Remote Procedure Call (RPC) session and IP address, and also based on RPC sessions per minute.

There are similar views for:

• Outlook Web Access (OWA)
• Microsoft ActiveSync
• Outlook Anywhere
• Post Office Protocol version 3 (POP3) and Internet Mail Access Protocol version 4rev1 (IMAP4) (for all users not using a Microsoft client)

To view user activity across all clients based on a username, specify the username. You will see the last time they were seen in your infrastructure, their database usage, their activity via OWA and ActiveSync, and RPC session information. Additionally, you can see the OSes and browsers that user uses, any access via mobile devices, and any POP3 or IMAP4 use.

Operations

The Operations menu offers views of the performance of your Exchange infrastructure from an operations perspective.

The Client Access views include performance details broken down by the client type or protocol you select from the drop-down:

• Client Access Performance shows you the standard performance counters (%CPU used, available memory, and network usage) for your Client Access Server systems.
• POP3 and IMAP4 Performance shows you the current and rejected connections over these protocols, and the processing time associated with them.
• Web Performance shows OWA and ActiveSync requests per second.

The Hub Transport views show you the size of each Hub Transport messaging queue. If you don't see any data in these views, make sure you have enabled the Performance Monitoring data set on each Hub Transport server.

• To see the queues on a specific host, choose it from the list. Microsoft recommends a maximum queue length of 250 for "active" queues and 100 for all other queues. The poison queue should be zero at all times. For more information about monitoring Hub Transport servers, check out "Monitoring Hub Transport servers" (http://technet.microsoft.com/en-us/library/bb201704(EXCHG.80).aspx) on Microsoft TechNet.

The Mailbox Store menu gives you views about the use and capacity of your Mailbox Store servers.

• To find out who in your organization is close to or over a given mailbox quota, enter the value of the quota and click the button.
• The Database overview shows all active Mailbox databases, backups, and local copies.
• The Clustering view shows the Copy and Replay queue lengths, plus the status of each Cluster in your deployment.
• The Managed Folder Assistants view shows the processing status of these automated processes.
• The Mailbox Store Performance view shows the standard performance counters (%CPU used, available memory, and network usage) as well as RPC system and sub-system latency and performance for your Mailbox Store servers.

The Forefront Security menu gives you views into the health and status of your Forefront Security for Exchange deployment:

• The Status view lets you explore your Forefront Security monitoring infrastructure, including when the last update happened, and ensuring that Forefront Security is running as intended on all servers that hold the Hub Transport role.
• The Viruses view shows the top senders and receivers of viruses in your organization, and shows you trends in virus propagation over time.
• The Performance view shows rates of scanning for attachments entering your environment.

Capacity Planning

The Capacity Planning menu gives you information about the volume of email and number of users your system is handling over time to help you to plan for future expansion.