Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Other deployment considerations

This topic discusses information you should review before planning your deployment of the Splunk App for Microsoft Exchange.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.

Where the Splunk for Microsoft Exchange app stores data

By default, the Splunk App for Exchange puts all the data it needs into the main index. The main index is the default index in Splunk. If you've already got Splunk running and are using the default index for something else, you might want to alter the index that the Splunk App for Microsoft Exchange uses.

Before you deploy the Splunk App for Microsoft Exchange, read the rest of this topic to learn how to edit the app packages to make the relevant configuration changes. There are also example procedures for making edits in "Make configuration changes to match your existing environment" in this manual.

If some of your data is already in Splunk

Your organization may already be Splunking IIS and/or Message Tracking logs. If that's the case, you don't have to index the data again. Instead, you can edit the configuration files used by the Splunk for Exchange app so that it can access this data from the existing location(s) and perform the field extractions that it needs.

Important: If at all possible, make any edits to the Splunk App for Microsoft Exchange configuration files that your existing infrastructure requires before you deploy the app and its components. If you've already deployed the app and its components, you run the risk of re-indexing data you already have on hand, and polluting the "main" index with it. The instructions in this topic assume that you've already deployed the various components to their respective universal forwarders and are having to edit the configurations in place. To edit the configuration files before deploying via deployment server, use the instructions in "Make configuration changes to match your existing environment" in this manual.

Change the index that the Splunk App for Microsoft Exchange uses

By default, the Splunk App for Microsoft Exchange assumes all your data is in the "main" index. If you're indexing data that the Splunk App for Microsoft Exchange needs, but are storing it in a different index, you can change where the app looks for data.

All of the base searches that the Splunk App for Microsoft Exchange uses in its dashboards and for summary indexing are defined as event types in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\default\eventtypes.conf on the central Splunk instance. Each data type has its own event type. To specify a different sourcetype or index for the data, do the following:

1. On the central Splunk instance, create a copy of eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local.

2. Edit the copy to add an index setting for the event type or types as needed so that they search in the correct index.

Note: Refer to the eventtypes.conf spec file to learn how to properly configure eventtypes.conf.

3. Save the file.

If your existing data is already labeled as a different source type in Splunk

If you are already indexing data that the Splunk App for Microsoft Exchange needs, but have defined it to use a different source type than one the app is expecting, you can alter the app's configuration files to use the existing source type. To do this:

1. On the central Splunk instance, create a copy of eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local.

2. Edit the copied file to change the source type value for any relevant event type definitions.

3. Then, on every Exchange server system in your environment that has a Splunk App for Microsoft Exchange <fwd_*> component installed on it, create a copy of props.conf and put it in $SPLUNK_HOME\etc\apps\<fwd_*>\local.

4. Edit the copied file to change the stanza headings to match the source types you have already defined.

5. Save the file and restart your Splunk forwarder if it is already running.

Configure summary indexing for the Splunk for Exchange app

The Capacity Planning and Sizing dashboards in the central instance of the app use summary indexing to ensure that the dashboard performs well over large time ranges (even if the time range is years). We recommend that you put these summary indexing results in a separate index that is kept for as long as you need it. By default, this is "summary", which exists on all Splunk servers. If you're already using this index for something else, you can change the index that the Splunk App for Microsoft Exchange uses. To change the summary index destination:

1. Create a new index on your Splunk indexer following the instructions in "Set up multiple indexes" in the core Splunk product documentation.

2. Create $SPLUNK_HOME\etc\apps\Splunk_for_Exchange\local\savedsearches.conf and add a stanza to point all of the si-* searches to the new location.

Note: Review the savedsearches.conf spec file to learn how to properly configure savedsearches.conf.

3. Create $SPLUNK_HOME\etc\apps\Splunk_for_Exchange\local\eventtypes.conf and add a stanza that tells the app to read from the new location.
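The three procedures above (pointing event types at another index, reusing a source type you already defined, and moving the summary index) as one added example; these fragments are not taken from the app's own configuration files, and every event type, source type, search and index name in them is a hypothetical placeholder:

```ini
# --- %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local\eventtypes.conf (central instance) ---
# Settings in local\ override the same stanza in default\, so only the
# stanzas you change need to be copied. "exchange_msgtrack" and "mt_existing"
# are placeholder names. Scoping the search with index= keeps the dashboard
# from reading "main" when the data lives in a dedicated index.
[exchange_msgtrack]
search = index=exchange sourcetype=mt_existing

# --- $SPLUNK_HOME\etc\apps\<fwd_*>\local\props.conf (each Exchange server) ---
# The stanza heading must equal the source type already assigned to the
# data, otherwise the app's field extractions never apply to those events.
# Keep the extraction settings from the default stanza unchanged below it.
[mt_existing]
# ... settings copied from the corresponding default props.conf stanza ...

# --- $SPLUNK_HOME\etc\apps\Splunk_for_Exchange\local\savedsearches.conf (central instance) ---
# One stanza per si-* search from the default file; "si-exchange-capacity"
# is a placeholder. action.summary_index._name selects the destination index.
[si-exchange-capacity]
action.summary_index = 1
action.summary_index._name = exchange_summary

# --- %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local\eventtypes.conf (same file as above) ---
# Event type the Capacity Planning dashboards read summaries from; summary-
# indexed events carry the originating search name in the source field by
# default, so it can be used to select only this search's results.
[exchange_capacity_summary]
search = index=exchange_summary source="si-exchange-capacity"
```

After saving, restart Splunk on the central instance and on each forwarder whose props.conf changed so the new stanzas are read; confirm with a search over the new index before relying on the dashboards.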

Last modified on 07 October, 2011

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.0

