Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Other deployment considerations

This topic discusses information you should review before planning your deployment of the Splunk App for Microsoft Exchange.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.

Where the Splunk for Microsoft Exchange app stores data

By default, the Splunk App for Exchange puts all the data it needs into three indexes: msexchange, perfmon and blackberry.

Before you deploy the Splunk App for Microsoft Exchange, read the rest of this topic to learn how to edit the technology add-ons to make the relevant configuration changes. There are also example procedures for making edits in "Make configuration changes to match your existing environment" in this manual.

If some of your data is already in Splunk

Your organization may already be Splunking IIS and/or Message Tracking logs. If that's the case, you don't have to index the data again. Instead, you can edit the configuration files used by the Splunk for Exchange app so that it can access this data from the existing location(s) and perform the field extractions that it needs.

For example, if you are already sending IIS logs to an index called iislogs, then perform the following steps to tell the Splunk for Exchange app about the existing index:

1. In the TA-Windows-XXXX-Exchange-IIS component, make a copy of default\inputs.conf and move it to local\.

2. Edit inputs.conf and remove the input stanza that monitors the IIS logs.

3. Save the file.

4. Within the %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange directory, make a copy of default\eventtypes.conf and move it to local\

Note: This step is not required if an eventtypes.conf already exists in local\.

5. Edit eventtypes.conf and change the search attribute for all stanzas that begin with [client-. For example, change:

[client-iis-logs]
search = eventtype=msexchange-index sourcetype=MSWindows:*:IIS cs_username!="*\$*" cs_username!="-"

to

[client-iis-logs]
search = eventtype=iislogs-index sourcetype=MSWindows:*:IIS cs_username!="*\$*" cs_username!="-"

6. Save the file.

Important: If at all possible, make any edits to the Splunk App for Microsoft Exchange configuration files that your existing infrastructure requires before you deploy the app and its components. If you've already deployed the app and its components, you run the risk of re-indexing data you already have on hand. The instructions in this topic assume that you've already deployed the various components to their respective universal forwarders and are having to edit the configurations in place. To edit the configuration files before deploying via deployment server, use the instructions in "Make configuration changes to match your existing environment" in this manual.

Change the indexes that the Splunk App for Microsoft Exchange use

By default, the Splunk App for Microsoft Exchange assumes your data is in the "msexchange" index. If you're indexing data that the Splunk App for Microsoft Exchange needs, but are storing it in a different index, you can change where the app looks for data.

All of the base searches that the Splunk App for Microsoft Exchange uses in its dashboards and for summary indexing are defined as event types in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\default\eventtypes.conf on the central Splunk instance. Each data type has its own event type. To specify a different sourcetype or index for the data, do the following:

1. On the central Splunk instance, create a copy of eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local.

2. Edit the copy to add an index setting for the event type or types as needed so that they search in the correct index.

Note: Refer to the eventtypes.conf spec file to learn how to properly configure eventtypes.conf.

3. Save the file.

If your existing data is already labeled as a different source type in Splunk

If you are already indexing data that the Splunk App for Microsoft Exchange needs, but have defined it to use a different source type than one the app is expecting, you can alter the app's configuration files to use the existing source type. To do this: 1. On the central Splunk instance, create a copy of eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\Splunk_for_Exchange\local.

2. Edit the copied file to change the source type value for any relevant event type definitions.

3. Then, on every Exchange server system in your environment that has a Splunk App for Microsoft Exchange technology add-on installed on it, create a copy of props.conf and put it in $SPLUNK_HOME\etc\apps\Splunk_for_Exchange\appserver\addons\<TA>\local.

4. Edit the copied file to change the stanza headings to match the source types you have already defined.

5. Save the file and restart your Splunk forwarder if it is already running.

Configure summary indexing for the Splunk for Exchange app

The Capacity Planning and Sizing dashboards in the central instance of the app use summary indexing to ensure that the dashboard performs well over large time ranges (even if the time range is years). We recommend that you put these summary indexing results in a separate index that is kept for as long as you need it. By default, this is "summary", which exists on all Splunk servers. If you're already using this index for something else, you can change the index that the Splunk App for Microsoft Exchange uses. To change the summary index destination:

1. Create a new index on your Splunk indexer following the instructions in "Set up multiple indexes" in the core Splunk product documentation.

2. Create $SPLUNK_HOME\etc\apps\Splunk_for_Exchange\local\savedsearches.conf and add a stanza to point all of the si-* searches to the new location.

Note: Review the savedsearches.conf spec file to learn how to properly configure savedsearches.conf.

3. Create $SPLUNK_HOME\etc\apps\Splunk_for_Exchange\local\eventtypes.conf and add a stanza that tells the app to read from the new location.

Last modified on 22 January, 2012
What data the Splunk App for Microsoft Exchange collects   What a Splunk App for Microsoft Exchange deployment looks like

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.1, 1.1.1, 1.1.4, 1.1.5, 1.1.6


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters