Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Dashboard reference

This topic lists all the dashboards provided in the Splunk App for Microsoft Exchange broken out by menu name, and provides a brief description of each.

Overview

The Overview dashboard is displayed when you first launch the Splunk App for Microsoft Exchange.

This dashboard is divided into six sections.

On the top left, the DNS-based Blocking List (DNSBL) Reputation displays the current status of your organization's email reputation. This is based on the information in a number of DNSBL services that are commonly used by internet-facing email relays. You can click on the reputation status to get detailed information about the systems that have a Poor or Neutral rating.

A Poor rating indicates that one or more of your listed outbound servers is listed by a DNSBL service. A Good rating indicates that none of your listed outbound servers is listed by any DNSBL service. A Neutral rating indicates that some DNSBL services could not be checked.
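The rating logic described above, sketched as an added example (this is not the app's own code). The zone names, the sample addresses and the `fake_resolver` helper are constructed for illustration, and letting a listing outrank an unchecked service is an assumption, since the page does not say which rating wins when both occur.

```python
import ipaddress

# Constructed sample data: these DNSBL zones are placeholders, not real services.
ZONES = ["dnsbl.example.org", "bl.example.net"]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")

def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def check_server(ip, zones, resolve):
    """Return (listed_in, unchecked) for one outbound server.

    resolve(name) returns a list of A-record strings, [] for NXDOMAIN,
    and raises OSError when the DNSBL service could not be queried.
    """
    listed, unchecked = [], []
    for zone in zones:
        try:
            answers = resolve(dnsbl_query_name(ip, zone))
        except OSError:
            unchecked.append(zone)
            continue
        # A listing is signalled by an A record inside 127.0.0.0/8.
        if any(ipaddress.ip_address(a) in LISTED_RANGE for a in answers):
            listed.append(zone)
    return listed, unchecked

def reputation(servers, zones, resolve):
    """Aggregate per-server results into Good / Neutral / Poor."""
    details = {ip: check_server(ip, zones, resolve) for ip in servers}
    if any(listed for listed, _ in details.values()):
        rating = "Poor"  # assumption: a listing outranks an unchecked service
    elif any(unchecked for _, unchecked in details.values()):
        rating = "Neutral"
    else:
        rating = "Good"
    return rating, details

def fake_resolver(table, down=()):
    """Offline stand-in for DNS: table maps query name -> A records."""
    def resolve(name):
        if any(name.endswith("." + z) for z in down):
            raise OSError("DNSBL unreachable: " + name)
        return table.get(name, [])
    return resolve
```

The per-server `details` mapping corresponds to the drill-down the dashboard offers for Poor or Neutral ratings: it names which service listed each server and which services could not be checked.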

The top center view, Service Availability, shows you a list of servers that are not running services they should be, based on the Exchange server roles they hold. If a server appears in this list, clicking on it gives you detailed information about the services that are configured for it, as well as which of those services are not running.

The top right view displays information about Exchange servers which have not reported new data within the last 30 minutes. If a server shows up in this list, it might not be sending data. You can click to get additional information on the server that is not reporting.

The bottom left view lists all the source types and hosts that are generating Microsoft Exchange-specific data.

The bottom center view is a gauge that displays an instant count of the number of messages transiting your Exchange network per hour. It is configurable by editing configuration files within the app.

The bottom right view displays all Exchange hosts configured to send data to the Splunk App for Microsoft Exchange, along with the number of events they have sent to the app over time.

You can change the time range for this dashboard from the default of "Last 15 minutes," as well as perform ad-hoc searches across the time range you specify. To see all the data from any given host or source type, click on that host or source type.

System Overview

The System Overview dashboard is displayed when you select "Systems Overview" from the System menu.

This dashboard displays information on all of the Exchange servers that are sending data to the Splunk App for Microsoft Exchange. The list is divided into views that represent servers that run the Hub and Edge Transport, Client Access Server, and Mailbox Server roles.

You can narrow the results displayed by clicking on any of the entries shown in the Site list.

Message Tracking

This set of dashboards shows you information about inbound, outbound, and internally distributed messages. Each dashboard shows you the message rate and the bandwidth usage for all your inbound, outbound, and internal mail as well as the top sending or receiving IPs and domains, and message counts and volume by sender or receiver.

To track a message, select "Track a Message", and on the page that appears, provide one or more of the following:

  • Sender (email address)
  • Recipient (email address)
  • IP Address (of the sender)
  • Subject

and click "Search". Wildcards are accepted in any of the fields above. Click on a result to drill down into the path that message took through your environment.

To view email behavior for a domain, IP address, or an individual user:

  • Select that option from the Message Tracking menu
  • Enter the information you want to track
  • Select a time range. The default time range is over the last 60 minutes. To choose a custom time range, choose that option from the time range menu and select dates and times to frame your investigation.

Client Behavior

This set of views shows you how your Mailbox Server resources are being used by size and broken down by mail client usage.

The Mailbox Store Overview shows you information about the top Mailbox Store users by overall size, size of Deleted Items folder, sizes of other Mailbox types, and top user Junk folder size.

The Microsoft Outlook overview shows you top users by Remote Procedure Call (RPC) session and IP address, and also based on RPC sessions per minute.

There are similar views for:

  • Outlook Web Access (OWA)
  • Microsoft ActiveSync
  • Outlook Anywhere
  • Post Office Protocol version 3 (POP3) and Internet Mail Access Protocol version 4 revision 1 (IMAP4) (for all users not using a Microsoft client)
  • BlackBerry Enterprise Server

To view user activity across all clients based on a username, specify the username. You will see the last time they were seen in your infrastructure, their database usage, their activity via OWA and ActiveSync, and RPC session information. Additionally, you can see the OSes and browsers that user uses, any access via mobile devices, and any POP3 or IMAP4 use.

Operations

The Operations menu offers views of the performance of your Exchange infrastructure from an operations perspective.

The Client Access views include performance details broken down by the client type or protocol you select from the drop-down:

  • Client Access Performance shows you the standard performance counters (%CPU used, available memory, and network usage) for your Client Access Server systems.
  • POP3 and IMAP4 Performance shows you the current and rejected connections over these protocols, and the processing time associated with them.
  • Web Performance shows OWA and ActiveSync requests per second.

The Hub Transport views show you the size of each Hub Transport messaging queue. If you don't see any data in these views, make sure you have enabled the Performance Monitoring data set on each Hub Transport server.

The Mailbox Store menu gives you views about the use and capacity of your Mailbox Store servers.

  • To find out who in your organization is close to or over a given mailbox quota, enter the value of the quota and click the button.
  • The Database overview shows all active Mailbox databases, backups, and local copies.
  • The Clustering view shows the Copy and Replay queue lengths, plus the status of each Cluster in your deployment.
  • The Managed Folder Assistants view shows the processing status of these automated processes.
  • The Mailbox Store Performance view shows the standard performance counters (%CPU used, available memory, and network usage) as well as RPC system and sub-system latency and performance for your Mailbox Store servers.

The Forefront Security menu gives you views into the health and status of your Forefront Security for Exchange deployment:

  • The Status view lets you explore your Forefront Security monitoring infrastructure, including when the last update happened, and ensuring that Forefront Security is running as intended on all servers that hold the Hub Transport role.
  • The Viruses view shows the top senders and receivers of viruses in your organization, and shows you trends in virus propagation over time.
  • The Performance view shows rates of scanning for attachments entering your environment.

The Exchange 2010 Administrator Audit dashboard allows you to search for change events initiated by administrators in your environment. Whenever an admin makes a change to a user, mailbox, database or other resource on your Exchange servers, Exchange logs this information and the Splunk App for Microsoft Exchange displays it here. Read events are not logged. This dashboard is only valid on Exchange Server 2010 environments.

The Anomalous Logins Report dashboard displays failed logins by IP address and username, as well as a list of users who log in from multiple countries or regions.

Capacity Planning

The Capacity Planning menu gives you information about the volume of email and number of users your system is handling over time to help you to plan for future expansion.

The Message Volume dashboard displays information about the number of messages your organization receives over a period of time, including mail sent to and from the Internet and internal activity.

The User Population dashboard shows you how many users use your Exchange server resources over time. It also shows the amount of space that each user's mailbox takes up on average.

The Environment Report dashboard gives a high-level overview of all of the information on your system over a specified period of time, which, by default, is the last 30 days. This dashboard displays statistics on mailbox usage, number of messages sent and received, and which mail user agents, both internal and external, are connecting to your Exchange services.

Last modified on 20 June, 2012

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.1, 1.1.1, 1.1.4, 1.1.5, 1.1.6

