Other deployment considerations
This topic discusses additional considerations that you should be aware of during your deployment of the Splunk App for Microsoft Exchange.
If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.
Where the Splunk App for Microsoft Exchange stores data
By default, the Splunk App for Microsoft Exchange puts all the data it needs into several indexes:
- msexchange (for data collected from Exchange servers)
- perfmon (for performance metrics)
- msad (for data collected from Active Directory domain controllers)
- winevents (for Windows event logs and associated data)
Before you deploy the Splunk App for Microsoft Exchange, read the rest of this topic to learn how to edit the Splunk App for Microsoft Exchange's included add-ons to make the relevant configuration changes. There are also example procedures for making edits in "Make configuration changes to match your existing environment" in this manual.
If some of your data is already in Splunk
Your organization might already be using Splunk to monitor IIS and/or Exchange Message Tracking logs. If so, then you don't have to index the data again. Instead, you can edit the configuration files in the Splunk App for Microsoft Exchange so that it can access this data from the existing location(s) and perform the field extractions that it needs.
For example, if you already send IIS logs to an index called iislogs, then perform the following steps to tell the Splunk App for Microsoft Exchange about the existing index:
1. In the %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\TA-Windows-XXXX-Exchange-IIS add-on, make a copy of default\inputs.conf and move it to local\.
2. Edit inputs.conf and remove the input stanza that monitors the IIS logs.
3. Save the file.
4. Within the %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange directory, make a copy of default\eventtypes.conf and move it to local\.
Note: This step is not required if an eventtypes.conf already exists in local\.
5. Edit eventtypes.conf and change the search attribute for all stanzas that begin with [client-. For example, change:
[client-iis-logs]
search = eventtype=msexchange-index sourcetype=MSWindows:*:IIS cs_username!="*\$*" cs_username!="-"
to
[client-iis-logs]
search = eventtype=iislogs-index sourcetype=MSWindows:*:IIS cs_username!="*\$*" cs_username!="-"
6. Save the file.
Important: If at all possible, make any edits to the Splunk App for Microsoft Exchange configuration files that your existing infrastructure requires before you deploy the app and its components. If you've already deployed the app and its components, you run the risk of re-indexing data you already have on hand. The instructions in this topic assume that you've already deployed the various components to their respective universal forwarders and are having to edit the configurations in place. To edit the configuration files before deploying via deployment server, use the instructions in "Make configuration changes to match your existing environment" in this manual.
Change the indexes that the Splunk App for Microsoft Exchange uses
By default, the Splunk App for Microsoft Exchange assumes your data is in the "msexchange" index. If you're indexing data that the Splunk App for Microsoft Exchange needs, but are storing it in a different index, you can change where the app looks for data.
All of the base searches that the Splunk App for Microsoft Exchange uses in its dashboards and for summary indexing are defined as event types in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\default\eventtypes.conf on the central Splunk instance. Each data type has its own event type. To specify a different source type or index for the data, do the following:
1. On the central Splunk instance, create a copy of eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\local.
2. Edit the copy to add an index setting for the event type or types as needed so that they search in the correct index.
Note: Refer to the eventtypes.conf spec file to learn how to properly configure eventtypes.conf.
3. Save the file.
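Both of the procedures above rely on Splunk's configuration layering: a stanza attribute in local\eventtypes.conf overrides the same attribute in default\eventtypes.conf, and every client- event type inherits its index through the eventtype= reference in its search string. The following Python script is an added example (not code from the Splunk App for Microsoft Exchange) that simulates that layering on constructed file contents so you can confirm which index each event type will actually read before you restart Splunk. The [client-iis-logs] stanza is taken from this page; the [msexchange-index] base stanza, its search string, and the exchange_prod index name are assumptions used for illustration.

```python
"""Simulate Splunk's default/ -> local/ layering for eventtypes.conf.

Added example for this page; not code from the Splunk App for Microsoft
Exchange. The file contents below are constructed: the [client-iis-logs]
stanza is taken from the page, while the [msexchange-index] base stanza and
the 'exchange_prod' index name are assumptions used for illustration.
"""
import configparser
import re

# Constructed stand-in for default\eventtypes.conf (ships with the app; never edit it).
DEFAULT_CONF = """
[msexchange-index]
search = index=msexchange

[client-iis-logs]
search = eventtype=msexchange-index sourcetype=MSWindows:*:IIS cs_username!="*\\$*" cs_username!="-"
"""

# Constructed stand-in for local\eventtypes.conf: only the attribute that changes.
LOCAL_CONF = """
[msexchange-index]
search = index=exchange_prod
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {attribute: value}}.

    Interpolation is disabled because search strings contain '$' and '*';
    only '=' is a delimiter because values contain ':'; optionxform keeps
    attribute names case-sensitive, as Splunk does.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return {s: dict(parser[s]) for s in parser.sections()}


def layer(default, local):
    """Apply Splunk precedence: local attributes win, stanza by stanza.

    Attributes absent from local fall through to default, so a local file
    only needs the attributes that actually change.
    """
    merged = {s: dict(attrs) for s, attrs in default.items()}
    for stanza, attrs in local.items():
        merged.setdefault(stanza, {}).update(attrs)
    return merged


def effective_index(eventtypes, name, _seen=None):
    """Return the index an event type ultimately searches.

    Follows eventtype=<other> references in the search string until an
    explicit index=<name> term is found; returns None if none is reachable
    (or if the references form a cycle).
    """
    if _seen is None:
        _seen = set()
    if name in _seen or name not in eventtypes:
        return None
    _seen.add(name)
    search = eventtypes[name].get("search", "")
    m = re.search(r"(?<![\w.-])index=(\S+)", search)
    if m:
        return m.group(1)
    for ref in re.findall(r"(?<![\w.-])eventtype=(\S+)", search):
        found = effective_index(eventtypes, ref, _seen)
        if found:
            return found
    return None


def report(default_text=DEFAULT_CONF, local_text=LOCAL_CONF):
    """Map every event type to the index it will read after layering."""
    merged = layer(parse_conf(default_text), parse_conf(local_text))
    return {name: effective_index(merged, name) for name in merged}


if __name__ == "__main__":
    for name, idx in report().items():
        print(f"{name:20s} -> index={idx}")
```

On a live instance the same check is done with the bundled btool, for example `splunk btool eventtypes list --debug`, which prints the merged stanzas together with the file each attribute came from; the script above only models that merge so the result can be reasoned about offline.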
If your existing data is already labeled as a different source type in Splunk
If you already index data that the Splunk App for Microsoft Exchange needs, but have defined it to use a different source type than one the app expects, you can alter the app's configuration files to use the existing source type. To do this:
1. On the central Splunk instance, create a copy of %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\default\eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\local.
2. Edit the copied file to change the source type value for any relevant event type definitions.
3. Then, on every Exchange server in your environment that has a Splunk App for Microsoft Exchange add-on installed on it, create a copy of %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\<Addon-name>\default\props.conf and put it in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\<Addon-name>\local.
4. Edit the copied file to change the stanza headings to match the source types you have already defined.
5. Save the file and restart the Splunk forwarder if it is already running.
Configure summary indexing for the Splunk App for Microsoft Exchange
The Capacity Planning and Sizing dashboards in the central Splunk instance use summary indexing to ensure that the dashboards perform well over large time ranges (even if the time range is years). We recommend that you put these summary indexing results in a separate index so that you can keep them for as long as you need. By default, this is the "summary" index, which exists on all Splunk servers. If you are already using this index for something else, you can change the index that the Splunk App for Microsoft Exchange uses. To change the summary index destination:
1. Create a new index on the indexers in the central Splunk instance by following the instructions in "Set up multiple indexes" in the Splunk Enterprise documentation.
2. Create $SPLUNK_HOME\etc\apps\splunk_app_microsoft_exchange\local\savedsearches.conf and add a stanza to point all of the si-* searches to the new location.
Note: Review the savedsearches.conf spec file to learn how to properly configure savedsearches.conf.
3. Create $SPLUNK_HOME\etc\apps\splunk_app_microsoft_exchange\local\eventtypes.conf and add a stanza that tells the app to read from the new location.
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3