Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Other deployment considerations

This topic discusses additional considerations that you should be aware of during your deployment of the Splunk App for Microsoft Exchange.

If your Splunk deployment is large or complex, you might want to engage a member of Splunk's Professional Services team to assist you in deploying the Splunk App for Microsoft Exchange.

Where the Splunk App for Microsoft Exchange stores data

By default, the Splunk App for Exchange puts all the data it needs into several indexes:

  • msexchange (for data collected from Exchange servers)
  • perfmon (for performance metrics)
  • msad (for data collected from Active Directory domain controllers)
  • winevents (for Windows event logs and associated data)

Before you deploy the Splunk App for Microsoft Exchange, read the rest of this topic to learn how to edit the Splunk App for Microsoft Exchange's included add-ons to make the relevant configuration changes. There are also example procedures for making edits in "Make configuration changes to match your existing environment" in this manual.

If some of your data is already in Splunk

Your organization might already be using Splunk to monitor IIS and/or Exchange Message Tracking logs. If so, then you don't have to index the data again. Instead, you can edit the configuration files in the Splunk App for Microsoft Exchange so that it can access this data from the existing location(s) and perform the field extractions that it needs.

For example, if you already send IIS logs to an index called iislogs, then perform the following steps to tell the Splunk App for Microsoft Exchange about the existing index:

1. In the %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\TA-Windows-XXXX-Exchange-IIS add-on, make a copy of default\inputs.conf and move it to local\.

2. Edit inputs.conf and remove the input stanza that monitors the IIS logs.

3. Save the file.

4. Within the %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange directory, make a copy of default\eventtypes.conf and move it to local\.

Note: This step is not required if an eventtypes.conf already exists in local\.

5. Edit eventtypes.conf and change the search attribute for all stanzas that begin with [client-. For example, change:

[client-iis-logs]
search = eventtype=msexchange-index sourcetype=MSWindows:*:IIS cs_username!="*\$*" cs_username!="-"

to

[client-iis-logs]
search = eventtype=iislogs-index sourcetype=MSWindows:*:IIS cs_username!="*\$*" cs_username!="-"

6. Save the file.
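The two file edits in this procedure (step 2, dropping the input stanza that would re-monitor the IIS logs; step 5, retargeting the search attribute of every [client- event type) as an added Python example. This is not code from the Splunk documentation or the app: the sample .conf contents are constructed, and only the [client-iis-logs] stanza and the msexchange-index and iislogs-index names come from this topic.

```python
import re
# Constructed sample eventtypes.conf (not the app's file); only [client-iis-logs] is from the doc, the rest is made up.
SAMPLE_EVENTTYPES_CONF = """\
[msexchange-index]
search = index=msexchange
[client-iis-logs]
search = eventtype=msexchange-index sourcetype=MSWindows:*:IIS cs_username!="*\\$*" cs_username!="-"
[client-example]
search = eventtype=msexchange-index sourcetype=MSWindows:*:IIS
[server-example]
search = eventtype=msexchange-index sourcetype=MSExchange:*:Example
"""
# Constructed sample add-on inputs.conf; the sourcetype value is made up.
SAMPLE_INPUTS_CONF = """\
[monitor://C:\\inetpub\\logs\\LogFiles]
sourcetype = MSWindows:XXXX:IIS
index = msexchange
[perfmon://Processor]
index = perfmon
"""

def split_stanzas(conf_text):
    """Split a .conf file into (name, lines) pairs; text before the first stanza has name None."""
    stanzas, name, lines = [], None, []
    for line in conf_text.splitlines():
        m = re.fullmatch(r"\[(.*)\]\s*", line)
        if m:
            stanzas.append((name, lines))
            name, lines = m.group(1), [line]
        else:
            lines.append(line)
    stanzas.append((name, lines))
    return stanzas

def join_stanzas(stanzas):
    return "\n".join(line for _, lines in stanzas for line in lines) + "\n"

def drop_stanza(conf_text, stanza_name):
    """Step 2: remove the input stanza that would monitor (and re-index) the IIS logs."""
    return join_stanzas([s for s in split_stanzas(conf_text) if s[0] != stanza_name])

def retarget_eventtypes(conf_text, stanza_prefix, old_token, new_token):
    """Step 5: in every stanza named stanza_prefix*, replace old_token with new_token in the
    search attribute; whole tokens only, so similar longer names are left alone."""
    token = re.compile(r"(?<!\S)" + re.escape(old_token) + r"(?!\S)")
    def fix(line):  # only the search attribute is rewritten, other attributes pass through
        return token.sub(new_token, line) if line.split("=", 1)[0].strip() == "search" else line
    return join_stanzas([(n, [fix(l) for l in ls] if n and n.startswith(stanza_prefix) else ls)
                         for n, ls in split_stanzas(conf_text)])
```

Write the returned text to the add-on's local\ copy rather than editing default\, so the change survives an app upgrade and stanzas you did not touch still fall through to the defaults.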

Important: If at all possible, make any edits to the Splunk App for Microsoft Exchange configuration files that your existing infrastructure requires before you deploy the app and its components. If you've already deployed the app and its components, you run the risk of re-indexing data you already have on hand. The instructions in this topic assume that you've already deployed the various components to their respective universal forwarders and are having to edit the configurations in place. To edit the configuration files before deploying via deployment server, use the instructions in "Make configuration changes to match your existing environment" in this manual.

Change the indexes that the Splunk App for Microsoft Exchange uses

By default, the Splunk App for Microsoft Exchange assumes your data is in the "msexchange" index. If you're indexing data that the Splunk App for Microsoft Exchange needs, but are storing it in a different index, you can change where the app looks for data.

All of the base searches that the Splunk App for Microsoft Exchange uses in its dashboards and for summary indexing are defined as event types in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\default\eventtypes.conf on the central Splunk instance. Each data type has its own event type. To specify a different sourcetype or index for the data, do the following:

1. On the central Splunk instance, create a copy of eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\local.

2. Edit the copy to add an index setting for the event type or types as needed so that they search in the correct index.

Note: Refer to the eventtypes.conf spec file to learn how to properly configure eventtypes.conf.

3. Save the file.

If your existing data is already labeled as a different source type in Splunk

If you already index data that the Splunk App for Microsoft Exchange needs, but have defined it to use a different source type than one the app expects, you can alter the app's configuration files to use the existing source type. To do this:

1. On the central Splunk instance, create a copy of %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\default\eventtypes.conf and put it in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\local.

2. Edit the copied file to change the source type value for any relevant event type definitions.

3. Then, on every Exchange server in your environment that has a Splunk App for Microsoft Exchange add-on installed on it, create a copy of %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\<Addon-name>\default\props.conf and put it in %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\addons\<Addon-name>\local.

4. Edit the copied file to change the stanza headings to match the source types you have already defined.

5. Save the file and restart the Splunk forwarder if it is already running.

Configure summary indexing for the Splunk App for Microsoft Exchange

The Capacity Planning and Sizing dashboards in the central Splunk instance use summary indexing to ensure that the dashboards perform well over large time ranges (even if the time range is years). We recommend that you put these summary indexing results in a separate index so that you can keep them for as long as you need. By default, this is the "summary" index, which exists on all Splunk servers. If you are already using this index for something else, you can change the index that the Splunk App for Microsoft Exchange uses. To change the summary index destination:

1. Create a new index on the indexers in the central Splunk instance by following the instructions in "Set up multiple indexes" in the Splunk Enterprise documentation.

2. Create $SPLUNK_HOME\etc\apps\splunk_app_microsoft_exchange\local\savedsearches.conf and add a stanza to point all of the si-* searches to the new location.

Note: Review the savedsearches.conf spec file to learn how to properly configure savedsearches.conf.

3. Create $SPLUNK_HOME\etc\apps\splunk_app_microsoft_exchange\local\eventtypes.conf and add a stanza that tells the app to read from the new location.

Last modified on 18 March, 2014

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.0, 3.0.1, 3.0.2, 3.0.3