Splunk® App for Microsoft Exchange

Deploy and Use the Splunk Add-ons for Microsoft Exchange

Download manual as PDF

Download topic as PDF

Configure TA-Exchange-Mailbox

The Splunk Add-ons for Microsoft Exchange must be configured before you can deploy them to Exchange Server hosts. This is because you must specifically enable support for the version of Exchange Server that you run.

Each add-on within the Splunk Add-ons for Microsoft Exchange package includes an inputs.conf file that has all of the data inputs that are necessary to get Exchange Server data. These inputs are disabled by default.

Download and unpack the TA-Exchange-Mailbox add-on

  1. Download the Splunk Add-ons for Microsoft Exchange package from Splunkbase.
  2. Unpack the add-on bundle to an accessible location.

Create and edit inputs.conf

  1. Open a PowerShell window, command prompt, or Explorer window.
  2. Create a local directory within the TA-Exchange-Mailbox add-on.
  3. Copy inputs.conf from the TA-Exchange-Mailbox\default directory to the TA-Exchange-Mailbox\local directory.
  4. Use a text editor such as Notepad to open the TA-Exchange-Mailbox\local\inputs.conf file for editing.
  5. Modify the inputs.conf file so that the common data inputs and the inputs that are for the version of Exchange Server that you run are enabled. Do this by changing disabled = true to disabled = false for all input stanzas that are associated with your version of Exchange Server. See the example inputs.conf later in this topic.
  6. After you update the inputs.conf file, save it and close it.

Distribute the add-ons

If you do not have a deployment server to distribute apps and add-ons, set one up. A deployment server greatly reduces the overhead in distributing apps and add-ons to hosts. You can make one change on the deployment server and push that change to all universal forwarders in your Splunk App for Microsoft Exchange deployment. The Splunk App for Microsoft Exchange manual uses deployment server extensively in its setup instructions.

If you run more than one version of Exchange Server in your environment, set up a deployment server for each version of Exchange. This is because the Splunk Add-ons for Microsoft Exchange include data inputs for all versions of Exchange Server.

  1. Copy the TA-Exchange-Mailbox add-on to the %SPLUNK_HOME%\etc\deployment-apps directory on the deployment server.
  2. Create a server class for all hosts that run Exchange Server and hold the Mailbox Store role.
  3. Add all Exchange Server hosts that hold the Mailbox Server role to this server class.
  4. Push the add-on to all hosts in this server class.

Example inputs.conf

The following inputs.conf listing is an example of how you should configure the TA-Exchange-Mailbox add-on for installation on an Exchange Server 2010 host that holds the Mailbox Server role. In this example, Exchange Server 2010 block has had its input stanzas changed from disabled = true to disabled = false. All other data input blocks have not been changed.

Remember to save the inputs.conf file after editing it, as changes do not take effect until the file has been saved and the add-on has been pushed to Exchange Server hosts.

##################################################################################################
#User should enable the stanza specific to the exchange server version by setting disabled=false.#
##################################################################################################

####Common Stanzas - Start####

[WinHostMon://Processes]
index = windows
interval = 10
disabled = false
type = process

[WinHostMon://Services]
index = windows
interval = 10
disabled = false
type = service

[perfmon://Total_Processor_Time]
index=perfmon
object=Processor
counters=% Processor Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Processor]
index=perfmon
object=Processor
counters=% User Time; % Privileged Time
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://System]
index=perfmon
object=System
counters=Processor Queue Length
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Available_Memory]
index=perfmon
object=Memory
counters=Available MBytes; Page Reads/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Memory]
index=perfmon
object=Memory
counters=Pool Nonpaged bytes; Pool Paged bytes; Cache Bytes; Committed Bytes; %Committed Bytes in Use; Transition Pages Repurposed/sec; Pages/sec; Pages Input/sec; Pages Output/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://DotNET_CLR_Memory]
index=perfmon
object=.NET CLR Memory
counters=% Time in GC; # Bytes in all Heaps
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Network_Utilization]
index=perfmon
object=Network Interface
counters=Bytes Total/sec; Packets Outbound Errors
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv4]
index=perfmon
object=TCPv4
counters=Connections Established; Connections Reset
interval=10
disabled=false
useEnglishOnly=true

[perfmon://TCPv6]
index=perfmon
object=TCPv6
counters=Connection Failures
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Search_Indices]
index=perfmon
object=MSExchange Search Indices
counters=Average Latency of RPCs Used to Obtain Content; Average Document Indexing Time; Full Crawl Mode Status
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Control_Panel]
index=perfmon
object=MSExchange Control Panel
counters=Outbound Proxy Requests - Average Response Time; Requests - Average Response Time; ASP.Net Request Failures/sec; Explicit Sign-On Inbound Proxy Requests/sec; Explicit Sign-On Inbound Proxy Sessions/sec; Explicit Sign-On Outbound Proxy Requests/sec; Explicit Sign-On Outbound Session Requests/sec; Explicit Sign-On Standard RBAC Requests/sec; Explicit Sign-On Standard RBAC Sessions/sec; Inbound Proxy Requests/sec; Inbound Proxy Sessions/sec; Outbound Proxy Requests - Average Response Time; Outbound Proxy Requests/sec; Outbound Proxy Sessions/sec; PowerShell Runspaces - Activations/sec; PowerShell Runspaces - Average Active Time; PowerShell Runspaces/sec; RBAC Sessions/sec; Requests - Activations/sec; Requests - Average Response Time
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Process_Microsoft.Exchange.Search.ExSearch]
index=perfmon
object=Process
counters=% Processor Time
instances=Microsoft.Exchange.Search.ExSearch
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Process_MSExchangeMailboxAssistants]
index=perfmon
object=Process
counters=%Processor Time
instances=MSExchangeMailboxAssistants
interval=10
disabled=false
useEnglishOnly=true

[perfmon://Process_msftesq]
index=perfmon
object=Process
counters=%Processor Time
instances=msftesq
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Assistants_Per_Assistant]
index=perfmon
object=MSExchange Assistants - Per Database
counters=Events in Queue; Average Event Processing Time in Seconds
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Assistants_Per_DB]
index=perfmon
object=MSExchange Assistants - Per Database
counters=Events in Queue; Average Event Processing Time in Seconds; Mailboxes Processed/sec; Events Polled/sec
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Store_Interface_Total]
index=perfmon
object=MSExchange Store Interface
counters=RPC Latency average (msec); RPC Requests outstanding
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Store_Interface]
index=perfmon
object=MSExchange Store Interface
counters=ROP Requests outstanding; RPC Requests Outstanding; RPC Requests Sent/sec; RPC Slow Requests latency average (msec); RPC Requests failed (%); RPC Slow Requests (%); 
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Mail_Submission]
index=perfmon
object=MSExchange Mail Submission
counters=Successful Submissions Per Second; Hub Servers In Retry; Failed Submissions Per Second; Temporary Submission Failures/sec
instances=*
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_ADAccess_Processes]
index=perfmon
object=MSExchange ADAccess Processes
instances=*
counters=LDAP Read Time; LDAP Search Time
interval=10
disabled=false
useEnglishOnly=true

[perfmon://LogicalDisk]
index=perfmon
object=LogicalDisk
instances=*
counters=Avg. Disk sec/Read; Avg. Disk sec/Write
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchangeIS]
index=perfmon
object=MSExchangeIS
counters=RPC Requests; RPC Averaged Latency; RPC Operations/sec; RPC Client Backoff/sec; Client: RPCs Failed/sec; Slow QP Threads; Slow Search Threads; User Count
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Database_Edge_Transport]
index=perfmon
object=MSExchange Database ==> Instances
counters=I/O Log Writes/sec; I/O Log Reads/sec; Log Generation Checkpoint Depth; Version buckets allocated; I/O Database Reads/sec; I/O Database Writes/sec; Log Record Stalls/sec; Log Threads Waiting
instances=edgetransport/Transport Mail Database
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Database_NoInstances]
index=perfmon
object=MSExchange Database
counters=I/O Database Reads (Attached) Average Latency; I/O Database Writes (Attached) Average Latency; IO Log Writes Average Latency; Log Record Stalls/sec; Log Threads Waiting; I/O Database Reads (Recovery) Average Latency; I/O Database Writes (Recovery) Average Latency; IO Log Read Average Latency; 
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Resourcebooking]
index=perfmon
object=MSExchange Resource Booking
counters=Average Resource Booking Processing Time; Requests Submitted; Requests Failed; Requests Processed
interval=30
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_IS_Public]
index=perfmon
object=MSExchangeIS Public
counters=Replication Receive Queue Size; Messages Queued for Submission
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Replication]
index=perfmon
object=MSExchange Replication
instances=*
counters=CopyQueueLength; ReplayQueueLength; ReplayGenerationsPerMinute
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Calendarattendant]
index=perfmon
object=MSExchange Calendar Attendant
instances=*
counters=Average Calendar Attendant Processing Time; Meeting Messages Processed; Requests Failed
interval=30
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_IS_Mailbox]
index=perfmon
object=MSExchangeIS Mailbox
counters=Slow Findrow Rate; RPC Averaged Latency; Search Task Rate
instances=*
interval=10
disabled=false
useEnglishOnly=true

####Common stanzas - End####

###From Exchange app/add-on version 3.5.2,support for exchange server 2007 has ended.###
####Exchange Server 2007 - Start####

[WinEventLog://Exchange Auditing]
sourcetype="WinEventLog:Exchange Auditing"
index=msexchange
queue=parsingQueue
disabled=true

[perfmon://MSExchangeIS_Mailbox_2007]
index=perfmon
object=MSExchangeIS Mailbox
instances=_Total
counters=Messages Delivered/sec; Messages Sent/sec; Messages Submitted/sec; Messages Queued for Submission; RPC Averaged Latency
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MRM_Assistants_2007]
index=perfmon
object=MSExchange Assistants
instances=msexchangemailboxassistants-total
counters=Average Event Processing Time in Seconds;Average Event Queue Time in seconds;Average Mailbox Processing Time In seconds;Events Polled/sec;Mailboxes processed/sec;Number of Failed Event Dispatchers;Percentage of Failed Event Dispatchers
interval=30
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_ADAccess_Caching_2007]
index=perfmon
object=MSExchange ADAccess Caches
instances=*
counters=LDAP Searches/sec
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_ADAccess_DC_2007]
index=perfmon
object=MSExchange ADAccess Domain Controllers
instances=*
counters=LDAP Read Time; LDAP Search Time; LDAP Searches timed out per minute; Long running LDAP operations/Min
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchangeIS_Client_2007]
index=perfmon
object=MSExchangeIS Client
instances=*
counters=RPC Average Latency; RPC Operations/sec; JET Log Records/sec; JET Pages Read/sec; Directory Access: LDAP Reads/sec; Directory Access: LDAP Searches/sec
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MRM_Counters_2007]
index=perfmon
object=MSExchange Managed Folder Assistant
counters=Items Moved; Items Deleted but Recoverable; Items Permanently Deleted; Items Moved to Discovery Holds; Items deleted due to Eha expiry date; Items moved due to Eha expiry date; Items deleted by EHA hidden folder cleanup enforcer; Items Marked as Past Retention Date; Items Subject to Retention Policy; Items Journaled; Mailbox Dumpsters Skipped; Mailbox Dumpsters Expired Items; System Data Expired Items; Total Over Quota Dumpsters; Total Over Quota Dumpster Items; Total Over Quota Dumpster Items Deleted; Size of Items subject to Retention Policy (In Bytes); Size of Items Deleted but Recoverable (In Bytes); Size of Items Permanently Deleted (In Bytes); Size of Items Moved to Discovery Holds (In Bytes); Size of Items Moved due to an Archive policy tag (In Bytes); Items Moved to Archive due to migration; Migrated items Hard deleted due to item age based hold; Items stamped with Personal Tag; Items stamped with Default Tag; Items stamped with Cleanup System Tag; Items expired by a Default Policy Tag; Total items expired by a Personal Tag; Total items moved by a default Archive tag; Items Moved due to an Archive Tag; Mailbox Dumpsters Moved Items; Health Monitor Average Delay (In Milliseconds); Health Monitor Delays/sec; Health Monitor Count of Unhealthy Database Hits
interval=30
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Database_2007]
index=perfmon
object=MSExchange Database
counters=Log Generation Checkpoint Depth; Database Page Fault Stalls/sec; Log Record Stalls/sec; Log Threads Waiting; Version buckets allocated; Database Cache Size (MB); Database Cache % Hit; Log Bytes Write/sec
instances=Information Store
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Database_Instances_2007]
index=perfmon
object=MSExchange Database ==> Instances
counters=I/O Database Reads Average Latency; I/O Database Writes Average Latency
instances=_Total
interval=10
disabled=true
useEnglishOnly=true

[script://.\bin\exchangepowershell.cmd v8.0 get-databasestats_2007.ps1]
source=Powershell
sourcetype=MSExchange:2007:Database-Stats
interval=3600
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v8.0 get-folderstats_2007.ps1]
source=Powershell
sourcetype=MSExchange:2007:Folder-Usage
interval=3600
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v8.0 get-publicfolderstats_2007.ps1]
source=Powershell
sourcetype=MSExchange:2007:PublicFolder-Stats
interval=3600
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v8.0 get-hoststats_2007.ps1]
source=Powershell
sourcetype=MSExchange:2007:Topology
interval=300
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v8.0 get-mailboxstats_2007.ps1]
source=Powershell
sourcetype=MSExchange:2007:Mailbox-Usage
interval=3600
index=msexchange
disabled=true

####Exchange Server 2007 - End####


####Exchange Server 2010 - Start####

[perfmon://MSExchangeIS_Mailbox_2010]
index=perfmon
object=MSExchangeIS Mailbox
instances=_Total
counters=Messages Delivered/sec; Messages Sent/sec; Messages Submitted/sec; Messages Queued for Submission
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Database_2010]
index=perfmon
object=MSExchange Database
instances=Information Store
counters=Defragmentation Tasks; Defragmentation Tasks Pending; Sessions In Use; Sessions % Used; Table Open Cache % Hit; Table Open Cache Hits/sec; Table Open Cache Misses/sec; Table Opens/sec; Table Closes/sec; Tables Open; Log Bytes Write/sec; Log Bytes Generated/sec; Log Threads Waiting; Log Writes/sec; Log Record Stalls/sec; Version Buckets Allocated; Database Cache Misses/sec; Database Cache % Hit; Database Cache % Hit (Uncorrelated); Database Cache Requests/sec; Database Page Faults/sec; Database Page Evictions/sec; Database Page Fault Stalls/sec; Database Cache Size (MB); Database Cache Size; Database Cache Size Effective (MB); Database Cache Size Effective; Database Cache Memory Committed (MB); Database Cache Memory Committed; Database Cache Memory Reserved (MB); Database Cache Memory Reserved; Database Cache Size Resident; Database Cache Size Resident (MB); Database Cache % Dehydrated; Database Maintenance Duration; Database Maintenance Pages Bad Checksums; I/O Database Reads (Attached)/sec; I/O Database Reads (Attached) Average Latency; I/O Database Reads (Recovery)/sec; I/O Database Reads (Recovery) Average Latency; I/O Database Reads/sec; I/O Database Reads Average Latency; I/O Log Reads/sec; I/O Log Reads Average Latency; I/O Database Writes (Attached)/sec; I/O Database Writes (Attached) Average Latency; I/O Database Writes (Recovery)/sec; I/O Database Writes (Recovery) Average Latency; I/O Database Writes/sec; I/O Database Writes Average Latency; I/O Log Writes/sec; I/O Log Writes Average Latency
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_Database_Instances_2010]
index=perfmon
object=MSExchange Database ==> Instances
counters=I/O Database Reads Average Latency; I/O Database Writes Average Latency
instances=_Total
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MSExchangeIS_Client_2010]
index=perfmon
object=MSExchangeIS Client
instances=*
counters=RPC Average Latency; RPC Operations/sec; JET Log Records/sec; JET Pages Read/sec; Directory Access: LDAP Reads/sec; Directory Access: LDAP Searches/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MRM_Assistants_2010]
index=perfmon
object=MSExchange Assistants - Per Database
instances=msexchangemailboxassistants-total
counters=Events in queue; Average Event Processing Time In seconds; Events Polled; Events Polled/sec; Polling Delay; Highest Event Counter Polled; Elapsed Time Since Last Event Polled; Elapsed Time Since Last Event Polling Attempt; Elapsed Time Since Last Database Status Update Attempt; Percentage of Interesting Events; Events Interesting to Multiple Asssitants; Mailbox Dispatchers; Mailbox Sessions In Use By Dispatchers; Average Mailbox Processing Time In seconds; Mailboxes Processed; Mailboxes processed/sec; Number of Threads Used; Health Measure
interval=30
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_ADAccess_Caching_2010]
index=perfmon
object=MSExchange ADAccess Caches
instances=*
counters=LDAP Searches/sec
interval=10
disabled=false
useEnglishOnly=true

[perfmon://MRM_Counters_2010]
index=perfmon
object=MSExchange Managed Folder Assistant
counters=Items Moved; Items Deleted but Recoverable; Items Permanently Deleted; Items Moved to Discovery Holds; Items deleted due to Eha expiry date; Items moved due to Eha expiry date; Items deleted by EHA hidden folder cleanup enforcer; Items Marked as Past Retention Date; Items Subject to Retention Policy; Items Journaled; Mailbox Dumpsters Skipped; Mailbox Dumpsters Expired Items; System Data Expired Items; Total Over Quota Dumpsters; Total Over Quota Dumpster Items; Total Over Quota Dumpster Items Deleted; Size of Items subject to Retention Policy (In Bytes); Size of Items Deleted but Recoverable (In Bytes); Size of Items Permanently Deleted (In Bytes); Size of Items Moved to Discovery Holds (In Bytes); Size of Items Moved due to an Archive policy tag (In Bytes); Items Moved to Archive due to migration; Migrated items Hard deleted due to item age based hold; Items stamped with Personal Tag; Items stamped with Default Tag; Items stamped with Cleanup System Tag; Items expired by a Default Policy Tag; Total items expired by a Personal Tag; Total items moved by a default Archive tag; Items Moved due to an Archive Tag; Mailbox Dumpsters Moved Items; Health Monitor Average Delay (In Milliseconds); Health Monitor Delays/sec; Health Monitor Count of Unhealthy Database Hits
interval=30
disabled=false
useEnglishOnly=true

[perfmon://MSExchange_ADAccess_DC_2010]
index=perfmon
object=MSExchange ADAccess Domain Controllers
instances=*
counters=LDAP Read Time; LDAP Search Time; LDAP Searches timed out per minute; Long running LDAP operations/Min
interval=10
disabled=false
useEnglishOnly=true

[script://.\bin\exchangepowershell.cmd v14 get-publicfolderstats_2010.ps1]
source=Powershell
sourcetype=MSExchange:2010:PublicFolder-Stats
interval=3600
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-databasestats_2010.ps1]
source=Powershell
sourcetype=MSExchange:2010:Database-Stats
interval=3600
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-folderstats_2010.ps1]
source=Powershell
sourcetype=MSExchange:2010:Folder-Usage
interval=3600
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-distlists_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:DistributionLists
interval=14400
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-hoststats_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:Topology
interval=300
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 read-audit-logs_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:AdminAudit
interval=300
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 read-mailbox-audit-logs_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:MailboxAudit
interval=300
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-mailboxstats_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:Mailbox-Usage
interval=3600
index=msexchange
disabled=false

[script://.\bin\exchangepowershell.cmd v14 get-inboxrules_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2010:InboxRules
interval=86400
index=msexchange
disabled=false

####Exchange Server 2010 - End####


####Exchange Server 2013/2016/2019 - Start####

[perfmon://OWA]
index=perfmon
object=MSExchange OWA
counters=Average Response Time; Average Search Time; Requests/sec; Current Unique Users
interval=10
disabled=true
useEnglishOnly=true

[perfmon://ActiveSync]
index=perfmon
object=MSExchange ActiveSync
counters=Average Request Time; Requests/sec; Ping Commands Pending; Sync Commands/sec; Sync Commands Pending; Current Requests
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchangePop3]
index=perfmon
object=MSExchangePop3
instances=_Total
counters=AUTH Failures; Connections Current; Connections Rejected; Average Command Processing Time (milliseconds)
interval=30
disabled=true
useEnglishOnly=true

[perfmon://MSExchangeImap4]
index=perfmon
object=MSExchangeImap4
instances=_Total
counters=Authenticate Failures; Login Failures; Current Connections; Connections Rejected; Average Command Processing Time (milliseconds)
interval=30
disabled=true
useEnglishOnly=true

[perfmon://Disk]
index=perfmon
object=Logical/Physical Disk
counters=Avg. Disk sec/Read; Avg. Disk sec/Write
instances=*
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchangeIS_Store]
index=perfmon
object=MSExchangeIS Store
instances=*
counters=RPC Requests; RPC Average Latency; RPC Operations/sec; RPC Client Backoff/sec; Client: RPCs Failed/sec
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Queue_Lengths]
index=perfmon
object=MSExchangeTransport Queues
counters=External Active Remote Delivery Queue Length; Internal Active Remote Delivery Queue Length; External Retry Remote Delivery Queue Length; Internal Retry Remote Delivery Queue Length; Active Mailbox Delivery Queue Length; Retry Mailbox Delivery Queue Length; Active Non-Smtp Delivery Queue Length; Retry Non-Smtp Delivery Queue Length; Internal Aggregate Delivery Queue Length (All Internal Queues); External Aggregate Delivery Queue Length (All External Queues); Internal Largest Delivery Queue Length; Internal Largest Unlocked Delivery Queue Length; External Largest Delivery Queue Length; External Largest Unlocked Delivery Queue Length; Items Queued For Delivery Total; Items Queued for Delivery Per Second; Items Completed Delivery Total; Items Completed Delivery Per Second; Items Queued For Delivery Expired Total; Locks Expired In Delivery Total; Items Deleted By Admin Total; Items Resubmitted Total; Messages Deferred Due To Local Loop; Messages Queued For Delivery; Messages Queued For Delivery Total; Messages Queued for Delivery Per Second; Messages Completed Delivery Total; Messages Completed Delivery Per Second; Unreachable Queue Length; Poison Queue Length; Submission Queue Length; Messages Submitted Total; Messages Submitted Per Second; Messages Submitted Recently; Submission Queue Items Expired Total; Submission Queue Locks Expired Total; Aggregate Shadow Queue Length; Shadow Queue Auto Discards Total; Messages Completing Categorization; Messages Deferred during Categorization; Messages Resubmitted during Categorization; Categorizer Job Availability
instances=*
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Transport_Dumpster]
index=perfmon
object=MSExchangeTransport Dumpster
counters=Dumpster Size; Dumpster Inserts/sec; Dumpster Item Count; Dumpster Deletes/sec
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Store_Driver]
index=perfmon
object=MSExchange Store Driver
counters=Inbound: LocalDeliveryCallsPerSecond; Outbound: Submitted Mail Items Per Second; Inbound: MessageDeliveryAttemptsPerSecond; Inbound: Recipients Delivered Per Second
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_SmtpReceive]
index=perfmon
object=MSExchangeTransport SMTPReceive
counters=Average bytes/message; Messages Received/sec
instances=_total
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_SmtpSend]
index=perfmon
object=MSExchangeTransport SmtpSend
counters=Average message bytes/message; Messages Sent/sec
instances=_total
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Extensibility_Agents]
index=perfmon
object=MSExchange Extensibility Agents
counters=Average Agent Processing Time (sec); Total Agent Invocations
instances=*
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchangeIS_Client_2013]
index=perfmon
object=MSExchangeIS Client Type
instances=*
counters=RPC Average Latency; RPC Operations/sec; JET Log Records/sec; JET Pages Read/sec; Directory Access: LDAP Reads/sec; Directory Access: LDAP Searches/sec
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_ADAccess_Caching_2013]
index=perfmon
object=MSExchange ADAccess Caches
instances=_Total
counters=LDAP Searches/sec
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MRM_Counters_2013]
index=perfmon
object=MSExchange Managed Folder Assistant
instances=msexchangemailboxassistants-total
counters=Items Moved; Items Deleted but Recoverable; Items Permanently Deleted; Items Moved to Discovery Holds; Items deleted due to Eha expiry date; Items moved due to Eha expiry date; Items deleted by EHA hidden folder cleanup enforcer; Items Marked as Past Retention Date; Items Subject to Retention Policy; Items Journaled; Mailbox Dumpsters Skipped; Mailbox Dumpsters Expired Items; System Data Expired Items; Total Over Quota Dumpsters; Total Over Quota Dumpster Items; Total Over Quota Dumpster Items Deleted; Size of Items subject to Retention Policy (In Bytes); Size of Items Deleted but Recoverable (In Bytes); Size of Items Permanently Deleted (In Bytes); Size of Items Moved to Discovery Holds (In Bytes); Size of Items Moved due to an Archive policy tag (In Bytes); Items Moved to Archive due to migration; Migrated items Hard deleted due to item age based hold; Items stamped with Personal Tag; Items stamped with Default Tag; Items stamped with Cleanup System Tag; Items expired by a Default Policy Tag; Total items expired by a Personal Tag; Total items moved by a default Archive tag; Items Moved due to an Archive Tag; Mailbox Dumpsters Moved Items; Health Monitor Average Delay (In Milliseconds); Health Monitor Delays/sec; Health Monitor Count of Unhealthy Database Hits
interval=30
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Database_2013]
index=perfmon
object=MSExchange Database
instances=*
counters=Defragmentation Tasks; Defragmentation Tasks Pending; Sessions In Use; Sessions % Used; Table Open Cache % Hit; Table Open Cache Hits/sec; Table Open Cache Misses/sec; Table Opens/sec; Table Closes/sec; Tables Open; Log Bytes Write/sec; Log Bytes Generated/sec; Log Threads Waiting; Log Writes/sec; Log Record Stalls/sec; Version Buckets Allocated; Database Cache Misses/sec; Database Cache % Hit; Database Cache % Hit (Uncorrelated); Database Cache Requests/sec; Database Page Faults/sec; Database Page Evictions/sec; Database Page Fault Stalls/sec; Database Cache Size (MB); Database Cache Size; Database Cache Size Effective (MB); Database Cache Size Effective; Database Cache Memory Committed (MB); Database Cache Memory Committed; Database Cache Memory Reserved (MB); Database Cache Memory Reserved; Database Cache Size Resident; Database Cache Size Resident (MB); Database Cache % Dehydrated; Database Maintenance Duration; Database Maintenance Pages Bad Checksums; I/O Database Reads (Attached)/sec; I/O Database Reads (Attached) Average Latency; I/O Database Reads (Recovery)/sec; I/O Database Reads (Recovery) Average Latency; I/O Database Reads/sec; I/O Database Reads Average Latency; I/O Log Reads/sec; I/O Log Reads Average Latency; I/O Database Writes (Attached)/sec; I/O Database Writes (Attached) Average Latency; I/O Database Writes (Recovery)/sec; I/O Database Writes (Recovery) Average Latency; I/O Database Writes/sec; I/O Database Writes Average Latency; I/O Log Writes/sec; I/O Log Writes Average Latency
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_Database_Instances_2013]
index=perfmon
object=MSExchange Database ==> Instances
counters=I/O Database Reads Average Latency; I/O Database Writes Average Latency
instances=*
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MSExchange_ADAccess_DC_2013]
index=perfmon
object=MSExchange ADAccess Domain Controllers
instances=_Total
counters=LDAP Read Time; LDAP Search Time; LDAP Searches timed out per minute; Long running LDAP operations/Min
interval=10
disabled=true
useEnglishOnly=true

[perfmon://MRM_Assistants_2013]
index=perfmon
object=MSExchange Assistants - Per Database
instances=msexchangemailboxassistants-total
counters=Average Event Processing Time In Seconds;Average Mailbox Processing Time In seconds;Events Polled/sec;Mailboxes processed/sec
interval=30
disabled=true
useEnglishOnly=true

[monitor://C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking]
whitelist=\.log$|\.LOG$
time_before_close = 0
sourcetype=MSExchange:2013:MessageTracking
queue=parsingQueue
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-databasestats_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:Database-Stats
interval=3600
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-folderstats_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:Folder-Usage
interval=3600
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-distlists_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:DistributionLists
interval=14400
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-hoststats_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:Topology
interval=300
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 read-audit-logs_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:AdminAudit
interval=300
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 read-mailbox-audit-logs_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:MailboxAudit
interval=300
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-mailboxstats_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:Mailbox-Usage
interval=3600
index=msexchange
disabled=true

[script://.\bin\exchangepowershell.cmd v15 get-inboxrules_2010_2013.ps1]
source=Powershell
sourcetype=MSExchange:2013:InboxRules
interval=86400
index=msexchange
disabled=true

####Exchange Server 2013/2016/2019 - End####
Last modified on 11 April, 2019
PREVIOUS
TA-Exchange-Mailbox inputs
  NEXT
Troubleshoot TA-Exchange-Mailbox

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.5.2, 4.0.0, 4.0.1


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters