Microsoft Exchange data model
The Splunk App for Microsoft Exchange comes with a data model that helps facilitate and improve the efficiency of searches within the app.
The fields and tags in the Microsoft Exchange data model describe various aspects of Microsoft Exchange operation, such as Exchange Server health, mail messaging, and Active Directory operations associated with Exchange.
Event Objects
Constraints for the "Microsoft_Exchange_Health" event object
The following constraints for the "Microsoft_Exchange_Health" event object identify events as being relevant to this data model. For more information, see "How to use these reference tables".
Object name | Constraint |
---|---|
Microsoft_Exchange_Health | `msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_mailboxes | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_outlook_rpc | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_owa | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_active_sync | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_outlook_anywhere | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_legacy_clients | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_auto_discover | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_management | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_tx_handling | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_outbound_smtp | |
|
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true" |
tag=ms_ex_health_inbound_smtp |
The definition for macro (msperfmon-windows-index) is "index=perfmon OR index=windows" and these indexes are defined in Splunk Add-on for Windows v4.8.4 and earlier version. If you have created your own indexes, then you have to manually update this macro and rebuild the datamodel.
Constraints for the "Exchange Messaging" event object
The following constraints for the "Exchange Messaging" event object identify events as being relevant to this data model.
Object name | Constraint |
---|---|
Exchange Messaging | index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
event_ID = DELIVER | |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
event_ID = SEND | |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
is_internal_message = 1 | |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
is_internal_message = 1
event_ID = DELIVER | |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
is_internal_message = 1
event_ID = DELIVER | |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
is_internal_message = 0 | |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
is_internal_message = 0
event_ID = DELIVER | |
|
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND) |
is_internal_message = 0
event_ID = DELIVER |
Fields for "Microsoft_Exchange_Health" event objects
The following table lists the extracted and calculated fields for the event objects in the model. Note that it does not include any inherited fields.
Object name | Field name | Data type | Description | Example values |
---|---|---|---|---|
Microsoft_Exchange_Health | ComponentId
|
string | Identifier for the Perfmon or WinHostMon component being collected | Perfmon-Processor-% Processor Time
WinHostMon-MSExchangeADTopology |
Microsoft_Exchange_Health | ComponentInstance
|
string | The instance of the component that's being collected. For perfmon, it's the counter instances and it's null or 0 for Winhostmon components | 0, _Total, null |
Microsoft_Exchange_Health | ComponentValue
|
number | The numerical value of the counter. It can be any value for Perfmon, or 0/1 for WinHostMon. | |
Microsoft_Exchange_Health | host
|
string | The host name | exch2013-cas-001 |
Microsoft_Exchange_Health | ServiceTag
|
string | List of services that this host has been tagged for. This is a multi-valued field | ms_ex_health_autodiscover
ms_ex_health_management |
Note: All child objects for "Microsoft_Exchange_Health" inherit the attributes shown in the table.
Fields for "Exchange Messaging" event objects
The following table lists the extracted and calculated fields for the "Exchange_Messaging" event object. It does not include any inherited fields.
Most of the fields are a translation of the fields that come from the Exchange message tracking logs. See "Description of Message Tracking Log fields" (http://technet.microsoft.com/en-us/library/cc539064.aspx) on MS TechNet.
Object name | Field name | Data type | Description | Example values |
---|---|---|---|---|
Exchange Messaging | app
|
string | ||
Exchange Messaging | client_hostname
|
string | The name of the messaging server or messaging client that submitted the message. | |
Exchange Messaging | connector_id
|
string | The name of source or destination Send connector or Receive connector. | |
Exchange Messaging | csip
|
string | The TCP/IP address of the messaging server or messaging client that submitted the message. | |
Exchange Messaging | date_time
|
string | The date and time of the message tracking event. The value is formatted as yyyy-mm-ddhh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. | |
Exchange Messaging | event_id
|
string | The message event type. These events are described fully in the table earlier in this topic. The possible values are BADMAIL, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER. | |
Exchange Messaging | eventtype
|
string | The Splunk eventtypes | Msexchange-msgtrack |
Exchange Messaging | index
|
string | The index that contains the event. | |
Exchange Messaging | internal_message_id
|
number | Same as internal-message-id | |
Exchange Messaging | message_id
|
string | A message identifier that is assigned by the Exchange Server 2007 server that is currently processing the message. A specific message's value of internal-message-id is different in the message tracking log of every Exchange Server 2007 server that is involved in the delivery of the message. | |
Exchange Messaging | message_info
|
string | This field contains the message origination date-time for DELIVER and SEND events. The origination date-time is the time that the message first enters the Exchange organization. The value is formatted as yyyy-mm-ddhh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC. | |
Exchange Messaging | message_subject
|
string | The message's subject found in the Subject: header field. | |
Exchange Messaging | product
|
string | The name of the product | Exchange (usually) |
Exchange Messaging | recipient
|
string | A multi-valued field containing the list of recipients. | |
Exchange Messaging | recipient_count
|
number | The number of recipients in the message. | |
Exchange Messaging | recipient_domain
|
string | A multi-valued field containing the list of recipient domains | |
Exchange Messaging | recipient_status
|
string | The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;). | |
Exchange Messaging | recipient_username
|
string | A multi-valued field containing the list of recipient usernames. | |
Exchange Messaging | recipients
|
string | A semicolon-separated list of recipients. | |
Exchange Messaging | reference
|
number | This field contains additional information for specific types of events. | DSN - The Reference field contains the Internet-Message-Id of the message that caused the DSN.
SEND - The Reference field contains the Internet-Message-Id of any delivery status notification (DSN) messages. TRANSFER - The Reference field contains the Internal-Message-Id of the message that is being forked. For all other types of events, the Reference field is blank. |
Exchange Messaging | related_recipient_address
|
string | This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message. | |
Exchange Messaging | return_path
|
string | The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>. | |
Exchange Messaging | sender
|
string | The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present. | |
Exchange Messaging | sender_domain
|
string | Domain name extracted from 'sender'. | |
Exchange Messaging | sender_username
|
string | User name extracted from 'sender'. | |
Exchange Messaging | server_hostname
|
string | The name of the destination server. | |
Exchange Messaging | source_context
|
string | Extra information associated with the source field. | |
Exchange Messaging | source_id
|
string | The Exchange transport component responsible for the message tracking event. | |
Exchange Messaging | ss_ip
|
string | The TCP/IP address of the source or destination server running Microsoft Exchange Server. | |
Exchange Messaging | tag
|
string | Not used | |
Exchange Messaging | tag::event type
|
string | Not used | |
Exchange Messaging | total_bytes
|
number | The number of bytes in the message | |
Exchange Messaging | vendor
|
string | The vendor. | |
Exchange Messaging | Is Internal Message (calculated)
|
boolean | Set to 1 if the message was sent and received within the same domain. | |
Exchange Messaging | Recipients (MV) (calculated)
|
string | Another multi-value field. | |
Exchange Messaging | Count of recipients (calculated)
|
number | The number of recipients. |
Note: All child objects for "Exchange Messaging" inherit the attributes shown in the table.
Search Objects
Tags used with "Microsoft Exchange Health Events" search objects
The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables".
Object name | Tag name |
---|---|
Microsoft Exchange Health Events | ms_ex_health_events |
Constraints for the "All Logons" search object
The following constraints for the "All Logons" search object identify events as being relevant to this data model.
Object name | Constraint |
---|---|
All Logons | eval cs_username=coalesce(Security_ID, cs_username) | transaction fields=cs_username maxspan=2s maxpause=1s maxevents=2 |
|
logontype=computer |
|
logontype="user" OR logontype="exchange" |
|
logontype="user" OR logontype="exchange" |
logontype="user" | |
|
logontype="user" OR logontype="exchange" |
logontype="exchange" | |
|
logontype="user" OR logontype="exchange" |
logontype="exchange"
eventtype="client-outlookanywhere-usage" | |
|
logontype="user" OR logontype="exchange" |
logontype="exchange"
eventtype="client-owa-usage" | |
|
logontype="user" OR logontype="exchange" |
logontype="exchange"
eventtype="client-ews-usage" | |
|
logontype="user" OR logontype="exchange" |
logontype="exchange"
eventtype="client-activesync-usage" | |
|
eventtype=client-popimap-usage |
event_ID = SEND | |
|
eventtype=client-popimap-usage |
ProtocolServiceName="POP3" | |
|
eventtype=client-popimap-usage |
ProtocolServiceName="IMAP4" |
Fields for "All Logons" search objects
The following table lists the extracted and calculated fields for the "All Logons" search object. It does not include any inherited fields.
Object name | Field name | Data type | Description | Example values |
---|---|---|---|---|
All Logons | _time
|
string | The time that the event was created. | |
All Logons | Account_Domain
|
string | The domain on which the logon occurred. | |
All Logons | Account_Name
|
string | The user that logged on. | |
All Logons | c_ip
|
string | The client IP address from which the logon request occurred. | |
All Logons | cs_method
|
string | The requested action | GET |
All Logons | cs_uri_query
|
string | The query, if any, that the client was trying to perform. | |
All Logons | cs_uri_stem
|
string | The Universal Resource Identifier, or target, of the action. | |
All Logons | cs_user_agent
|
string | The browser type that the client used | |
All Logons | cs_username
|
string | The name of the authenticated user who accessed your host. | |
All Logons | date
|
string | The date on which the request occurred. | |
All Logons | dest_nt_domain
|
string | The destination domain of the request. | |
All Logons | dest_nt_host
|
string | The destination host of the request. | |
All Logons | host
|
string | The host that generated the request. | |
All Logons | s_ip
|
string | The IP address of the server on which the log file entry was generated | |
All Logons | source
|
string | The source that Splunk tagged the logon event with. | |
All Logons | sourcetype
|
string | The source type that Splunk assigned to the event. | |
All Logons | src_ip
|
string | The IP address of the host that made the request. | |
All Logons | src_nt_domain
|
string | The domain from which the request was made. | |
All Logons | src_nt_host
|
string | The host that generated the request. | |
All Logons | src_user
|
string | The user that generated the request. | |
All Logons | logontype (calculated)
|
string | The type of Windows logon the host requested. | |
All Logons | status (calculated)
|
string | The return code provided by the host that processed the request. |
Note: All child objects for "All Logons" inherit the attributes shown in the table.
Fields for "Microsoft Exchange Health Events" search object
The following table lists the extracted and calculated fields for the "Microsoft Exchange Health Events" search object. It does not include any inherited fields.
Object name | Field name | Data type | Description | Example values |
---|---|---|---|---|
Microsoft Exchange Health Events | _time
|
string | The time that the host generated the event. | |
Microsoft Exchange Health Events | host
|
string | The host that generated the event. | |
Microsoft Exchange Health Events | source
|
string | The source of the event. | |
Microsoft Exchange Health Events | sourcetype
|
string | The source type of the event. |
Organizational Unit Audit | MSExchange Messaging data model |
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.4, 3.5.0, 3.5.1, 3.5.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3
Feedback submitted, thanks!