Splunk® App for Microsoft Exchange (EOL)

Splunk App for Microsoft Exchange Reference

Acrobat logo Download manual as PDF


On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of MSExchange. Click here for the latest version.
Acrobat logo Download topic as PDF

Microsoft Exchange data model

The Splunk App for Microsoft Exchange comes with a data model that helps facilitate and improve the efficiency of searches within the app.

The fields and tags in the Microsoft Exchange data model describe various aspects of Microsoft Exchange operation, such as Exchange Server health, mail messaging, and Active Directory operations associated with Exchange.

Event Objects

Constraints for the "Microsoft_Exchange_Health" event object

The following constraints for the "Microsoft_Exchange_Health" event object identify events as being relevant to this data model. For more information, see "How to use these reference tables".

Object name Constraint
Microsoft_Exchange_Health `msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
|____ Mailboxes
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_mailboxes
|____ Outlook RPC
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_outlook_rpc
|____ Outlook Web Access
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_owa
|____ Active Sync
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_active_sync
|____ Outlook Anywhere
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_outlook_anywhere
|____ Legacy Clients
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_legacy_clients
|____ Auto Discover
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_auto_discover
|____ Exchange Management
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_management
|____ Transport Handling
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_tx_handling
|____ Outbound SMTP
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_outbound_smtp
|____ Inbound SMTP
`msperfmon-windows-index` tag = ms_ex_health ms_exchange_host="true"
tag=ms_ex_health_inbound_smtp

The definition for macro (msperfmon-windows-index) is "index=perfmon OR index=windows" and these indexes are defined in Splunk Add-on for Windows v4.8.4 and earlier version. If you have created your own indexes, then you have to manually update this macro and rebuild the datamodel.

Constraints for the "Exchange Messaging" event object

The following constraints for the "Exchange Messaging" event object identify events as being relevant to this data model.

Object name Constraint
Exchange Messaging index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
|____ Received Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
event_ID = DELIVER
|____ Sent Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
event_ID = SEND
|____ Internal Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
is_internal_message = 1
|____ Internal Received Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
is_internal_message = 1

event_ID = DELIVER

|____ Internal Sent Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
is_internal_message = 1

event_ID = DELIVER

|____ External Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
is_internal_message = 0
|____ External Received Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
is_internal_message = 0

event_ID = DELIVER

|____ External Sent Messages
index=msexchange eventtype=msexchange-msgtrack (event_id=DELIVER OR event_id=SEND)
is_internal_message = 0

event_ID = DELIVER

Fields for "Microsoft_Exchange_Health" event objects

The following table lists the extracted and calculated fields for the event objects in the model. Note that it does not include any inherited fields.

Object name Field name Data type Description Example values
Microsoft_Exchange_Health ComponentId string Identifier for the Perfmon or WinHostMon component being collected Perfmon-Processor-% Processor Time

WinHostMon-MSExchangeADTopology

Microsoft_Exchange_Health ComponentInstance string The instance of the component that's being collected. For perfmon, it's the counter instances and it's null or 0 for Winhostmon components 0, _Total, null
Microsoft_Exchange_Health ComponentValue number The numerical value of the counter. It can be any value for Perfmon, or 0/1 for WinHostMon.
Microsoft_Exchange_Health host string The host name exch2013-cas-001
Microsoft_Exchange_Health ServiceTag string List of services that this host has been tagged for. This is a multi-valued field ms_ex_health_autodiscover

ms_ex_health_management

Note: All child objects for "Microsoft_Exchange_Health" inherit the attributes shown in the table.

Fields for "Exchange Messaging" event objects

The following table lists the extracted and calculated fields for the "Exchange_Messaging" event object. It does not include any inherited fields.

Most of the fields are a translation of the fields that come from the Exchange message tracking logs. See "Description of Message Tracking Log fields" (http://technet.microsoft.com/en-us/library/cc539064.aspx) on MS TechNet.

Object name Field name Data type Description Example values
Exchange Messaging app string
Exchange Messaging client_hostname string The name of the messaging server or messaging client that submitted the message.
Exchange Messaging connector_id string The name of source or destination Send connector or Receive connector.
Exchange Messaging csip string The TCP/IP address of the messaging server or messaging client that submitted the message.
Exchange Messaging date_time string The date and time of the message tracking event. The value is formatted as yyyy-mm-ddhh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
Exchange Messaging event_id string The message event type. These events are described fully in the table earlier in this topic. The possible values are BADMAIL, DELIVER, DSN, EXPAND, FAIL, POISONMESSAGE, RECEIVE, REDIRECT, RESOLVE, SEND, SUBMIT, and TRANSFER.
Exchange Messaging eventtype string The Splunk eventtypes Msexchange-msgtrack
Exchange Messaging index string The index that contains the event.
Exchange Messaging internal_message_id number Same as internal-message-id
Exchange Messaging message_id string A message identifier that is assigned by the Exchange Server 2007 server that is currently processing the message. A specific message's value of internal-message-id is different in the message tracking log of every Exchange Server 2007 server that is involved in the delivery of the message.
Exchange Messaging message_info string This field contains the message origination date-time for DELIVER and SEND events. The origination date-time is the time that the message first enters the Exchange organization. The value is formatted as yyyy-mm-ddhh:mm:ss.fffZ, where yyyy = year, mm = month, dd = day, hh = hour, mm = minute, ss = second, fff = fractions of a second, and Z signifies Zulu, which is another way to denote UTC.
Exchange Messaging message_subject string The message's subject found in the Subject: header field.
Exchange Messaging product string The name of the product Exchange (usually)
Exchange Messaging recipient string A multi-valued field containing the list of recipients.
Exchange Messaging recipient_count number The number of recipients in the message.
Exchange Messaging recipient_domain string A multi-valued field containing the list of recipient domains
Exchange Messaging recipient_status string The e-mail addresses of the message's recipients. Multiple e-mail addresses are separated by the semicolon character (;).
Exchange Messaging recipient_username string A multi-valued field containing the list of recipient usernames.
Exchange Messaging recipients string A semicolon-separated list of recipients.
Exchange Messaging reference number This field contains additional information for specific types of events. DSN - The Reference field contains the Internet-Message-Id of the message that caused the DSN.

SEND - The Reference field contains the Internet-Message-Id of any delivery status notification (DSN) messages. TRANSFER - The Reference field contains the Internal-Message-Id of the message that is being forked. For all other types of events, the Reference field is blank.

Exchange Messaging related_recipient_address string This field is used with EXPAND, REDIRECT, and RESOLVE events to display other recipient e-mail addresses associated with the message.
Exchange Messaging return_path string The return e-mail address specified by MAIL FROM: in the message envelope. Although this field is never empty, it can have the null sender address value represented as <>.
Exchange Messaging sender string The e-mail address specified in the Sender: header field, or the From: header field if Sender: is not present.
Exchange Messaging sender_domain string Domain name extracted from 'sender'.
Exchange Messaging sender_username string User name extracted from 'sender'.
Exchange Messaging server_hostname string The name of the destination server.
Exchange Messaging source_context string Extra information associated with the source field.
Exchange Messaging source_id string The Exchange transport component responsible for the message tracking event.
Exchange Messaging ss_ip string The TCP/IP address of the source or destination server running Microsoft Exchange Server.
Exchange Messaging tag string Not used
Exchange Messaging tag::event type string Not used
Exchange Messaging total_bytes number The number of bytes in the message
Exchange Messaging vendor string The vendor.
Exchange Messaging Is Internal Message (calculated) boolean Set to 1 if the message was sent and received within the same domain.
Exchange Messaging Recipients (MV) (calculated) string Another multi-value field.
Exchange Messaging Count of recipients (calculated) number The number of recipients.

Note: All child objects for "Exchange Messaging" inherit the attributes shown in the table.

Search Objects

Tags used with "Microsoft Exchange Health Events" search objects

The following tags act as constraints to identify your events as being relevant to this data model. For more information, see "How to use these reference tables".

Object name Tag name
Microsoft Exchange Health Events ms_ex_health_events

Constraints for the "All Logons" search object

The following constraints for the "All Logons" search object identify events as being relevant to this data model.

Object name Constraint
All Logons eval cs_username=coalesce(Security_ID, cs_username) | transaction fields=cs_username maxspan=2s maxpause=1s maxevents=2
|____ Computer Logons
logontype=computer
|____ User Logons
logontype="user" OR logontype="exchange"
|____ Desktop Logons
logontype="user" OR logontype="exchange"
logontype="user"
|____ Exchange Logons
logontype="user" OR logontype="exchange"
logontype="exchange"
|____ Logon via Outlook Anywhere
logontype="user" OR logontype="exchange"
logontype="exchange"

eventtype="client-outlookanywhere-usage"

|____ Logon via Outlook Web Access
logontype="user" OR logontype="exchange"
logontype="exchange"

eventtype="client-owa-usage"

|____ External Logon via Exchange Web Services
logontype="user" OR logontype="exchange"
logontype="exchange"

eventtype="client-ews-usage"

|____ Logon via Activesync
logontype="user" OR logontype="exchange"
logontype="exchange"

eventtype="client-activesync-usage"

|____Legacy Client Logons
eventtype=client-popimap-usage
event_ID = SEND
|____ POP3 Logons
eventtype=client-popimap-usage
ProtocolServiceName="POP3"
|____ IMAP Logons
eventtype=client-popimap-usage
ProtocolServiceName="IMAP4"

Fields for "All Logons" search objects

The following table lists the extracted and calculated fields for the "All Logons" search object. It does not include any inherited fields.

Object name Field name Data type Description Example values
All Logons _time string The time that the event was created.
All Logons Account_Domain string The domain on which the logon occurred.
All Logons Account_Name string The user that logged on.
All Logons c_ip string The client IP address from which the logon request occurred.
All Logons cs_method string The requested action GET
All Logons cs_uri_query string The query, if any, that the client was trying to perform.
All Logons cs_uri_stem string The Universal Resource Identifier, or target, of the action.
All Logons cs_user_agent string The browser type that the client used
All Logons cs_username string The name of the authenticated user who accessed your host.
All Logons date string The date on which the request occurred.
All Logons dest_nt_domain string The destination domain of the request.
All Logons dest_nt_host string The destination host of the request.
All Logons host string The host that generated the request.
All Logons s_ip string The IP address of the server on which the log file entry was generated
All Logons source string The source that Splunk tagged the logon event with.
All Logons sourcetype string The source type that Splunk assigned to the event.
All Logons src_ip string The IP address of the host that made the request.
All Logons src_nt_domain string The domain from which the request was made.
All Logons src_nt_host string The host that generated the request.
All Logons src_user string The user that generated the request.
All Logons logontype (calculated) string The type of Windows logon the host requested.
All Logons status (calculated) string The return code provided by the host that processed the request.

Note: All child objects for "All Logons" inherit the attributes shown in the table.

Fields for "Microsoft Exchange Health Events" search object

The following table lists the extracted and calculated fields for the "Microsoft Exchange Health Events" search object. It does not include any inherited fields.

Object name Field name Data type Description Example values
Microsoft Exchange Health Events _time string The time that the host generated the event.
Microsoft Exchange Health Events host string The host that generated the event.
Microsoft Exchange Health Events source string The source of the event.
Microsoft Exchange Health Events sourcetype string The source type of the event.
Last modified on 08 June, 2018
PREVIOUS
Organizational Unit Audit
  NEXT
MSExchange Messaging data model

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.4, 3.5.0, 3.5.1, 3.5.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters