Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.

Size and scale a Splunk App for Microsoft Exchange deployment

How to size an initial deployment

To initially size a Splunk App for Microsoft Exchange deployment and determine an initial hardware outlay, follow these guidelines:

Get a host count

  1. Determine the number of machines that the environment should monitor.
  2. Count the number of Exchange servers in the network.

Estimate indexing volume

  1. Determine the amount of daily indexing volume that will occur. You can use a trial version of Splunk Enterprise to estimate all of this data. See Estimate your storage requirements in the Capacity planning manual.
  2. Provision a test environment and log the following samples over a day:
    • Exchange Server data (for all Exchange Server roles).
    • Active Directory data (from a domain controller and a DNS server).
    • Windows data (from a single Windows host)
  3. Multiply the figure for each of these data types by the number of hosts in your environment that match the type.
  4. Add these figures together to come up with the estimated daily indexing volume.
  5. (Optional) See Forwarder to indexer ratios in Capacity Planning to determine how many indexers you need to handle incoming data streams from the forwarders.

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

Estimate number of Splunk users

  1. Determine the number of people who will have access to the app. With these values, you can determine how much of an initial hardware outlay you need.
  2. (Optional) See Summary of performance recommendations in Capacity Planning to determine how many search heads you should use in the environment based on indexing volume and number of people who will have access.

Licensing requirements

The Splunk App for Microsoft Exchange requires a separate license to cover the Exchange data that the app has collected. This is in addition to the license you need to cover the Windows and Active Directory data that has been indexed. When you estimate storage requirements, take note of the amount of Exchange data that the app has collected. Exchange app license usage is counted against the following source types, and you can estimate the license size you need based on this number.

  • msexchange:*:topology
  • msexchange:*:messagetracking
  • msexchange:*:mailbox-usage
  • msexchange:*:folder-usage
  • msexchange:*:database-stats
  • msexchange:*:publicfolder-stats
  • msexchange:*:rpcclientaccess
  • msexchange:*:adminaudit
  • msexchange:*:throttlingpolicy
  • msexchange:*:mailboxaudit
  • msexchange:*:inboxrules
  • msexchange:*:distributionlists
  • msexchange:reputation

How to scale an existing environment

When you install the Splunk App for Microsoft Exchange using the process described in this manual, you install most of the services on one host. This is to help you familiarize yourself with the Splunk Enterprise features as well as show that a single indexer based on Splunk reference hardware can support such an installation.

In larger environments, running all components on one server is not feasible. Searching has a heavy impact on an indexer and multiple searches happening at once can overwhelm an indexer.

To address this problem, distribute the environment. You already have in a sense: universal forwarders on every host that provides data make the Splunk App for Microsoft Exchange environment distributed. The next step involves splitting out indexing and search operations into separate tiers to reduce performance pressure on both.

The general rules are:

  • The more app users you have, the more indexers you should have. Splunk users create searches, and searches tax an indexer quickly. More indexers means more bandwidth for search heads to get data and return it to the requesting user. As numbers of users increase, you should add more search heads, which subsequently means adding more indexers.
  • The more hosts with data that you have, the more indexers you should have. While not nearly as harsh on indexers, a lot of data coming into one indexer can cause that indexer to bottleneck, reducing performance drastically. As indexing volume increases, you should add more indexers - at least one for every 1000 hosts.
  • Use data models to increase search efficiency. The Splunk App for Microsoft Exchange includes a data model.
  • All environments differ. Because the Splunk App for Microsoft Exchange collects so much data, there is no one-size-fits-all calculation that you can make. A group that runs one version of Exchange might collect far more data than another group that runs a different version. Fluctuations in mail traffic, local LAN traffic, and Exchange usage patterns also determine how much indexing throughput you will need.

See the Splunk Enterprise Capacity Planning manual for information on these concepts.

Last modified on 06 October, 2021
Dashboard reference   Dashboard reference: Build custom dashboards

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 4.0.4

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters