Exchange app - no events displaying

agonist_inhaler
Explorer

I am encountering similar behaviour to http://splunk-base.splunk.com/answers/69273/splunk-for-exchange-not-showing-data . Our setup is Exchange 2007 running on Windows 2003, but the issue I'm seeing is that no events are going to the client behavior dashboard. I checked the events and there are events showing for Windows:2003:IIS and client-iis-logs but none for the rest of the eventtypes the search in the client behavior dashboard requires.

I checked props.conf and transforms.conf and, in my understanding, from Windows:2003:IIS it has to extract and create eventtypes for client-owa-usage, client-activesync-usage and so on, but for some reason they're not being populated.

I can see events such as "2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll&prfltncy=0&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 protodom\wolverine 1.2.120.53 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) exchangeth 200 0 0"

So I am assuming that data is being forwarded. I tried to change some extractions in transforms.conf on the indexer server, and changed
[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = (?i)^[^/]*/(?P<WebApplication>[^/]+)

to make the field "WebApplication" appear, but maybe I am barking up the wrong tree.

thanks,

1 Solution

ahall_splunk
Splunk Employee

The basic problem here is that the WebApplication is not being extracted.

The proper IIS sourcetype is "MSWindows:2003:IIS" - first of all, do a search for

eventtype=client-iis-logs

Make sure the cs_uri_stem field is being extracted. If it isn't, then it's likely that there have been changes in the format of the IIS logs. Take a typical IIS log file (on disk) and look at the first ten lines. The format of the file is clearly described. Then alter the transforms.conf for the stanza mswin_2003_iis_fields to match what you are actually seeing on disk.

Once the cs_uri_stem has been properly extracted, you can move on to the WebApplication field. This should just appear once cs_uri_stem is working, but, again, it depends on what you are actually seeing.
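As an added illustration (not code from the thread or from the Splunk for Exchange app), the following Python shows why a stale field list in the IIS extraction breaks the downstream WebApplication field. The "#Fields:" header, the field order, the shortened event and the stale variant of the header are constructed assumptions based on the event quoted in the question.

```python
import re

# Constructed sample: a W3C "#Fields:" header in the order assumed for this
# Exchange 2007 / IIS 6 server, followed by the event quoted in the question
# (user agent shortened). Both are assumptions, not data from the thread.
W3C_HEADER = ("#Fields: date time s-sitename s-computername s-ip cs-method "
              "cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) "
              "cs-host sc-status sc-substatus sc-win32-status")
# A stale field list that omits s-computername, the kind of drift the thread
# describes: every value after the gap lands in the wrong field.
STALE_HEADER = W3C_HEADER.replace(" s-computername", "")
EVENT = ("2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa "
         "oeh=1&ns=Notify&ev=Poll 443 protodom\\wolverine 1.2.120.53 "
         "Mozilla/4.0+(compatible;+MSIE+7.0) exchangeth 200 0 0")

# The extract_webapp regex from the question, with its group name restored.
WEBAPP_RE = re.compile(r"(?i)^[^/]*/(?P<WebApplication>[^/]+)")


def fields_from_header(header):
    """Turn W3C names into Splunk-style field names (cs-uri-stem -> cs_uri_stem)."""
    names = header.split(":", 1)[1].split()
    return [re.sub(r"[^A-Za-z0-9]+", "_", n).strip("_") for n in names]


def parse_event(event, field_names):
    """Positionally assign space-delimited values, as a DELIMS/FIELDS stanza does.

    Surplus trailing values are silently dropped, which is why a missing name
    in the field list shifts everything after it instead of raising an error.
    """
    return dict(zip(field_names, event.split(" ")))


def extract_webapp(fields):
    """Apply the WebApplication regex to whatever ended up in cs_uri_stem."""
    m = WEBAPP_RE.match(fields.get("cs_uri_stem", ""))
    return m.group("WebApplication") if m else None


def diagnose(event, header):
    """Return (cs_uri_stem, WebApplication) for one event under one field list."""
    fields = parse_event(event, fields_from_header(header))
    return fields.get("cs_uri_stem"), extract_webapp(fields)


if __name__ == "__main__":
    # Correct list: cs_uri_stem="/owa/ev.owa", WebApplication="owa".
    print("correct field list:", diagnose(EVENT, W3C_HEADER))
    # Stale list: cs_uri_stem="POST", WebApplication=None (the symptom in the thread).
    print("stale field list:  ", diagnose(EVENT, STALE_HEADER))
```

With the stale list, cs_uri_stem receives the HTTP method, so the WebApplication regex never finds a "/" and the client-owa-usage style eventtypes stay empty; the fix is to realign the field list with the first ten lines of the log file on disk, as the answer describes.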

agonist_inhaler
Explorer

Hi Ahall,

I finally fixed it. You were right, the fields in the transforms.conf for mswin_2003_iis_fields were off; there were some fields that were not included, which is why the values for cs_uri_stem were not correct.

Everything seems to be showing now.

thanks a lot.

0 Karma

agonist_inhaler
Explorer

I can see eventtype=client-iis-logs, even cs_uri_stem, which has GET and POST etc. values, and even cs_uri_query. However I am not seeing client-owa-usage nor client-ews-usage, which tells me that WebApplication is not being extracted correctly.

I can see from the IIS logs:
"2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll&prfltncy=0&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 protodom\wolverine 1.2.120.53 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) exchangeth 200 0 0"
Is this the correct line I should be looking at?

thanks,

0 Karma

Drainy
Champion

I've spun this off as its own question as I think the other user may have just been confused and not added the inputs, whilst yours is a bit more specific 🙂

0 Karma