
Exchange app - no events displaying

agonist_inhaler
Explorer

I am encountering similar behaviour to http://splunk-base.splunk.com/answers/69273/splunk-for-exchange-not-showing-data . Our setup is Exchange 2007 running on Windows 2003, but the issue I'm seeing is that no events are going to the client behavior dashboard. I checked the events and there are events showing for Windows:2003:IIS and client-iis-logs, but none for the rest of the eventtypes that the search in the client behavior dashboard requires.

I checked props.conf and transforms.conf and, in my understanding, from Windows:2003:IIS it has to extract and create eventtypes for client-owa-usage, client-activesync-usage and so on, but for some reason they are not being populated.

I can see events such as "2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll&prfltncy=0&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 protodom\wolverine 1.2.120.53 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) exchangeth 200 0 0"

So I am assuming that data is being forwarded. I tried to change some extractions in transforms.conf on the indexer, and changed

[extract_webapp]
SOURCE_KEY = cs_uri_stem
REGEX = (?i)^[^/]*/(?P<WebApplication>[^/]+)

to make the field "WebApplication" appear, but maybe I am barking up the wrong tree.

thanks,

1 Solution

ahall_splunk
Splunk Employee

The basic problem here is that the WebApplication is not being extracted.

The proper IIS sourcetype is "MSWindows:2003:IIS" - first of all, do a search for

eventtype=client-iis-logs

Make sure the cs_uri_stem field is being extracted. If it isn't, then it's likely that there have been changes in the format of the IIS logs. Take a typical IIS log file (on disk) and look at the first ten lines. The format of the file is clearly described. Then alter the transforms.conf for the stanza mswin_2003_iis_fields to match what you are actually seeing on disk.

Once the cs_uri_stem has been properly extracted, you can move on to the WebApplication field. This should just appear once cs_uri_stem is working, but, again, it depends on what you are actually seeing.

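The check this answer describes, as an added example that is not part of the thread or of the Splunk for Exchange app: a small Python parser that labels IIS W3C events using the file's own #Fields header, applies the question's WebApplication regex to cs_uri_stem, and reproduces the column shift you get when the configured field list is missing a field the log actually has. The sample log, the "stale" field list and all function names are constructed for this illustration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of an IIS 6 (Windows 2003) W3C log shaped like the event
# quoted in the question. The "#Fields:" header is the line on disk that the
# mswin_2003_iis_fields stanza in transforms.conf has to agree with.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-host sc-status sc-substatus sc-win32-status
2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll 443 protodom\\wolverine 1.2.120.53 Mozilla/4.0+(compatible;+MSIE+7.0) exchangeth 200 0 0
2013-01-02 08:15:09 W3SVC1 EXCHANGETH 1.1.1.61 POST /Microsoft-Server-ActiveSync/default.eas User=bob&DeviceId=ABC123 443 protodom\\bob 1.2.120.54 Apple-iPhone/1001.523 exchangeth 200 0 0
2013-01-02 08:15:10 W3SVC1 EXCHANGETH 1.1.1.61 POST /EWS/Exchange.asmx - 443 protodom\\alice 1.2.120.55 Microsoft+Office/12.0 exchangeth 200 0 0
"""

# The [extract_webapp] regex from the question with its group name restored:
# WebApplication is the first path segment of cs_uri_stem (owa, EWS, ...).
WEBAPP_RE = re.compile(r"(?i)^[^/]*/(?P<WebApplication>[^/]+)")

def splunk_name(w3c_field: str) -> str:
    """cs-uri-stem -> cs_uri_stem, cs(User-Agent) -> cs_User_Agent."""
    return re.sub(r"[^A-Za-z0-9]+", "_", w3c_field).strip("_")

def header_fields(text: str) -> List[str]:
    """Field names exactly as the log file on disk declares them."""
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            return [splunk_name(f) for f in line.split()[1:]]
    raise ValueError("no #Fields header found")

def parse_iis_log(text: str, configured: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Label each space-separated event with `configured` field names, or with
    the file's own #Fields header when None (the check the answer recommends)."""
    fields = configured if configured is not None else header_fields(text)
    return [dict(zip(fields, line.split(" ")))
            for line in text.splitlines() if line and not line.startswith("#")]

def web_application(event: Dict[str, str]) -> Optional[str]:
    m = WEBAPP_RE.match(event.get("cs_uri_stem", ""))
    return m.group("WebApplication") if m else None

# Hypothetical stale stanza: one field (s_sitename) missing from the list, so every
# later value lands one column early and cs_uri_stem ends up holding the HTTP method.
STALE_FIELDS = [f for f in header_fields(SAMPLE_LOG) if f != "s_sitename"]

if __name__ == "__main__":
    for label, cfg in (("file header", None), ("stale stanza", STALE_FIELDS)):
        for ev in parse_iis_log(SAMPLE_LOG, cfg):
            print(f"{label:12} cs_uri_stem={ev['cs_uri_stem']!r:45} WebApplication={web_application(ev)}")
```

With the file's header the three events yield owa, Microsoft-Server-ActiveSync and EWS; with the stale list cs_uri_stem is "POST" for every event and WebApplication is never extracted, which is exactly the symptom reported in this thread.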

agonist_inhaler
Explorer

Hi Ahall,

I finally fixed it. You were right, the fields in transforms.conf for mswin_2003_iis_fields were off; there were some fields that were not included, which is why the values for cs_uri_stem were not correct.

Everything seems to be showing now.

thanks a lot.

0 Karma


agonist_inhaler
Explorer

I can see eventtype=client-iis-logs, and even cs_uri_stem, which has GET and POST etc. as values, and cs_uri_query. However I am not seeing client-owa-usage nor client-ews-usage, which tells me that WebApplication is not being extracted correctly.

I can see from IIS logs:
2013-01-02 08:15:08 W3SVC1 EXCHANGETH 1.1.1.61 POST /owa/ev.owa oeh=1&ns=Notify&ev=Poll&prfltncy=0&prfrpccnt=0&prfrpcltncy=0&prfldpcnt=0&prfldpltncy=0&prfavlcnt=0&prfavlltncy=0 443 protodom\wolverine 1.2.120.53 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729;+Media+Center+PC+6.0;+InfoPath.3) exchangeth 200 0 0
Is this the correct line I should be looking at?

thanks,

0 Karma


Drainy
Champion

I've spun this off as its own question, as I think the other user may have just been confused and not added the inputs, whilst yours is a bit more specific 🙂

0 Karma