Splunk App for Microsoft Exchange: Why are there "no results found" on the Exchange Service Analyzer dashboard?

morrelljt
Explorer

Hello,

I have deployed the Splunk App for Microsoft Exchange, and I'm getting good data everywhere in the app except the Exchange Service Analyzer, which simply says "no results found". I've been through all the documentation I can find and can't find anything missing in my configuration. This is a distributed deployment of Splunk, the Splunk App for Microsoft Exchange is on all the Search Heads, and all the required TAs are deployed to my Exchange Servers and Indexers. Can anyone point me in the right direction for troubleshooting no input on the Exchange Service Analyzer dashboard?

Thanks

leonardoguerra
New Member

Hello, I have the same problem. Has someone solved it, and could they help me with how to do it?

Regards!

0 Karma

GRMcCauley
Explorer

FYI - We traced the macro back to the actual search string and the below returns data:

| tstats latest("Microsoft_Exchange_Health.componentValue") AS ComponentValue 
                values("Microsoft_Exchange_Health.componentInstance") AS ComponentInstances 
                from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health) 
                groupby "Microsoft_Exchange_Health.componentId", 
                    "Microsoft_Exchange_Health.tag", 
                    host 
                    _time span=1m 
                    summariesonly=true 
                | rename "Microsoft_Exchange_Health.componentId" AS ComponentId 
                    "Microsoft_Exchange_Health.tag" AS ServiceTag 
                | eval Host = lower(host) 
                | search * ServiceTag="ms_ex_health_*" 
                | appendpipe [ 
                    | fields _time 
                    | dedup _time 
                    | rename _time as time 
                    | map [ 
                        | inputlookup state_store_cfw_combined_hosts_services_components 
                        | search * ServiceTag="ms_ex_health_*" 
                        | eval _time=_time 
                        | fields _time, ComponentId, Host, ServiceTag 
                    ] 
                    maxsearches=50000 
                ] 
                | stats latest(ComponentValue) AS ComponentValue, 
                    values(ComponentInstances) AS ComponentInstances 
                    by ComponentId, 
                        Host, 
                        ServiceTag 
                        _time 

The below does not:

| tstats latest("Microsoft_Exchange_Health.componentValue") AS ComponentValue 
                values("Microsoft_Exchange_Health.componentInstance") AS ComponentInstances 
                from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health) 
                groupby "Microsoft_Exchange_Health.componentId", 
                    "Microsoft_Exchange_Health.tag", 
                    host 
                    _time span=1m 
                    summariesonly=true 
                | rename "Microsoft_Exchange_Health.componentId" AS ComponentId 
                    "Microsoft_Exchange_Health.tag" AS ServiceTag 
                | eval Host = lower(host) 
                | search * ServiceTag="ms_ex_health_*" 
                | appendpipe [ 
                    | fields _time 
                    | dedup _time 
                    | rename _time as time 
                    | map [ 
                        | inputlookup state_store_cfw_combined_hosts_services_components 
                        | search * ServiceTag="ms_ex_health_*" 
                        | eval _time=_time 
                        | fields _time, ComponentId, Host, ServiceTag 
                    ] 
                    maxsearches=50000 
                ] 
                | stats latest(ComponentValue) AS ComponentValue, 
                    values(ComponentInstances) AS ComponentInstances 
                    by ComponentId, 
                        Host, 
                        ServiceTag 
                        _time 
                | `cfw-component-info-lookup` 

The Data Model appears to be good, but the lookups are empty.

0 Karma

adonio
Ultra Champion

Hi morrelljt,
Can you verify the data model is built 100%?
Navigate to settings -> data models -> click the arrow next to the mail DM and see the percentage. You might need to click rebuild. If it is a large environment, the rebuild can take a while.

0 Karma

morrelljt
Explorer

Thanks for the response, adonio.

Yes, the data model is built 100%, and I have tried rebuilding it, no change.

0 Karma

adonio
Ultra Champion

Can you check if this search returns any results on the app?
| cfw-service-scores-by-time(*)

0 Karma

morrelljt
Explorer

Returns "Unknown search command 'cfw'"

0 Karma

adonio
Ultra Champion

Sorry about that, the command is: | cfw-service-scores-by-time(*)
with the pipe |

0 Karma

morrelljt
Explorer

I ran it with the pipe the first time, that's what generated the error. It's a macro...perhaps that would require macro expansion? So | cfw-service-scores-by-time(*) ??

0 Karma

adonio
Ultra Champion
 | 'cfw-service-scores-by-time(*) '
0 Karma

morrelljt
Explorer

| 'cfw-service-scores-by-time(*) ' returns a search error. If the single quotes were intended to represent tildes, then that search (with tildes) yields "No results found."

0 Karma

adonio
Ultra Champion

Can you verify the DM Microsoft Exchange is accelerated? It has a little yellow lightning next to it.

0 Karma

morrelljt
Explorer

It is indeed accelerated, or at least has the yellow lightning next to it.

0 Karma

adonio
Ultra Champion

Try this just to see if you can view the data in the DM:
| tstats count AS "Count of Microsoft_Exchange_Health" from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health) groupby host prestats=true

0 Karma

morrelljt
Explorer

That does return results.

0 Karma

adonio
Ultra Champion

Great, just saw an answer posted. If it's lookup related, navigate back to guided setup and walk through it and make sure the lookups are populated. You can verify by navigating to settings -> lookups -> lookup tables and then searching the lookups with the command | inputlookup <yourLookup>

0 Karma

ansif
Motivator

@adonio: We are experiencing the same issue, the kvstore is not returning any results. The following command returns no results. What would be the way to populate it? Please help.

| inputlookup state_store_cfw_combined_hosts_services_components 

The following macro `cfw-component-info-lookup` also gets data from the same kvstore and is not returning any results.

lookup state_store_cfw_combined_hosts_services_components ComponentId, Host, ServiceTag OUTPUT 
                HostDescription, HostEnabled, 
                ServiceName, ServiceDescription, ServiceEnabled, 
                ComponentName, ComponentDescription, ComponentEnabled, 
                HostAndService, HostServiceComponent, Enabled, 
                StatusRuleLow, StatusRuleLowThreshold, 
                StatusRuleMid, 
                StatusRuleHigh, StatusRuleHighThreshold, Units

state_store_cfw_combined_hosts_services_components is available in transforms.conf; it points to ExchangeCFWCombinedHostsServicesComponents under collections.conf

[ExchangeCFWCombinedHostsServicesComponents]
enforceTypes = false
profilingEnabled = false
accelerated_fields.component_host_service = { "ComponentId" : 1, "Host" : 1, "ServiceTag" : 1 }


The attributes enforceTypes = false and profilingEnabled = false are false; does it mean this is disabled?
0 Karma
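
The empty KV store collection that GRMcCauley and ansif describe above is what starves the `cfw-component-info-lookup` step; the script below, an added example that is not part of the Splunk App for Microsoft Exchange, reads the ExchangeCFWCombinedHostsServicesComponents collection through Splunk's REST storage/collections/data endpoint and reports whether its rows can actually join the tstats output (the search lowercases Host before the lookup, so mixed-case Host values are flagged too). APP is a placeholder for the app's directory name, and the sample records are constructed.

```python
"""Diagnose the KV store collection behind the state_store_cfw_combined_hosts_services_components
lookup. Added example, not app code. Splunk's REST endpoint storage/collections/data/<collection>
returns the records as a JSON array. APP is a placeholder; the sample records are constructed."""
import json
import ssl
import urllib.request

COLLECTION = "ExchangeCFWCombinedHostsServicesComponents"   # from collections.conf on the page
APP = "EXCHANGE_APP_DIR_PLACEHOLDER"                         # placeholder, not a real app name
KEY_FIELDS = ("ComponentId", "Host", "ServiceTag")          # the lookup's accelerated key fields


def collection_data_url(base_url, app, collection=COLLECTION):
    """Build the management-port URL that lists a KV store collection's records."""
    return f"{base_url.rstrip('/')}/servicesNS/nobody/{app}/storage/collections/data/{collection}"


def fetch_records(base_url, app, token, collection=COLLECTION):
    """Read the collection with a Splunk session token, verifying the server certificate."""
    req = urllib.request.Request(collection_data_url(base_url, app, collection),
                                 headers={"Authorization": f"Splunk {token}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)


def summarize_records(records):
    """Count what the dashboard search needs from the collection. The search above does
    `eval Host = lower(host)` before the lookup, and KV store lookups match case-sensitively
    by default, so a row whose Host is not lowercase never joins and is flagged here."""
    missing = sum(1 for r in records if any(not r.get(k) for k in KEY_FIELDS))
    case_mismatch = sum(1 for r in records if r.get("Host") and r["Host"] != r["Host"].lower())
    return {
        "count": len(records),
        "missing_key_fields": missing,
        "host_case_mismatch": case_mismatch,
        "lookup_can_match": len(records) - missing - case_mismatch > 0,
    }


# Constructed samples: a populated collection with two defective rows, and the empty response seen above.
SAMPLE_POPULATED = [
    {"_key": "1", "ComponentId": "ad", "Host": "ex01", "ServiceTag": "ms_ex_health_ad"},
    {"_key": "2", "ComponentId": "mbx", "Host": "ex02", "ServiceTag": "ms_ex_health_mbx"},
    {"_key": "3", "ComponentId": "mbx", "Host": "", "ServiceTag": "ms_ex_health_mbx"},
    {"_key": "4", "ComponentId": "ad", "Host": "EX03", "ServiceTag": "ms_ex_health_ad"},
]
SAMPLE_EMPTY = []
if __name__ == "__main__":
    for name, data in (("populated", SAMPLE_POPULATED), ("empty", SAMPLE_EMPTY)):
        print(name, summarize_records(data))
```

Note that enforceTypes and profilingEnabled in collections.conf only control field type enforcement on writes and slow-operation profiling; neither setting disables the collection, so an empty result from `| inputlookup` means the guided setup never wrote the rows.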

morrelljt
Explorer

Sorry, that had tildes "`" before and after... they didn't come through in the web form.

0 Karma