Hello,
I have deployed the Splunk App for Microsoft Exchange, and I'm getting good data everywhere in the app except the Exchange Service Analyzer, which simply says "no results found". I've been through all the documentation I can find and can't find anything missing in my configuration. This is a distributed deployment of Splunk, the Splunk App for Microsoft Exchange is on all the Search Heads, and all the required TAs are deployed to my Exchange Servers and Indexers. Can anyone point me in the right direction for troubleshooting no input on the Exchange Service Analyzer dashboard?
Thanks
Hello, I have the same problem. Has someone been able to solve it, and could they help me with how to do it?
Regards!
FYI - We traced the macro back to the actual search string and the below returns data:
| tstats latest("Microsoft_Exchange_Health.componentValue") AS ComponentValue
values("Microsoft_Exchange_Health.componentInstance") AS ComponentInstances
from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health)
groupby "Microsoft_Exchange_Health.componentId",
"Microsoft_Exchange_Health.tag",
host
_time span=1m
summariesonly=true
| rename "Microsoft_Exchange_Health.componentId" AS ComponentId
"Microsoft_Exchange_Health.tag" AS ServiceTag
| eval Host = lower(host)
| search * ServiceTag="ms_ex_health_*"
| appendpipe [
| fields _time
| dedup _time
| rename _time as time
| map [
| inputlookup state_store_cfw_combined_hosts_services_components
| search * ServiceTag="ms_ex_health_*"
| eval _time=_time
| fields _time, ComponentId, Host, ServiceTag
]
maxsearches=50000
]
| stats latest(ComponentValue) AS ComponentValue,
values(ComponentInstances) AS ComponentInstances
by ComponentId,
Host,
ServiceTag
_time
The below does not:
| tstats latest("Microsoft_Exchange_Health.componentValue") AS ComponentValue
values("Microsoft_Exchange_Health.componentInstance") AS ComponentInstances
from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health)
groupby "Microsoft_Exchange_Health.componentId",
"Microsoft_Exchange_Health.tag",
host
_time span=1m
summariesonly=true
| rename "Microsoft_Exchange_Health.componentId" AS ComponentId
"Microsoft_Exchange_Health.tag" AS ServiceTag
| eval Host = lower(host)
| search * ServiceTag="ms_ex_health_*"
| appendpipe [
| fields _time
| dedup _time
| rename _time as time
| map [
| inputlookup state_store_cfw_combined_hosts_services_components
| search * ServiceTag="ms_ex_health_*"
| eval _time=_time
| fields _time, ComponentId, Host, ServiceTag
]
maxsearches=50000
]
| stats latest(ComponentValue) AS ComponentValue,
values(ComponentInstances) AS ComponentInstances
by ComponentId,
Host,
ServiceTag
_time
| `cfw-component-info-lookup`
The Data Model appears to be good, but the lookups are empty.
Hi morrelljt,
Can you verify the data model is built 100%?
Navigate to Settings -> Data Models -> click the arrow next to the mail DM and see the percentage. You might need to click rebuild. If it is a large environment, the rebuild can take a while.
Thanks for the response, adonio.
Yes, the data model is built 100%, and I have tried rebuilding it, no change.
Can you check if this search returns any results on the app?
| cfw-service-scores-by-time(*)
Returns "Unknown search command 'cfw'"
Sorry about that, the command is: | cfw-service-scores-by-time(*)
with the pipe |
I ran it with the pipe the first time, that's what generated the error. It's a macro...perhaps that would require macro expansion? So | cfw-service-scores-by-time(*)
??
| 'cfw-service-scores-by-time(*) '
| 'cfw-service-scores-by-time(*) ' returns a search error. If the single quotes were intended to represent tildes, then that search (with tildes) yields "No results found."
Can you verify the DM Microsoft Exchange is accelerated? It has a little yellow lightning next to it.
It is indeed accelerated, or at least has the yellow lightning next to it.
Try this just to see if you can view the data in the DM:
| tstats count AS "Count of Microsoft_Exchange_Health" from datamodel=Microsoft_Exchange where (nodename = Microsoft_Exchange_Health) groupby host prestats=true
That does return results.
Great, just saw an answer posted. If it's lookup related, navigate back to guided setup and walk through it and make sure the lookups are populated. You can verify by navigating to Settings -> Lookups -> Lookup tables and then search for the lookups with the command | inputlookup <yourLookup>
@adonio: We are experiencing the same issue, the kvstore is not returning any results. The following command returns no results. What would be the way to populate it? Please help.
| inputlookup state_store_cfw_combined_hosts_services_components
The following macro, cfw-component-info-lookup, also gets data from the same kvstore and is not returning any results:
lookup state_store_cfw_combined_hosts_services_components ComponentId, Host, ServiceTag OUTPUT
HostDescription, HostEnabled,
ServiceName, ServiceDescription, ServiceEnabled,
ComponentName, ComponentDescription, ComponentEnabled,
HostAndService, HostServiceComponent, Enabled,
StatusRuleLow, StatusRuleLowThreshold,
StatusRuleMid,
StatusRuleHigh, StatusRuleHighThreshold, Units
state_store_cfw_combined_hosts_services_components is available in transforms.conf; it points to ExchangeCFWCombinedHostsServicesComponents under collections.conf:
[ExchangeCFWCombinedHostsServicesComponents]
enforceTypes = false
profilingEnabled = false
accelerated_fields.component_host_service = { "ComponentId" : 1, "Host" : 1, "ServiceTag" : 1 }
The attributes enforceTypes = false and profilingEnabled = false are false; does it mean this is disabled?
Sorry, that had tildes "`" before and after... didn't come through in the webform.
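A diagnostic search for the situation discussed in this thread, added here as an example and not taken from the app or from any poster: it takes the (ComponentId, Host, ServiceTag) keys that the accelerated data model returns and reports, per host and service tag, how many of them have a matching row in the state_store_cfw_combined_hosts_services_components lookup. The output field names Events, Components and LookupRow are made up for this example; everything else is copied from the searches quoted above.

```spl
| tstats count AS Events
    from datamodel=Microsoft_Exchange
    where (nodename = Microsoft_Exchange_Health)
    groupby "Microsoft_Exchange_Health.componentId",
            "Microsoft_Exchange_Health.tag",
            host
| rename "Microsoft_Exchange_Health.componentId" AS ComponentId
         "Microsoft_Exchange_Health.tag" AS ServiceTag
| eval Host = lower(host)
| search ServiceTag="ms_ex_health_*"
| lookup state_store_cfw_combined_hosts_services_components ComponentId, Host, ServiceTag
    OUTPUT ComponentName, Enabled
| eval LookupRow = if(isnull(ComponentName) AND isnull(Enabled), "missing", "present")
| stats dc(ComponentId) AS Components, sum(Events) AS Events by Host, ServiceTag, LookupRow
| sort Host, ServiceTag
```

If every row comes back with LookupRow="missing", the data model side is healthy and the lookup has no entries for those keys, which matches an empty result from | inputlookup state_store_cfw_combined_hosts_services_components.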