I have the Splunk App for Exchange but Splunk documentation is unclear on how to handle my situation.
I have servers with IIS and thus IIS logs, so my generic ALL-WINDOWS server class detects the IIS logs and sets the sourcetype=iis so that all the fields get parsed properly.
The Splunk TA for Exchange IIS is here but obviously my Exchange_IIS Serverclass is lesser precedence. Regardless, it doesnt make sense that TA-Windows-Exchange-IIS sets sourcetype=MSWindows:2008R2:IIS when it misses out on the dynamic IIS log parsing.
How can I make all the Exchange dashboards properly populate using sourcetype=iis?