Does anyone know where this data comes from? I can't see a sourcetype similar in my msexchange index.
Exchange distribution lists are retrieved directly from Active Directory using the ldapgroup command from the SA-ldapsearch component. For installing the Supporting Add-on for Active Directory (SA-ldapsearch), see here: http://docs.splunk.com/Documentation/MSExchange/latest/DeployMSX/InstallthecentralSplunkforMSExchang...
I have this installed and configured and can use it to query AD; this all works okay. I did have some config errors in ldap.conf which seem to have been fixed. My Active Directory app doesn't seem to suffer the same issue.