Exchange app

Explorer

I have two Linux indexers, 2 Windows search heads and 1 deployment server. I have set up the search peers to talk to the indexers and received successful replication status. I installed the Exchange app on one of the SHs and it created the MSexchange index locally.

Questions
1. Is the above normal? How do I ensure the index is on the indexers?
2. I'm going to create a Deployment server. We are not planning on creating a shared file store. Do I have to install the app on the deployment servers so that FWD are pushed to my Exchange servers?

0 Karma

Splunk Employee

When installing on a "simple" configuration, it's as simple as dropping the Splunk_for_Exchange app on the combined search head and indexer, then using the Deployment Server to push out the Technology Add-ons (located in Splunk_for_Exchange/appserver/addons) to the right hosts. In your case, you have a more complex environment.

Firstly, use the "normal" method to create the appropriate indices on your indexers. There are two main indices - one for perfmon and one for "other stuff". If you have a Blackberry Enterprise Server, then there is an additional index for that. In addition, depending on load, you may want to segment the IIS logs and Message Tracking logs into their own indices.

Secondly, edit the macros.conf and eventtypes.conf in the main app so that the base searches (wherever you see an index=blah) are pointing to the right indices.

Now when you deploy the Technology Add-on to your Exchange host(s), you will see the data flowing into the indexers in the right place. Literally, you can go to /opt/splunk/var/lib/splunk (or wherever you are holding the indices) and see them grow.

You won't have to worry about the msexchange/perfmon index on the SH because it will never get used. There won't be data in it because it's all flowing into your indexers. You will see it on your Windows SH in C:\Program Files\Splunk\var\lib\splunk, but the file sizes will be small and will never change.

For your second question, there is an area on your deployment server in $SPLUNK_HOME/etc/deployment-apps for storing the Technology Add-ons. You don't have to "install" the app on the deployment server (it doesn't need to be in .../etc/apps), but it does need to be unpacked in .../etc/deployment-apps.

I hope this helps.
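
The layout described in the answer above, as an added configuration sketch that is not part of the original post or of the app's shipped files. The index names are taken from the names mentioned in this thread and should be checked against the app's own indexes.conf; the server class name, the host pattern and `TA-PLACEHOLDER` are assumptions standing in for your own values and for the add-on directory you unpack from Splunk_for_Exchange/appserver/addons.

```ini
# ---------------------------------------------------------------
# On EACH indexer: $SPLUNK_HOME/etc/system/local/indexes.conf
# (or an app of your own). This is where the Exchange data lands.
# Index names are assumed from the thread; confirm them in the app.
# ---------------------------------------------------------------
[msexchange]
homePath   = $SPLUNK_DB/msexchange/db
coldPath   = $SPLUNK_DB/msexchange/colddb
thawedPath = $SPLUNK_DB/msexchange/thaweddb

[perfmon]
homePath   = $SPLUNK_DB/perfmon/db
coldPath   = $SPLUNK_DB/perfmon/colddb
thawedPath = $SPLUNK_DB/perfmon/thaweddb

# ---------------------------------------------------------------
# On the deployment server:
#   $SPLUNK_HOME/etc/system/local/serverclass.conf
# The add-on itself is unpacked under
#   $SPLUNK_HOME/etc/deployment-apps/TA-PLACEHOLDER
# and is NOT installed in etc/apps on the deployment server.
# ---------------------------------------------------------------
[serverClass:exchange_hosts]
# Constructed host pattern; match your Exchange forwarders only,
# so the add-on is not pushed to unrelated hosts.
whitelist.0 = exch-*.example.com

[serverClass:exchange_hosts:app:TA-PLACEHOLDER]
# Restart the forwarder so the new inputs take effect.
restartSplunkd = true
stateOnClient  = enabled

# After editing serverclass.conf, run on the deployment server:
#   splunk reload deploy-server
```

A narrow whitelist keeps the deployment server from pushing inputs to hosts that should not be collecting Exchange logs, and the empty local index on the search head is expected as long as the forwarders send to the indexers.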