The configuration I have written to ingest MSExchange management data isn’t ingesting all the information contained in the event.
Configuration deployed:
[WinEventLog://MSExchange Management]
index =
sourcetype =
We are receiving data in the instance, but we are only getting general information associated with each event. Is there a way to get detailed information for an event into Splunk?
Let me know.
Hi @abhijit_mhatre, what kind of details are you looking for? Is that detail already in WinEventLog? If so, you should be able to fetch it 🙂
Hi @davidhourani,
There are a few additional details being generated on the MSExchange server, but the configuration is not ingesting all of them. It is only ingesting the general details.
Is there a way to modify the configuration and have it pick up everything being generated on the server?
Yes! Of course. And first, before adding anything new, make sure you've followed this documentation to activate your required data inputs:
https://docs.splunk.com/Documentation/MSExchange/3.5.2/Add-Ons/ConfigureTA-Exchange-IIS
Sometimes it's easy to miss activating inputs, so you won't get everything. Double-check that, and then if you don't find what you're looking for, let me know and we can work on making a new input.
Hi @davidhourani,
There is no configuration to ingest MSExchange Management logs in the TA-Exchange-IIS. I already have a configuration to ingest these logs; it is just that the complete information that can be seen in the Event Viewer is not getting ingested and only the general information in each event is being ingested.
Let me know if there is a way (like having a script or a configuration) to ingest the complete information present in an event and not just the general information.