Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboards empty, my tracking logs don't seem to have the correct eventtypes

bobdoyle
Explorer
‎09-16-2011 01:58 PM

We've been trying to get the Splunk App for Exchange Server working on a test CAS/HUB. I've deployed the fwd_exchange2010_cas, fwd_win2008r2_iis, and fwd_exchange2010_hub apps to the system.

The following source types are showing up. MSWindows:2008R2:IIS, MSExchange:2010:MessageTracking, MSExchange:2010:Topology

I'm getting performance data counters and dashboards, but the Message Tracking dashboards all tell me that the searches didn't match any events. I don't see any of the eventtypes that the dashboards are looking for in the Tracking Logs themselves. Do the powershell scripts generate those?

I'm re-re-reviewing all my config files and am a little stumped. This is the first app I've used so, I'm a little stumped.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:17 AM

The normal reason the eventtypes are not working are:

  1. Different log location
  2. Different source type
  3. Different index

You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).

The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scho228901
Engager
‎10-14-2013 07:09 AM

N00B question....

where do I put the fwd_*apps piece that you mentioned above?

0 Karma
Reply
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:17 AM

The normal reason the eventtypes are not working are:

  1. Different log location
  2. Different source type
  3. Different index

You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).

The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.

0 Karma
Reply
Solved! Jump to solution

bobdoyle
Explorer
‎10-07-2011 01:08 PM

Thank you! I didn't have the fwd_* apps in my apps directory on the indexer. I was really tearing my hair out. Thanks again!

0 Karma
Reply
Solved! Jump to solution

MarioM
Motivator
‎09-19-2011 07:58 AM

Have you checked that message tracking is enable in your exchange 2010 server Configure Message Tracking ?

It 's on the HUB server and by default in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking

0 Karma
Reply
Solved! Jump to solution

bobdoyle
Explorer
‎09-20-2011 08:31 AM

I have, we are using a custom location and I've edited the inputs.conf for the app.

I'm getting tracking logs, but the dashboards aren't finding the eventtypes it expects. All message are msexchange-msgtrack. The dashboards are looking for eventtypes such as smtp-inbound, smtp-outbound, storedriver-deliver, storedriver-recieve, etc.

I can see results that would correlate to these fields in my data, but do I need to extract these eventtypes by hand?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...