Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboards empty, my tracking logs don't seem to have the correct eventtypes

bobdoyle
Explorer
‎09-16-2011 01:58 PM

We've been trying to get the Splunk App for Exchange Server working on a test CAS/HUB. I've deployed the fwd_exchange2010_cas, fwd_win2008r2_iis, and fwd_exchange2010_hub apps to the system.

The following source types are showing up. MSWindows:2008R2:IIS, MSExchange:2010:MessageTracking, MSExchange:2010:Topology

I'm getting performance data counters and dashboards, but the Message Tracking dashboards all tell me that the searches didn't match any events. I don't see any of the eventtypes that the dashboards are looking for in the Tracking Logs themselves. Do the powershell scripts generate those?

I'm re-re-reviewing all my config files and am a little stumped. This is the first app I've used so, I'm a little stumped.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:17 AM

The normal reason the eventtypes are not working are:

  1. Different log location
  2. Different source type
  3. Different index

You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).

The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scho228901
Engager
‎10-14-2013 07:09 AM

N00B question....

where do I put the fwd_*apps piece that you mentioned above?

0 Karma
Reply
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:17 AM

The normal reason the eventtypes are not working are:

  1. Different log location
  2. Different source type
  3. Different index

You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).

The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.

0 Karma
Reply
Solved! Jump to solution

bobdoyle
Explorer
‎10-07-2011 01:08 PM

Thank you! I didn't have the fwd_* apps in my apps directory on the indexer. I was really tearing my hair out. Thanks again!

0 Karma
Reply
Solved! Jump to solution

MarioM
Motivator
‎09-19-2011 07:58 AM

Have you checked that message tracking is enable in your exchange 2010 server Configure Message Tracking ?

It 's on the HUB server and by default in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking

0 Karma
Reply
Solved! Jump to solution

bobdoyle
Explorer
‎09-20-2011 08:31 AM

I have, we are using a custom location and I've edited the inputs.conf for the app.

I'm getting tracking logs, but the dashboards aren't finding the eventtypes it expects. All message are msexchange-msgtrack. The dashboards are looking for eventtypes such as smtp-inbound, smtp-outbound, storedriver-deliver, storedriver-recieve, etc.

I can see results that would correlate to these fields in my data, but do I need to extract these eventtypes by hand?

0 Karma
Reply
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...
Top