Dashboards & Visualizations
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboards empty, my tracking logs don't seem to have the correct eventtypes

bobdoyle
Explorer
‎09-16-2011 01:58 PM

We've been trying to get the Splunk App for Exchange Server working on a test CAS/HUB. I've deployed the fwd_exchange2010_cas, fwd_win2008r2_iis, and fwd_exchange2010_hub apps to the system.

The following source types are showing up. MSWindows:2008R2:IIS, MSExchange:2010:MessageTracking, MSExchange:2010:Topology

I'm getting performance data counters and dashboards, but the Message Tracking dashboards all tell me that the searches didn't match any events. I don't see any of the eventtypes that the dashboards are looking for in the Tracking Logs themselves. Do the powershell scripts generate those?

I'm re-re-reviewing all my config files and am a little stumped. This is the first app I've used so, I'm a little stumped.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:17 AM

The normal reason the eventtypes are not working are:

  1. Different log location
  2. Different source type
  3. Different index

You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).

The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

scho228901
Engager
‎10-14-2013 07:09 AM

N00B question....

where do I put the fwd_*apps piece that you mentioned above?

0 Karma
Reply
Solved! Jump to solution
Solution

ahall_splunk
Splunk Employee
Splunk Employee
‎10-05-2011 04:17 AM

The normal reason the eventtypes are not working are:

  1. Different log location
  2. Different source type
  3. Different index

You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).

The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.

0 Karma
Reply
Solved! Jump to solution

bobdoyle
Explorer
‎10-07-2011 01:08 PM

Thank you! I didn't have the fwd_* apps in my apps directory on the indexer. I was really tearing my hair out. Thanks again!

0 Karma
Reply
Solved! Jump to solution

MarioM
Motivator
‎09-19-2011 07:58 AM

Have you checked that message tracking is enable in your exchange 2010 server Configure Message Tracking ?

It 's on the HUB server and by default in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking

0 Karma
Reply
Solved! Jump to solution

bobdoyle
Explorer
‎09-20-2011 08:31 AM

I have, we are using a custom location and I've edited the inputs.conf for the app.

I'm getting tracking logs, but the dashboards aren't finding the eventtypes it expects. All message are msexchange-msgtrack. The dashboards are looking for eventtypes such as smtp-inbound, smtp-outbound, storedriver-deliver, storedriver-recieve, etc.

I can see results that would correlate to these fields in my data, but do I need to extract these eventtypes by hand?

0 Karma
Reply
Get Updates on the Splunk Community!

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk

Hey Splunk Practitioners and AI Enthusiasts! It’s no secret (or surprise) that AI is at the forefront of ...
Top