- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Dashboards empty, my tracking logs don't seem ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We've been trying to get the Splunk App for Exchange Server working on a test CAS/HUB. I've deployed the fwd_exchange2010_cas, fwd_win2008r2_iis, and fwd_exchange2010_hub apps to the system.
The following source types are showing up. MSWindows:2008R2:IIS, MSExchange:2010:MessageTracking, MSExchange:2010:Topology
I'm getting performance data counters and dashboards, but the Message Tracking dashboards all tell me that the searches didn't match any events. I don't see any of the eventtypes that the dashboards are looking for in the Tracking Logs themselves. Do the powershell scripts generate those?
I'm re-re-reviewing all my config files and am a little stumped. This is the first app I've used so, I'm a little stumped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The normal reason the eventtypes are not working are:
- Different log location
- Different source type
- Different index
You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).
The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
N00B question....
where do I put the fwd_*apps piece that you mentioned above?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The normal reason the eventtypes are not working are:
- Different log location
- Different source type
- Different index
You've already checked #1 - you need to ensure that the message tracking events get the right source type and are stored in the right index. You can alter eventtypes.conf to specify the right index (which is normally the issue).
The final thing that can go wrong is that you have not placed the fwd_* apps on the search head, which means the field extractions don't happen - thus your dashboards don't get filled.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! I didn't have the fwd_* apps in my apps directory on the indexer. I was really tearing my hair out. Thanks again!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you checked that message tracking is enable in your exchange 2010 server Configure Message Tracking ?
It 's on the HUB server and by default in C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs\MessageTracking
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have, we are using a custom location and I've edited the inputs.conf for the app.
I'm getting tracking logs, but the dashboards aren't finding the eventtypes it expects. All message are msexchange-msgtrack. The dashboards are looking for eventtypes such as smtp-inbound, smtp-outbound, storedriver-deliver, storedriver-recieve, etc.
I can see results that would correlate to these fields in my data, but do I need to extract these eventtypes by hand?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
