Not getting complete MSExchange management event information ingested into Splunk.

abhijit_mhatre
Path Finder

The configuration I have written to ingest MSExchange management data isn’t ingesting all the information contained in the event.
Configuration deployed:
[WinEventLog://MSExchange Management]
index =
sourcetype =

We are receiving data in the instance, but we are only getting general information associated with each event. Is there a way to get detailed information for an event into Splunk?

Let me know.

0 Karma

DavidHourani
Super Champion

Hi @abhijit_mhatre, what kind of details are you looking for? Is that detail already in WinEventLog? If so you should be able to fetch it 🙂

0 Karma

abhijit_mhatre
Path Finder

Hi @davidhourani,
There are a few additional details being generated on the MSExchange server, but the configuration is not ingesting all of them. It is only ingesting the general details.
Is there a way to modify the configuration and have it pick up everything being generated on the server?

0 Karma

DavidHourani
Super Champion

Yes! Of course. And first, before adding anything new, make sure you've followed this documentation to activate your required data inputs:
https://docs.splunk.com/Documentation/MSExchange/3.5.2/Add-Ons/ConfigureTA-Exchange-IIS

Sometimes it's easy to miss activating inputs, so you won't get everything. Double check that, and then if you don't find what you're looking for, let me know and we can work on making a new input.

0 Karma

abhijit_mhatre
Path Finder

Hi @davidhourani,
There is no configuration to ingest MSExchange Management logs in the TA-Exchange-IIS. I already have a configuration to ingest these logs; it is just that the complete information that can be seen in the Event Viewer is not getting ingested, and only the general information in each event is being ingested.
Let me know if there is a way (like having a script or a configuration) to ingest the complete information present in an event and not just the general information.

0 Karma