- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Not getting complete MSExchange management eve...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not getting complete MSExchange management event information ingested into Splunk.
The configuration I have written to ingest MSExchange management data isn’t ingesting all the information contained in the event.
Configuration deployed:
[WinEventLog://MSExchange Management]
index =
sourcetype =
We are receiving data in the instance but we are only getting general information associated with each event. Is there a way to get detailed information for an event into splunk?
Let me know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @abhijit_mhatre, what kind of details are you looking for ? Is that detail already in WinEventLog ? If so you should be able to fetch it 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @davidhourani,
There are few additional details being generated on the MSexchange Server but the configuration is not ingesting all of it. It is only ingesting the general details.
Is there a way to modify the configuration and have it pick everything being generated on the server.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes ! Of course. And first before adding anything new make sure you've followed this documentation to activate your required data inputs :
https://docs.splunk.com/Documentation/MSExchange/3.5.2/Add-Ons/ConfigureTA-Exchange-IIS
Sometimes its easy to miss activating inputs so you won't get everything. Double check that and then if you don't find what you're looking for let me know and we can work on making a new input.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @davidhourani,
There is no configuration to ingest Msexchange Management logs in the TA-Exchange-IIS. I already have a configuration to ingest these logs, it is just that the complete information that can be seen in the event viewer is not getting ingested and only the general information in each event is being ingested.
Let me know if there is a way( like having a script or a configuration) to ingest the complete information present in an event and not just the general information.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
