Splunk for Exchange - Database information not showing

deepcovelabs
New Member

Hello,

We are in the process of setting up the Splunk for Exchange App and we seem to have it running, somewhat correctly, but the app does not display the mailstore db size at all; we get no values. We get values for the log files, and all other parts of the application seem to be displaying the correct data.

This is under Mailbox Database Overview

Database    MailboxStore  DatabaseSize(MB)  DBFreeSpace(%)  LogSize(MB)  LogFreeSpace(%)
MB-Net-01   Juno          0.00              72.61           33.00        94.29

Anyone have any ideas on how to correct this?

Thanks
Kevin

0 Karma

ahall_splunk
Splunk Employee

The Exchange 2010 SP2 is likely the cause. As detailed in the documentation (specifically: here), upgrading to SP2 sometimes (actually, most of the time) turns off the Exchange cmdlets, causing a loss of information. That same page also contains a link to a blog post about a fix for the issue.

A good test is to log onto your mailbox store, bring up the Exchange Powershell and run

Get-MailboxServer -Identity $env:ComputerName
Get-MailboxDatabase -server $env:ComputerName -Status

These are the two Exchange cmdlets that give us the information you are looking for.

deepcovelabs
New Member

Thanks for all the help.

0 Karma

ahall_splunk
Splunk Employee

DNSBL Reputation relay is in the TA-SMTP-Reputation

0 Karma

ahall_splunk
Splunk Employee

I posted v2.0.1 of the Splunk app for Exchange that has this fix in it as well.

0 Karma

deepcovelabs
New Member

Side question: What script does DNSBL Reputation relay on?

0 Karma

deepcovelabs
New Member

Thanks...

I made the edit on the script on Friday and we are now seeing the value being populated. Thanks for your help.

0 Karma

ahall_splunk
Splunk Employee

I'm just looking at the script now. I do believe you are right. It's correct in the 2007 and 2013 Exchange scripts. I'll correct it here and it will go out with the next release. Feel free to edit the script as you suggested.

0 Karma

deepcovelabs
New Member

To me this looked like a code error, I guess I am wrong:

$EdbSize = ($EdbFilePath.PathName | Get-ChildItem).Length

Shouldn't it be:

$EdbSize = ($Database.EdbFilePath.PathName | Get-ChildItem).Length

0 Karma
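The one-line difference discussed in this post, as an added example that is not part of the thread or of the Splunk app's scripts: without strict mode an unassigned variable evaluates to $null, so the original line never reaches the real EDB path, while `Set-StrictMode` turns the same mistake into an error. The `$Database` object, the temp file standing in for the .edb file, and the function names are constructed for illustration; only the `EdbFilePath.PathName` shape comes from the thread.

```powershell
# Added example: runs without Exchange. $Database is a constructed stand-in
# for one object returned by Get-MailboxDatabase -Status.
Set-StrictMode -Version 2.0   # unassigned variables now throw instead of being $null

# Constructed sample: a 4096-byte temp file plays the role of the .edb file.
$SampleEdb = [System.IO.Path]::GetTempFileName()
[System.IO.File]::WriteAllBytes($SampleEdb, [byte[]](,0 * 4096))

$Database = New-Object PSObject -Property @{
    Name        = 'SampleDB'   # hypothetical database name
    EdbFilePath = (New-Object PSObject -Property @{ PathName = $SampleEdb })
}

function Get-EdbSizeOriginal($Database) {
    # Line as quoted in the thread: $EdbFilePath is never assigned in this scope.
    ($EdbFilePath.PathName | Get-ChildItem).Length
}

function Get-EdbSizeCorrected($Database) {
    # Corrected line from the thread: the path is read from the database object.
    ($Database.EdbFilePath.PathName | Get-ChildItem).Length
}

try {
    $size = Get-EdbSizeOriginal $Database
    "original line returned: $size"
} catch {
    # Strict mode surfaces the unassigned variable here.
    "original line failed: $($_.Exception.Message)"
}

"corrected line returned: $(Get-EdbSizeCorrected $Database) bytes"

Remove-Item $SampleEdb
```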

ahall_splunk
Splunk Employee

If you do a search for eventtype=msexchange-database-stats then the number you want is in the FileSize field.

0 Karma

deepcovelabs
New Member

Hmmm... I had a look at the get-databasestats.ps1 and I don't see any object Member with DatabaseSize. I'll keep digging

0 Karma

deepcovelabs
New Member

The 2 powershell cmds work, and so did the work-around test command with the small change in path.

I changed this:
cd "C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-2010-MailboxStore"
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd exchangepowershell.cmd get-hoststats.ps1

to this:
cd "C:\Program Files\SplunkUniversalForwarder\etc\apps\TA-Exchange-2010-MailboxStore"
"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd .\bin\exchangepowershell.cmd get-hoststats.ps1

result is as expected: white text result

0 Karma

ahall_splunk
Splunk Employee

No worries - if the scripts are running without issue and the size of the database is showing up in the scripts, the dashboard should work.

The script you want to be concentrating your efforts on is the get-databasestats.ps1 script.

0 Karma

ahall_splunk
Splunk Employee

I need a little more information on the environment you are running in to be able to ask follow-up questions appropriate to diagnose. If you have a support contract, then follow up through a support call. If not:

  • What version of the App are you running?
  • What version of Exchange is running on the server in question?
  • What version of Splunk Universal Forwarder are you running on your mailbox store?
0 Karma

deepcovelabs
New Member

Sorry about not including the version info:

-Splunk: version 4.3.4, build 136012
-Splunk for Exchange: v1.1.6
-Exchange 2010 SP2: v14.2 build 247.5
-Splunk Forwarder Win_x64: version 4.3.4, build 136012

0 Karma