newbie question: Exchange data input

itrcb4
New Member

So I installed universal forwarder on my Exchange 2010 server, during install specified the splunk server's FQDN.

On the web console - under "manager" - "forwarding and receiving" - receiving data - made sure there is an entry for port 9997.

Downloaded Splunk app for Exchange and Sideview.

Problem - no data.

What should I do?

0 Karma

ChrisG
Splunk Employee

It's possible that when you installed the universal forwarder on your Exchange server, you enabled some of the default inputs. You also have to install the technology add-ons where you installed the forwarder. We've added a troubleshooting topic to the docs to highlight these points.

0 Karma

Drainy
Champion

Have you tested that DNS lookup is working from the mail server? It might be worth testing it with the IP instead. Also are there any firewalls blocking the ports on either machine or on the link between them?

0 Karma

ChrisG
Splunk Employee

Did you create new inputs.conf files in the local directory for each technology add-on? See the Make configuration changes... topic in Deploy and Use the Splunk App for Microsoft Exchange.

0 Karma

ChrisG
Splunk Employee

Whether or not you're running Splunk Free should not affect where the data goes (although I am not sure that the Exchange App officially supports Splunk Free). I have talked to other customers who have installed version 1.1 and it sends the data to the correct three indexes (exchange, perfmon, and blackberry). There is a topic in the Exchange App documentation that tells you how to make configuration changes to match your existing environment. But it seems as if there is something going on with your config--it's hard to diagnose with the information you've provided. You might want to try to reinstall the trial version of Splunk and follow the procedures in the Exchange App doc to reinstall that afterwards, see if it just clears up.

0 Karma

itrcb4
New Member

It's the latest as I just downloaded it yesterday.

Does it matter if I'm running Splunk Free (e.g. it restricts all data to the main index)? I want to use this to demo the value of Splunk before we make the leap / purchase.

0 Karma

ChrisG
Splunk Employee

Are you using version 1.1 of the app? In 1.1, the default is not to use main. See What data the Splunk App for Microsoft Exchange collects for an explanation of what goes where in the current release. If you are using 1.0, I suggest an upgrade.

0 Karma

itrcb4
New Member

Found that the data is coming in, but going into main. How do I get it into the Exchange index?

0 Karma
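An added example, not code from this thread or from the Splunk App for Exchange: a small Python check that parses a forwarder's local inputs.conf (the file ChrisG points to above) and lists the enabled stanzas that set no index, which is why events end up in main as in the last post. The sample file content, its monitor path and its sourcetype value are constructed.

```python
# Added example, not from the thread: audit a forwarder inputs.conf and list the
# enabled stanzas that set no index, since Splunk sends those events to main.
import re

# Constructed sample inputs.conf (path and sourcetype values are hypothetical);
# the WinEventLog stanza forgets index=exchange and so lands in main.
SAMPLE_INPUTS_CONF = """\
[monitor://C:\\Program Files\\Microsoft\\Exchange Server\\V14\\TransportRoles\\Logs\\MessageTracking]
sourcetype = exchange_messagetracking
index = exchange
disabled = 0

[WinEventLog://Application]
disabled = 0

[perfmon://MSExchangeIS]
counters = *
index = perfmon
disabled = 1
"""

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip().lower()] = value.strip()
    return stanzas

def inputs_defaulting_to_main(text):
    """Return enabled stanzas with no index set directly or via [default]."""
    stanzas = parse_conf(text)
    inherited = stanzas.get("default", {})  # [default] applies to every stanza
    flagged = []
    for name, settings in stanzas.items():
        if name == "default" or settings.get("disabled", "0").lower() in ("1", "true"):
            continue
        if "index" not in settings and "index" not in inherited:
            flagged.append(name)
    return flagged
```

Run it against each technology add-on's local/inputs.conf on the forwarder; any stanza it reports needs an explicit index (exchange, perfmon or blackberry per the app docs) before the data will leave main.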