So I installed universal forwarder on my Exchange 2010 server, during install specified the splunk server's FQDN.
On the web console - under "manager" - "forwarding and receiving" - receiving data - made sure there is an entry for prot 9997.
Downloaded Splunk app for Exchange and Sideview.
Problem - no data.
What should I do?
It's possible that when you installed the universal forwarder on your Exchange server, you enabled some of the default inputs. You also have to install the technology add-ons where you installed the forwarder. We've added a troubleshooting topic to the docs to highlight these points.
Have you tested that DNS lookup is working from the mail server? It might be worth testing it with the IP instead. Also are there any firewalls blocking the ports on either machine or on the link between them?
Did you create new inputs.conf files in the local directory for each technology add-on? See the Make configuration changes... topic in Deploy and Use the Splunk App for Microsoft Exchange.
Whether or not you're running Splunk Free should not affect where the data goes (although I am not sure that the Exchange App officially supports Splunk Free). I have talked to other customers who have installed version 1.1 and it sends the data to the correct three indexes (exchange, perfmon, and blackberry). There is a topic in the Exchange App documentation that tells you how to make configuration changes to match your existing environment. But it seems as if there is something going on with your config--it's hard to diagnose with the information you've provided. You might want to try to reinstall the trial version of Splunk and follow the procedures in the Exchange App doc to reinstall that afterwards, see if it just clears up.
It's the latest as I just downloaded it yesterday.
Does it matter if I'm running Splunk free (eg. it restricts all data to main index)? I want to use this to demo the value of Splunk before we make the leap / purchase.
Are you using version 1.1 of the app? In 1.1, the default is not to use main. See What data the Splunk App for Microsoft Exchange collects for an explanation of what goes where in the current release. If you are using 1.0, I suggest an upgrade.
found that the data is coming in, but going into main. How do I get it into the Exchange index?