Splunk Search

newbie question: Exchange data input

itrcb4
New Member

So I installed the universal forwarder on my Exchange 2010 server; during install I specified the Splunk server's FQDN.

On the web console - under "Manager" - "Forwarding and receiving" - "Receive data" - I made sure there is an entry for port 9997.

Downloaded Splunk app for Exchange and Sideview.

Problem - no data.

What should I do?

0 Karma

ChrisG
Splunk Employee

It's possible that when you installed the universal forwarder on your Exchange server, you enabled some of the default inputs. You also have to install the technology add-ons where you installed the forwarder. We've added a troubleshooting topic to the docs to highlight these points.

0 Karma

Drainy
Champion

Have you tested that DNS lookup is working from the mail server? It might be worth testing it with the IP instead. Also, are there any firewalls blocking the ports on either machine or on the link between them?

0 Karma

ChrisG
Splunk Employee

Did you create new inputs.conf files in the local directory for each technology add-on? See the Make configuration changes... topic in Deploy and Use the Splunk App for Microsoft Exchange.

0 Karma

ChrisG
Splunk Employee

Whether or not you're running Splunk Free should not affect where the data goes (although I am not sure that the Exchange App officially supports Splunk Free). I have talked to other customers who have installed version 1.1 and it sends the data to the correct three indexes (exchange, perfmon, and blackberry). There is a topic in the Exchange App documentation that tells you how to make configuration changes to match your existing environment. But it seems as if there is something going on with your config--it's hard to diagnose with the information you've provided. You might want to try to reinstall the trial version of Splunk, follow the procedures in the Exchange App doc to reinstall that afterwards, and see if it just clears up.

0 Karma

itrcb4
New Member

It's the latest as I just downloaded it yesterday.

Does it matter if I'm running Splunk Free (e.g., it restricts all data to the main index)? I want to use this to demo the value of Splunk before we make the leap / purchase.

0 Karma

ChrisG
Splunk Employee

Are you using version 1.1 of the app? In 1.1, the default is not to use main. See What data the Splunk App for Microsoft Exchange collects for an explanation of what goes where in the current release. If you are using 1.0, I suggest an upgrade.

0 Karma

itrcb4
New Member

Found that the data is coming in, but going into main. How do I get it into the Exchange index?

0 Karma
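Pulling together Drainy's connectivity suggestion, ChrisG's point about local inputs.conf files in each technology add-on, and the final question about data landing in main, here is an added PowerShell check to run on the Exchange server. It is not from this thread or from Splunk. It assumes the universal forwarder is installed at its default path, that the add-on folders under etc\apps start with "TA-" (an assumption; adjust the filter to your folder names), and uses splunk.example.com as a placeholder for the indexer FQDN entered during install.

```powershell
# Added troubleshooting script (not from the thread or from Splunk).
# Assumptions: default forwarder install path; indexer FQDN is a placeholder;
# technology add-on folders under etc\apps are named TA-*.
param(
    [string]$Indexer    = 'splunk.example.com',   # placeholder: your indexer FQDN
    [int]   $Port       = 9997,                   # receiving port from Manager > Forwarding and receiving
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
)

# 1. DNS: does the Exchange server resolve the indexer name at all?
try {
    $ips = [System.Net.Dns]::GetHostAddresses($Indexer) | ForEach-Object { $_.IPAddressToString }
    Write-Host "DNS  OK    $Indexer -> $($ips -join ', ')"
} catch {
    Write-Host "DNS  FAIL  $Indexer does not resolve; try the IP address in outputs.conf instead"
    return
}

# 2. TCP: can we open the receiving port? TcpClient works on Server 2008 R2 /
#    PowerShell 2.0, where Test-NetConnection is not available.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Indexer, $Port)
    Write-Host "TCP  OK    ${Indexer}:$Port reachable"
} catch {
    Write-Host "TCP  FAIL  ${Indexer}:$Port blocked or not listening (check host firewalls and the link between them)"
} finally {
    $client.Close()
}

# 3. Config: for each add-on, is there a local\inputs.conf, and does every input
#    stanza set an index? A stanza with no 'index =' (and no index under
#    [default]) sends its events to main, which is the symptom in this thread.
function Get-StanzasWithoutIndex {
    param([string]$Path)
    $missing = @(); $stanza = $null; $hasIndex = $true; $defaultHasIndex = $false
    foreach ($line in Get-Content $Path) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            if ($stanza -and -not $hasIndex) { $missing += $stanza }
            $stanza = $Matches[1]; $hasIndex = $false
        } elseif ($t -match '^index\s*=') {
            $hasIndex = $true
            if ($stanza -eq 'default') { $defaultHasIndex = $true }
        }
    }
    if ($stanza -and -not $hasIndex) { $missing += $stanza }
    if ($defaultHasIndex) { return @() }   # [default] index applies to every stanza in the file
    return $missing
}

$apps = Join-Path $SplunkHome 'etc\apps'
Get-ChildItem $apps | Where-Object { $_.PSIsContainer -and $_.Name -like 'TA-*' } | ForEach-Object {
    $local = Join-Path $_.FullName 'local\inputs.conf'
    if (-not (Test-Path $local)) {
        Write-Host "CONF MISSING $($_.Name): no local\inputs.conf (copy the stanzas you need from default\inputs.conf and enable them there)"
    } else {
        $noIndex = Get-StanzasWithoutIndex $local
        if ($noIndex) {
            Write-Host "CONF WARN    $($_.Name): stanzas without 'index =' will land in main: $($noIndex -join ', ')"
        } else {
            Write-Host "CONF OK      $($_.Name): every stanza in local\inputs.conf sets an index"
        }
    }
}
```

Run it from an elevated PowerShell prompt on the Exchange server and restart the forwarder service after any inputs.conf change. Whatever index you set (exchange, perfmon or blackberry in the app's 1.1 layout) must already exist on the receiving Splunk instance; events addressed to an index that does not exist there are dropped rather than redirected to main.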