Getting Data In

TA-Exchange-2013-Mailbox wasn't parsing events properly

edonze
Path Finder

Events were being split improperly when indexed:

One event:

2014-04-14T11:34:59-07:00 Database="<Database>" Active="Active" MasterType="Server" Status="Mounted" PublicFolderDatabase="<domain>/Configuration/Deleted Objects/Public Folder Database

separate event:

DEL:<GUID>" IsMailboxDatabase="True" IsPublicFolderDatabase="False" LogFolderPath="<path>\<Database>" LogPercFree=98.569 LogSize=1171259392 FilePath="<path>\<Database>.edb" MainPercFree=69.069 FileSize=156497870848 LocalCopy="False" CopyFilePath="" CopyPercFree=0 CopyFileSize=0 CopyStatus=Disabled SnapshotLastFullBackup="True" SnapshotLastIncrementalBackup="True" SnapshotLastDifferentialBackup="" SnapshotLastCopyBackup="" LastFullBackup="04/09/2014 20:59:37" LastIncrementalBackup="04/13/2014 20:59:46" LastDifferentialBackup="" LastCopyBackup=""
Tags (2)
0 Karma
1 Solution

edonze
Path Finder

Changed stanza in props.conf from:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

to:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
LINE_BREAKER = ([\r\n])\d{4}-\d{2}-\d{2}T
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

View solution in original post

0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

Thanks for the bug report. I've filed it and will get into a future release.

0 Karma

edonze
Path Finder

Changed stanza in props.conf from:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

to:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
LINE_BREAKER = ([\r\n])\d{4}-\d{2}-\d{2}T
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...