Getting Data In

TA-Exchange-2013-Mailbox wasn't parsing events properly

edonze
Path Finder

Events were being split improperly when indexed:

One event:

2014-04-14T11:34:59-07:00 Database="<Database>" Active="Active" MasterType="Server" Status="Mounted" PublicFolderDatabase="<domain>/Configuration/Deleted Objects/Public Folder Database

separate event:

DEL:<GUID>" IsMailboxDatabase="True" IsPublicFolderDatabase="False" LogFolderPath="<path>\<Database>" LogPercFree=98.569 LogSize=1171259392 FilePath="<path>\<Database>.edb" MainPercFree=69.069 FileSize=156497870848 LocalCopy="False" CopyFilePath="" CopyPercFree=0 CopyFileSize=0 CopyStatus=Disabled SnapshotLastFullBackup="True" SnapshotLastIncrementalBackup="True" SnapshotLastDifferentialBackup="" SnapshotLastCopyBackup="" LastFullBackup="04/09/2014 20:59:37" LastIncrementalBackup="04/13/2014 20:59:46" LastDifferentialBackup="" LastCopyBackup=""
Tags (2)
0 Karma
1 Solution

edonze
Path Finder

Changed stanza in props.conf from:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

to:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
LINE_BREAKER = ([\r\n])\d{4}-\d{2}-\d{2}T
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

View solution in original post

0 Karma

ahall_splunk
Splunk Employee
Splunk Employee

Thanks for the bug report. I've filed it and will get into a future release.

0 Karma

edonze
Path Finder

Changed stanza in props.conf from:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

to:

[MSExchange:2013:Database-Stats]
CHARSET = UTF-8
LINE_BREAKER = ([\r\n])\d{4}-\d{2}-\d{2}T
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...