recently we deployed IT Essential Works with latest Exchange Content Pack. we also deployed the three addons for the Exchange in the exchange nodes (including IIS and OWA logs).
Now we are in the process of validation of the ITSI dashboards, External Logins Map is one of them, and we realized that the extracted source IP (c_ip field) corresponds to our load balancer (XXX.XXX.XXX.XXX) instead of the remote host (IP shown at the end of the event).
below an example of exchange event that reach our splunk infra.
I created a extracted field called c_ip2 containing the last IP shown in the event and I changed the query on the map. That approach worked but this solution is not valid for other built-in dashboards that use a macros such as Outlook Web Access dashboard which uses the macro `client-ews-events`.
Also, I would like to dont change much the ITSI internals so I can easily upgrade it whenever needed.
So, my goal would be to fix the issue completely by keeping only the original c_ip field but with the correct external IP.