The Splunk IT Service Intelligence (ITSI) Content Pack for Microsoft Exchange provides a “quick start” out-of-the-box solution that delivers fast results and maximizes the value realized from ITSI. The content pack gives you depth and breadth of visibility across your Microsoft Exchange environments.
This content pack provides measurable results and value to the following customers:
This content pack is a replacement for the legacy Splunk App for Microsoft Exchange. It’s available for download through the ITSI Content Library, or through the content pack documentation. You can install it in your ITSI environment, see everything going on across your Microsoft Exchange environment, and find and fix issues with three clicks or less, all at no additional cost!
For the last three years, the Splunk App for Microsoft Exchange has served our customers well by providing visibility into the health and performance of their Microsoft Exchange environments. Splunk is now enhancing its capabilities to leverage the latest ITSI features, simplify the implementation, and speed up time to results. The app’s functionality will now be encompassed in an ITSI content pack. All you need to do is download the required add-on, install the content pack, and see results in minutes.
On April 30, 2021, we will end the sale of the Splunk App for Exchange. As an alternative, customers can choose between IT Essentials Work 4.9 and ITSI 4.9 (releasing early May), based on their requirements. Existing support contracts will be honored until their end date providing sufficient time for the current Splunk App for Exchange users to migrate to the new experience.
Customers that manage Splunk in their data centers can download IT Essentials Work for free from Splunkbase. Customers that use Splunk Cloud can request support-assisted installation for IT Essentials Work through the ticketing workflow. Splunk sales and customer success teams can help determine whether IT Essentials Work or ITSI is the right option moving forward.
The ITSI Content Pack for Microsoft Exchange provides the elements necessary to collect Exchange data from the hosts in your Microsoft Exchange server environment and monitor your various Exchange services such as database, transport, and performance metrics. The content pack provides preconfigured services with KPIs that monitor critical functions. It also includes a default entity type to help you group and analyze Exchange entities in your ITSI environment.
The Content Pack for Microsoft Exchange relies on data from the Splunk Add-on for Microsoft Exchange, which collects Exchange data from the hosts in your Exchange server environment.
The content pack provides a robust collection of results for you to best manage your Microsoft Exchange environment. The following are major associated capabilities that are covered later in more detail:
The Content Pack for Microsoft Exchange contains more than 64 services that represent different components of your Exchange server environment. A service is a logical mapping of IT objects that applies to your business goals such as an application, an infrastructure tier, or a single process running on a host.
Some services are dependent on other services. Services contain KPIs which make it possible to monitor service health and ensure your IT operations are in compliance with business SLAs.
The following image shows the Microsoft Exchange Service Analyzer tree:
The content pack contains over 300 KPIs built using Microsoft best practices and Splunk research, each with configured thresholds and alerting rules. A KPI is a recurring saved search that returns the value of an IT performance metric and is used to monitor the health of a service. For more information about KPIs, see Overview of creating KPIs in ITSI in the Service Insights manual.
The following image shows the configuration of a KPI in the Content Pack for Microsoft Exchange. KPI alerting is enabled and aggregate thresholds are configured:
Another great feature of the Content Pack for Microsoft Exchange is the preconfigured Service Analyzer view called Exchange Service Analyzer, which provides a visual representation of your Microsoft Exchange services and the dependencies between them. You can use this custom view to see the KPIs, entities, and most critical episodes associated with a service.
The Exchange Service Analyzer is organized according to the following key components of Microsoft Exchange and its base metrics:
The following image shows some of the services in the Content Pack for Microsoft Exchange, along with the quick-click capability to view associated KPIs, entities, and episodes:
Select an Exchange service in the dependency tree to investigate its associated KPIs and entities, and perform more granular root cause analysis of issues that arise. You can click View All to manage all critical and high episodes in Episode Review, or select an individual entity to view its health page.
For a reference of all KPIs included in the content pack as well as their descriptions, search schedules, and lookback times, see KPI reference for the Content Pack for Microsoft Exchange in the ITSI Content Packs manual.
The Content Pack for Microsoft Exchange includes a custom entity type called “Microsoft Exchange Host” which associates all Microsoft Exchange entities with each other. You can use this association to visualize and troubleshoot Exchange entities. For example, you can group entities by entity type in the Infrastructure Overview to visualize key metrics relating to the health of Exchange entities.
The “Microsoft Exchange Host” entity type contains a set of vital metrics which describe the overall health of entities of that type, including things like average CPU processor time, average network utilization, and average available memory. You can view these metrics on the Entity Health page and drill down further into individual Exchange entities.
The content pack ships with two custom dashboards for all Microsoft Exchange Host entities:
The Event Data Search dashboard displays the 100 most recent log events associated with an entity for the last 60 minutes. The dashboard provides a high-level overview of entity performance across your whole environment, regardless of the entity type you associated with the entity.
The Entity Analytics dashboard lets you analyze metrics and logs for specific entities in ITSI. You can populate the dashboard with metrics and logs according to analysis data filters ITSI associates with a given entity.
You can optionally add, modify, or delete the preconfigured Microsoft Exchange Host entity type. For instructions to create and edit entity types, see Create custom entity types in ITSI.
For more information about the entity dashboards included in this content pack, see Monitor Exchange entities in the content pack documentation.
Some services in the Content Pack for Microsoft Exchange are configured to generate notable events when aggregate KPI threshold values reach specific levels. ITSI then aggregates these events into meaningful groups, or episodes.
To monitor and investigate the episodes related to your Exchange environment, navigate to Episode Review. Episode Review provides a unified view of all your service-impacting episodes. You can drill down into individual episodes to perform more granular root cause analysis, such as viewing an events timeline or examining common fields.
You can interact with an episode in a variety of ways, including the following:
As an analyst, you can use Episode Review to gain insight into the severity of episodes occurring in your Microsoft Exchange environment. Use the console to triage new episodes, assign episodes to analysts for review, and examine episode details for investigative leads.
For more information about Episode Review, see Overview of Episode Review in ITSI.
The Content Pack for Microsoft Exchange includes several preconfigured glass tables you can use to monitor critical Exchange functions. Each glass table is specifically designed to deliver value to one of the following personas:
As a business leader, you’ll gain the most value from the Exchange Executive Overview glass table. You know the value of having Microsoft Exchange up and running efficiently and the impact it can have on your business, so the overall performance and availability metrics are the most valuable elements for you. These two key insights help you understand overall health and focus on where there might be availability concerns or performance problems. These insights are in real-time and self-service, and even dynamic if you want to dive a little deeper. This glass table helps you quickly discover what’s going on across your Microsoft Exchange technology stack and lets you focus on running your business.
As a CIO or CTO, you’ll gain the most value from the Exchange Functional Overview glass table. It provides full visibility across your Microsoft Exchange service by breaking it down into four key components - mailbox, client access, transport, and legacy. This level of awareness and visibility helps you to more efficiently and proactively communicate about activities and events that impact your customers’ experience. It also helps you manage your resources and budget appropriately so you can effectively perform your essential functions.
As an IT operations engineer, you’ll gain the most value from the Exchange System Overview glass table. It will benefit you in your role as you seek to know not only the top-level service health, but also the details of each of the major components and sub-level services. With a few clicks you can identify root cause and remediate issues so they don’t impact your customers and their experience.
The following image shows the Exchange Executive Overview glass table:
For more information about glass tables, see Overview of the glass table editor in ITSI and a video Getting started with Splunk ITSI Glass Tables.
Now that you know all about the Content Pack for Microsoft Exchange, it’s time to install it and start discovering its value yourself!
For detailed installation steps, see Install and configure the Content Pack for Microsoft Exchange.
Join us for a Tech Talk session on the Splunk ITSI Content Pack for Microsoft Exchange. Splunk Tech Talks are short, technical webinars for Splunk users. These 20-30 minute webinars are practitioner based overviews with a live demo to highlight best practices, scenarios and new functionality.
This blog post was authored by Todd DeCapua, IT Markets, Advisory Engineer, Splunk with special help from Marie Duran, Full Stack Developer, Splunk.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.