Splunk Lantern

Gaining better visibility into Microsoft Exchange


Your business uses Microsoft Exchange environments heavily. Because of this, it's vital that you are able to see everything going on across your Microsoft Exchange environment, and can find and fix issues quickly.

Different areas of your organization have different requirements for insights and information relating to Microsoft Exchange data, for example:

  1. IT Operations needs an accurate, real-time picture of services, with proper alerting and automation along with machine learning and predictive analytics capabilities, to give CIO and CTO leadership visibility so that customers have access to service at all times.
  2. CIOs or CTOs need to have a dashboard and executive-level metrics to show the service level being delivered, so they can balance distribution of ITOps resources and ensure Business Leaders are getting the service that they have committed to providing.
  3. Business leaders are responsible for providing email, calendar, and communications services to staff so they can be sure to deliver on and exceed the SLAs and SLOs established for partners and customers.

Data required

Microsoft Exchange data

How to use Splunk software for this use case

The Content Pack for Microsoft Exchange provides the elements necessary to collect data from the hosts in your Microsoft Exchange server environment. You can use the content pack to monitor the health and performance of your Microsoft Exchange environment, from Edge and Hub Transport servers, to Client Access Servers and the Mailbox Store.

If you are a customer using IT Essentials Work, some of the features you'll see in the Content Pack for Microsoft Exchange will be more limited than the features available for customers using Splunk ITSI.

The Content Pack provides:

Glass tables

The Content Pack for Microsoft Exchange includes several preconfigured glass tables that you can use to monitor critical Exchange functions:

  1. Exchange Functional Overview glass table
  2. Exchange Executive Overview glass table
  3. Exchange System Overview glass table

You can access the glass tables from the Splunk ITSI main menu under Glass Tables.

Exchange Functional Overview glass table

CIOs or CTOs in particular can gain the most value from the Exchange Functional Overview glass table. It provides full visibility across your Microsoft Exchange service by breaking it down into four key components: Mailbox, Client access, Transport, and Legacy. This level of awareness and visibility helps you to more efficiently and proactively communicate about activities and events that impact your customers’ experience. It also helps you manage your resources and budget appropriately so you can effectively perform your essential functions. Further down the glass table, you can monitor availability, performance, and base metrics.


You can click into any area of this glass table to investigate a metric further. In the example above, under Client Access, Outlook Web Access functionality is at 70%, color-coded yellow to quickly draw your attention. Clicking this metric takes you to the Service Analyzer, which shows you connected KPIs. In the example below, you can see straight away that OWA Avg. Search Time is trending high. An 81-second average search time is likely an issue contributing to the functionality score.


Exchange Executive Overview glass table

This glass table is great for business leaders who need to know the value of having Microsoft Exchange up and running efficiently and the impact it can have on your business. The glass table shows the overall performance and availability metrics which help you understand overall health and focus on where there might be availability concerns or performance problems. These insights are in real-time and self-service, and even dynamic if you want to dive a little deeper. This glass table helps you quickly discover what’s going on across your Microsoft Exchange technology stack.

At the top of this glass table you can see four major areas covering Mailbox, Client Access, Hub Transport, and Legacy Clients, each split into Availability and Performance. Below that you can see health scores for the next level down. At the bottom you can see base metrics covering Network, Memory, Compute, and Disk. You can click into any of these metrics to go to the Service Analyzer where you can investigate further.


Exchange System Overview glass table

IT operations engineers can gain a lot of value from this glass table. This glass table can help you understand not only top-level service health, but also the details of each of the major components and sub-level services. With a few clicks, you can identify root cause and remediate issues so they don’t impact your customers and their experience.

This glass table is similar to the Functional Overview glass table except it moves Availability, Performance, and Base Metrics into focus at the top of the glass table, with Mailbox, Client access, Transport, and Legacy underneath.


Exchange Service Analyzer

The Exchange Service Analyzer is the home page for Splunk ITSI and serves as your starting point for monitoring your Exchange service, so you can see the health of your environment at a glance.

The Exchange Service Analyzer provides an overview of Splunk ITSI service health scores and KPI search results that are trending at the highest severity levels, as well as the dependencies between services. Click any tile in the Exchange Service Analyzer to drill down to the deep dives for further analysis and comparison of search results over time.

How to use the Exchange Service Analyzer

The tree view of the Exchange Service Analyzer shows you five top-level tree items:

  • MSExchange_Legacy_Clients
  • MSExchange_Transport
  • MSExchange_ClientAccess
  • MSExchange_BaseMetrics
  • MSExchange_Mailbox

In the next level down in the tree, you can see the performance and availability of services which are color-coded to reflect which services are experiencing errors or performing outside of expected parameters.

In the example below, within the MSExchange_BaseMetrics node, you can see that the service MSExchange_BaseMetrics_LogicalDisk is yellow, indicating that it is not performing optimally. The exclamation point shows there is a critical issue.


Clicking on that service shows that the Free Megabytes KPI is critical, and the entity name shows the host that's experiencing these issues.


Often, this level of information is all you need to identify what the issue is and know where you need to allocate more resources. But if you do need to investigate further, clicking on the entity brings you to the Event Data search which shows the raw events that are coming in. On the right-hand side of the screen, under Entity Information, you can see the other services and KPIs for the same host. Using this information, you can quickly understand how a particular host is performing and see if there are additional issues.


If you need advanced analytics, click Analytics at the top of the screen to view specific types of event data, such as memory, disk, or processor analytics, and to select the time frame you're concerned with. The charts in this area show how this particular host has performed in these specific areas over time.



Services

A service is a logical mapping of objects that applies to your business goals. Some services might have dependencies on other services. Services contain KPIs that make it possible to monitor service health, perform root cause analysis, receive alerts, and ensure that your operations are in compliance with business service-level agreements (SLAs).

The Exchange Service Analyzer shows insights across all 64 services and their status for the time range selected. You can also click into more results for any of these services to see their KPIs and entities.

If you want to view and edit these services, or delete or disable any you don't use, select the Configuration menu in the Splunk ITSI toolbar.


KPIs

A Key Performance Indicator (KPI) is a recurring saved search that returns the value of an IT performance metric, such as CPU load percentage, memory used percentage, or response time. KPIs are used to monitor the health of a service.

You create a KPI within a specific service. It defines everything needed to generate searches to understand the underlying data, including how to access, aggregate, and qualify with thresholds. You can use the search result values to monitor service health, check the status of IT components, and troubleshoot trends that might indicate an issue with your IT systems.

The Content Pack for Microsoft Exchange includes 400+ KPIs, so you have deep insights across your Exchange service. You can easily access results and see the underlying entity that is causing issues.

If you want to view and work with the KPI base searches, select the Configuration menu in the Splunk ITSI toolbar.

For a full list of services and KPIs, see the KPI reference for the Content Pack for Microsoft Exchange.

Entity types and vital metrics

The content pack includes a custom Microsoft Exchange Host entity type that associates all Microsoft Exchange entities with each other. You can use this association to visualize and troubleshoot Microsoft Exchange entities.

The Microsoft Exchange Host entity type also contains a set of vital metrics which describe the overall performance of entities of that type, including average CPU processor time, average network utilization, and average available memory. You can view these metrics on the Entity Health page and drill down further into individual Microsoft Exchange entities.

If you want to view and work with entities and entity types, select the Configuration menu in the Splunk ITSI toolbar.

For more information about entity types and vital metrics, see Overview of entity types in ITSI.


Dashboards

A dashboard holds tables or charts that relate to a particular business purpose. The panels in a dashboard present charts or summarized data in a visually appealing manner. You can add multiple panels, multiple reports, and charts to the same dashboard.

The Content Pack for Microsoft Exchange includes 43 dashboards that give you quick and easy access to valuable information. Each dashboard is powered by data collected from your Microsoft Exchange environment using one or more input types configured in the Splunk Add-on for Microsoft Exchange.

You can use the dashboards included in the content pack to:

  • Monitor the performance of all servers throughout your Exchange environment
  • Track messages throughout your messaging environment
  • Monitor client usage, including mobility usage with ActiveSync or Outlook Anywhere
  • Monitor security events, such as virus outbreaks and anomalous logons
  • Track administrative changes to the environment
  • Analyze long-term mail operations trends
  • Plan for capacity expansion
  • Monitor your organization's outbound email sender reputation

For detailed descriptions of each dashboard, see the Dashboard reference for the Content Pack for Microsoft Exchange.

Additional resources

The content in this guide comes from a previously published blog and a Tech Talk, one of the thousands of Splunk resources available to help users succeed. In addition, these Splunk resources might help you understand and implement this use case: