Getting the Most Out of Microsoft Exchange and Splunk ITSI

The Splunk IT Service Intelligence (ITSI) Content Pack for Microsoft Exchange provides a “quick start” out-of-the-box solution that delivers fast results and maximizes the value realized from ITSI. The content pack gives you depth and breadth of visibility across your Microsoft Exchange environments.

This content pack provides measurable results and value to the following customers:

  • ITOps: As the individual maintaining and supporting the Microsoft Exchange service across the enterprise, I need to have an accurate and real-time picture of services and ensure proper alerting and automation, along with machine learning and predictive analytics capabilities, to provide technology CIO and CTO leadership with visibility so our Business Leader customers have access to our service at all times.
  • CIO / CTO: As the technology leader responsible for delivering email, calendar, and communications across our organization, I need to have a dashboard and executive-level metrics to show the service level we are delivering, so I can balance distribution of ITOps resources and ensure our Business Leaders are getting the service we committed to providing.
  • Business Leader: As a business leader within our organization, I’m responsible for providing email, calendar, and communications services to our staff so we can be sure to deliver on and exceed the SLAs and SLOs established for our partners and customers.

This content pack is a replacement for the legacy Splunk App for Microsoft Exchange. It’s available for download through the ITSI Content Library, or through the content pack documentation. You can install it in your ITSI environment, see everything going on across your Microsoft Exchange environment, and find and fix issues with three clicks or less, all at no additional cost!

Splunk App for Microsoft Exchange

For the last three years, the Splunk App for Microsoft Exchange has served our customers well by providing visibility into the health and performance of their Microsoft Exchange environments. Splunk is now enhancing its capabilities to leverage the latest ITSI features, simplify the implementation, and speed up time to results. The app’s functionality will now be encompassed in an ITSI content pack. All you need to do is download the required add-on, install the content pack, and see results in minutes.

On April 30, 2021, we will end the sale of the Splunk App for Exchange. As an alternative, customers can choose between IT Essentials Work 4.9 and ITSI 4.9 (releasing early May), based on their requirements. Existing support contracts will be honored until their end date, providing sufficient time for current Splunk App for Exchange users to migrate to the new experience.

Customers that manage Splunk in their data centers can download IT Essentials Work for free from Splunkbase. Customers that use Splunk Cloud can request support-assisted installation for IT Essentials Work through the ticketing workflow. Splunk sales and customer success teams can help determine whether IT Essentials Work or ITSI is the right option moving forward.

ITSI Content Pack for Microsoft Exchange

The ITSI Content Pack for Microsoft Exchange provides the elements necessary to collect Exchange data from the hosts in your Microsoft Exchange server environment and monitor your various Exchange services such as database, transport, and performance metrics. The content pack provides preconfigured services with KPIs that monitor critical functions. It also includes a default entity type to help you group and analyze Exchange entities in your ITSI environment.  

The Content Pack for Microsoft Exchange relies on data from the Splunk Add-on for Microsoft Exchange, which collects Exchange data from the hosts in your Exchange server environment. 

The content pack provides a robust collection of results for you to best manage your Microsoft Exchange environment. The following are major associated capabilities that are covered later in more detail:

  • Services and KPIs
  • Entity type and vital metrics
  • Glass table

Services and KPIs

The Content Pack for Microsoft Exchange contains more than 64 services that represent different components of your Exchange server environment. A service is a logical mapping of IT objects that applies to your business goals such as an application, an infrastructure tier, or a single process running on a host. 

Some services are dependent on other services. Services contain KPIs which make it possible to monitor service health and ensure your IT operations are in compliance with business SLAs.

The following image shows the Microsoft Exchange Service Analyzer tree:

The content pack contains over 300 KPIs built using Microsoft best practices and Splunk research, each with configured thresholds and alerting rules. A KPI is a recurring saved search that returns the value of an IT performance metric and is used to monitor the health of a service. For more information about KPIs, see Overview of creating KPIs in ITSI in the Service Insights manual.

The following image shows the configuration of a KPI in the Content Pack for Microsoft Exchange. KPI alerting is enabled and aggregate thresholds are configured: 

Another great feature of the Content Pack for Microsoft Exchange is the preconfigured Service Analyzer view called Exchange Service Analyzer, which provides a visual representation of your Microsoft Exchange services and the dependencies between them. You can use this custom view to see the KPIs, entities, and most critical episodes associated with a service. 

The Exchange Service Analyzer is organized according to the following key components of Microsoft Exchange and its base metrics:

  1. Mailbox
  2. Client Access
  3. Legacy: POP3 and IMAP
  4. Base Metrics

The following image shows some of the services in the Content Pack for Microsoft Exchange, along with the quick-click capability to view associated KPIs, entities, and episodes:

Select an Exchange service in the dependency tree to investigate its associated KPIs and entities, and perform more granular root cause analysis of issues that arise. You can click View All to manage all critical and high episodes in Episode Review, or select an individual entity to view its health page.

For a reference of all KPIs included in the content pack as well as their descriptions, search schedules, and lookback times, see KPI reference for the Content Pack for Microsoft Exchange in the ITSI Content Packs manual.

Entity Types and Vital Metrics

The Content Pack for Microsoft Exchange includes a custom entity type called “Microsoft Exchange Host” which associates all Microsoft Exchange entities with each other. You can use this association to visualize and troubleshoot Exchange entities. For example, you can group entities by entity type in the Infrastructure Overview to visualize key metrics relating to the health of Exchange entities. 

Vital Metrics

The “Microsoft Exchange Host” entity type contains a set of vital metrics which describe the overall health of entities of that type, including things like average CPU processor time, average network utilization, and average available memory. You can view these metrics on the Entity Health page and drill down further into individual Exchange entities. 

The content pack ships with two custom dashboards for all Microsoft Exchange Host entities:

Event Data Search Dashboard

The Event Data Search dashboard displays the 100 most recent log events associated with an entity for the last 60 minutes. The dashboard provides a high-level overview of entity performance across your whole environment, regardless of the entity type you associated with the entity. 

Entity Analytics Dashboard

The Entity Analytics dashboard lets you analyze metrics and logs for specific entities in ITSI. You can populate the dashboard with metrics and logs according to analysis data filters ITSI associates with a given entity. 

You can optionally add, modify, or delete the preconfigured Microsoft Exchange Host entity type. For instructions to create and edit entity types, see Create custom entity types in ITSI.

For more information about the entity dashboards included in this content pack, see Monitor Exchange entities in the content pack documentation.

Episode Review

Some services in the Content Pack for Microsoft Exchange are configured to generate notable events when aggregate KPI threshold values reach specific levels. ITSI then aggregates these events into meaningful groups, or episodes. 

To monitor and investigate the episodes related to your Exchange environment, navigate to Episode Review. Episode Review provides a unified view of all your service-impacting episodes. You can drill down into individual episodes to perform more granular root cause analysis, such as viewing an events timeline or examining common fields. 

You can interact with an episode in a variety of ways, including the following:

  • Acknowledge it to indicate the episode has been identified and accepted.
  • Change the severity depending on the perceived impact on your organization.
  • Change the status to indicate its current place in the episode workflow.
  • Assign the episode to an individual or team for investigation and remediation.
  • Take a specific action on the episode, such as pinging a host or running a script. For an overview of all available actions you can take on an episode, see Take action on an episode in ITSI.

As an analyst, you can use Episode Review to gain insight into the severity of episodes occurring in your Microsoft Exchange environment. Use the console to triage new episodes, assign episodes to analysts for review, and examine episode details for investigative leads. 

For more information about Episode Review, see Overview of Episode Review in ITSI.

Glass Tables

The Content Pack for Microsoft Exchange includes several preconfigured glass tables you can use to monitor critical Exchange functions. Each glass table is specifically designed to deliver value to one of the following personas:

Business Leader

As a business leader, you’ll gain the most value from the Exchange Executive Overview glass table. You know the value of having Microsoft Exchange up and running efficiently and the impact it can have on your business, so the overall performance and availability metrics are the most valuable elements for you. These two key insights help you understand overall health and focus on where there might be availability concerns or performance problems. These insights are real-time and self-service, and even dynamic if you want to dive a little deeper. This glass table helps you quickly discover what’s going on across your Microsoft Exchange technology stack and lets you focus on running your business.


CIO / CTO

As a CIO or CTO, you’ll gain the most value from the Exchange Functional Overview glass table. It provides full visibility across your Microsoft Exchange service by breaking it down into four key components: mailbox, client access, transport, and legacy. This level of awareness and visibility helps you to more efficiently and proactively communicate about activities and events that impact your customers’ experience. It also helps you manage your resources and budget appropriately so you can effectively perform your essential functions.

IT Operations

As an IT operations engineer, you’ll gain the most value from the Exchange System Overview glass table. It will benefit you in your role as you seek to know not only the top-level service health, but also the details of each of the major components and sub-level services. With a few clicks you can identify root cause and remediate issues so they don’t impact your customers and their experience.

The following image shows the Exchange Executive Overview glass table:

For more information about glass tables, see Overview of the glass table editor in ITSI and the video Getting started with Splunk ITSI Glass Tables.

Install the Content Pack for Microsoft Exchange

Now that you know all about the Content Pack for Microsoft Exchange, it’s time to install it and start discovering its value yourself!

For detailed installation steps, see Install and configure the Content Pack for Microsoft Exchange.

Join us for a Tech Talk session on the Splunk ITSI Content Pack for Microsoft Exchange. Splunk Tech Talks are short, technical webinars for Splunk users. These 20-30 minute webinars are practitioner-based overviews with a live demo to highlight best practices, scenarios, and new functionality.

This blog post was authored by Todd DeCapua, IT Markets, Advisory Engineer, Splunk with special help from Marie Duran, Full Stack Developer, Splunk.

Todd DeCapua

Todd DeCapua is a passionate software executive, technology evangelist and business leader with extensive hands-on expertise.

Throughout his career, he has held various leadership and strategic roles in organizations like Splunk, JPMorgan Chase & Co., CSC, Hewlett Packard, Shunra Software, Vivit Worldwide, Apposite Technologies, TEDx Wilmington, ING Direct, Andersen Consulting, and more.

He is also an author and contributor, a well-known speaker and evangelist, and co-author of the O’Reilly published books titled “Effective Performance Engineering” and “Blockchain for the Enterprise”, and is now completing a book on ‘Data’ with Manning Publications.
