Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange



On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Upgrade the Splunk App for Microsoft Exchange

If you are using version 1.0 of the Splunk App for Microsoft Exchange and wish to upgrade to version 1.1, you must understand the changes between the previous version and this one. You must also follow some procedures to ensure that the new version of the app sees the existing data.

If your Splunk App for Microsoft Exchange deployment is large or complex, you might want to consult Splunk's Professional Services team for assistance.

Major differences between versions 1.0 and 1.1

The major differences between version 1.0 and 1.1 of the Splunk App for Microsoft Exchange are as follows:

  • While version 1.0 of the app uses one index, main, to store its data, version 1.1 of the app uses three indexes:
    • msexchange for the Exchange, IIS and other application logs
    • perfmon for the Performance monitoring logs
    • blackberry for the Blackberry Enterprise Server (BES) logs

The updated app will not see data in the main index without reconfiguration. Read the instructions below on how to reconfigure the app to look at the main index.

  • The forwarder application components (FACs), the directories within the app that begin with fwd_*, are deprecated and no longer needed. They are replaced by the technology add-ons (TAs), which perform the same function and are easier to install, deploy and configure.
  • The Splunk App for Microsoft Exchange now requires an updated version of the Sideview Utils app. Make sure that you upgrade Sideview Utils to version 1.2.5 before upgrading the Splunk App for Microsoft Exchange. Review "Platform and hardware requirements" for specifics on what needs to be installed, and where.

Upgrade version 1.0 to version 1.1

If you are doing an in-place upgrade of the Splunk App for Microsoft Exchange from version 1.0 to 1.1, follow the steps below to ensure that the updated version of the app is able to read data generated by the older version:

Remove the forwarder application components

The first step in reconfiguring the Splunk App for Microsoft Exchange is to remove all FACs from all of the servers in your Splunk App for Microsoft Exchange deployment. This prevents data from getting incorrectly indexed into the app after you upgrade. The FACs must be removed from every Exchange server on which you installed a universal forwarder, as well as the central Splunk App for Microsoft Exchange instance.

  • If you are running a deployment server, you can simply remove the fwd_* directories from %SPLUNK_HOME%\etc\deployment-apps on that server.
  • If you are not running a deployment server, you will need to manually remove the fwd_* components from %SPLUNK_HOME%\etc\apps on each server.
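
An added example, not part of the original Splunk documentation: a PowerShell function that lists and then removes the fwd_* directories from both locations named above. It assumes the SPLUNK_HOME environment variable is set (or that -SplunkHome is passed); the function name Remove-SplunkFac is hypothetical.

```powershell
# Added example: inventory and remove the deprecated forwarder application
# components (directories named fwd_*) before upgrading to version 1.1.
# Assumption: SPLUNK_HOME is set, or the install path is passed as -SplunkHome.
function Remove-SplunkFac {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$SplunkHome = $env:SPLUNK_HOME
    )

    if (-not $SplunkHome -or -not (Test-Path -LiteralPath $SplunkHome -PathType Container)) {
        throw "Splunk home directory not found: '$SplunkHome'"
    }

    # deployment-apps is populated on a deployment server; apps exists on every instance.
    $roots = 'etc\deployment-apps', 'etc\apps' |
        ForEach-Object { Join-Path $SplunkHome $_ } |
        Where-Object { Test-Path -LiteralPath $_ -PathType Container }

    foreach ($root in $roots) {
        # Match only direct children named fwd_*; never recurse into other apps.
        Get-ChildItem -LiteralPath $root -Directory -Filter 'fwd_*' | ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.FullName, 'Remove forwarder application component')) {
                Remove-Item -LiteralPath $_.FullName -Recurse -Force
            }
            # Emit one record per directory so the run can be logged and reviewed.
            [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Path     = $_.FullName
                Removed  = -not (Test-Path -LiteralPath $_.FullName)
            }
        }
    }
}

# Dry run first: reports what would be removed without deleting anything.
Remove-SplunkFac -WhatIf
```

Run it with -WhatIf on the deployment server, or on each Exchange server and the central instance, and rerun without -WhatIf once the reported paths are the ones you expect. A second run that returns no records confirms that no FACs remain on that host.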

Upgrade the Splunk App for Microsoft Exchange

Next, install the new Splunk App for Microsoft Exchange on the central Splunk instance (or on indexers and search heads) in the deployment.

  • Do not install the app on the universal forwarders on your Exchange servers.

Deploy the technology add-ons to the appropriate servers in your environment

Once you have removed the FACs, you must then deploy the technology add-ons as required to all servers in your Splunk App for Microsoft Exchange deployment.

Configure the Splunk App for Microsoft Exchange to include the 'main' index

The final step in upgrading the Splunk App for Microsoft Exchange is to reconfigure the upgraded app to include the main index, as well as the three new indexes, to store and retrieve data.

  • The new entries in eventtypes.conf must include both the main index and one of the msexchange, perfmon, or blackberry indexes, depending on the event types that you are changing.
Last modified on 24 January, 2012

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.1, 1.1.1, 1.1.4, 1.1.5, 1.1.6

