Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

Acrobat logo Download manual as PDF


On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Release notes

This topic contains information on new features, known issues, and updates as we version the Splunk App and Technology Add-ons for Microsoft Exchange.

The latest version of the Splunk App for Microsoft Exchange was released on July 18, 2016.

What's new

Here's what's new in the latest version of the Splunk App for Microsoft Exchange:

Publication date Defect number Description
2016-7-11 TAG-11164, 11165 The app no longer includes the Splunk Add-ons for Microsoft Active Directory (TA-DomainController*) or Windows DNS (TA-DNSServer*). These add-ons now have new names and are available from Splunkbase as separate downloads (TA-Microsoft-AD for the Microsoft Active Directory add-on and TA-Microsoft-DNS for the Windows DNS add-on.) You must download and install them separately for the Splunk App for Microsoft Exchange to continue working. See Upgrade from version 3.2.x for the upgrade procedure.
2016-7-11 EXC-1970 The Splunk Add-ons for Microsoft Exchange that came with the app have been merged into the following:
  • TA-Exchange-Mailbox - For all supported versions of Exchange Server that hold the Mailbox Store role.
  • TA-Exchange-ClientAccess - For all supported versions of Exchange Server that hold the Client Access Server role.
  • TA-Exchange-HubTransport - For all supported versions of Exchange Server that hold the Hub Transport role.
  • TA-Windows-Exchange-IIS - For all supported versions of Exchange Server.

The add-ons no longer come with the app, and instead are available on Splunkbase. See Upgrade from version 3.2.x for instructions on how to upgrade the add-ons.

2016-7-11 EXC-1940 The app now displays all Exchange mailboxes that have been configured with inbox rules.
2016-7-11 EXC-880 Some dashboards for the Splunk App for Microsoft Exchange now have time pickers that let you control how much data the dashboards can display. Default time periods for these dashboards have been reduced from 24 hours to 4 hours. This reduces the amount of time it takes for those dashboards to display data.
2016-7-11 EXC-293, 363, 372, 550, 880, 1946 Some dashboards for the Splunk App for Microsoft Exchange have received additional updates to text, graphics, or other controls. The Reference Manual has been updated with these changes.

Current known issues

The Splunk App for Microsoft Exchange has the following known issues:

-
Publication date Defect number Description
2016-6-23 EXC-1981 Some drop-down lists do not populate for selection in app dashboards.
2016-5-11 EXC-1967 The app displays an error "Your license for Splunk App for Microsoft Exchange has expired or cannot be found" even though a valid license is present.
2015-5-29 EXC-759, 1816 Summary indexes that the app creates on a Splunk Enterprise 6.1 indexer do not return correct results when they are searched by a Splunk Enterprise 6.2 search head.
2016-5-20 EXC-1971 Exchange overview and Dashboard> Views display is blank under IE11. IE11 Debugger console shows error: "Object doesn't support property or method 'startsWith' . Related to %SPLUNK_HOME%\etc\apps\splunk_app_microsoft_exchange\appserver\templates\navredirect.tmpl Contact Support for updated navredirect.tmpl
2014-12-29 EXC-759 When you use the app on a Splunk Enterprise instance that has been configured for single sign on, some icons in the Overview page do not appear.
2016-2-29 TAG-10770 When you upgrade to Splunk Enterprise 6.3.3 or later, Splunk Enterprise generates the following messages on startup:

Invalid key in stanza [ui] in /opt/splunk/etc/apps/splunk_app_microsoft_exchange/default/app.conf, line 15: attribution_link (value: app.attributions). Your indexes and inputs configurations are not internally consistent. For more information, run 'splunk btool check --debug'

These messages can be safely ignored.

2016-2-29 TAG-10754 The PowerShell script within the TA-DomainController-2012R2 add-on does not exit after execution.
2016-2-29 TAG-10742 The app displays a 404 error during first-time setup even though data that the app needs is available and can be searched with the Search and Reporting app.
2016-2-29 TAG-10622 Some of the lookup files in the app are empty and this causes Splunk Enterprise to throw errors in splunkd.log such as WARN SearchResults - D:\Splunk\etc\apps\splunk_app_microsoft_exchange\ lookups\windows_processes_process.csv is empty, multi-line header is missing matching quotation, or could not parse CSV header.
2016-2-29 TAG-10588 The app incorrectly counts Kerberos events (such as Event Log ID 4768) as failed authentication events.
2016-2-29 TAG-10497 The msad-nt6-disabled-logons event type looks for Event Log ID 4625 events with status code C000006E (which translates to "invalid user name or bad password") instead of the correct status code C000006D.
2016-2-29 TAG-10484 The app menu bar does not appear regardless of browser; the app logs a message like the following in splunkd.log: appnav:379 - An unknown view name "setup" is referenced in the navigation definition for "splunk_app_windows_infrastructure".
2015-11-12 TAG-9913 The "User" panel of the "Account Lockout Activity" page only shows the latest entry for a user lockout regardless of the number of lockouts a user might have.
2015-11-12 TAG-9555 The split_ldapgroup macro does not split out the member list correctly. This affects the member list panel in the Active Directory > Groups > Group Audit dashboard.
2015-11-12 TAG-9508 The app causes search heads that run Hunk to generate errors because Hunk attempts to search both real and virtual indexes.

Change log (what's been fixed)

Publication date Defect number Description
2016-7-11 EXC-1976 In Splunk version 6.4.x, the Exchange Service Analyzer page now loads properly when you run the app.
2016-7-11 EXC-1957 A saved search "Exchange Service Analyzer - Unfilled Host-Service-Component Lookup" that generated lookup errors has been removed.
2016-7-11 EXC-1955 The TA-Exchange-MailboxStore add-on now extracts email-based field data properly.
2016-7-11 EXC-1954 The TA-Exchange-MailboxStore and TA-Exchange-ClientAccess add-ons now generate events with a sourcetype of MSExchange:2013:AdminAudit.
2016-7-11 EXC-1951 In the Host Overview dashboard, the "Exchange Version" dropdown and ExchangeVersion columns no longer display blank entries for hosts that run Exchange Server 2016.
2016-7-11 EXC-1944, 1945, 1946, 1950 The "Exchange -> Administrative Reports -> Anomalous Logons" and "Exchange -> Capacity Planning -> Unused Mailboxes" dashboards now populate properly because a macro that drives both has been fixed.
2016-7-11 EXC-613, 1949 The license check for the app now relies on a formula that includes license_usage.log rather than metrics.log.
2016-7-11 EXC-838, 1948 Exchange license violations can now be reset in both Splunk Enterprise and Splunk Cloud.
2016-7-11 EXC-1942 The "Analyze a User Mailbox" dashboard panel now uses more sensible column names to describe mailbox properties and values.
2016-7-11 EXC-1941 The "Host Performance" dashboard panel no longer displays a blank panel that shows "Search is waiting for input..." when you click on a host field in the dashboard.
2016-7-11 EXC-550 The "Windows Updates and Host Downtime" dashboard no longer shows all hosts as being down.
2016-7-11 EXC-549 The app no longer crashes Splunk Enterprise because of a large lookup file.
2016-7-11 EXC-539 The "Average Mailbox Size" graph on the "User Population" page now properly displays units.
2016-7-11 EXC-534 A problem with case on the Domain Controller status page has been fixed.
2016-7-11 EXC-468 The Service Analyzer Mailbox page no longer displays service components that have been disabled.
2016-7-11 EXC-430 The app no longer generates an error AttributeError: 'NonType' object has no attribute 'group' in useragent.py.
2016-7-11 EXC-398 In the Perfmon dashboard, two performance counters with similar names in the dashboard have been renamed for clarity.
2016-7-11 EXC-372 The "DNS Zone Information > Zone Settings" dashboard panel now uses more sensible column names to describe DNS zone setting properties and values.
2016-7-11 EXC-348 The Administrator Logons page no longer shows "No results found" even when there have been administrator logins.
2016-7-11 EXC-302 Some color schemes for the Composite page have been updated, and formatting for large values in value boxes has been changed.
2016-7-11 EXC-293 The "Analyze Logs" and "Inspect Host" buttons on the Composite page now display properly (previously, they said "Inspect Logs" and "Analyze Host".)
Last modified on 31 July, 2016
PREVIOUS
Best practices guide 		  NEXT
Known Issue: Disable Transport Handling and Mailbox components in Service Analyzer for Exchange Server 2007 and Server 2010 environments

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.3.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters