Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Upgrade the Splunk Add-on for Microsoft Cloud Services

The following migration guide is required for upgrading from version 4.0.1 or later. Upgrading from any version older than 3.0.0 requires a fresh installation of version 4.0.1 or later.

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services cannot be installed on the same Splunk platform instance as one that has the Microsoft Azure Add-on for Splunk installed.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 4.0.1 or later of the Splunk Add-on for Microsoft Cloud Services.

Standard Upgrade Guide

  1. Verify that you are running version 8.0.0 or later of the Splunk software.
  2. (Optional) Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
  3. Disable all your inputs before you upgrade the add-on. Otherwise, you might see errors in the log files, resulting in data loss against your already configured inputs.
  4. Upgrade to version 5.0.0 of the Splunk Add-on for Microsoft Cloud Services before upgrading to any later version.
  5. Upgrade the Splunk Add-on for Microsoft Cloud Services to the required version and follow the version-specific upgrade guide.
  6. Enable each desired input to start data collection. Enable Storage Blob inputs in small batches.

Upgrade to versions 5.x

Versions 5.1.0 and 5.2.0 are dependent on version 5.0 for upgrade. Upgrade to version 5.0 first before upgrading these versions. Please note that this dependency has been eliminated in versions 5.1.2 and 5.2.1. Please refer the release notes sections for more details.

This is a mandatory step before proceeding to any later version.

  1. Follow the Standard Upgrade Guide.
  2. After enabling the Storage Blob inputs, wait for the completion of file-based checkpoint to KV Store migration by following the successful migration notification in the Splunk Messages.
    1. The following SPL query is used to verify the successful KV Migration for Storage Blob inputs: search index=_internal source=*storage_blob* "Checkpoint has been migrated to KVstore".
    2. (Optional)This occurs when all Storage Blob inputs are successfully migrated from file-based checkpoint to the KV Store checkpoint and the customers are interested in deletion of stale file checkpoint entries. For more information, see the Configure Advanced settings in Splunk Add-on for Microsoft Cloud Services topic in this manual.

In version 5.2.x, Step 2 has been automated, resulting in the commencement of checkpoint deletion immediately upon successful completion of migration.

Upgrade to version 4.4.0 or later

  1. If Eventhub inputs were configured using a version earlier than 4.4.0 and any third-party apps that use Event Hub data formatting should follow the below-mentioned steps:
    1. Before upgrading, disable the Event Hub inputs.
    2. Upgrade the TA to the latest version.
    3. For the event hub inputs add event_format_flags = 1
    4. Enable the Event Hub inputs.
  2. While creating a new Event Hub input, add event_format_flags = 1 for the Apps which are dependent on the EventHub data formatting.

Upgrade to version 4.0.1 or later from any version older than 3.0.0

  1. Install the Splunk Add-on for Microsoft Cloud Services version 4.0.1 and later from the Splunk Web UI (make sure Upgrade App checkbox is selected).
  2. Restart the Splunk platform.
  3. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  4. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  5. Complete the authorization of your account by adding your account secret key/account token.
  6. Repeat the above steps for all inputs with alert signs against them.


In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services removes the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

Last modified on 05 February, 2024
Install the Splunk Add-on for Microsoft Cloud Services   Migrate from the Splunk Add-on for Microsoft Azure

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters