Splunk® Supported Add-ons

Splunk Add-on for Microsoft Cloud Services

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Upgrade the Splunk Add-on for Microsoft Cloud Services

The following migration guide is required for upgrading from version 4.0.1 or later. Upgrading from any version older than 3.0.0 requires a fresh installation of version 4.0.1 or later.

After upgrading to version 5.0.0 or later of this add-on, you might observe a rise in the usage of memory and CPU resources within your deployment.

Version 4.1.0 of the Splunk Add-on for Microsoft Cloud Services cannot be installed on the same Splunk platform instance as one that has the Microsoft Azure Add-on for Splunk installed.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing version 4.0.1 or later of the Splunk Add-on for Microsoft Cloud Services.

Standard Upgrade Guide

  1. Verify that you are running version 8.0.0 or later of the Splunk software.
  2. (Optional) Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
  3. Disable all your inputs before you upgrade the add-on. Otherwise, you might see errors in the log files, resulting in data loss against your already configured inputs.
  4. Upgrade the Splunk Add-on for Microsoft Cloud Services to the required version and follow the version-specific upgrade guide.
  5. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  6. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  7. Complete the authorization of your account by adding your account secret key/account token.
  8. Repeat the above steps for all inputs with alert signs against them.
  9. Enable each desired input to start data collection. Enable Storage Blob inputs in small batches.

Upgrade to version 5.0.0 or later

  1. Follow the Standard Upgrade Guide
  2. After enabling the Storage Blob inputs, wait for the completion of file-based checkpoint to KV Store migration by following the successful migration notification in the Splunk Messages.
  3. Once all Storage Blob inputs are successfully migrated from file-based checkpoint to KV Store checkpoint and the environment is stable, then enable the Allow Storage Blob Deletion option in the Configuration -> Advanced tab to start the deletion of checkpoint files. It will delete the files gradually in the subsequent input executions.
  4. Check the successful deletion of files for inputs in the logs using the below search query.

search index=_internal source=*storage_blob* "Checkpoint has been migrated to KVstore"

Upgrade to version 4.4.0 or later

  1. If Eventhub inputs were configured using a version earlier than 4.4.0 and any third-party apps that use Event Hub data formatting should follow the below-mentioned steps:
    1. Before upgrading disable the Event Hub inputs.
    2. Upgrade the TA to the latest version.
    3. For the event hub inputs add event_format_flags = 1
    4. Enable the Event Hub inputs.
  2. While creating a new Event Hub input, add event_format_flags = 1 for the Apps which are dependent on the EventHub data formatting.

Upgrade to version 4.0.1 or later from any version older than 3.0.0

  1. Install the Splunk Add-on for Microsoft Cloud Services version 4.0.1 and later from the Splunk Web UI (make sure Upgrade App checkbox is selected).
  2. Restart the Splunk platform.
  3. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  4. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  5. Complete the authorization of your account by adding your account secret key/account token.
  6. Repeat the above steps for all inputs with alert signs against them.


In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services removes the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

Last modified on 12 September, 2023
PREVIOUS
Install the Splunk Add-on for Microsoft Cloud Services 		  NEXT
Migrate from the Splunk Add-on for Microsoft Azure

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters