Upgrade the Splunk Add-on for Microsoft Office 365
Version 4.4.0 is not backward compatible, and downgrading from version 4.3.0 will result in complete data duplication due to major checkpoint changes.
After upgrading to version 4.4.0, inputs created with the same name but different content-types, or any input with a name that begins with "_", cannot be edited.
After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days. Restarting the Splunk platform or disabling the input can cause duplication of the management activity events that the add-on is collecting at that time.
If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.2.0 and higher. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 and Upgrade to version 4.1.0 sections of this topic. Use the following migration steps if you are facing high memory usage.
- Disable all Management Activity inputs.
- Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
- Install the add-on across your Splunk platform deployment.
- Enable one Management Activity input at a time.
- Confirm checkpoint migration for each input with the following information.
  - Check for the "Checkpoint Migration Completed Successfully" message in the UI.
  - Check for the "Completed KVStore Migration for Input: <input_name>" message in the internal logs.
- Repeat the above steps until each management activity input has been migrated successfully.
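One way to run the internal-log confirmation from the steps above across several inputs, as an added example that is not part of the add-on or its documentation. It matches the completion message on the exact input name, so an input whose name is a prefix of another is not counted as migrated by mistake; the input names, the log-line layout before the message, and the function names are assumptions.

```python
import re

# Completion message text as given on the page; the rest of a log line
# (timestamp, level, and so on) is not documented there and is ignored.
DONE = re.compile(r"Completed KVStore Migration for Input:\s*(\S+)")


def migrated_inputs(log_lines):
    """Return the set of input names that logged a completion message."""
    names = set()
    for line in log_lines:
        match = DONE.search(line)
        if match:
            # Assumption: input names contain no whitespace; trim quoting.
            names.add(match.group(1).strip("\"'.,"))
    return names


def migration_status(expected_inputs, log_lines):
    """Split the configured inputs into migrated and still pending."""
    done = migrated_inputs(log_lines)
    return {
        "migrated": [n for n in expected_inputs if n in done],
        "pending": [n for n in expected_inputs if n not in done],
        # Completion messages for inputs that are not in the expected list.
        "unexpected": sorted(done - set(expected_inputs)),
    }


def first_pending_input(expected_inputs, log_lines):
    """Input to confirm (or enable) next, or None when all are migrated."""
    pending = migration_status(expected_inputs, log_lines)["pending"]
    return pending[0] if pending else None


# Constructed sample lines; only the message text comes from the page.
SAMPLE_LOG = [
    "2024-01-01 10:00:00 INFO Starting input o365_audit",
    "2024-01-01 10:30:00 INFO Completed KVStore Migration for Input: o365_audit_exchange",
]
# Hypothetical input names; "o365_audit" is a prefix of the other two.
INPUTS = ["o365_audit", "o365_audit_exchange", "o365_audit_sharepoint"]

if __name__ == "__main__":
    print(migration_status(INPUTS, SAMPLE_LOG))
    print("confirm or enable next:", first_pending_input(INPUTS, SAMPLE_LOG))
```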
The following table displays the performance statistics of Splunk platform deployments when performing the upgrade steps for management activity inputs.
| Splunk Platform Version/Type | Memory | OS | Number of Inputs | Checkpoint Size Main Input (GB) | Checkpoint Size Other Input (individual) (GB) | Theoretical Memory Utilization (%) | Migration Time | CPU Utilization (AVG) | Memory Utilization (AVG) | KVStore Health Check | Migration Status | Additional Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8.x(Enterprise) | VCPU 2 / 8 GB | Linux | 1 | 1.1 | | 25 | | | | | Failed | At the time of migration, Memory Error when reading the checkpoint file. |
| 9.x(Enterprise/Heavy Forwarder) | VCPU 2 / 8 GB | Linux | 2 | 0.5 | 0.7 | 65 | Input 1 : 24m 20s; Input 1 : 32m 14s | ~45% | ~60% | Normal | Success | The migration process for both inputs ran in parallel. |
| 9.x(Enterprise) | VCPU 4 / 16 GB | Linux | 2 | 1.2 | 1.2 | 50 | Input 1: 53m 08s; Input 2: 51m 28s | ~50% | ~50% | Normal | Success | The migration process for both inputs ran sequentially. |
| 9.x(Enterprise/Heavy Forwarder) | VCPU 8 / 32 GB | Linux | 3 | 1.3 | 1.3 | 30 | Input 1: 01h 05m 56s; Input 2: 01h 02m 51s; Input 3: 01h 05m 43s | ~45% | ~60% | Normal | Success | Started checkpoint migration for 2 input parallel and it was successful. |
| 8.x(Victoria) | VCPU 8 / 32 GB | Linux | 5 | 10 | 3 | 80 | Input 1: ~ 01h; Input 2: ~ 01h; Input 3: ~ 01h; Input 4: ~ 45m; Input 5: ~ 45m | | | Normal | Success | Started with 2 main inputs, then 3 inputs, and then the migration was complete. |
Upgrade to version 4.1.0
After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment's memory/CPU resources.
If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.1.0 and above. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 section of this topic.
- Disable all inputs.
- Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
- Install the add-on across your deployment.
- For existing tenants configured with Cloud App Security Token, a warning sign will appear with a message to re-enter the tenant's Cloud App Security Token. To mitigate the warning, edit that tenant and re-enter your Cloud App Security Token.
  On submitting a new Cloud App Security Token, if you are not allowed to proceed due to any validation errors, delete your tenant by clicking the "Delete" button and reconfigure the new tenant.
- Enable all the configured inputs to resume the data collection.
Upgrade to version 2.0.0
If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 2.0.0 and later.
- Disable all inputs.
- Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
- Install the add-on across your deployment.
- Re-enter the tenant's client secrets and proxy passwords.
  If an alert appears that says Re-enter client secret before the Edit button, update all applicable tenants in your environment.
  If you submit a new secret and you are not allowed to proceed without also entering a Cloud Application Security Token, delete your tenant from your splunk_ta_o365_tenants.conf file and create a new one.
- Enable all the configured inputs to resume the data collection.
For Python 3 guidance on upgrading your Splunk Enterprise deployment to version 8.0.0 and above, see the Choose your Splunk Enterprise upgrade path for the Python 3 migration topic in the Splunk Enterprise manual.
This documentation applies to the following versions of Splunk® Supported Add-ons: released