Splunk® Supported Add-ons

Splunk Add-on for Microsoft Office 365

Upgrade the Splunk Add-on for Microsoft Office 365

Version 4.4.0 is not backward compatible, and downgrading from version 4.3.0 will result in complete data duplication due to major checkpoint changes.

After Upgrading to version 4.4.0, inputs created with the same name but different content-types, or any input with a name that begins with "_", cannot be edited.

After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days. Restarting the Splunk platform or disabling the input can cause duplication of management activity events that TA would be collecting at that time.

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.2.0 and higher. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 and Upgrade to version 4.1.0 section of this topic. Follow the following migration steps if you are facing high memory usage.

  1. Disable all Management Activity Inputs.
  2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
  3. Install the add-on across your Splunk platform deployment.
  4. Enable one Management Activity input at a time.
    • Confirm Checkpoint migration for each input with the following information.
    • Check for the Checkpoint Migration Completed Successfully message in the UI.
    • Check for the Completed KVStore Migration for Input: <input_name> message log in the internal logs. Completed KVStore Migration for Input: <input_name>
  5. Repeat the above steps until each management activity input has been migrated successfully.

The following table displays the performance statistics of Splunk platform deployments when performing the upgrade steps for management activity inputs.

Splunk Platform

Version/Type

Memory OS Number of Inputs Checkpoint Size

Main Input (GB)

Checkpoint Size

Other Input (individual) (GB)

Theoretical Memory Utilization (%) Migration Time CPU Utilization(AVG) Memory Utilization(AVG) KVStore Health Check Migration Status Additional Comments
8.x(Enterprise) VCPU 2 / 8 GB Linux 1 1.1 25 Failed At the time of migration, Memory Error when reading the checkpoint file.
9.x(Enterprise/Heavy Forwarder) VCPU 2 / 8 GB Linux 2 0.5 0.7 65 Input 1 : 24m 20s

Input 1 : 32m 14s

~45% ~60% Normal Success The migration process for both inputs ran in parallel.
9.x(Enterprise) VCPU 4 / 16 GB Linux 2 1.2 1.2 50 Input 1: 53m 08s

Input 2: 51m 28s

~50% ~50% Normal Success The migration process for both inputs ran sequentially.
9.x(Enterprise/Heavy Forwarder) VCPU 8 / 32 GB Linux 3 1.3 1.3 30 Input 1: 01h 05m 56s

Input 2: 01h 02m 51s Input 3: 01h 05m 43s

~45% ~60% Normal Success Started checkpoint migration for 2 input parallel and it was successful.
8.x(Victoria) VCPU 8 / 32 GB Linux 5 10 3 80 Input 1: ~ 01h

Input 2: ~ 01h Input 3: ~ 01h Input 4: ~ 45m Input 5: ~ 45m

Normal Success Started with 2 main inputs, then 3 inputs, and then the migration was complete.



Upgrade to version 4.1.0

After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment's memory/CPU resources.

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.1.0 and above. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 section of this topic.

  1. Disable all inputs.
  2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
  3. Install the add-on across your deployment.
  4. For existing tenants configured with Cloud App Security Token, a warning sign will appear with a message to re-enter the tenant's Cloud App Security Token. To mitigate the warning, edit that tenant and re-enter your Cloud App Security Token.
    On submitting a new Cloud App Security Token, if you are not allowed to proceed due to any validation errors, delete your tenant by clicking the "Delete" button and reconfigure the new tenant.
  5. Enable all the configured inputs to resume the data collection.

Upgrade to version 2.0.0

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 2.0.0 and later.

  1. Disable all inputs.
  2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
  3. Install the add-on across your deployment.
  4. Re-enter the tenant's client secrets and proxy passwords.
    If an alert appears that says Re-enter client secret before the Edit button, update all applicable tenants in your environment.
    If you submit a new secret, and you are not allowed to proceed without also entering a Cloud Application Security Token. delete your tenant from your splunk_ta_o365_tenants.conf file, create a new one.
  5. Enable all the configured inputs to resume the data collection.

For Python 3 guidance on upgrading your Splunk Enterprise deployment to version 8.0.0 and above, see the Choose your Splunk Enterprise upgrade path for the Python 3 migration topic in the Splunk Enterprise manual.

Last modified on 17 September, 2024
Install the Splunk Add-on for Microsoft Office 365   Configure an integration application in Azure AD for the Splunk Add-on for Microsoft Office 365

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters