Content Pack for Microsoft Exchange

Content Pack for Microsoft Exchange

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Migrate from the Splunk App for Microsoft Exchange to the Content Pack for Microsoft Exchange

Dashboards of Splunk App for Microsoft Exchange are packaged and available in Splunk App for Content Packs. Based on the use case scenarios for the dashboards, these dashboards have been packaged in the following two content packs:

Depending on the scenario that you're using Splunk App for Microsoft Exchange for, you may want to use one or both of the above mentioned Content Packs.

Users of ITSI version 4.9.0 or higher, or IT Essentials Work version 4.9.0 or higher, can migrate from the legacy app to the content pack to take advantage of a consolidated experience. In addition, migrating means you can upgrade all content packs by upgrading the one app, the Splunk App for Content Packs.

Refer to the following table to compare the features of the app versus the content pack:

Feature Splunk App for Microsoft Exchange Splunk Content Pack for Microsoft Exchange Splunk Content Pack for Windows Dashboards and Reports
Installation and Configuration Manual Automatic with Splunk App for Content Packs Automatic with Splunk App for Content Packs
Built-in Microsoft Best Practices No Yes Yes
Dashboards Yes - Exchange + Windows + Active Directory use case Yes - Exchange use case Yes - Windows use case + Active Directory
Entity Types 0 0 1
Glass Tables 0 3 0
KPIs 0 440 0
Services 0 64 0


On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to the Content Pack for Microsoft Exchange.

If you are currently using the Splunk App for Microsoft Exchange your deployment might look like the following image:

This image is a diagram of a pre-migration to the content pack deployment. A series of connected boxes represent different parts of a deployment and include the Exchange Forwarders, Indexers, and Search Heads. Review the table that follows for more info.
Exchange forwarder Indexer Search head
Splunk Add-on for Microsoft Exchange
Splunk Add-on for Windows
Splunk App for Microsoft Exchange
Splunk Supporting Add-on for Active Directory

You can review the dashboards included in the Content Pack for Microsoft Exchange before you migrate. See, Dashboard reference for the Content Pack for Microsoft Exchange.

Migration steps for Cloud environments

For migration on Cloud, file a ticket on the Splunk Support Portal in the Support and Services section. Splunk Cloud TechOps personnel will assist you with the migration from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange. Follow the steps mentioned in the sub-sections below to update the configurations (in the case of custom index usage), and access the dashboards.

Update configuration and access dashboards for Microsoft Exchange

If you are ingesting Exchange data in custom indexes other than the default indexes used by Splunk Add-on for Microsoft Exchange and Splunk App for Microsoft Windows, then perform the following steps after your stack is migrated from Splunk App for Microsoft Exchange to Splunk App for Content Packs (which includes the Content Pack for Windows Dashboards and Reports and the Content Pack for Microsoft Exchange).

  1. Open the Splunk IT Essentials Work or Splunk IT Service Intelligence application.
  2. Navigate to Settings > Event types.
  3. Search for the respective Event type in Search bar mentioned in the RHS column of the table.
  4. Click on Event type.
  5. Update the definition with the custom index value.
Type of data ingested from Splunk Add-on for Microsoft Exchange/Splunk Add-on for Microsoft Windows in custom index Corresponding Eventtype to be configured in Microsoft Exchange Content Pack to configure custom indexes Example value for Eventtype
Wineventlog data wineventlog-index index = custom_index1 AND index = custom_index2
Perfmon data msperfmon-index index = custom_index1 AND index = custom_index2
MSAD data msad-index index = custom_index1 AND index = custom_index2
Windows data windows-index index = custom_index1 AND index = custom_index2
MS Exchange data msexchange-index index = custom_index1 AND index = custom_index2

After you perform the steps above, you can use the knowledge objects included in the Content Pack for Microsoft Exchange. For a list of the included dashboards, see Dashboard reference for the Content Pack for Microsoft Exchange.

Update configuration and access the dashboards for Windows

For an explanation of how to update the configuration of and access to dashboards for Windows, see the "Update configuration and access the dashboards" section of Migration for cloud environments in the Content Pack for Windows Dashboards and Reports.

Migration steps for on-premises standalone or distributed environments

You can migrate from Splunk App for Microsoft Exchange to the Content Pack for Microsoft Exchange by following the procedures in this section.

Before you migrate

Before migrating to Content Pack for Microsoft Exchange, make sure to follow the steps below to make a backup of your custom configurations and lookups.

  1. Make a backup of the directories below present in the splunk_app_microsoft_exchange package in $SPLUNK_HOME/etc/apps on each search head:
    • /local directory which contains all the local configurations under conf files
    • /lookups directory which contains the CSV lookups
  2. Make a backup of the KV Store lookups present in the app:
    1. Identify the KV store captain from each search head (perform this step if you have multiple search heads in your environment):
      $SPLUNK_HOME/bin/splunk show kvstore-status
    2. Log in to the KV store captain search head and run the following command:
      $SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_microsoft_exchange_kvstore_backup -appName splunk_app_microsoft_exchange
    3. Identify the latest backup in $SPLUNK_HOME/var/lib/splunk/kvstorebackup and copy the splunk_app_microsoft_exchange_kvstore_backup.tar.gz backup file to $SPLUNK_HOME/tmp. This archive file will be required to restore the App lookup data during migration.
  3. Perform the following steps on each role present in the instance.
    1. Navigate to Settings > Roles.
    2. Click on Edit > Edit.
    3. Navigate to Assign Roles.
    4. Deselect the exchange-admin role in the inheritance tab if it is selected.
    5. Click on Save.
  4. Perform the following steps on each user inheriting the exchange-admin role.
    1. Navigate to Settings > Users.
    2. Click on Edit > Edit.
    3. Navigate to Assign Roles.
    4. From Selected item(s) > Remove exchange-admin role.
    5. Click on Save.

If you are currently using the Splunk App for Microsoft Exchange, your deployment setup might resemble the following table:

Data collection node (forwarder) Indexer Search head
Splunk Add-on for Windows
Splunk App for Microsoft Exchange
Splunk Supporting Add-on for Active Directory

Steps to migrate from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange

Follow these steps to migrate from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange. Be sure to make a backup of existing lookups and custom configurations before you migrate, as described in Before you migrate.

  1. Perform the following steps on each search head present in your deployment to disable the Splunk App for Microsoft Exchange:
    1. Navigate to {SPLUNK_HOME}/etc/apps/splunk_app_microsoft_exchange/local/app.conf (create app.conf file in local directory if it is not present) and edit the "state" property of "install" stanza as mentioned below:
      [install]
      state = disabled
    2. Restart the instance:
      $SPLUNK_HOME/bin/splunk restart
  2. Install ITSI or IT Essentials Work on the same search head with Exchange data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
  3. Install the Splunk App for Content Packs according to your type of deployment:

When you've completed the previous steps, the deployment is installed as shown in the following table:

Data collection node (forwarder) Indexer Search head
Splunk Add-on for Windows
ITSI or IT Essentials Work
Splunk App for Microsoft Exchange Disabled
Splunk App for Content Packs
Splunk Supporting Add on For Active Directory

After following the previous steps, the deployment looks like the following image:

This image is a diagram of a post-migration to the content pack deployment. A series of connected boxes represent different parts of a deployment and include the Exchange Forwarders, Indexers, and Search Heads. Review the table that follows for more info.

After you install the Splunk App for Content Packs with Content Pack for Microsoft Exchange and Content Pack for Windows Dashboards and Reports

  1. Restore the backup of the KV Store lookup:
    1. Identify the KV store captain from different search heads. (Perform this step if the you have a search head cluster deployment). For a single search head deployment, the only search head will be the KV store captain:
      $SPLUNK_HOME/bin/splunk show kvstore-status
    2. If KV store captain is changed, then move the KV store backup file from the old KV store captain to the current KV store captain. Run the following command on the search head where KV store backup taken as part of the Before you migrate section:
      scp /path_of_splunk_app_microsoft_exchange_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
    3. On your current KV store captain, untar the backup tar file:
      tar -xzvf $SPLUNK_HOME/tmp/splunk_app_microsoft_exchange_kvstore_backup.tar.gz
    4. Rename the folder name:
      mv $SPLUNK_HOME/tmp/splunk_app_microsoft_exchange $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange
    5. Tar the upgraded folder name:
      tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz DA-ITSI-CP-microsoft-exchange
    6. Rename the folder name:
      mv $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards
    7. Tar the upgraded folder name:
      tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz DA-ITSI-CP-windows-dashboards
    8. Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz file in $SPLUNK_HOME/var/lib/splunk/kvstorebackup.
    9. Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz file in $SPLUNK_HOME/var/lib/splunk/kvstorebackup.
    10. Restore the backup for Content Pack for Microsoft Exchange content pack
      splunk restore kvstore -archiveName DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz -appName DA-ITSI-CP-microsoft-exchange
    11. Restore the backup for Content Pack for Windows Dashboards and Reports content pack
      splunk restore kvstore -archiveName DA-ITSI-CP-windows-dashboards_kvstore_backup.tar.gz -appName DA-ITSI-CP-windows-dashboards
  2. Perform the steps below on each search head present in your deployment:
    1. Move the following directories from the App package to DA-ITSI-CP-microsoft-exchange folder that are backed up as part of the Before you migrate section:
      • /local directory collected from the app which contains all the local configurations of the app
      • /lookups directory
    2. Remove app.conf file from local directory.
    3. Remove msftapps_exchange_setup.conf file from local directory.
    4. Remove splunk_msftapp.conf file from local directory.
    5. Restart the instance: $SPLUNK_HOME/bin/splunk restart
  3. If you are ingesting the Exchange data in custom indexes other than the default indexes used by Splunk Add-on for Microsoft Exchange and Splunk App for Microsoft Windows, then perform the following steps after your stack is migrated from Splunk App for Microsoft Exchange to Splunk App for Content Packs (with the Content Pack for Windows Dashboards and Reports and Content Pack for Microsoft Exchange).
    1. Go to Splunk IT Essentials Work or Splunk IT Service Intelligence.
    2. Navigate to Settings > Event types
    3. Search for Event type in the Search bar mentioned in the RHS column of the table
    4. Click on Event type
    5. Update the definition with the custom index value
Type of data ingested from Splunk Add-on for Microsoft Exchange/Splunk Add-on for Microsoft Windows in custom index Corresponding Eventtype to be configured in Microsoft Exchange Content Pack to configure custom indexes Example value for Eventtype
Wineventlog data wineventlog-index index = custom_index1 AND index = custom_index2
Perfmon data msperfmon-index index = custom_index1 AND index = custom_index2
MSAD data msad-index index = custom_index1 AND index = custom_index2
Windows data windows-index index = custom_index1 AND index = custom_index2
MS Exchange data msexchange-index index = custom_index1 AND index = custom_index2
Type of data ingested from Splunk Add-on for Microsoft Windows in custom index Corresponding Eventtype to be configured in Windows Dashboards and Reports Content Pack to configure custom indexes Example value for Eventtype
Wineventlog data wineventlog_index_windows index = custom_index1 AND index = custom_index2
Perfmon data perfmon_index_windows index = custom_index1 AND index = custom_index2
MSAD data msad_index_windows index = custom_index1 AND index = custom_index2
Windows data windows-index index = custom_index1 AND index = custom_index2

The searches of the Splunk App for Microsoft Exchange use a macro-based index, but searches of Content Pack for Microsoft Exchange contain eventtype-based specifications. You will need to configure corresponding eventtype indexes after migrating to Content Pack for Microsoft Exchange.

For more information about configuring eventtype indexes, see Set up multiple indexes.

Install and configure the Content Pack for Microsoft Exchange

Dashboards present in the Splunk App for Microsoft Exchange are installed by default in Content Pack for Microsoft Exchange. Follow the steps below to enable the Savedsearches used by Content Pack Dashboards and ITSI objects, and install additional ITSI objects provided by Content Pack:

  1. Make sure that the Exchange data collected using Splunk Add-on for Microsoft Exchange is searchable from the search head where you installed the Splunk App for Content Packs.
  2. Follow the steps to install and configure the Content Pack for Microsoft Exchange.
  3. Access the dashboards of Microsoft Exchange Content Pack by opening Dashboards > Dashboards from ITSI or IT Essentials Work. The dashboards listed with App name of DA-ITSI-CP-microsoft-exchange are from the Content Pack. Select the name of the dashboard you want to open.

Install and configure the Content Pack for Windows Dashboards and Reports

Dashboards present in the Splunk App for Windows Infrastructure are installed by default in Content Pack for Windows Dashboards and Reports. Follow the below steps to enable the Savedsearches used by Content Pack Dashboards and ITSI objects, and install additional ITSI objects provided by Content Pack.

  1. Make sure that the Windows data collected using Splunk Add-on for Microsoft Windows is searchable from the search head where you installed the Splunk App for Content Packs.
  2. Follow the steps to install and configure the Content Pack for Windows Dashboards and Reports.
  3. Access the dashboards of Windows Dashboards and Reports Content Pack by opening Dashboards > Dashboards from ITSI or IT Essentials Work. The dashboards listed with App name of DA-ITSI-CP-windows-dashboards are from the Content Pack. Select the name of the dashboard you want to open.

Access the Microsoft Exchange dashboards in the content pack

To access the dashboards from the Content Pack for Microsoft Exchange:

  1. In Splunk Web, open ITSI or IT Essentials Work.
  2. From the main navigation bar choose Dashboards > Dashboards.
  3. From the list of dashboards, those with the App name of DA-ITSI-CP-microsoft-exchange are from the Content Pack for Microsoft Exchange. Select the name of the dashboard you want to open.
Last modified on 08 September, 2023
PREVIOUS
Install and configure the Content Pack for Microsoft Exchange 		  NEXT
Use the Content Pack for Microsoft Exchange

This documentation applies to the following versions of Content Pack for Microsoft Exchange: 1.5.1, 1.6.0

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters