
Migrate from the Splunk App for Microsoft Exchange to the Content Pack for Microsoft Exchange
The Content Pack for Microsoft Exchange replicates the dashboards and reports available in the Splunk App for Microsoft Exchange. Users of ITSI version 4.9.0 or higher, or IT Essentials Work version 4.9.0 or higher can migrate from the legacy app to the content pack to take advantage of a consolidated experience. In addition, migrating means you can upgrade all content packs by upgrading the one app, the Splunk App for Content Packs.
Refer to the following table to compare the features of the app versus the content pack:
Feature | Splunk App for Microsoft Exchange | Splunk Content Pack for Microsoft Exchange |
---|---|---|
Installation and Configuration | Manual | Automatic with Splunk App for Content Packs |
Built-in Microsoft Best Practices | No | Yes |
Dashboards | 48 | 48 |
Glass Tables | 0 | 3 |
KPIs | 0 | 440 |
Services | 0 | 64 |
On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to the Content Pack for Microsoft Exchange.
If you are currently using the Splunk App for Microsoft Exchange your deployment might look like the following image:
Exchange forwarder | Indexer | Search head | |
---|---|---|---|
Splunk Add-on for Microsoft Exchange | ✓ | ✓ | |
Splunk Add-on for Windows | ✓ | ✓ | ✓ |
Splunk App for Microsoft Exchange | ✓ | ||
Splunk Supporting Add-on for Active Directory | ✓ |
You can review the dashboards included in the Content Pack for Microsoft Exchange before you migrate. See Dashboard reference for the Content Pack for Microsoft Exchange.
Migration steps for Cloud environments
For migration on Cloud, file a ticket on the Splunk Support Portal in the Support and Services section. Splunk Cloud TechOps will assist you with the migration from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange.
Migration steps for on-premises standalone or distributed environments
You can migrate from Splunk App for Microsoft Exchange to the Content Pack for Microsoft Exchange by following the procedures in this section.
Before you migrate
Before migrating to Content Pack for Microsoft Exchange, make sure to follow the steps below to make a backup of your custom configurations and lookups.
- Make a backup of the following directories in the splunk_app_microsoft_exchange package in $SPLUNK_HOME/etc/apps on each search head:
  - /local directory, which contains all the local configurations under conf files
  - /lookups directory, which contains the CSV lookups
  - /metadata/local.meta directory, which contains the updated permissions for the Knowledge Objects
- Make a backup of the KV Store lookups present in the app:
  - Identify the KV store captain from each search head (perform this step if you have multiple search heads in your environment):
    $SPLUNK_HOME/bin/splunk show kvstore-status
  - Log in to the KV store captain search head and run the following command:
    $SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_microsoft_exchange_kvstore_backup -appName splunk_app_microsoft_exchange
  - Identify the latest backup in $SPLUNK_HOME/var/lib/splunk/kvstorebackup and copy the splunk_app_microsoft_exchange_kvstore_backup.tar.gz backup file to $SPLUNK_HOME/tmp. This archive file will be required to restore the App lookup data during migration.
- Perform the following steps on each user inheriting the exchange-admin role:
  - Navigate to Settings > Users.
  - Click on Edit > Edit.
  - Navigate to Assign Roles.
  - From Selected item(s) > Remove exchange-admin role.
  - Click on Save.
If you are currently using the Splunk App for Microsoft Exchange, your deployment setup might resemble the following table:
Data collection node (forwarder) | Indexer | Search head | |
---|---|---|---|
Splunk Add-on for Windows | ✓ | ✓ | ✓ |
Splunk App for Microsoft Exchange | ✓ | ||
Splunk Supporting Add-on for Active Directory | ✓ |
Steps to migrate from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange
Follow these steps to migrate from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange. Be sure to make a backup of existing lookups and custom configurations before you migrate, as described in Before you migrate.
- Perform the following steps on each search head present in your deployment to disable the Splunk App for Microsoft Exchange:
  - Navigate to $SPLUNK_HOME/etc/apps/splunk_app_microsoft_exchange/local/app.conf (create the app.conf file in the local directory if it is not present) and edit the "state" property of the "install" stanza as follows:
    [install]
    state = disabled
  - Restart the instance:
    $SPLUNK_HOME/bin/splunk restart
- Install ITSI or IT Essentials Work on the same search head with Exchange data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
- Install the Splunk App for Content Packs according to your type of deployment:
When you've completed the previous steps, the deployment is installed as shown in the following table:
Data collection node (forwarder) | Indexer | Search head | |
---|---|---|---|
Splunk Add-on for Windows | ✓ | ✓ | ✓ |
ITSI or IT Essentials Work | ✓ | ✓ | |
Splunk App for Microsoft Exchange | Disabled | ||
Splunk App for Content Packs | ✓ | ||
Splunk Supporting Add on For Active Directory | ✓ |
After following the previous steps, the deployment looks like the following image:
After you migrate
- Restore the backup of the KV Store lookup:
  - Identify the KV store captain from different search heads. (Perform this step if you have a search head cluster deployment.) For a single search head deployment, the only search head will be the KV store captain:
    $SPLUNK_HOME/bin/splunk show kvstore-status
  - If the KV store captain has changed, move the KV store backup file from the old KV store captain to the current KV store captain. Run the following command on the search head where the KV store backup was taken as part of the Before you migrate section:
    scp /path_of_splunk_app_microsoft_exchange_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
  - On your current KV store captain, untar the backup tar file into $SPLUNK_HOME/tmp:
    tar -xzvf $SPLUNK_HOME/tmp/splunk_app_microsoft_exchange_kvstore_backup.tar.gz -C $SPLUNK_HOME/tmp
  - Rename the folder:
    mv $SPLUNK_HOME/tmp/splunk_app_microsoft_exchange $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange
  - Tar the renamed folder:
    tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz -C $SPLUNK_HOME/tmp DA-ITSI-CP-microsoft-exchange
  - Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz file to $SPLUNK_HOME/var/lib/splunk/kvstorebackup.
  - Restore the backup:
    $SPLUNK_HOME/bin/splunk restore kvstore -archiveName DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz -appName DA-ITSI-CP-microsoft-exchange
- Perform the steps below on each search head present in your deployment:
  - Move the following directories, backed up as part of the Before you migrate section, from the App package to the DA-ITSI-CP-microsoft-exchange folder:
    - /local directory collected from the app, which contains all the local configurations of the app
    - /lookups directory
    - /metadata/local.meta directory
  - Remove the app.conf file from the local directory.
  - Remove the msftapps_exchange_setup.conf file from the local directory.
  - Remove the splunk_msftapp.conf file from the local directory.
  - Restart the instance:
    $SPLUNK_HOME/bin/splunk restart
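The untar, rename and re-tar steps of the KV store restore, as an added example that is not part of Splunk's documentation or tooling: a shell function that checks the archive's entry names before extracting, works in a scratch directory, and writes the renamed archive. It assumes the backup archive holds a single top-level directory named after the app; the function names, the sample archive and its sample_collection.json file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Splunk tooling): repackage a KV store backup archive
# under the content pack's app name, checking entries before extraction.
# Assumption: the archive holds one top-level directory named after the app,
# and app names contain only letters, digits, "_" and "-".

repack_kvstore_backup() (   # subshell body: variables and cleanup stay local
    src=$1 old_app=$2 new_app=$3 out=$4
    entries=$(tar -tzf "$src") || { echo "unreadable archive: $src" >&2; exit 1; }
    # Refuse absolute paths and parent-directory references.
    if printf '%s\n' "$entries" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in $src" >&2; exit 2
    fi
    # Refuse anything that is not under the expected app directory.
    if printf '%s\n' "$entries" | grep -Evq "^(\./)?${old_app}(/|\$)"; then
        echo "entry outside ${old_app}/ in $src" >&2; exit 3
    fi
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    # Extract, rename the app directory, and write the new archive.
    tar -xzf "$src" -C "$work" &&
        mv "$work/$old_app" "$work/$new_app" &&
        tar -czf "$out" -C "$work" "$new_app"
)

# Constructed sample: a stand-in archive with one placeholder file, repacked
# and listed. Real backups come from "splunk backup kvstore".
demo_repack() (
    d=$(mktemp -d) || exit 1
    trap 'rm -rf "$d"' EXIT
    mkdir -p "$d/src/splunk_app_microsoft_exchange"
    echo '[]' > "$d/src/splunk_app_microsoft_exchange/sample_collection.json"
    tar -czf "$d/old.tar.gz" -C "$d/src" splunk_app_microsoft_exchange
    repack_kvstore_backup "$d/old.tar.gz" splunk_app_microsoft_exchange \
        DA-ITSI-CP-microsoft-exchange "$d/new.tar.gz" &&
        tar -tzf "$d/new.tar.gz"
)

demo_repack
```

The function exits with status 2 or 3 and writes no output archive when an entry name falls outside the expected app directory, so a backup that was altered or swapped during the copy between search heads is not restored unnoticed.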
The searches of the Splunk App for Microsoft Exchange use a macro-based index, but searches of Content Pack for Microsoft Exchange contain eventtype-based specifications. You will need to configure corresponding eventtype indexes after migrating to Content Pack for Microsoft Exchange.
For more information about configuring eventtype indexes, see Set up multiple indexes.
Install and configure the content pack
You can now install the content pack and make configurations:
- Make sure that the Exchange data collected using Splunk Add-on for Microsoft Exchange is searchable from the search head where you installed the Splunk App for Content Packs.
- Follow the steps to install and configure the Content Pack for Microsoft Exchange.
Access the dashboards in the content pack
You can now access the dashboards from the content pack:
- In Splunk Web, open ITSI or IT Essentials Work.
- From the main navigation bar choose Dashboards > Dashboards.
- From the list of dashboards, those with the App name of DA-ITSI-CP-microsoft-exchange are from the Content Pack for Microsoft Exchange. Select the dashboard title to open the dashboard.
This documentation applies to the following versions of Content Pack for Microsoft Exchange: 1.5.1