Migrate from the Splunk App for Microsoft Exchange to the Content Pack for Microsoft Exchange

The Content Pack for Microsoft Exchange replicates the dashboards and reports available in the Splunk App for Microsoft Exchange. Users of ITSI version 4.9.0 or higher, or IT Essentials Work version 4.9.0 or higher can migrate from the legacy app to the content pack to take advantage of a consolidated experience. In addition, migrating means you can upgrade all content packs by upgrading the one app, the Splunk App for Content Packs.

Refer to the following table to compare the features of the app versus the content pack:

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to the Content Pack for Microsoft Exchange.

If you are currently using the Splunk App for Microsoft Exchange your deployment might look like the following image:

You can review the dashboards included in the Content Pack for Microsoft Exchange before you migrate. See, Dashboard reference for the Content Pack for Microsoft Exchange.

Migration steps for Cloud environments

For migration on Cloud, file a ticket on the Splunk Support Portal on the Support and Services section. Splunk Cloud TechOps will assist you with the migration from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange.

Migration steps for on-premises standalone or distributed environments

You can migrate from Splunk App for Microsoft Exchange to the Content Pack for Microsoft Exchange by following the procedures in this section.

Before you migrate

Before migrating to Content Pack for Microsoft Exchange, make sure to follow the steps below to make a backup of your custom configurations and lookups.

1. Make a backup of the directories below present in the splunk_app_microsoft_exchange package in $SPLUNK_HOME/etc/apps on each search head:
   • /local directory which contains all the local configurations under conf files
   • /lookups directory which contains the CSV lookups
   • /metadata/local.meta directory which contains the updated permissions for the Knowledge Objects.
2. Make a backup of the KV Store lookups present in the app:
   1. Identify the KV store captain from each search head (perform this step if you have multiple search heads in your environment):
      $SPLUNK_HOME/bin/splunk show kvstore-status
   2. Log in to the KV store captain search head and run the following command:
      $SPLUNK_HOME/bin/splunk backup kvstore -archiveName splunk_app_microsoft_exchange_kvstore_backup -appName splunk_app_microsoft_exchange
   3. Identify the latest backup in $SPLUNK_HOME/var/lib/splunk/kvstorebackup and copy the splunk_app_microsoft_exchange_kvstore_backup.tar.gz backup file to $SPLUNK_HOME/tmp. This archive file will be required to restore the App lookup data during migration.
3. Perform the following steps on each user inheriting the exchange-admin role.
1. Navigate to Settings > Users.
2. Click on Edit > Edit.
3. Navigate to Assign Roles.
4. From Selected item(s) > Remove exchange-admin role.
5. Click on Save.

If you are currently using the Splunk App for Microsoft Exchange, your deployment setup might resemble the following table:

Steps to migrate from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange

Follow these steps to migrate from Splunk App for Microsoft Exchange to Content Pack for Microsoft Exchange. Be sure to make a backup of existing lookups and custom configurations before you migrate, as described in Before you migrate.

1. Perform the following steps on each search head present in your deployment to disable the Splunk App for Microsoft Exchange:
1. Navigate to {SPLUNK_HOME}/etc/apps/splunk_app_microsoft_exchange/local/app.conf (create app.conf file in local directory if it is not present) and edit the "state" property of "install" stanza as mentioned below:
   [install]
state = disabled
2. Restart the instance:
   $SPLUNK_HOME/bin/splunk restart
2. Install ITSI or IT Essentials Work on the same search head with Exchange data according to your type of deployment. Refer to these topics in the Splunk IT Service Intelligence Install and Upgrade Manual:
   • Install Splunk IT Service Intelligence on a single instance.
   • Install Splunk IT Service intelligence in a distributed environment.
   • Install IT Essentials Work.
3. Install the Splunk App for Content Packs according to your type of deployment:
   • Install the Splunk App for Content Packs on a single, on-premises environment.
   • Install the Splunk App for Content Packs on a distributed environment.

When you've completed the previous steps, the deployment is installed as shown in the following table:

After following the previous steps, the deployment looks like the following image:

After you migrate

1. Restore the backup of the KV Store lookup:
1. Identify the KV store captain from different search heads. (Perform this step if the you have a search head cluster deployment). For a single search head deployment, the only search head will be the KV store captain:
   $SPLUNK_HOME/bin/splunk show kvstore-status
2. If KV store captain is changed, then move the KV store backup file from the old KV store captain to the current KV store captain. Run the following command on the search head where KV store backup taken as part of the Before you migrate section:
   scp /path_of_splunk_app_microsoft_exchange_kvstore_backup.tar.gz {SPLUNK_USER}@{$search_head_ip}:/{SPLUNK_HOME}/tmp
3. On your current KV store captain, untar the backup tar file:
   tar -xzvf $SPLUNK_HOME/tmp/splunk_app_microsoft_exchange_kvstore_backup.tar.gz
4. Rename the folder name:
   mv $SPLUNK_HOME/tmp/splunk_app_microsoft_exchange $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange
5. Tar the upgraded folder name:
   tar -czf $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz DA-ITSI-CP-microsoft-exchange
6. Move the $SPLUNK_HOME/tmp/DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz file in $SPLUNK_HOME/var/lib/splunk/kvstorebackup.
7. Restore the backup
   splunk restore kvstore -archiveName DA-ITSI-CP-microsoft-exchange_kvstore_backup.tar.gz -appName DA-ITSI-CP-microsoft-exchange
2. Perform the steps below on each search head present in your deployment:
1. Move the following directories from the App package to DA-ITSI-CP-microsoft-exchange folder that are backed up as part of the Before you migrate section:
   • /local directory collected from the app which contains all the local configurations of the app
   • /lookups directory
   • /metadata/local.meta directory
2. Remove app.conf file from local directory.
3. Remove msftapps_exchange_setup.conf file from local directory.
4. Remove splunk_msftapp.conf file from local directory.
5. Restart the instance: $SPLUNK_HOME/bin/splunk restart

The searches of the Splunk App for Microsoft Exchange use a macro-based index, but searches of Content Pack for Microsoft Exchange contain eventtype-based specifications. You will need to configure corresponding eventtype indexes after migrating to Content Pack for Microsoft Exchange.

For more information about configuring eventtype indexes, see Set up multiple indexes.

Install and configure the content pack

You can now install the content pack and make configurations:

1. Make sure that the Exchange data collected using Splunk Add-on for Microsoft Exchange is searchable from the search head where you installed the Splunk App for Content Packs.
2. Follow the steps to install and configure the Content Pack for Microsoft Exchange.

Access the dashboards in the content pack

You can now access the dashboards from the content pack:

1. In Splunk Web, open ITSI or IT Essentials Work.
2. From the main navigation bar choose Dashboards > Dashboards.
3. From the list of dashboards, those with the App name of DA-ITSI-CP-microsoft-exchange are from the Content Pack for Microsoft Exchange. Select the dashboard title to open the dashboard.