Deploy configurations for all server roles
This procedure describes using the Splunk deployment server to deploy the Splunk App for Microsoft Exchange configurations to Splunk universal forwarders already installed on each of the Exchange server systems in your environment. Before you proceed, make sure you have followed the instructions in "Install a universal forwarder on each Exchange server".
You do not have to use deployment server to deploy the Splunk App for Microsoft Exchange--you can copy the appropriate components to the forwarders and search heads by hand if you like. A benefit to using deployment server is that you can update the components very easily when a new version of the app becomes available.
You can configure your central Splunk instance to be a deployment server, or install full Splunk on another server and configure it as the deployment server.
- For information on using the deployment server, refer to "About deployment server" in the core Splunk documentation.
Caution: The Splunk App for Microsoft Exchange puts all the data it indexes into the default Splunk index, main
. If you don't want to use this index for the data, you must change the app's configuration as described in "Other deployment considerations" and "Make configuration changes to match your existing environment" in this manual, before you deploy it to the forwarders.
Prepare the deployment on deployment server
To configure your deployment server:
1. Edit $SPLUNK_HOME\etc\system\local\serverclass.conf
on your deployment server to specify a server class for each server role and Windows Server version and optionally one for the server running the reputation service (which must have Internet access). The recommended naming convention is:
- Exchange-<version>-<role>
- Exchange-Windows-<version>
- Exchange-Reputation
2. Make sure that you have unpacked the components you want to deploy into $SPLUNK_HOME\etc\deployment-apps
and have made all necessary edits to their configurations as described in "Make configuration changes to match your existing environment".
3. In $SPLUNK_HOME\etc\system\local\serverclass.conf
ensure that the components you want to deploy are configured to be pushed to the right machines:
- Each universal forwarder gets the appropriate forwarder application components (FACs) for the Exchange roles running on that system.
- Indexers get all of the
fwd_*
FACs. - Search heads get all of the
fwd_*
FACs and theSplunk-for-Exchange
component.
Push the components to their respective locations
Once you've completed all desired configuration changes, push the prepared components to their respective locations in your infrastructure:
1. On the deployment server, run the following command to reload the deployment server and update the various Splunk instances:
$SPLUNK_HOME\bin\splunk reload deploy-server
2. After a few minutes, check that the deployment was pushed correctly with the following command:
$SPLUNK_HOME\bin\splunk list deploy-clients
3. Wait 10 minutes, then follow the instructions in "Log in and get started" in this manual to view the Splunk App for Microsoft Exchange overview dashboard and confirm that data is coming into the app.
Make configuration changes to match your existing environment | Additional tasks for the Exchange server roles |
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 1.0
Feedback submitted, thanks!