Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

How to upgrade the Splunk App for Microsoft Exchange

This topic discusses supported upgrade scenarios for the Splunk App for Microsoft Exchange.

The commands shown in this topic are PowerShell. If you use *nix, substitute the PowerShell directives with their *nix counterparts. If you use different directories for Splunk Enterprise and deployment server, substitute the directories shown with your specific directories.

Upgrade overview

There are two supported upgrade scenarios available for the Splunk App for Microsoft Exchange:

  • From version 3.0.x to this version.
  • From version 3.1.x to this version.

If you run a previous version of the Splunk App for Microsoft Exchange (version 2.x and earlier), follow the setup instructions as if it were a new install. You will be given the opportunity to resolve any data location issues as part of the new setup.

Upgrade from version 3.1.x to this version

To upgrade from version 3.1.x to this version, update the search head(s) in the instance with the updated app:

1. Download the updated app installation package from Splunkbase and save it to an accessible location.

2. Unpack the archive.

3. Copy the splunk_app_microsoft_exchange folder to the %SPLUNK_HOME%\etc\apps folder on the search head(s) in the instance.

Note: If prompted, overwrite the existing folder.

4. Restart Splunk Enterprise on the search head(s).

5. Log back into Splunk Enterprise.

6. Activate the Splunk App for Microsoft Exchange. Choose Apps > Splunk App for Microsoft Exchange.

Upgrade Caveats

When you upgrade the app from version 3.1.1 to version 3.1.2, note the following caveats:

1. The upgrade process deletes the local settings in the app key value store. This means that once you complete the upgrade, you must:

  • Reconfigure any thresholds that you set up in the "Thresholds" dialog. See "Change thresholds".

Upgrade from version 3.0.x to this version

How to upgrade If you have a deployment server

Use your deployment server to update the search heads with the updated app.

1. Copy the updated app to the

Upgrade Splunk Enterprise if necessary

1. Upgrade Splunk Enterprise and universal forwarders on all hosts in the deployment to version 6.2 or later.

Download and unpack apps and add-ons

1. Download the following apps and add-ons from Splunk Apps and save them to an accessible location:

2. Use WinZip or another archive utility to unarchive the Splunk App for Microsoft Exchange and Splunk Add-on for Windows packages.

Configure and deploy add-ons to the deployment server

1. Configure the Splunk Add-on for Windows, as described in "Download and configure the Splunk Add-on for Windows."

2. Copy the following updated add-ons from the Splunk App for Microsoft Exchange installation package to the deployment apps directory on the deployment server:

  • The Splunk Add-on for Windows (Splunk_TA_windows)
  • The Splunk Add-ons for Active Directory: TA-DomainController-NT5/TA-DomainController-NT6
  • The Splunk Add-ons for Windows DNS: TA-DNSServer-NT5/TA-DNSServer_NT6
  • The Splunk Add-ons for Microsoft Exchange: TA-Exchange-*
PS > $exch_apps="C:\Downloads\splunk_app_microsoft_exchange\appserver\addons"
PS > foreach ( $source in @("C:\Downloads\Splunk_TA_windows","$exch_apps\TA-DomainController*","$exch_apps\TA-DNSServer*","$exch_apps\TA-Exchange*") ) { Copy-Item -Path $source -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse }

3. Log into Splunk Enterprise the deployment server.

4. Go to Forwarder Management and deploy the add-ons to the appropriate Windows, Active Directory, and Exchange deployment clients:

Exchange and DNS add-ons

If the Exchange server runs: and it holds this Exchange role: then install or deploy:
Exchange Server 2007 Client Access Server TA-Exchange-2007-CAS
TA-Windows-2003-Exchange-IIS
The Splunk Add-on for Windows Splunk_TA_Windows
Edge Transport TA-Exchange-2007-HubTransport
Splunk_TA_Windows
Hub Transport TA-Exchange-2007-HubTransport
Splunk_TA_Windows
Mailbox Server TA-Exchange-2007-MailboxStore
Splunk_TA_Windows
Exchange Server 2010 Client Access Server TA-Exchange-2010-CAS
TA-Windows-2008R2-Exchange-IIS
Splunk_TA_Windows
Edge Transport TA-Exchange-2010-HubTransport
Splunk_TA_Windows
Hub Transport TA-Exchange-2010-HubTransport
Splunk_TA_Windows
Mailbox Server TA-Exchange-2010-MailboxStore
Splunk_TA_Windows
Exchange Server 2013 Client Access Server TA-Exchange-2013-ClientAccess
TA-Windows-2012-Exchange-IIS
Splunk_TA_Windows
Mailbox Server TA-Exchange-2013-Mailbox
Splunk_TA_Windows

Active Directory add-ons

If the server: and it runs: then install or deploy:
does not have a role in Active Directory any supported version of Windows Server Splunk_TA_Windows
is a domain controller Windows Server 2003 or Server 2003 R2 Splunk_TA_Windows
TA-DomainController-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012 Splunk_TA_Windows
TA-DomainController-NT6
Windows Server 2012 R2 Splunk_TA_Windows
TA-DomainController-2012r2
SA-ModularInput-PowerShell
is a DNS server Windows Server 2003 or Server 2003 R2 Splunk_TA_Windows
TA-DNSServer-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, Server 2012, or Server 2012 R2 Splunk_TA_Windows
TA-DNSServer-NT6
is a domain controller and a DNS server Windows Server 2003 or Server 2003 R2 Splunk_TA_Windows
TA-DomainController-NT5
TA-DNSServer-NT5
Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012 Splunk_TA_Windows
TA-DomainController-NT6
TA-DNSServer-NT6
Windows Server 2012 R2 Splunk_TA_Windows
TA-DomainController-2012r2
TA-DNSServer-NT6
SA-ModularInput-PowerShell

3. Install the updated Splunk Add-on for Windows onto all hosts in the central Splunk App for Microsoft Exchange instance.

4. Install the updated Splunk Supporting Add-on for Active Directory onto all search heads in the central Splunk App for Microsoft Exchange instance.

  • If you operate a search head cluster, install the add-on into the cluster master.

5. Install the updated Splunk App for Microsoft Exchange into all search heads in the central Splunk App for Microsoft Exchange instance.

  • If you operate a search head cluster, install the add-on into the cluster master.

6. Restart all servers in the central Splunk App for Microsoft Exchange instance in order for the changes to take effect.

Log in and run the first time experience

1. Log into Splunk Enterprise on a search head in the central Splunk App for Microsoft Exchange instance. This activates the first-time setup experience.

2. Proceed through the first-time setup experience. Address any missing data issues by following the on-screen prompts.

3. Wait. As part of the upgrade, the Splunk App for Microsoft Exchange builds an accelerated data model which, depending on the size of your environment, can take some time. You can check the progress of the data model build by following the instructions in "Check data model build progress."

4. After the accelerated data model build is complete, use the app and confirm that all of the data is present and the pages show data as you expect.


How to upgrade if you do not have a deployment server

If you do not have a deployment server, you will set up one now as part of the upgrade process.

A deployment server reduces deployment complexity and room for errors due to typos in configuration files. Once you complete setup, you then only need to make app and configuration changes in one place.

Read more about deployment server

See the following topics to learn more about deployment server:

Upgrade Splunk Enterprise if necessary

1. Upgrade Splunk Enterprise and universal forwarders on all hosts in the deployment to version 6.2 or later.

Download and unpack apps and add-ons

1. Download the following apps and add-ons from Splunk Apps and save them to an accessible location:

2. Use WinZip or another archive utility to unarchive the Splunk App for Microsoft Exchange and Splunk Add-on for Windows packages.

Activate a deployment server and define server classes

1. Configure the Splunk Add-on for Windows, as described in "Download and configure the Splunk Add-on for Windows."

2. Choose a host in your deployment that does not regularly experience high CPU or disk utilization and note the host name or IP address of the host.

  • If the host does not already have Splunk Enterprise installed on it, perform the installation.

3. On this host, log into Splunk Enterprise.

4. Create the "Send to indexer" app, as described in "Create the 'send to indexer' app."

5. Activate deployment server on the host by copying the following objects to the deployment apps directory:

  • The Splunk Add-on for Windows (Splunk_TA_windows).
  • The "Send to Indexer" app (sendtoindexer).
  • The Splunk Add-ons for Active Directory (TA-DomainController-*).
  • The Splunk Add-ons for Windows DNS (TA-DNSServer-*)
  • The Splunk Add-ons for Microsoft Exchange (TA-Exchange-*).
  • The SMTP Reputation Add-on (TA-SMTP-Reputation)
PS > $exch_apps="C:\Downloads\splunk_app_microsoft_exchange\appserver\addons"
PS > foreach ( $source in @("C:\Downloads\Splunk_TA_windows","C:\Program Files\Splunk\etc\apps\sendtoindexer","$exch_apps\TA-DomainController*","$exch_apps\TA-DNSServer*","$exch_apps\TA-Exchange*","$exch_apps\TA-SMTP-Reputation") ) { Copy-Item -Path $source -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse }

6. In Splunk Enterprise on the deployment server, define server classes:

7. Assign apps to the server classes according to the following table:

Server Class Name Add-ons to Add to the Server Class
Universal Forwarder Splunk_TA_windows

sendtoindexer

Active Directory

TA-DomainController-NT5 (on Windows Server 2003) TA-DomainController-NT6 (on Windows Server 2008) TA-DomainController-2012r2 and SA-ModularInput-PowerShell (on Windows Server 2012 R2)

Windows DNS TA-DNSServer-NT5 or TA-DNSServer-NT6

TA-Windows-2003-Exchange-IIS

Exchange Server 2007 - CAS TA-Exchange-2007-CAS

TA-Windows-2003-Exchange-IIS

Exchange Server 2007 - Hub Transport TA-Exchange-2007-HubTransport
Exchange Server 2007 - Mailbox Store TA-Exchange-2007-MailboxStore
Exchange Server 2010 - CAS TA-Exchange-2010-CAS

TA-Windows-2008R2-Exchange-IIS

Exchange Server 2010 - Hub Transport TA-Exchange-2010-HubTransport
Exchange Server 2010 - Mailbox Store TA-Exchange-2010-MailboxStore
Exchange Server 2013 - Client Access TA-Exchange-2013-ClientAccess

TA-Windows-2012-Exchange-IIS

Exchange Server 2013 - Mailbox TA-Exchange-2007-Mailbox
SMTP Reputation TA-SMTP-Reputation

8. Restart Splunk Enterprise on the deployment server.

Reconfigure universal forwarders as deployment clients

1. On every universal forwarder in the deployment, issue the following command to turn the forwarder into a deployment client:

PS > cd <Splunk Directory>\bin
PS > .\splunk set deploy-poll <host name or ip address of deployment server>:<port>
  • In the above example: <port> is the management port on the deployment server, and defaults to 8089.

2. On every universal forwarder in the deployment, remove the following add-ons from the Splunk apps directory (%SPLUNK_HOME%\etc\apps):

  • The Splunk Add-on for Windows.
  • The Splunk Add-ons for Active Directory (on Active Directory hosts).
  • The Splunk Add-ons for Microsoft Exchange (on Exchange hosts).
  • The SMTP Reputation add-on (from the host with the outbound connection to the Internet)

3. Restart the universal forwarders.

Confirm that the deployment server sees the universal forwarders

1. Log back into the deployment server.

2. Use Forwarder Management to confirm that universal forwarders have phoned in to the deployment server.

3. Assign the clients to the server classes you defined earlier.

  • Assign all clients to the "Universal Forwarder" class.
  • Assign Exchange hosts to the Exchange server classes based on their Exchange Server version and role(s).
  • Assign AD hosts to the AD server classes based on the version of Windows Server they run.
  • Assign DNS hosts to the DNS server classes based on the version of Windows Server they run.
  • Assign the SMTP Reputation host to the SMTP Reputation server class.

4. In Forwarder Management, confirm that the apps deploy to the correct hosts.

5. Log into Splunk Enterprise on a search head in the deployment.

6. Load the Search App

7. Confirm that you see new data coming in from the deployment clients.

Log in and run the first time experience

1. Continuing on the search head, choose Apps > Splunk App for Microsoft Exchange. This activates the first-time setup experience.

2. Proceed through the first-time setup experience.

  • Address any missing data issues by following the prompts on-screen.

3. Wait. As part of the upgrade, the Splunk App for Microsoft Exchange builds an accelerated data model which, depending on the size of your environment, can take some time. You can check the progress of the data model build by following the instructions in "Check data model build progress."

4. After the accelerated data model build is complete, use the app and confirm that all of the data is present.

Migrate lookups to KV store

The Splunk App for Microsoft Exchange uses app key value store to store its configurations.

When you upgrade the Splunk App for Microsoft Exchange, the guided setup experience migrates existing lookups into KV store. If you want the process to run again after completing the upgrade, select Tools & Settings > Migrate lookups to KV store.

Troubleshoot permissions issues after an upgrade

When you upgrade the Splunk App for Microsoft Exchange to version 3.1.x, the app installs a new user role, exchange-admin. The Splunk user that uses the Splunk App for Microsoft Exchange must have this role, otherwise the app will not function correctly.

If, during the first time process, you see that the app does not find any data and you know that the data exists (such as in the case of an upgrade), be sure to add the exchange-admin role to the user that uses the app, as described in the troubleshooting page.

Upgrade Caveats

When you upgrade the app from version 3.1.1 to version 3.1.2, note the following important caveats:

1. The upgrade process deletes the local settings in the app key value store. This means that once you complete the upgrade, you must:

  • Reconfigure any thresholds that you set up in the "Thresholds" dialog. See "Change thresholds".
Last modified on 07 March, 2015
Install a license   Upgrade from 3.0.x and earlier

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.1.0, 3.1.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters