How to upgrade the Splunk App for Microsoft Exchange
This topic discusses supported upgrade scenarios for the Splunk App for Microsoft Exchange.
The commands shown in this topic are PowerShell. If you use *nix, substitute the PowerShell directives with their *nix counterparts. If you use different directories for Splunk Enterprise and deployment server, substitute the directories shown with your specific directories.
Upgrade overview
There are two supported upgrade scenarios available for the Splunk App for Microsoft Exchange:
- From version 3.0.x to this version.
- From version 3.1.x to this version.
If you run a previous version of the Splunk App for Microsoft Exchange (version 2.x and earlier), follow the setup instructions as if it were a new install. You will be given the opportunity to resolve any data location issues as part of the new setup.
Upgrade from version 3.1.x to this version
To upgrade from version 3.1.x to this version, update the search head(s) in the instance with the updated app:
1. Download the updated app installation package from Splunkbase and save it to an accessible location.
2. Unpack the archive.
3. Copy the splunk_app_microsoft_exchange folder to the %SPLUNK_HOME%\etc\apps folder on the search head(s) in the instance.
Note: If prompted, overwrite the existing folder.
4. Restart Splunk Enterprise on the search head(s).
5. Log back into Splunk Enterprise.
6. Activate the Splunk App for Microsoft Exchange. Choose Apps > Splunk App for Microsoft Exchange.
Upgrade Caveats
When you upgrade the app from version 3.1.1 to version 3.1.2, note the following caveats:
1. The upgrade process deletes the local settings in the app key value store. This means that once you complete the upgrade, you must:
- Rebuild lookups for the app. See "Configure the Splunk App for Microsoft Exchange".
- Reconfigure any thresholds that you set up in the "Thresholds" dialog. See "Change thresholds".
Upgrade from version 3.0.x to this version
How to upgrade If you have a deployment server
Use your deployment server to update the search heads with the updated app.
1. Copy the updated app to the
Upgrade Splunk Enterprise if necessary
1. Upgrade Splunk Enterprise and universal forwarders on all hosts in the deployment to version 6.2 or later.
Download and unpack apps and add-ons
1. Download the following apps and add-ons from Splunk Apps and save them to an accessible location:
- The latest version of the Splunk App for Microsoft Exchange.
- The Splunk Add-on for Windows version 4.7.3 or later.
- The Splunk Supporting Add-on for Active Directory version 2.0.2 or later.
- The Splunk Modular Input for PowerShell.
2. Use WinZip or another archive utility to unarchive the Splunk App for Microsoft Exchange and Splunk Add-on for Windows packages.
Configure and deploy add-ons to the deployment server
1. Configure the Splunk Add-on for Windows, as described in "Download and configure the Splunk Add-on for Windows."
2. Copy the following updated add-ons from the Splunk App for Microsoft Exchange installation package to the deployment apps directory on the deployment server:
- The Splunk Add-on for Windows (Splunk_TA_windows)
- The Splunk Add-ons for Active Directory: TA-DomainController-NT5/TA-DomainController-NT6
- The Splunk Add-ons for Windows DNS: TA-DNSServer-NT5/TA-DNSServer_NT6
- The Splunk Add-ons for Microsoft Exchange: TA-Exchange-*
PS > $exch_apps="C:\Downloads\splunk_app_microsoft_exchange\appserver\addons"
PS > foreach ( $source in @("C:\Downloads\Splunk_TA_windows","$exch_apps\TA-DomainController*","$exch_apps\TA-DNSServer*","$exch_apps\TA-Exchange*") ) { Copy-Item -Path $source -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse }
3. Log into Splunk Enterprise the deployment server.
4. Go to Forwarder Management and deploy the add-ons to the appropriate Windows, Active Directory, and Exchange deployment clients:
Exchange and DNS add-ons
| If the Exchange server runs: | and it holds this Exchange role: | then install or deploy: |
|---|---|---|
| Exchange Server 2007 | Client Access Server | TA-Exchange-2007-CASTA-Windows-2003-Exchange-IISThe Splunk Add-on for Windows Splunk_TA_Windows
|
| Edge Transport | TA-Exchange-2007-HubTransportSplunk_TA_Windows
| |
| Hub Transport | TA-Exchange-2007-HubTransportSplunk_TA_Windows
| |
| Mailbox Server | TA-Exchange-2007-MailboxStoreSplunk_TA_Windows
| |
| Exchange Server 2010 | Client Access Server | TA-Exchange-2010-CASTA-Windows-2008R2-Exchange-IISSplunk_TA_Windows
|
| Edge Transport | TA-Exchange-2010-HubTransportSplunk_TA_Windows
| |
| Hub Transport | TA-Exchange-2010-HubTransportSplunk_TA_Windows
| |
| Mailbox Server | TA-Exchange-2010-MailboxStoreSplunk_TA_Windows
| |
| Exchange Server 2013 | Client Access Server | TA-Exchange-2013-ClientAccessTA-Windows-2012-Exchange-IISSplunk_TA_Windows
|
| Mailbox Server | TA-Exchange-2013-MailboxSplunk_TA_Windows
|
Active Directory add-ons
| If the server: | and it runs: | then install or deploy: |
|---|---|---|
| does not have a role in Active Directory | any supported version of Windows Server | Splunk_TA_Windows
|
| is a domain controller | Windows Server 2003 or Server 2003 R2 | Splunk_TA_WindowsTA-DomainController-NT5
|
| Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012 | Splunk_TA_WindowsTA-DomainController-NT6
| |
| Windows Server 2012 R2 | Splunk_TA_WindowsTA-DomainController-2012r2SA-ModularInput-PowerShell
| |
| is a DNS server | Windows Server 2003 or Server 2003 R2 | Splunk_TA_WindowsTA-DNSServer-NT5
|
| Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, Server 2012, or Server 2012 R2 | Splunk_TA_WindowsTA-DNSServer-NT6
| |
| is a domain controller and a DNS server | Windows Server 2003 or Server 2003 R2 | Splunk_TA_WindowsTA-DomainController-NT5TA-DNSServer-NT5
|
| Windows Server 2008, Server 2008 R2, Server 2008 R2 Core, or Server 2012 | Splunk_TA_WindowsTA-DomainController-NT6TA-DNSServer-NT6
| |
| Windows Server 2012 R2 | Splunk_TA_WindowsTA-DomainController-2012r2TA-DNSServer-NT6SA-ModularInput-PowerShell
|
3. Install the updated Splunk Add-on for Windows onto all hosts in the central Splunk App for Microsoft Exchange instance.
4. Install the updated Splunk Supporting Add-on for Active Directory onto all search heads in the central Splunk App for Microsoft Exchange instance.
- If you operate a search head cluster, install the add-on into the cluster master.
5. Install the updated Splunk App for Microsoft Exchange into all search heads in the central Splunk App for Microsoft Exchange instance.
- If you operate a search head cluster, install the add-on into the cluster master.
6. Restart all servers in the central Splunk App for Microsoft Exchange instance in order for the changes to take effect.
Log in and run the first time experience
1. Log into Splunk Enterprise on a search head in the central Splunk App for Microsoft Exchange instance. This activates the first-time setup experience.
2. Proceed through the first-time setup experience. Address any missing data issues by following the on-screen prompts.
3. Wait. As part of the upgrade, the Splunk App for Microsoft Exchange builds an accelerated data model which, depending on the size of your environment, can take some time. You can check the progress of the data model build by following the instructions in "Check data model build progress."
4. After the accelerated data model build is complete, use the app and confirm that all of the data is present and the pages show data as you expect.
How to upgrade if you do not have a deployment server
If you do not have a deployment server, you will set up one now as part of the upgrade process.
A deployment server reduces deployment complexity and room for errors due to typos in configuration files. Once you complete setup, you then only need to make app and configuration changes in one place.
Read more about deployment server
See the following topics to learn more about deployment server:
- "About deployment server and forwarder management" in the core Splunk Enterprise platform documentation.
- "Set up a deployment server and create a server class" in this manual.
Upgrade Splunk Enterprise if necessary
1. Upgrade Splunk Enterprise and universal forwarders on all hosts in the deployment to version 6.2 or later.
Download and unpack apps and add-ons
1. Download the following apps and add-ons from Splunk Apps and save them to an accessible location:
- The latest version of the Splunk App for Microsoft Exchange.
- The Splunk Add-on for Windows version 4.7.3 or later.
- The Splunk Supporting Add-on for Active Directory version 2.0.1 or later.
- The Splunk Modular Input for PowerShell.
2. Use WinZip or another archive utility to unarchive the Splunk App for Microsoft Exchange and Splunk Add-on for Windows packages.
Activate a deployment server and define server classes
1. Configure the Splunk Add-on for Windows, as described in "Download and configure the Splunk Add-on for Windows."
2. Choose a host in your deployment that does not regularly experience high CPU or disk utilization and note the host name or IP address of the host.
- If the host does not already have Splunk Enterprise installed on it, perform the installation.
3. On this host, log into Splunk Enterprise.
4. Create the "Send to indexer" app, as described in "Create the 'send to indexer' app."
5. Activate deployment server on the host by copying the following objects to the deployment apps directory:
- The Splunk Add-on for Windows (Splunk_TA_windows).
- The "Send to Indexer" app (sendtoindexer).
- The Splunk Add-ons for Active Directory (TA-DomainController-*).
- The Splunk Add-ons for Windows DNS (TA-DNSServer-*)
- The Splunk Add-ons for Microsoft Exchange (TA-Exchange-*).
- The SMTP Reputation Add-on (TA-SMTP-Reputation)
PS > $exch_apps="C:\Downloads\splunk_app_microsoft_exchange\appserver\addons"
PS > foreach ( $source in @("C:\Downloads\Splunk_TA_windows","C:\Program Files\Splunk\etc\apps\sendtoindexer","$exch_apps\TA-DomainController*","$exch_apps\TA-DNSServer*","$exch_apps\TA-Exchange*","$exch_apps\TA-SMTP-Reputation") ) { Copy-Item -Path $source -Destination "C:\Program Files\Splunk\etc\deployment-apps" -Recurse }
6. In Splunk Enterprise on the deployment server, define server classes:
- A "universal forwarders" server class for all hosts in the deployment with a universal forwarder installed.
- A server class for Active Directory.
- A server class for Windows DNS.
- Server classes for each Exchange server version and role.
- A server class for the TA-SMTP-Reputation add-on.
7. Assign apps to the server classes according to the following table:
| Server Class Name | Add-ons to Add to the Server Class |
|---|---|
| Universal Forwarder | Splunk_TA_windows
sendtoindexer |
| Active Directory |
TA-DomainController-NT5 (on Windows Server 2003) TA-DomainController-NT6 (on Windows Server 2008) TA-DomainController-2012r2 and SA-ModularInput-PowerShell (on Windows Server 2012 R2) |
| Windows DNS | TA-DNSServer-NT5 or TA-DNSServer-NT6
TA-Windows-2003-Exchange-IIS |
| Exchange Server 2007 - CAS | TA-Exchange-2007-CAS
TA-Windows-2003-Exchange-IIS |
| Exchange Server 2007 - Hub Transport | TA-Exchange-2007-HubTransport |
| Exchange Server 2007 - Mailbox Store | TA-Exchange-2007-MailboxStore |
| Exchange Server 2010 - CAS | TA-Exchange-2010-CAS
TA-Windows-2008R2-Exchange-IIS |
| Exchange Server 2010 - Hub Transport | TA-Exchange-2010-HubTransport |
| Exchange Server 2010 - Mailbox Store | TA-Exchange-2010-MailboxStore |
| Exchange Server 2013 - Client Access | TA-Exchange-2013-ClientAccess
TA-Windows-2012-Exchange-IIS |
| Exchange Server 2013 - Mailbox | TA-Exchange-2007-Mailbox |
| SMTP Reputation | TA-SMTP-Reputation |
8. Restart Splunk Enterprise on the deployment server.
Reconfigure universal forwarders as deployment clients
1. On every universal forwarder in the deployment, issue the following command to turn the forwarder into a deployment client:
PS > cd <Splunk Directory>\bin PS > .\splunk set deploy-poll <host name or ip address of deployment server>:<port>
- In the above example: <port> is the management port on the deployment server, and defaults to 8089.
2. On every universal forwarder in the deployment, remove the following add-ons from the Splunk apps directory (%SPLUNK_HOME%\etc\apps):
- The Splunk Add-on for Windows.
- The Splunk Add-ons for Active Directory (on Active Directory hosts).
- The Splunk Add-ons for Microsoft Exchange (on Exchange hosts).
- The SMTP Reputation add-on (from the host with the outbound connection to the Internet)
3. Restart the universal forwarders.
Confirm that the deployment server sees the universal forwarders
1. Log back into the deployment server.
2. Use Forwarder Management to confirm that universal forwarders have phoned in to the deployment server.
3. Assign the clients to the server classes you defined earlier.
- Assign all clients to the "Universal Forwarder" class.
- Assign Exchange hosts to the Exchange server classes based on their Exchange Server version and role(s).
- Assign AD hosts to the AD server classes based on the version of Windows Server they run.
- Assign DNS hosts to the DNS server classes based on the version of Windows Server they run.
- Assign the SMTP Reputation host to the SMTP Reputation server class.
4. In Forwarder Management, confirm that the apps deploy to the correct hosts.
5. Log into Splunk Enterprise on a search head in the deployment.
6. Load the Search App
7. Confirm that you see new data coming in from the deployment clients.
Log in and run the first time experience
1. Continuing on the search head, choose Apps > Splunk App for Microsoft Exchange. This activates the first-time setup experience.
2. Proceed through the first-time setup experience.
- Address any missing data issues by following the prompts on-screen.
3. Wait. As part of the upgrade, the Splunk App for Microsoft Exchange builds an accelerated data model which, depending on the size of your environment, can take some time. You can check the progress of the data model build by following the instructions in "Check data model build progress."
4. After the accelerated data model build is complete, use the app and confirm that all of the data is present.
Migrate lookups to KV store
The Splunk App for Microsoft Exchange uses app key value store to store its configurations.
When you upgrade the Splunk App for Microsoft Exchange, the guided setup experience migrates existing lookups into KV store. If you want the process to run again after completing the upgrade, select Tools & Settings > Migrate lookups to KV store.
Troubleshoot permissions issues after an upgrade
When you upgrade the Splunk App for Microsoft Exchange to version 3.1.x, the app installs a new user role, exchange-admin. The Splunk user that uses the Splunk App for Microsoft Exchange must have this role, otherwise the app will not function correctly.
If, during the first time process, you see that the app does not find any data and you know that the data exists (such as in the case of an upgrade), be sure to add the exchange-admin role to the user that uses the app, as described in the troubleshooting page.
Upgrade Caveats
When you upgrade the app from version 3.1.1 to version 3.1.2, note the following important caveats:
1. The upgrade process deletes the local settings in the app key value store. This means that once you complete the upgrade, you must:
- Rebuild lookups for the app. See "Configure the Splunk App for Microsoft Exchange".
- Reconfigure any thresholds that you set up in the "Thresholds" dialog. See "Change thresholds".
| Install a license | Upgrade from 3.0.x and earlier |
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.1.0, 3.1.1
Download manual
Feedback submitted, thanks!