Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of MSExchange. Click here for the latest version.
Acrobat logo Download topic as PDF

Download and configure the Splunk Add-on for Windows

In this part of the setup process, you get Windows data into the Exchange App environment by installing the Splunk Add-on for Windows.

About the Splunk Add-on for Windows

The Splunk Add-on for Windows collects Windows data from Windows hosts. In the context of the Splunk App for Microsoft Exchange, the add-on collects Windows data and provides knowledge objects for the app. You should deploy the Splunk Add-on for Windows to the following components of a Splunk App for Microsoft Exchange environment:

  • All hosts that run Exchange Server.
  • All hosts that run Active Directory Domain Services (including domain controllers and DNS servers).
  • All Windows hosts from which you want Windows data.
  • All indexers.
  • All search heads.
  • Basically, everywhere.

Download the Splunk Add-on for Windows

You can download the Splunk Add-on for Windows from Splunkbase.

  1. In a web browser, proceed to the Splunk Add-on for Windows download page.
  2. Click the download link to begin the download process. You might need to sign in with your Splunk account before the download starts.
  3. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
  4. Use an archive utility such as WinZip to unarchive the file to an accessible location.

Configure the Splunk Add-on for Windows

Before the add-on can collect Windows data, you must configure it.

  1. In the location where you unarchived the download file, locate the Splunk_TA_Windows directory.
  2. Inside this directory, make a subdirectory local.
  3. Copy the inputs.conf file in the default subdirectory to the local directory.
  4. Open the inputs.conf in the local subdirectory with a text editor, such as Notepad.
  5. Enable the Windows inputs you want to get data for. Do this by changing the value of the disabled attribute in each input stanza from 1 to 0.
    Note: At a minimum, enable the following sets of inputs:
    Input: Supported page(s):
    [WinEventLog://Application], [WinEventLog://Security], [WinEventLog://System] POP3/IMAP4 access from Exchange Client Access Servers

    Event Monitoring

    [perfmon://FreeDiskSpace], [perfmon://Memory], [perfmon://LocalNetwork], [perfmon://CPUTime] Performance Monitoring
    Network Monitoring inputs Network Monitoring
    Print Monitoring inputs Print Monitoring
    Host Monitoring inputs Host Monitoring
  6. Save the inputs.conf file in the local subdirectory.

Next Step

You have downloaded and configured the Splunk Add-on for Windows. Next, you will deploy it to the deployment clients. After they receive the add-on, they use the configuration in the "send to indexer" app to send Windows data to the indexer.

Deploy the Splunk Add-on for Windows

Last modified on 13 January, 2017
Add the universal forwarder to the server class
Deploy the Splunk Add-on for Windows

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 3.4.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters