How to upgrade the Splunk App for Microsoft Exchange
The commands that appear in this topic are for use on PowerShell. If you use *nix, substitute PowerShell commands with *nix counterparts. If you use different directories for Splunk Enterprise and deployment server, substitute the directories that appear here with your specific directories.
Disk space and memory requirements on dedicated search heads increase significantly because of app key value store, increased lookup sizes, and a data model. These requirements increase based on the number of hosts in your deployment. You might need to add more storage or replace search heads with hosts that have more memory and CPU cores available. See "Size and scale a Splunk App for Microsoft Exchange deployment."
From version 3.3.x to this version
Follow the steps to upgrade your deployment to the new version of the Splunk App for Microsoft Exchange.
- Download the Splunk App for Microsoft Exchange from Splunkbase.
- Download the Splunk Add-on for Windows from Splunkbase.
- Download the Splunk Add-on for Microsoft Active Directory from Splunkbase.
- Download the Splunk Add-on for Windows DNS from Splunkbase.
- Download the Splunk Add-ons for Microsoft Exchange from Splunkbase.
- Unarchive the add-ons to a location that is accessible from all hosts in your Exchange deployment.
Upgrade the Splunk App for Microsoft Exchange on each search head
The search head is the Splunk Enterprise instance that runs the Splunk App for Microsoft Exchange and shows all of the app data. These upgrade instructions should be performed on any host that has been designated as a search head in your Exchange deployment.
- Backup local changes (local folder) created on the search head and search head deployer (Optional).
- Remove the existing app and add-on from your search head (
/etc/apps
) or search head cluster (/etc/shcluster/apps
) environment. - Put the new extracted exchange app and add-on in the
/etc/shcluster/apps/
directory on your search head deployer. If you have a single search head, put the new extracted exchange app in/etc/apps/
. - Copy the local folder in the
/etc/shcluster/apps/splunk_app_microsoft_exchange/
on the searchhead deployer (in case of standalone searchhead, put the local folder in/etc/apps/splunk_app_microsoft_exchange/
) - Follow below steps to remove windows_apps.csv from the app and Push the updated bundle from the search head deployer to all your search heads.
- Remove
windows_apps
lookup if available from/etc/shcluster/apps/splunk_app_microsoft_exchange /lookups
on the searchhead deployer (in case of standalone searchhead, remove it from/etc/apps/splunk_app_microsoft_exchange/lookups
). - Remove following
windows_apps
lookup definition if available from/etc/shcluster/apps/splunk_app_microsoft_exchange/local/transforms.conf
on the searchhead deployer (in case of standalone searchhead, remove it from/etc/apps/splunk_app_microsoft_exchange/local/transforms.conf
)
[windows_app_lookup] filename = windows_apps.csv [windows_apps] filename=windows_apps.csv max_matches=1
- Remove
- Once the apps are pushed successfully, Run the guided setup again on any one of the search heads.
Troubleshoot permissions issues after an upgrade
The Splunk App for Microsoft Exchange installs a new user role,
exchange-admin
. The Splunk user that uses the Splunk App for Microsoft Exchange must have this role, otherwise the app will not function correctly.If, during the first time process, you see that the app does not find any data and you know that the data exists (such as in the case of an upgrade), be sure to add the
exchange-admin
role to the user that uses the app, as described in the troubleshooting page.
Install a license | Upgrade from 3.0.x and earlier |
This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.5.1
Feedback submitted, thanks!