Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

Acrobat logo Download manual as PDF


On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Set up a deployment server and create a server class

What is deployment server?

The Splunk Enterprise deployment server is a system that distributes apps, configurations, and other assets to other Splunk instances. Deployment server can send assets to other full Splunk Enterprise instances as well as light and universal forwarders.

Deployment server is available on every full Splunk Enterprise instance. To use it, activate it.

In this setup you will use the deployment server to distribute the "send to indexer" app to all universal forwarders in the Splunk App for Microsoft Exchange deployment. You accomplish this through the Forwarder Management scheme.

Learn more about deployment server at About deployment server and forwarder management in Updating Splunk Enterprise Instances.

Why use deployment server?

Deployment server is the fastest way to get apps and configurations deployed to your Splunk universal forwarders. It is the most native way to get your environment up and running. It's also free with Splunk Enterprise.

This procedure uses deployment server to get you familiarized with the concept of using it to distribute apps and configurations quickly and efficiently.

It is not a requirement to use deployment server, however. If you want, you can use an external tool, such as Windows System Center Configuration Manager or chef, puppet, or salt if your deployment runs on *nix servers.

Activate deployment server

To activate deployment server, you must place at least one app into %SPLUNK_HOME%\etc\deployment-apps on the host you want to act as deployment server. In this case, the app is the "send to indexer" app you created earlier, and the host is the indexer you set up initially.

  1. On the indexer, use your operating system file management tools to copy the "sendtoindexer" folder from the Splunk Apps directory to the Splunk Deployment Apps directory. Open a PowerShell window and type the following:
    > Copy-Item -Path C:\Program Files\Splunk\etc\apps\sendtoindexer -Destination C:\Program Files\Splunk\etc\deployment-apps\sendtoindexer
    
  2. From the same command-line prompt, restart Splunk Enterprise.
    > cd C:\Program Files\Splunk\bin
    > .\splunk restart
    
  3. Log back into Splunk Enterprise. The indexer has now gained the deployment server capability.

View apps in Forwarder Management

After you have logged back in, confirm that deployment server has activated and is aware of the new "send to indexer" app.

  1. In the system bar, click Settings > Forwarder Management.
  2. Click the Apps tab. You should see the "sendtoindexer" app in the list.

If you don't see the app, review the instructions in "Activate deployment server" and confirm that you have copied the entire "sendtoindexer" folder over to the Splunk deployment apps directory.

Configure a server class for the app

The next step is to define a server class for the "send to indexer" app.

Server classes are logical data structures that tell deployment servers where and what to send to one or more deployment clients. A server class treats a set of deployment clients as a group - any member of a server class receives apps and configurations that the server class defines.

In this case, server classes tell deployment server when and where to deploy the "send to indexer" app. This procedure creates the server class, then assign the "send to indexer" app to this class. Later, you add universal forwarder clients to the class.

When you set up server classes later on in the setup process, you can enter a unique name for the server class that describes the hosts that belong in the class, and that you will remember.

Exch 31 serverclass.png

  1. From the Apps tab in Forwarder Management, in the "sendtoindexer" listing under "Actions", click Edit. Splunk Enterprise loads the "Edit app: sendtoindexer" page.
  2. Click "+" under "Server Classes."
  3. In the pop-up that appears, click New Server Class.
  4. In the "New Server Class" dialog box that pops up, enter "Universal Forwarders".
  5. Click Save. Splunk Enterprise saves the class and loads the information page for the server class you just created.
    Note: When you first create a server class, the page says you have not added any apps or clients yet. This is okay.
  6. Click Add apps. The "Edit Apps" page loads.
  7. Locate and click the "sendtoindexer" app in the "Unselected Apps" pane on the left. The app moves to the "Selected Apps" pane on the right.
  8. Click Save. The configuration saves and the server class information page reappears.

Next step

You have activated deployment server and configured a server class for the "send to indexer" app. Clients that are a member of this class will receive the app automatically when they connect to this deployment server.

Install a universal forwarder on each Windows host

Last modified on 04 April, 2017
PREVIOUS
Create the "send to indexer" app
  NEXT
Install a universal forwarder on each Windows host

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 3.4.2, 3.4.3, 3.4.4, 3.5.0, 3.5.1, 3.5.2, 4.0.0, 4.0.1, 4.0.2, 4.0.3


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters