Splunk® App for Microsoft Exchange

Deploy and Use the Splunk Add-ons for Microsoft Exchange



On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of MSExchange.

Upgrade the Splunk Add-on for Microsoft Exchange

Step 1. Upgrade the Forwarders

Upgrade the forwarders with the deployment server

Prepare the new Add-ons

  1. Download the Splunk Add-on for Microsoft Exchange from Splunkbase.
  2. Extract the Splunk Add-on for Microsoft Exchange to the deployment apps directory %SPLUNK_HOME%\etc\deployment-apps on the deployment server.
  3. Within each Exchange Add-on directory in the deployment apps directory, create a local directory. For example, in %SPLUNK_HOME%\etc\deployment-apps\TA-Exchange-ClientAccess, create %SPLUNK_HOME%\etc\deployment-apps\TA-Exchange-ClientAccess\local.
  4. For each Exchange add-on, copy the inputs.conf from the default directory of the add-on to the local directory you just created.
  5. For each Exchange add-on, use a text editor to edit the inputs.conf files in the local directory and enable stanzas for the version of Exchange server that you run.
  6. If you have made any customizations to the old set of Exchange add-ons, copy and paste those configurations from the local directory of those add-ons into the local directory of the new Exchange add-ons.
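
Steps 3 to 5 above, scripted in PowerShell for the deployment server. This is an added example, not part of the Splunk documentation; it assumes the SPLUNK_HOME environment variable is set and that the add-on directories match the pattern TA-Exchange-* (adjust the filter if your package uses other names).

```powershell
# Added example: stage local\inputs.conf for each Exchange add-on.
# Assumptions: SPLUNK_HOME is set; add-on directories match TA-Exchange-*.
if (-not $env:SPLUNK_HOME) { throw 'SPLUNK_HOME is not set' }
$deployApps = Join-Path $env:SPLUNK_HOME 'etc\deployment-apps'

Get-ChildItem -Path $deployApps -Directory -Filter 'TA-Exchange-*' | ForEach-Object {
    $default  = Join-Path $_.FullName 'default\inputs.conf'
    $localDir = Join-Path $_.FullName 'local'
    $local    = Join-Path $localDir 'inputs.conf'

    if (-not (Test-Path $default)) {
        Write-Warning "$($_.Name): no default\inputs.conf, skipping"
        return   # inside ForEach-Object this moves on to the next add-on
    }

    # Step 3: create the local directory if it does not exist yet.
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null

    # Step 4: copy inputs.conf, but never overwrite an existing local copy,
    # so customizations already placed there are preserved.
    if (Test-Path $local) {
        Write-Host "$($_.Name): local\inputs.conf already exists, left unchanged"
    } else {
        Copy-Item -Path $default -Destination $local
        Write-Host "$($_.Name): copied default\inputs.conf to local"
    }

    # Aid for step 5: list the stanzas that are still disabled, so you can
    # review them and enable only those for your Exchange version.
    $stanza = $null
    foreach ($line in Get-Content $local) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $stanza = $Matches[1]
        } elseif ($stanza -and $line -match '^\s*disabled\s*=\s*(1|true)\s*$') {
            Write-Host "  disabled: [$stanza]"
        }
    }
}
```

The script only reports disabled stanzas; enabling them remains a manual edit of each local\inputs.conf as described in step 5.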

Create server classes, push the new add-ons, and delete old add-ons

  1. On the deployment server, create a server class for each of the new Exchange add-ons.
  2. Assign the add-ons to the appropriate server class. For example, the TA-Exchange-HubTransport add-on should be assigned to the Exchange HubTransport server class.
  3. Assign the Windows Server, Exchange Server, and Active Directory hosts in your Exchange deployment to the appropriate server classes, depending on the roles that they perform. For example, Exchange Server hosts that hold the Hub Transport role should be assigned to the server class that has the TA-Exchange-HubTransport add-on assigned to it.
  4. Delete all of the old add-ons on the deployment server (for example: TA-DomainController-NT5, TA-Exchange-2013-Mailbox).
  5. Use the deployment server to push the new add-ons to all of the hosts in the deployment.
  6. Restart the deployment server.
  7. Restart all forwarders.

Upgrade the forwarders without the deployment server

Perform these steps on all the Exchange servers:

  1. Download the Splunk Add-on for Microsoft Exchange from Splunkbase.
  2. Stop the Splunk forwarder.
  3. Extract the Splunk Add-on for Microsoft Exchange to the apps directory %SPLUNK_HOME%\etc\apps.
  4. Start the Splunk forwarder.

Step 2. Upgrade the indexers

  1. Download the Splunk Add-on for Microsoft Exchange Indexes from Splunkbase and extract its components to the /apps folder for your deployment.
    1. For a non-indexer cluster deployment, extract to $SPLUNK_HOME/etc/apps.
    2. For indexer-clustering deployments, extract to $SPLUNK_HOME/etc/master-apps.
  2. For indexer-clustering deployments, push the configuration bundle from the cluster master node.
  3. For non-clustered indexers, restart Splunk on each indexer.
  4. Disable maintenance mode on the cluster master node.
Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 4.0.3

