Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of Splunk® App for Microsoft Exchange (EOL). For documentation on the most recent version, go to the latest release.

Platform and hardware requirements

This topic discusses the underlying requirements for running the Splunk App for Microsoft Exchange.

What versions of Splunk Enterprise does the app support?

The Splunk App for Microsoft Exchange supports the following versions of Splunk Enterprise:

  • Splunk Enterprise 7.3.x through Splunk Enterprise 8.2.0
  • All indexers and search heads in a Splunk App for Microsoft Exchange deployment must run Splunk platform versions 7.3.x through 8.2.0
  • Universal forwarders and license masters in the deployment must run version 7.3.x through 8.2.0

Distributed installation of this app

This table provides a quick reference for installing this app onto a distributed deployment of Splunk Enterprise.

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install this app onto all search heads where you require knowledge management. |
| Indexers | No | No | The Splunk App for Microsoft Exchange does not require installation on indexers, but some components that the app needs to work, such as the Splunk Add-on for Windows and Splunk Add-on for Microsoft Exchange Indexes, must be installed there. |
| Heavy Forwarders | No | No | The Splunk App for Microsoft Exchange does not do anything when you install it on a heavy forwarder, but you can install components that the app needs to function on HFs if you want. |
| Universal Forwarders | No | No | Use universal forwarders to get the data you need for the app. See the following chapters for instructions on how to configure forwarders to get data (each link goes to the first topic in the chapter): |
| Light Forwarders | No | No | You can use light forwarders to send data to indexers for the app, but remember that light forwarders have been deprecated and could be removed in a future version of Splunk Enterprise, and that universal forwarders have better performance than light forwarders. |

Distributed deployment compatibility

This table provides a quick reference for the compatibility of this app with Splunk distributed deployment features.

| Distributed deployment feature | Supported | Comments |
|---|---|---|
| Search Head Clusters | Yes | You can install this app on a search head cluster. Follow the procedures that this manual outlines to get the data for the app, then install the app on the cluster. |
| Indexer Clusters | Yes | Before you start the Splunk App for Microsoft Exchange installation, configure your indexer cluster. |
| Deployment Server | Yes | These instructions use a deployment server to set up some of the basic environment for the Splunk App for Microsoft Exchange, including the "send to indexer" package, which tells forwarders that connect to the deployment server to send data to indexers or indexer clusters that you have configured for use with the app. |

Hardware and Operating System requirements

Hardware requirements

The Splunk App for Microsoft Exchange installs onto a full Splunk Enterprise instance. The app does not install onto a universal forwarder or a light forwarder.

The app has memory, CPU, and disk requirements that are higher than the standard hardware requirements for the core Splunk Enterprise platform. The added resource requirements depend on how you deploy the app. Be sure to deploy hardware that meets or exceeds the hardware requirements listed in the core Splunk Enterprise documentation.

  • For additional details about supported versions of Windows for Splunk Enterprise, see "System requirements" in the core Splunk Enterprise documentation.
  • For information about estimating hardware requirements for a Splunk deployment, read the following core Splunk Enterprise documentation topics:

Additional requirements for dedicated search heads

If you have or plan to use the Splunk App for Microsoft Exchange in a distributed environment with dedicated search heads that host the app, note that the CPU and disk space requirements are significantly higher because the app uses App Key Value Store, extensive lookups, and a data model.

Prepare to have a minimum of the following per host on all dedicated search heads:

  • 8 available CPU cores (See "Reference Hardware" in the Capacity Planning manual for additional information on dedicated search heads)
  • 40 GB of available disk space (or more, depending on the number of Exchange hosts in your deployment)

If you plan to upgrade from a previous version of the app, upgrade your hardware infrastructure prior to starting the upgrade process.

Operating system requirements

There are different operating system requirements depending on what components of the Splunk App for Microsoft Exchange you install.

Splunk App for Microsoft Exchange

You can install the Splunk App for Microsoft Exchange on Splunk Enterprise instances that run on current versions of Windows, including:

  • Windows Server 2012, 2012 R2, 2016 (64-bit only), 2019 (64-bit only)

You can also install the app on a Splunk Enterprise instance that runs on other 64-bit operating systems such as Linux. In this scenario, the app displays Windows data coming from external Windows sources.

The app requires a 64-bit operating system because of App Key Value Store.

Splunk Add-ons for Microsoft Exchange

You can install the Splunk Add-ons for Microsoft Exchange onto universal forwarders on many versions of Windows, including:

  • Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016 (64-bit only).

The add-on collects Exchange Server data for the Splunk App for Microsoft Exchange and must run only on Windows hosts.

Unsupported operating systems

Splunk Enterprise, the Splunk App for Microsoft Exchange, and the Splunk Add-ons for Microsoft Exchange do not run on:

  • Windows 95, 98, or Me
  • Windows NT Workstation or Server 3.1, 3.5, or 4.0
  • Windows 2000 Workstation or Server
  • Windows 2000, 2003, 2003 R2 Server

What versions of Microsoft Exchange Server does the app support?

  • Exchange Server 2010 (requires Windows Server 2008 SP2 or Server 2008 R2 SP1 or later)
  • Exchange Server 2013 (requires Windows Server 2012 RTM or later)
  • Exchange Server 2016 (requires Windows Server 2012 R2 RTM or later)
  • Exchange Server 2019 (requires Windows Server 2019 Standard or Datacenter)

Unsupported versions of Microsoft Exchange

The app does not support Exchange Server 2003 because it does not have the level of logging capabilities that Server 2010 does. The logging format for Exchange Server 2003 is also different from later versions of the product. The app also does not support Exchange Server 2000 or 2007.

What browsers does the Splunk App for Microsoft Exchange support?

The Splunk App for Microsoft Exchange supports all browsers that the current version of Splunk Enterprise supports, except Internet Explorer versions 7 or 8.

What are the other prerequisites?

The following table provides compatibility information for TA-Windows versions 7.0.0, 8.0.0, and 8.1.2.

| Compatible TA-Windows version | Compatible Exchange app/add-on version | Compatible Splunk platform version | Compatible Exchange Server version | Compatible Windows Server version | Compatible TA-AD version | Compatible TA-DNS version | Compatible SA-LDAP version |
|---|---|---|---|---|---|---|---|
| 6.0.0 | 4.0.1 | 7.2.x to 7.3.x | 2010, 2013, 2016, 2019 | 2012, 2012 R2, 2016 | N/A | N/A | 3.0.1 |
| 7.0.0 | 4.0.1 | 7.2.x to 8.1.0 | 2010, 2013, 2016, 2019 | 2012, 2012 R2, 2016, 2019 | N/A | N/A | 3.0.1 |
| 7.0.0 | 4.0.2 | 7.3.x to 8.1.0 | 2010, 2013, 2016, 2019 | 2012, 2012 R2, 2016 | N/A | N/A | 3.0.2 |
| 8.0.0 | 4.0.2 | 7.3.x to 8.1.0 | 2010, 2013, 2016, 2019 | 2012, 2012 R2, 2016, 2019 | N/A | N/A | 3.0.2 |
| 8.1.2 | 4.0.3 | 7.3.x, 8.0.x, 8.1.x | 2010, 2013, 2016, 2019 | 2012, 2012 R2, 2016, 2019 | N/A | N/A | 3.0.2 |
| 8.1.2 | 4.0.3 | 8.0.x to 8.2.x | 2010, 2013, 2016, 2019 | 2012, 2012 R2, 2016, 2019 | N/A | N/A | 3.0.3 |

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

The Splunk Add-on for Windows version 7.0.0 or later

To collect data from the Windows and Active Directory servers in your environment, you need the Splunk Technology Add-on for Windows version 7.0.0 or later.

This add-on installs into the universal forwarder that you install on the Windows servers from which you want to collect Windows data. Optionally, it also installs onto all indexers in the central Splunk App for Microsoft Exchange instance for data collection (on Windows servers) and to add knowledge for extractions.

You can download the Splunk Add-on for Windows from Splunkbase.

The Splunk Add-ons for Microsoft Exchange version 4.0.2

The Splunk Add-ons for Microsoft Exchange must be installed on universal forwarders that have been installed on Exchange Server hosts in the deployment.

You can download the Splunk Add-ons for Microsoft Exchange from Splunkbase.

The Splunk Add-ons for Microsoft Active Directory and Windows DNS version 1.0.0 or later

The Splunk Add-ons for Microsoft Active Directory and Windows DNS must be installed on indexers, search heads, and universal forwarders in the deployment.

You can download the Splunk Add-on for Microsoft Active Directory and Splunk Add-on for Windows DNS from Splunkbase.

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

The Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) version 3.0.2

The Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) version 3.0.2 or later must be installed on the same instance of Splunk Enterprise where the Splunk App for Microsoft Exchange resides.

You can download the Splunk Supporting Add-on for Active Directory from Splunkbase.

PowerShell version 2.0 or later

All Windows hosts from which you want to collect data - including those that participate in Exchange and Active Directory - require PowerShell 2.0 or later to be installed.

The Splunk Add-on for PowerShell

All of the add-ons that come with the Splunk App for Microsoft Exchange require the Splunk Add-on for PowerShell to function. You install this add-on into universal forwarders on machines that forward Active Directory and DNS data.

You can download the Splunk Add-on for PowerShell from Splunk Apps.

The Splunk Add-on for Microsoft Exchange Indexes version 4.0.3

The Splunk Add-on for Microsoft Exchange Indexes package must be installed on indexers because it contains all of the indexes that the Exchange app uses.

A Splunk App for Microsoft Exchange license

The Splunk App for Microsoft Exchange requires a license for indexing volume in addition to the license you get for Splunk Enterprise. See Install a license.

Splunk App for Microsoft Exchange licenses cannot be stacked.

A proficient understanding of distributed Splunk deployments

If you plan for your Splunk App for Microsoft Exchange deployment to monitor a large number of Exchange servers, or even a small number, you must understand how distributed Splunk works. You must understand how the instance of Splunk Enterprise that hosts the app interacts with the universal forwarders that send data to the app. You must also understand what you need to do to increase search and indexing performance to make the app run faster. Read the following core Splunk topics for additional information:

Time and patience

The Splunk App for Microsoft Exchange is an advanced application that has several components that must be configured correctly in order for the app to run. Depending on the size of your Exchange network, it can take a while to get a Splunk App for Microsoft Exchange deployment up and running correctly.

You will spend time procuring hardware, identifying servers you want to monitor, installing the app and its included add-ons, tweaking configurations, and troubleshooting any issues you come across.

The setup instructions in this manual span several chapters and use the Splunk Enterprise deployment server for automation wherever possible. Still, expect to spend a minimum of 4 to 8 hours on the project, and longer if you have a large deployment.

If your deployment is large or complex, Splunk is here to help. You can contact Professional Services for assistance if you have an Enterprise support contract with us.

Do not install and configure the Splunk App for Windows Infrastructure and Splunk App for Microsoft Exchange on the same search head

The Splunk App for Windows Infrastructure and the Splunk App for Microsoft Exchange should not be installed on the same search head. Both apps contain identical knowledge objects that may cause a conflict when installed on the same search head deployment. If you need the dashboards and functionality of both apps on the same search head, install only the Exchange app, because it has all of the same dashboards and functionality as the Windows Infrastructure app.

Last modified on 13 July, 2021

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 4.0.3

