Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange


On October 22 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.
This documentation does not apply to the most recent version of MSExchange. Click here for the latest version.

What a Splunk App for Microsoft Exchange deployment looks like

This topic discusses the overall architecture of a Splunk App for Microsoft Exchange deployment.


A Splunk App for Microsoft Exchange deployment consists of a Splunk Enterprise instance, which contains the index, runs Splunk Web, and is where users view the app, and a number of universal forwarders: one for each Exchange, Active Directory, or Windows server you want to include in the deployment.

This manual guides you through the installation of nearly all components on one host. This means that:

  • The host acts as the indexer to receive incoming data from forwarders.
  • The host acts as a deployment server to manage forwarders and deploy apps and configurations.
  • The host acts as a search head to host the app and view the incoming data.

Only the universal forwarders in this deployment are on different hosts. This helps reduce confusion about which components need to be installed where.

After you gain an understanding of how the app and its components work, see Size a Splunk App for Microsoft Exchange deployment for information on how to scale your Exchange App deployment for increased performance in larger environments.

How it comes together

The diagram below depicts an example Splunk App for Microsoft Exchange deployment.

[Diagram: example Splunk App for Microsoft Exchange deployment]

In this deployment:

  • You set up a Splunk Enterprise instance that acts as the indexer.
  • You configure the instance to be a deployment server. The deployment server handles apps, add-ons, and other configurations for universal forwarders that connect to it (deployment clients).
  • You install a universal forwarder on each Windows, Exchange, and Active Directory host in your environment. You tell the forwarder to connect to the deployment server.
  • You configure the deployment server to install the add-on that collects the appropriate data for the role that each server plays in the Exchange deployment. The universal forwarder then sends that data to the indexer.

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.
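
The wiring described in the list above, sketched as the three Splunk configuration files involved. This is an added example, not configuration from the original manual. The host name splunk-hub.example.com, the server class name, the host-name patterns, the app directory names Splunk_TA_windows and sendtoindexer, and the ports 8089 and 9997 (Splunk's conventional management and receiving ports) are assumptions.

```ini
# --- On each universal forwarder: deploymentclient.conf ---
# Points the forwarder (deployment client) at the deployment server.
# Host name and management port are assumptions.
[deployment-client]

[target-broker:deploymentServer]
targetUri = splunk-hub.example.com:8089

# --- On the Splunk Enterprise host: serverclass.conf ---
# Groups clients into a server class and lists the apps that class receives.
# The class name and host-name patterns are hypothetical.
[serverClass:exchange_environment]
whitelist.0 = exch-*
whitelist.1 = dc-*

# Add-on that collects the data. Splunk_TA_windows is assumed to be the
# directory name of TA-Windows under etc/deployment-apps.
[serverClass:exchange_environment:app:Splunk_TA_windows]
stateOnClient = enabled
restartSplunkd = true

# Hypothetical app that carries only the outputs.conf shown below.
[serverClass:exchange_environment:app:sendtoindexer]
stateOnClient = enabled
restartSplunkd = true

# --- Inside the sendtoindexer app: local/outputs.conf ---
# Tells the forwarder where to send collected data. In this manual's
# single-host layout the indexer is the same host as the deployment server.
[tcpout]
defaultGroup = hub_indexer

[tcpout:hub_indexer]
server = splunk-hub.example.com:9997
```

Because every client that matches the server class installs whatever the deployment server publishes, access to that host and to its deployment-apps directory deserves the same protection as administrative access to the forwarders themselves.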

Get started

The next page details the installation of the first piece of your Splunk App for Microsoft Exchange deployment: setting up the indexer that will act as the hub for the entire operation.

Last modified on 18 October, 2019

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 4.0.0, 4.0.1, 4.0.2, 4.0.3
