Splunk® App for Microsoft Exchange (EOL)

Deploy and Use the Splunk App for Microsoft Exchange

On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.

Install and configure a Splunk Enterprise Indexer

This topic discusses installing the basic building block of a Splunk App for Microsoft Exchange deployment: a Splunk Enterprise indexer.

In this procedure, you install the indexer and then configure it to receive data from other Splunk Enterprise instances.

Install the indexer

For information on the Splunk Enterprise system requirements, see System requirements in the Installation Manual. For installation instructions for a specific operating system, see Installation instructions in the Installation Manual.

  1. Prepare a host that meets or exceeds the Splunk Enterprise system requirements.
  2. Write down the host name and IP address for the host that you are preparing.
  3. Confirm that no firewall blocks any network traffic into or out of this host.
  4. Download the Splunk Enterprise software onto the host.
  5. Install the correct version of the Splunk software for the operating system that the host runs.
  6. After installation, confirm that the Splunk Enterprise software functions. At a minimum:
  7. If everything checks out, configure the indexer to have the correct indexes for the Splunk App for Microsoft Exchange.

Configure indexes

The indexer must have the indexes for the Splunk App for Microsoft Exchange defined before you can begin indexing the data. The Splunk Add-on for Microsoft Exchange Indexes defines those indexes. Every indexer in a Splunk App for Microsoft Exchange environment needs this configuration file.

  1. Download the latest version of the Splunk Add-on for Microsoft Exchange Indexes.
  2. When prompted, choose an accessible location to save the download. Do not attempt to run the download.
  3. Extract the package contents to the $SPLUNK_HOME/etc/apps directory.
  4. Restart Splunk Enterprise. From the same PowerShell window:
      > cd \Program Files\Splunk\bin
      > .\splunk restart

Configure receiving

The Splunk App for Microsoft Exchange depends on an indexer that can receive data from other hosts. Without this capability, the app cannot function. You will now enable receiving on this indexer.

To configure the indexer to receive data from other Splunk Enterprise instances:

  1. Log into Splunk Enterprise on the indexer.
  2. In the system bar, click Settings > Forwarding and Receiving. Splunk Enterprise loads the "Forwarding and Receiving" page.
  3. Under "Receive Data" click Configure Receiving.
  4. Click New.
  5. In the Listen on this port field, enter the port number that you want Splunk Enterprise to listen on for incoming data from other Splunk instances. The conventional port number is 9997.
  6. Click Save. Splunk Enterprise saves the port number and enables receiving on the indexer.
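
The following PowerShell script checks the two configuration steps above on the indexer: that the indexes add-on is in place and contributes index definitions, and that receiving is enabled on the chosen port. It is an added example, not part of the Splunk documentation. It assumes a Windows indexer installed under C:\Program Files\Splunk and the conventional port 9997, and you supply the name of the folder that the indexes add-on extracted to.

```powershell
# Added example: post-setup check for the indexer (not Splunk-provided code).
param(
    [Parameter(Mandatory)][string]$IndexesApp,          # folder name of the add-on under etc\apps
    [string]$SplunkHome  = 'C:\Program Files\Splunk',   # assumed install path
    [int]   $ReceivePort = 9997                         # port entered in "Listen on this port"
)

$splunk = Join-Path $SplunkHome 'bin\splunk.exe'
if (-not (Test-Path $splunk)) { throw "splunk.exe not found at $splunk" }
$ok = $true

# 1. The add-on must sit directly under etc\apps and carry an indexes.conf.
$appDir = Join-Path $SplunkHome "etc\apps\$IndexesApp"
if (-not (Get-ChildItem $appDir -Recurse -Filter indexes.conf -ErrorAction SilentlyContinue)) {
    Write-Warning "No indexes.conf found under $appDir"
    $ok = $false
}

# 2. btool prints the merged on-disk configuration; --debug prefixes each line
#    with its source file, so keep only stanza headers that come from the add-on.
$needle  = "\etc\apps\$IndexesApp\"
$stanzas = & $splunk btool indexes list --debug | Where-Object {
    $_.IndexOf($needle, [StringComparison]::OrdinalIgnoreCase) -ge 0 -and
    $_ -match '\[[^\]]+\]\s*$'
}
if ($stanzas) {
    "Index stanzas contributed by ${IndexesApp}:"
    $stanzas | ForEach-Object { '  ' + ($_ -replace '^.*(\[[^\]]+\])\s*$', '$1') }
} else {
    Write-Warning "btool shows no index stanzas from $IndexesApp"
    $ok = $false
}

# 3. After a restart, something must be listening on the receiving port.
#    Print the bound address and owning process so an unexpected listener stands out.
$listeners = Get-NetTCPConnection -LocalPort $ReceivePort -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    foreach ($l in $listeners) {
        $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        "Listening on $($l.LocalAddress):$($l.LocalPort) (process: $($p.ProcessName))"
    }
} else {
    Write-Warning "Nothing is listening on TCP $ReceivePort"
    $ok = $false
}

# 4. Show where the receiving stanza was saved, for the record.
& $splunk btool inputs list splunktcp --debug
if (-not $ok) { exit 1 }
```

Run it after the restart in the "Configure indexes" procedure; a non-zero exit code means at least one check failed.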

Next Steps

With the indexer set up, you have begun the process of building out a Splunk App for Microsoft Exchange deployment.

Confirm that you have written down the host name or IP address and port number of the indexer. You need it for the next step of the setup process.

Before you proceed, read our documentation on apps. You will create a simple app in the next step.

Create the send to indexer app

Last modified on 06 October, 2021

This documentation applies to the following versions of Splunk® App for Microsoft Exchange (EOL): 4.0.4
