Splunk® App for Microsoft Exchange

Deploy and Use the Splunk App for Microsoft Exchange



On October 22, 2021, the Splunk App for Microsoft Exchange will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for Microsoft Exchange.

How to deploy the Splunk App for Microsoft Exchange

To install the app, complete the following sections in sequence:

  • Set up basic infrastructure
  • Get Windows data in
  • Get Active Directory data in
  • Get Domain Name System (DNS) data in
  • Get Exchange Data in
  • Complete setup
  • Run the guided setup experience

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS: both were merged into TA-Windows in version 6.0.0.

What if I know how to install Splunk Enterprise and Splunk apps?

If you already have indexers, search heads, forwarders, and a deployment server set up, then you can skip most of the basic infrastructure setup chapter. If you have experience installing Splunk Enterprise, then perform the installation methods you are comfortable with. It is still a good idea to review the new procedure to get an understanding of how the components work together.

The process is as follows:

  • Set up indexer(s) to receive data.
  • Configure universal forwarders to forward data to the indexers.
  • Follow the "Getting Data In" topics to get the required data into the indexers.
  • Follow the "Complete Setup" topics to set up the app on search heads.
  • Run the guided setup experience to check for data presence and correct any problems.

The table below lists what components to install and where to install them.

Recommended Splunk App for Microsoft Exchange Component Installation Locations
Columns: Search Head | Indexer | Univ. Fwder. | Heavy Fwder. | Deploy. Serv.
Splunk App for Microsoft Exchange: X
Splunk Add-on for Windows [1]: X X X X X[W]
"Send to indexer" app [2]: X
Splunk Add-on for Microsoft Active Directory: X
Splunk Add-on for Windows DNS: X X X
Splunk Supporting Add-on for Active Dir.: X
Splunk Add-on for Microsoft Exchange Indexes: X

Recommended Splunk Add-on for Microsoft Exchange Component Installation Locations
Columns: Search Head | Indexer | Univ. Fwder. | Heavy Fwder. | Deploy. Serv.
TA-Exchange-ClientAccess: X
TA-Exchange-HubTransport: X
TA-Exchange-Mailbox: X
TA-Windows-Exchange-IIS: X
TA-SMTP-Reputation: X[3]

[1] You must configure this add-on before you install or deploy it.
[2] You only require this app when you use a deployment server and want to control all forwarding configurations from there.
[3] This host must have an outbound connection to the Internet.
[W] Only if this host runs Windows and you want to monitor it with the app.


Set up basic infrastructure

This chapter sets up the basic building blocks for the environment.

  1. Install and configure a Splunk indexer.
  2. Create the "send to indexer" app. This app configures forwarding on hosts that send data to the indexer.
  3. Set up a deployment server to manage the "send to indexer" and other apps.
  4. Install a universal forwarder on each Windows host and tell them to contact the deployment server for configuration and app downloads.
  5. As each universal forwarder connects, add them to a base "universal forwarder" server class to turn them into deployment clients.
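The following PowerShell is an added example, not part of the Splunk documentation or of the app itself, and scripts the five steps above. Section A runs on the indexer, section B on the deployment server and section C on each Windows host; every host name, path and file name in it (ds.example.com, idx1/idx2.example.com, C:\Program Files\Splunk, the MSI name, the certificate locations) is an assumption. It goes one step beyond the procedure in two places a security engineer would want: the forwarder-to-indexer channel is switched from the default clear-text splunktcp input to splunktcp-ssl with server-certificate verification, and the base server class uses a hostname whitelist scoped to the domain rather than `*`.

```powershell
# Added example, not from the Splunk documentation. All names and paths are
# assumptions. Set-Content overwrites: merge by hand if a file already exists.
$SplunkHome = 'C:\Program Files\Splunk'   # assumption: Splunk on Windows
$Splunk     = Join-Path $SplunkHome 'bin\splunk.exe'

# ---- A. Indexer (step 1): receive forwarder traffic on 9997 over TLS only ----
# Path shown for a Windows indexer; the same stanzas go into
# $SPLUNK_HOME/etc/system/local/inputs.conf on a Linux indexer.
@'
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = CHANGEME-indexer-key-password
requireClientCert = true
'@ | Set-Content -Path (Join-Path $SplunkHome 'etc\system\local\inputs.conf') -Encoding ASCII
& $Splunk restart

# ---- B. Deployment server (steps 2, 3 and 5) ----
# The "send to indexer" app lives in deployment-apps so the deployment server
# pushes it to every client in the base server class.
$AppLocal = Join-Path $SplunkHome 'etc\deployment-apps\send_to_indexer\local'
New-Item -ItemType Directory -Path $AppLocal -Force | Out-Null

# outputs.conf is the whole point of the app: where to forward, and how.
# sslVerifyServerCert plus sslCommonNameToCheck stop a forwarder from shipping
# data to anything that merely listens on 9997 with some certificate. The
# client certificate is assumed to be present on each forwarder already.
# Splunk encrypts sslPassword in the copy on each forwarder after its first
# restart, but this master copy stays clear text, so restrict the ACL on the
# deployment-apps directory.
@'
[tcpout]
defaultGroup = exchange_indexers

[tcpout:exchange_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useACK = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = CHANGEME-forwarder-key-password
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com, idx2.example.com
'@ | Set-Content -Path (Join-Path $AppLocal 'outputs.conf') -Encoding ASCII

# serverclass.conf: the base "universal forwarder" class of step 5. A whitelist
# scoped to the domain, instead of *, means a host that can reach port 8089 but
# is not yours is not handed the app (and the indexer addresses inside it).
@'
[serverClass:universal_forwarder]
whitelist.0 = *.corp.example.com

[serverClass:universal_forwarder:app:send_to_indexer]
restartSplunkd = true
'@ | Set-Content -Path (Join-Path $SplunkHome 'etc\system\local\serverclass.conf') -Encoding ASCII
& $Splunk reload deploy-server

# ---- C. Each Windows host (step 4): install the universal forwarder as a
# deployment client. DEPLOYMENT_SERVER makes it register on first start, and
# outputs.conf then arrives inside send_to_indexer, so nothing about the
# indexers is typed on the host. No SPLUNKPASSWORD is passed here: it would be
# visible in process listings, and a forwarder managed from the deployment
# server is not administered through a local login anyway.
$Msi = 'C:\Temp\splunkforwarder-x64-release.msi'   # assumption: MSI staged locally
$MsiArgs = "/i `"$Msi`" AGREETOLICENSE=Yes DEPLOYMENT_SERVER=`"ds.example.com:8089`" /quiet"
Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait

# ---- Check (step 5): back on the deployment server, confirm each host has
# phoned home before expecting it to receive the app or send data.
& $Splunk list deploy-clients
```

The CLI calls (`restart`, `reload deploy-server`, `list deploy-clients`) prompt for the Splunk admin credentials of the instance they run on. If the indexers use a certificate whose subject does not match their host names, set sslCommonNameToCheck to the actual common names, or use sslAltNameToCheck, rather than turning sslVerifyServerCert off.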

Once you complete this chapter, you have the basic framework for a deployment.

Get Data In

The next chapters take you through configuring the apps and add-ons that the Splunk App for Microsoft Exchange needs and deploying them to the right deployment clients. At the end of each chapter, you can confirm that data is present on the indexer by running some sample search commands.

  1. The "Get Windows data" chapter discusses getting Windows data into the indexer. Complete it to install the Splunk Add-on for Windows on every Windows machine in the environment.
  2. The "Get Active Directory data" chapter details configuring Active Directory and getting AD data into the indexer. Complete the instructions in this chapter to install the Splunk Add-ons for Active Directory on Active Directory hosts in the environment.
  3. The "Get Domain Name System (DNS) data" chapter provides instructions on how to get Windows DNS data into the service. Perform the procedures in this chapter to deploy the Splunk Add-ons for Windows DNS on DNS hosts and get DNS data.
  4. The "Get Exchange data" chapter completes the data consumption phase of setup. Finish the steps within to install the Splunk Add-ons for Microsoft Exchange and get Exchange data in.


Complete setup

After getting data in and confirming that it is there, complete setup.

  1. Install the app and some add-ons onto the central instance.
  2. Install an app license.

The Splunk App for Microsoft Exchange comes with a 60-day trial license. The app ceases to function if it cannot find this license or if the license expires. This license is separate from, and in addition to, any license(s) you have for Splunk Enterprise. See the licensing topic in this manual for additional information on how to get a license.

Enable data model acceleration

An admin can enable data model acceleration or change the acceleration period. Complete the following steps on the search head to enable acceleration of the "MSExchange_Messaging" and "Microsoft_Exchange" data models:

  1. Log in to the search head.
  2. Go to Settings > Data models.
  3. Select Splunk App for Microsoft Exchange in the App filter to see the data models defined in the Splunk App for Microsoft Exchange.
  4. Select Edit next to the data model you want to enable acceleration for.
  5. Select Edit Acceleration.
  6. Check Accelerate.
  7. Select the summary range to specify the acceleration period. The default summary range is 1 day for the "MSExchange_Messaging" data model and 7 days for the "Microsoft_Exchange" data model.
  8. Click Save.

Run the guided setup experience

After you add a license, activate the app.

  1. Log into the search head.
  2. Select the app to start the guided setup experience. See Configure the Splunk App for Microsoft Exchange.
  3. Follow the prompts to confirm prerequisites, locate minimum data requirements, and configure aliases. You might need to go to other apps like the Splunk Supporting App for Active Directory to add or change configurations.
  4. Wait as the app searches for your data, builds lookups and data models, and enables features and pages.
  5. After setup completes, the app is ready for use.
  6. (Optional) See the Splunk App for Microsoft Exchange Reference manual to learn about the new pages that come with the app, and how to use all of the app dashboards.
Last modified on 13 July, 2021

This documentation applies to the following versions of Splunk® App for Microsoft Exchange: 4.0.2, 4.0.3

