How to upgrade the Splunk App for Microsoft Exchange

The commands that appear in this topic are for use on PowerShell. If you use *nix, substitute PowerShell commands with *nix counterparts. If you use different directories for Splunk Enterprise and deployment server, substitute the directories that appear here with your specific directories.

Disk space and memory requirements on dedicated search heads increase significantly because of app key value store, increased lookup sizes, and a data model. These requirements increase based on the number of hosts in your deployment. You might need to add more storage or replace search heads with hosts that have more memory and CPU cores available. See "Size and scale a Splunk App for Microsoft Exchange deployment."

From version 4.0.1 to this version

Follow the steps to upgrade your deployment to the new version of the Splunk App for Microsoft Exchange.

1. Download the Splunk App for Microsoft Exchange from Splunkbase.
2. Download the Splunk Add-on for Windows from Splunkbase.
3. Download the Splunk Add-ons for Microsoft Exchange from Splunkbase.
4. Unarchive the add-ons to a location that is accessible from all hosts in your Exchange deployment.

If you're using TA-Windows version 6.0.0 or later, you don't need TA_AD and TA_DNS. TA_AD and TA_DNS are merged with TA-Windows version 6.0.0.

Upgrade the Splunk App for Microsoft Exchange on each search head

The search head is the Splunk Enterprise instance that runs the Splunk App for Microsoft Exchange and shows all of the app data. These upgrade instructions should be performed on any host that has been designated as a search head in your Exchange deployment.

1. Backup local changes (local folder) created on the search head and search head deployer (Optional).
2. Remove the existing app and add-on from your search head (/etc/apps) or search head cluster (/etc/shcluster/apps) environment.
3. Put the new extracted exchange app and add-on in the /etc/shcluster/apps/ directory on your search head deployer. If you have a single search head, put the new extracted exchange app in /etc/apps/.
4. Copy the local folder in the /etc/shcluster/apps/splunk_app_microsoft_exchange/ on the searchhead deployer. In case of standalone searchhead, put the local folder in /etc/apps/splunk_app_microsoft_exchange/.
5. Push the updated bundle from the search head deployer to all your search heads.
6. Once the apps are pushed successfully, open the search & Reporting App.
7. Run the below upgradescript command in the search & Reporting app. After successfully running the command, you will see "upgrade script completed successfully". See the following example:
   The following Splunk search returns upgradescript command result:

   | upgradescript
   

   After successfully running the above command, this output should appear:

   messages
   ---------------------------------------
   upgrade script completed successfully
   

8. Perform a Rolling Restart on the search head
9. Once the apps are pushed successfully, run the guided setup again on any of the search heads.
10. Enable the acceleration for data models "Microsoft Exchange" and "MSExchange Messaging". See Enable data model acceleration and use data models.

Troubleshoot permissions issues after an upgrade

The Splunk App for Microsoft Exchange installs a new user role, exchange-admin. The Splunk user that uses the Splunk App for Microsoft Exchange must have this role, otherwise the app will not function correctly.

If, during the first time process, you see that the app does not find any data and you know that the data exists (such as in the case of an upgrade), be sure to add the exchange-admin role to the user that uses the app, as described in the troubleshooting page.