Skip to content

Upgrade the Splunk Add-on for Microsoft Cloud Services

The following migration guide is required for upgrading from version 4.0.1 or later. Upgrading from any version older than 3.0.0 requires a fresh installation of version 4.0.1 or later.

A best practice for upgrading the Splunk Add-on for Microsoft Cloud Services is to remove your older version before re-installing the latest version of the Splunk Add-on for Microsoft Cloud Services.

Upgrade from a version older than 3.0.0

  1. Install the Splunk Add-on for Microsoft Cloud Services version 4.0.1 and later from the Splunk Web UI (make sure Upgrade App checkbox is selected).
  2. Restart the Splunk platform.
  3. Navigate to the input page of the Splunk Add-on for Microsoft Cloud Services. Alerts will appear, indicating incomplete account authorization.
  4. Edit each required input by clicking the click here link to navigate to the account configuration page or by directly navigating to the account configuration page.
  5. Complete the authorization of your account by adding your account secret key/account token.
  6. Repeat the above steps for all inputs with alert signs against them.

In previous versions, settings including proxy, logging, and performance were stored in splunk_ta_o365_client_setting.conf and splunk_ta_o365_server_setting.conf. In version 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services, all setting and performance tuning configurations are in splunk_ta_mscs_setting.conf. The default log level is INFO.

Versions 3.0.0 and above of the Splunk Add-on for Microsoft Cloud Services removes the Microsoft Office 365 module. See the Splunk Add-on for Microsoft Office 365.

Upgrade from a version older than 4.4.0

  1. If Eventhub inputs were configured using a version earlier than 4.4.0 and any third-party apps that use Event Hub data formatting should follow the below-mentioned steps:
    1. Before upgrading, disable the Event Hub inputs.
    2. Upgrade the TA to the latest version.
    3. For the Event Hub inputs add event_format_flags = 1
    4. Enable the Event Hub inputs.
  2. While creating a new Event Hub input, add event_format_flags = 1 for the Apps which are dependent on the EventHub data formatting.

Upgrade from a version older than 5.0.0

  1. Follow the Standard Upgrade Guide.
  2. After enabling the Storage Blob inputs, wait for the completion of file-based checkpoint to KV Store migration by following the successful migration notification in the Splunk Messages.
    1. The following SPL query is used to verify the successful KV Migration for Storage Blob inputs:

    Search

    index=\_internal source=\*storage_blob\* "Checkpoint has been migrated to KVstore"

Standard Upgrade Guide

  1. Verify that you are running version 8.0.0 or later of the Splunk software.
  2. (Optional) Plan your Splunk Enterprise upgrade to work with the Python 3 migration.
  3. Disable all your inputs before you upgrade the add-on. Otherwise, you might see errors in the log files, resulting in data loss against your already configured inputs.
  4. Upgrade the Splunk Add-on for Microsoft Cloud Services to the required version, and follow the version-specific upgrade guide.
  5. Enable each desired input to start data collection. Enable Storage Blob inputs in small batches.