
Upgrade the Splunk Add-on for Microsoft Office 365

Caution

Version 4.4.0 is not backward compatible, and downgrading from version 4.3.0 will result in complete data duplication due to major checkpoint changes.

Note

After upgrading to version 4.4.0, inputs created with the same name but different content-types, or any input with a name that begins with “_”, cannot be edited.

Note

After upgrading the Splunk Add-on for Microsoft Office 365 from 4.0.0 and higher to version 4.2.0 or higher, your Splunk platform deployment might receive duplicate events for a maximum of 7 days, due to a change in checkpoint logic. Duplicate events will stop ingesting after 7 days.
Restarting the Splunk platform or disabling the input can cause duplication of the management activity events that the add-on is collecting at that time.

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.2.0 and higher. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 and Upgrade to version 4.1.0 sections of this topic. If you are facing high memory usage, follow these migration steps.

  1. Disable all Management Activity Inputs.

  2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.

  3. Install the add-on across your Splunk platform deployment.

  4. Enable one Management Activity input at a time.

    • Confirm checkpoint migration for each input with the following information:
        • Check for the Checkpoint Migration Completed Successfully message in the UI.
        • Check for the following message in the internal logs: Completed KVStore Migration for Input: <input_name>
  5. Repeat the above steps until each management activity input has been migrated successfully.
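One way to run the log check from step 4 across several inputs, as an added example that is not part of the add-on or its documentation. The function names and the sample log lines are constructed for illustration, and the code assumes the input name is the remainder of the line after the message text quoted above.

```python
import re

# Completion message exactly as quoted in step 4; whatever precedes it on
# the line (timestamp, level, ...) is ignored, so no log layout is assumed.
MESSAGE = "Completed KVStore Migration for Input:"
DONE_RE = re.compile(re.escape(MESSAGE) + r"\s*(.+?)\s*$")

# Constructed sample lines (hypothetical layout and input names).
SAMPLE_LOG = """\
2024-05-01 09:00:02 INFO checkpoint migration running for audit_exchange
2024-05-01 09:24:22 INFO Completed KVStore Migration for Input: audit_exchange
2024-05-01 09:30:00 INFO checkpoint migration running for audit_sharepoint
"""

def migrated_inputs(log_lines):
    """Return the set of input names that logged the completion message."""
    done = set()
    for line in log_lines:
        match = DONE_RE.search(line)
        if match:
            done.add(match.group(1))
    return done

def migration_status(expected_inputs, log_lines):
    """Map each expected input to True/False using exact name matches.

    Exact matching matters: a substring search for "audit" would also hit
    the completion line of "audit_exchange" and report a false success.
    """
    done = migrated_inputs(log_lines)
    return {name: name in done for name in expected_inputs}

def next_input_to_enable(expected_inputs, log_lines):
    """Return the first input with no confirmed migration, or None when
    every input is done (step 4 enables one input at a time)."""
    status = migration_status(expected_inputs, log_lines)
    for name in expected_inputs:
        if not status[name]:
            return name
    return None

if __name__ == "__main__":
    inputs = ["audit", "audit_exchange", "audit_sharepoint"]
    lines = SAMPLE_LOG.splitlines()
    for name, ok in migration_status(inputs, lines).items():
        print(f"{name}: {'migrated' if ok else 'pending'}")
    print("enable next:", next_input_to_enable(inputs, lines))
```
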

The following table displays the performance statistics of Splunk platform deployments when performing the upgrade steps for management activity inputs.

| Splunk Platform Version/Type | vCPU / Memory | OS | Number of Inputs | Checkpoint Size Main Input (GB) | Checkpoint Size Other Input (individual) (GB) | Theoretical Memory Utilization (%) | Migration Time | CPU Utilization (AVG) | Memory Utilization (AVG) | KVStore Health Check | Migration Status | Additional Comments |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 8.x (Enterprise) | VCPU 2 / 8 GB | Linux | 1 | 1.1 | | 25 | | | | | Failed | At the time of migration, Memory Error when reading the checkpoint file. |
| 9.x (Enterprise/Heavy Forwarder) | VCPU 2 / 8 GB | Linux | 2 | 0.5 | 0.7 | 65 | Input 1: 24m 20s; Input 1: 32m 14s | ~45% | ~60% | Normal | Success | The migration process for both inputs ran in parallel. |
| 9.x (Enterprise) | VCPU 4 / 16 GB | Linux | 2 | 1.2 | 1.2 | 50 | Input 1: 53m 08s; Input 2: 51m 28s | ~50% | ~50% | Normal | Success | The migration process for both inputs ran sequentially. |
| 9.x (Enterprise/Heavy Forwarder) | VCPU 8 / 32 GB | Linux | 3 | 1.3 | 1.3 | 30 | Input 1: 01h 05m 56s; Input 2: 01h 02m 51s; Input 3: 01h 05m 43s | ~45% | ~60% | Normal | Success | Started checkpoint migration for 2 input parallel and it was successful. |
| 8.x (Victoria) | VCPU 8 / 32 GB | Linux | 5 | 10 | 3 | 80 | Input 1: ~01h; Input 2: ~01h; Input 3: ~01h; Input 4: ~45m; Input 5: ~45m | | | Normal | Success | Started with 2 main inputs, then 3 inputs, and then the migration was complete. |

Upgrade to version 4.1.0

Note

After upgrading the Splunk Add-on for Microsoft Office 365 to version 4.1.0, due to a change in checkpoint logic, your Splunk platform deployment might receive duplicate events for a maximum of 7 days. Duplicate events will stop ingesting after 7 days. You may observe a rise in the usage of your deployment’s memory/CPU resources.

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 4.1.0 and above. If you have not yet upgraded to version 2.0.0 or later, perform the steps in the Upgrade to version 2.0.0 section of this topic.

  1. Disable all inputs.
  2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
  3. Install the add-on across your deployment.
  4. For existing tenants configured with Cloud App Security Token, a warning sign will appear with a message to re-enter the tenant’s Cloud App Security Token. To mitigate the warning, edit that tenant and re-enter your Cloud App Security Token. On submitting a new Cloud App Security Token, if you are not allowed to proceed due to any validation errors, delete your tenant by clicking the “Delete” button and reconfigure the new tenant.
  5. Enable all the configured inputs to resume the data collection.

Upgrade to version 2.0.0

If the Splunk Add-on for Microsoft Office 365 was previously installed and configured, there are several prerequisite steps that must be completed before upgrading to versions 2.0.0 and later.

  1. Disable all inputs.
  2. Download the latest version of Splunk Add-on for Microsoft Office 365 from Splunkbase.
  3. Install the add-on across your deployment.
  4. Re-enter the tenant’s client secrets and proxy passwords. If an alert appears that says Re-enter client secret before the Edit button, update all applicable tenants in your environment. If you submit a new secret and you are not allowed to proceed without also entering a Cloud Application Security Token, delete your tenant from your splunk_ta_o365_tenants.conf file and create a new one.
  5. Enable all the configured inputs to resume the data collection.

For Python 3 guidance on upgrading your Splunk Enterprise deployment to version 8.0.0 and above, see the Choose your Splunk Enterprise upgrade path for the Python 3 migration topic in the Splunk Enterprise manual.