I was running into the same issues. We have Splunk installed on Windows servers. Here is what I did.
Create a forwarder on the Heavy Forwarder Splunk server to the Indexer server if you are using a multi-server deployment. Make sure the Indexing server also has a receiver to receive data from that server and the ports match.
On the Splunk server that is a Heavy Forwarder, copy the TA-SMTP-Reputation folder from the C:\Program Files\Splunk\etc\apps\Splunk_for_Exchange\appserver\addons location and place it in the C:\Program Files\Splunk\etc\apps location.
Now open the TA-SMTP-Reputation folder you placed and create a folder named 'local'.
Open the 'default' folder and copy the 'inputs.conf' and 'reputation.conf' folders and paste them into the 'local' folder you created.
Open the 'reputation.conf' file in the local folder and add the IP addresses of the outbound mail servers separated by a semicolon.
THIS IS A VERY IMPORTANT STEP. Open the 'inputs.conf' file in the local folder. By default, the stanza that uses the UNIX path is enabled and the WINDOWS path is disabled. Change the stanza that has the left-leaning slashes to be 'disabled=false' and change the other to 'disabled=true'.
Restart the Splunk instances and it should work for you.
Additionally, our reputation was reporting as 'Mixed' even after getting it working. What I found was that one of the sites that the Python script was checking was invalid and timing out, causing the degraded reputation. The web app was telling me that dnsbl.solid.net was timing out, so I removed that one from the 'check_my_reputation.py' script in the C:\Program Files\Splunk\etc\apps\Splunk_for_Exchange\appserver\addons\TA-SMTP-Reputation\bin location. Once that entry was removed, our reputation was reported as 'Good'. A static file might not have been the best way to go on that one.
Hope this works for you.
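The timeout problem described in the post above, as an added example that is not part of the original post and is not the code of 'check_my_reputation.py': a blocklist lookup that records a list that times out, or answers outside 127.0.0.0/8, as 'unknown' instead of counting it against the mail server. The function names, the 'Good'/'Listed' labels and the zones are assumptions made for illustration; the zones and the canned resolver are constructed sample data.

```python
import ipaddress
import socket

def dnsbl_name(ip, zone):
    """Query name for an IPv4 DNSBL lookup: reversed octets + zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """A record as text, None if the name does not exist; other errors propagate."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return None  # no entry for this IP on that list
        raise  # timeout or server failure: caller records "unknown"

def check_ip(ip, zones, resolve=system_resolver):
    """Map each zone to 'listed', 'clean' or 'unknown'."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    results = {}
    for zone in zones:
        try:
            answer = resolve(dnsbl_name(ip, zone))
        except OSError:
            results[zone] = "unknown"  # no answer is not evidence of a listing
            continue
        if answer is None:
            results[zone] = "clean"
        elif ipaddress.ip_address(answer) in loopback:
            results[zone] = "listed"  # DNSBLs answer inside 127.0.0.0/8
        else:
            results[zone] = "unknown"  # e.g. parked domain answering every name
    return results

def summarise(results):
    """Verdict from the lists that answered, plus the lists to review."""
    listed = [z for z, s in results.items() if s == "listed"]
    unknown = [z for z, s in results.items() if s == "unknown"]
    return ("Listed" if listed else "Good"), unknown

# Constructed demo resolver: placeholder zones and canned answers, no network.
def fake_resolver(name):
    if name.endswith("dead.example.net"):
        raise TimeoutError(name)
    return "127.0.0.2" if name.endswith("rbl.example.com") else None

if __name__ == "__main__":
    zones = ["bl.example.org", "dead.example.net", "rbl.example.com"]
    print(summarise(check_ip("192.0.2.10", zones, fake_resolver)))
```

The second value returned by `summarise` is the set of lists that did not give a usable answer, which is where a retired or unreachable blocklist shows up for review.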