This product, whether deployed as a 90-day trial or as a production install, can be deployed in one of two scenarios.

  1. On One Standalone Splunk Indexer

    In this scenario our software and Splunk’s software are only ever installed on one host. The general outline is:

    1. Configure CallManager to SFTP records to that host.
    2. Install and run Splunk Enterprise on that host.
    3. Install main app “Cisco CDR Reporting and Analytics” aka “cisco_cdr” into Splunk.

    In this case, you log into and use the App’s user interface on that host, over port 8000.

  2. Into a Distributed Splunk Deployment

    This scenario covers the non-trivial use cases. Although it is similar to the above, it differs in some very important ways:

    1. Deploy the main app “Cisco CDR Reporting and Analytics” aka “cisco_cdr” on the Splunk Search Head instance(s).
    2. Install Splunk’s “Universal Forwarder” on another host and configure CallManager to SFTP records to this host.
    3. Into that Splunk Universal Forwarder we will install a small app called “TA_cisco_cdr”.
    4. That Universal Forwarder will then be configured to forward its data to your Splunk indexer(s).
    5. Last but not least, we will configure the Universal Forwarder to start indexing the data.

    In this case, you will be logging into your existing Search Head and using the app through that. This may be through HTTP on port 8000, HTTPS on port 8443, or any other port your administrator has set up for that Search Head.

Which Should I Use?

If you already have Splunk in your organization, chances are the existing Splunk admins already have a distributed deployment and making friends with them is the way to go (if you haven’t already). Aside from the parts inside CM Administration, these docs should be easy for them to follow.

If, on the other extreme, you just want to test it out and you only have a few dozen or a few hundred endpoints, definitely start with a single instance demo.

In the middle, feel free to contact us and describe your situation and we can quickly offer advice.

What Else Might I Need?

There are some minor additional pieces – hinted at above – that are required because of how CallManager does things.  You can think of this as plumbing.  We just want to use the sink, but until all the pieces are hooked up to get water there, sinks are largely useless.

The plumbing pieces we’ll talk about farther down:

  • An SFTP server
  • Rights to create a “Billing Server” in CallManager
  • How the CDR data flows between those, and into Splunk.

So a bit more detail on each.

The SFTP server

In both standalone and distributed cases, an SFTP server must be installed and configured.  This is how CallManager will “send” the CDR data.

If you are using Windows, you will have to download and configure one. The docs page (linked at the bottom of this section) has a link for a free SFTP program customers have had reasonable luck with.

If you are using one or more Linux servers, Linux already has this bundled with it (SFTP runs over SSH, which is the primary way to log into a Linux box remotely).

In either case, we don’t actually care where this SFTP server is installed, as long as it is either somewhere a Splunk UF can read the files it writes and forward them to your indexers, or on the indexer itself (the all-in-one solution).

This technically has nothing to do with our app, or even Splunk, but it needs to be set up because of how CallManager does this.
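
For the Linux case described above, one way to confine the account CallManager logs in with to file drops only. This is an added example, not configuration from the app or its documentation; the account name `cdr_sftp`, the path `/srv/cdr` and the `splunk` group are assumptions.

```conf
# /etc/ssh/sshd_config fragment (added example; account, group and paths
# are assumptions, not values from the app's documentation)
#
# Directory layout this fragment expects:
#   /srv/cdr            owner root:root, mode 0755
#                       (the chroot; sshd refuses a chroot directory that
#                       anyone other than root can write to)
#   /srv/cdr/incoming   owner cdr_sftp, group splunk, mode 2750
#                       (CallManager writes here; the setgid bit makes new
#                       files inherit the splunk group so Splunk can read them)

Match User cdr_sftp
    # Confine the account to the CDR drop area.
    ChrootDirectory /srv/cdr
    # SFTP only: no shell and no arbitrary commands. -u sets the upload
    # umask so new files are group-readable (0640) and not world-readable.
    ForceCommand internal-sftp -u 0027
    # An account that only receives files needs no tunnels or terminal.
    AllowTcpForwarding no
    X11Forwarding no
    PermitTTY no
```

Because of the chroot, CallManager sees the drop directory as `/incoming`, while Splunk reads the same files at `/srv/cdr/incoming`. Run `sshd -t` to check the file for syntax errors before restarting the SSH service.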

Rights to create a “Billing Server” in CallManager

Someone has to have the rights/logon to create a “Billing Server” inside CallManager.

This also has almost nothing to do with our app or Splunk; it’s so that CallManager will send those files to the SFTP server you set up.

Data flow

Once those two things are set up,

  1. CallManager will send files via SFTP to the SFTP server.
  2. The SFTP server will write those received files to disk.
  3. Once those are on disk, we use one of two ways for Splunk to “pick them up”.
    • In a standalone instance, the SFTP server is on the indexer/Splunk server itself.
      In this case, the indexer can read the files directly from its own file system and we offer a little wizard in the app that helps you set that up.
    • In the distributed versions, the SFTP server is NOT your Splunk server, so you install the Splunk Universal Forwarder on the SFTP server, configure it to read those files, tag them with the right index and sourcetype, do the extractions on them, and send them to your indexers.
      While this is mostly a Splunk task, we do provide the TA that has most of that configuration – you tell the TA where your data lives, and the TA does the rest.

With this data flowing, our plumbing is complete, so now we can flush the toil… wait, that doesn’t sound right.  “Now we can use the sink”.  Yes, that sounds much better.

If you are ready to proceed, please continue to the next section.

If you have any comments at all about the documentation, please send it in to