The Cisco CDR app contains a simple facility to extract device types based on regex matches against the device names. Many of the ones we ship will work out of the box; however, you will most likely also have one or more device types that don’t match. This page will tell you how to customize those extractions so that all, or nearly all, of your device names get a type populated.

Examples: The best-known example is the “SEP” prefix on hardphone device names. This is what the app uses to set “orig_device_type” and “dest_device_type” to “hardphone”. Another example is the common (but not universal) “CSF” prefix on Jabber devices.

Note: it’s tempting to call these “extractions”, since they really are very simple. However, that term implies a slightly different kind of config in the Splunk world; these are called “transforms”, so I am using that nomenclature here.

To see the existing transforms

  1. Log into Splunk as an admin user.
  2. Go to the Cisco CDR Reporting and Analytics app, if you aren’t there already.
  3. In the top right click “settings”, then “Fields”, then “Field transformations”
  4. In the little search box (that may say “filter”), enter “device_type” and hit return. (This is just to filter out some extraneous transforms that have nothing to do with device_types.)

To edit an existing transform

Let’s say that our default extraction for IP Communicator devices is wrong. Click the transform that says “cisco-cdr-origipcom”. Edit its regex as necessary and then click ‘save’. Now do the same with “cisco-cdr-destipcom”.

Note that all of these extractions are in pairs – one for the “orig” side, one for the “dest” side.

To create a new transform

This takes two steps. For Step 1 we “clone” an existing pair. Note the “clone” links next to each extraction. Pick a simple one to clone like “cisco-cdr-destsoftphone” and “cisco-cdr-origsoftphone”. Follow the existing naming scheme of course.

After you’ve cloned them, set their regex to match whatever devices you’re trying to extract a type for. (The desktop app “RegexBuddy” is your friend, and it may be worth purchasing if you’re going to spend a lot of time on Splunk.)

You may note that the regex doesn’t actually do anything at this point – nothing is extracted yet because our transform exists only in a vacuum and it’s not being run yet. To get it to run automatically we have to do step 2.

Step 2: In the breadcrumb links at the top, click “Fields” and then “Field extractions”.

Search for entries matching “phone”. If there is already an entry named “cucm_cdr : REPORT-custom-phone-types”, click it to use it (and skip the next step). Otherwise, click the “New Field Extraction” button in the top right.

If you are adding a new entry, name it “custom-phone-types”, apply it to sourcetype cucm_cdr, and make its type “Uses transform”, then continue below.

Everyone continue here: in the “Extraction/Transform” field, append the names of the two transforms you created above to whatever is already there, separated by commas.

Things to watch out for

  • These must be defined in pairs, as it takes one to capture orig_device_type from the origDeviceName field and another to capture dest_device_type from the destDeviceName field.
  • Each must have a regex, and must have a “dest_device_type::foo” or “orig_device_type::foo” value in the FORMAT. You might notice that some of the existing transforms also set other fields. These are optional; you don’t need anything beyond the orig/dest device type field.
  • Leave “create multivalued fields” unchecked. Leave “Automatically clean field names” checked.
  • Before you begin making these changes, have a test search at hand in another window so you can test your changes and see what you’re doing.
  • Remember that Splunk has NO BUILT IN BACKUPS for config of any kind. If you would like to back up your config, that is something you or your admins will have to do yourselves.
  • Don’t worry about the “device_type” field. The app creates that one automatically by taking the union of the orig_ and dest_ field values.
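As an added illustration (not part of the app’s shipped configuration), here is what the pair of transforms and the field-extraction entry created above look like in transforms.conf and props.conf, which is what the UI writes for you. The stanza names, the hypothetical “ATA” device-name prefix and the “ata” type value are assumptions; replace them with your own.

```ini
# transforms.conf (added example; stanza names and the ATA prefix are assumed)

# orig side: reads the origDeviceName field and sets orig_device_type
[cisco-cdr-origata]
SOURCE_KEY = origDeviceName
REGEX = ^ATA
FORMAT = orig_device_type::ata
# "create multivalued fields" unchecked
MV_ADD = false
# "Automatically clean field names" checked
CLEAN_KEYS = true

# dest side: same regex against destDeviceName, sets dest_device_type
[cisco-cdr-destata]
SOURCE_KEY = destDeviceName
REGEX = ^ATA
FORMAT = dest_device_type::ata
MV_ADD = false
CLEAN_KEYS = true

# props.conf: the "cucm_cdr : REPORT-custom-phone-types" field extraction
# from step 2. If this entry already exists, keep its current list and
# append the two new transform names at the end, comma separated.
[cucm_cdr]
REPORT-custom-phone-types = cisco-cdr-origata, cisco-cdr-destata
```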

If you have any comments at all about the documentation, please send it in to