Because of great demand, we’ve written up a Splunk migration for the Cisco CDR Reporting and Analytics app!
(So where does that leave the rest of this page?)
I don’t really know. I’ll review it and see if it’s still useful, but maybe the above link is all that’s needed now.
Splunk is typically installed at /opt/splunk on Linux or at “C:\Program Files\Splunk” on Windows. We’ll follow Splunk’s convention and refer to this directory as $SPLUNK_HOME. Our app lives at $SPLUNK_HOME/etc/apps/cisco_cdr.
Sites, Groups, Clusters and Devices lookups
If anyone has spent time building the contents of these lookups, you’ll want to carry them over. They are all in $SPLUNK_HOME/etc/apps/cisco_cdr/lookups and are : cidr.csv, groups.csv, clusters.csv and devices.csv.
Most relevant config will be at the app level and located in two top level folders inside $SPLUNK_HOME/cisco_cdr – “default” and “local”. (If you have time, you can read here in much more detail about Splunk’s configuration file precedence).
Rule #1 about “default” and “local” is that you should never make any edits to “default” – for one thing any changes there would be overwritten every time you upgrade to one of our maintenance releases. If you’ve broken this rule in the past then contact us but assuming you haven’t, all the files in the “local” directory are probably worth migrating.
However when you’re logged into Splunk and using the app to create reports and dashboards, if the end results weren’t “shared” with other users at the app level, the config may very well be living over in $SPLUNK_HOME/etc/users/USERNAME/cisco_cdr/local/. If you only have one user it’s only one directory to worry about migrating. If you have 50 users it’s 50.
The simplest way to deal with this is to simply copy over all of $SPLUNK_HOME/etc/users/ when you backup. However this may conflict with other sensible directives to “clean things up” during the migration, and it can be a bit of a grey area. One direction that can be good, is to educate users on how to go into “Settings” and find things they want to migrate, click “Permissions” and explicitly move it from user-level to app-level. If you have any questions or if you need any advice, you guessed it, contact us.
If you have any comments at all about the documentation, please send it in to firstname.lastname@example.org.