Distributed Splunk Architecture
There are a thousand minor variations on this theme, so pay attention as you go through. That said, we assume you generally know what you are doing and just need the broad picture.
1. In CUCM, add a new Billing Server entry pointing to your SFTP server.
2. On the indexing tier, create an index named ‘cisco_cdr’.
   - Use whatever method fits your environment: via the cluster’s Master Node (that is the ‘official’ Splunk term; we all know it as “the CM”), directly on the indexers, through the REST API, or however you normally manage indexes.
   - The index name *can be different and can be customized*, but please do NOT mix this data with other, unrelated data: give it its own index.
   - If you change the name, step 6 below becomes important, so don’t forget it!
3. On the Search Head (SH) you are going to use, install the two Sideview apps.
   - SHC folks: do this on the deployer and deploy as usual.
   - If your SH has internet access you can use Manage Apps; otherwise download from Splunkbase and upload, or download and untar into place, whatever your usual method is.
   - Restart the SH after installing the second one.
4. On the SH, install a trial license key (or full production key) in our app.
5. On the forwarder that will accept SFTP from CUCM and save the files, create the inputs as per our requirements.
   - We provide a TA for this; please use it! It is linked below where appropriate.
   - We assume you generally know what you are doing here, so the first two steps below may be old hat to you. Please be sure to follow the last one, in bold, exactly.
   - Deploy those inputs, plus the rest of the TA (including the props and transforms and all other files), via whatever method is appropriate to your environment: deployment server, git, puppet, whatever you use should be fine.
6. If in step 2 you used an index named something other than our default, ‘cisco_cdr’:
   - On the Search Head, edit the macro ‘custom_index’ in our app’s context to point to your index. Make sure the permissions on it are right afterwards.

Important: configure your clusters (the CUCM clusters, in the app; this is not about the Splunk cluster). This should only take a few seconds and will ensure external numbers are parsed properly and provide location information.
- Sites: add IP address ranges to identify sites, see cross-site call volume, and optionally enable mapping to work for your own infrastructure.
- Groups: track calls by ‘groups’ of people, ‘groups’ being whatever you’d like to define as a mapping of groups, subgroups, and names to extensions. Use it to report on your sales team, help desk, or to build your own mini call center.
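The pitfall flagged twice above (the index renamed in step 2 but the search-head macro never updated) is easy to catch before anyone sees an empty dashboard. What follows is an added example, not code from the Sideview apps or the TA: a small Python checker that reads the three relevant .conf fragments (indexes.conf on the indexing tier, inputs.conf on the forwarder, macros.conf on the search head) and reports any mismatch, including a forwarder stanza with no `index =` at all, which would silently drop CDR data into the default index alongside unrelated data. The conf fragments are constructed for illustration; the monitor path, the `cucm_cdr` sourcetype and the exact form of the macro definition are assumptions, not the TA’s real contents. Only the macro name `custom_index` and the default index name `cisco_cdr` come from the notes above.

```python
"""Cross-tier consistency check for the CDR index (added example, not the
Sideview app's or TA's own code).  The .conf fragments below are constructed
samples; stanza paths, the sourcetype and the macro definition format are
assumptions for illustration."""

import configparser
import re
from typing import List

# Matches index="cisco_cdr" or index=cisco_cdr inside a macro definition.
MACRO_INDEX_RE = re.compile(r'index\s*=\s*"?([A-Za-z0-9_\-]+)"?')


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf fragment.  Splunk conf files are INI-like but
    case-sensitive and use '$' freely (e.g. $SPLUNK_DB), so interpolation is
    disabled and key names are kept exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_index_consistency(indexes_conf: str, inputs_conf: str,
                            macros_conf: str,
                            macro_name: str = "custom_index") -> List[str]:
    """Return a list of problems; an empty list means the three tiers agree."""
    problems: List[str] = []
    indexes = parse_conf(indexes_conf)
    inputs = parse_conf(inputs_conf)
    macros = parse_conf(macros_conf)

    defined = {s for s in indexes.sections() if s != "default"}
    if not defined:
        problems.append("indexes.conf defines no index stanza")

    # Every monitor:// input must name an index the indexing tier actually has.
    monitors = [s for s in inputs.sections() if s.startswith("monitor://")]
    if not monitors:
        problems.append("inputs.conf has no monitor:// stanza for the CDR drop directory")
    input_indexes = set()
    for stanza in monitors:
        idx = inputs.get(stanza, "index", fallback=None)
        if idx is None:
            # Without index= the events land in the default index and mix
            # with unrelated data, which the deployment notes forbid.
            problems.append(f"{stanza}: no 'index =' set; events would land in the default index")
            continue
        input_indexes.add(idx)
        if idx not in defined:
            problems.append(f"{stanza}: index '{idx}' is not defined in indexes.conf")

    # The search-head macro must point at the same index the forwarder uses.
    if not macros.has_section(macro_name):
        problems.append(f"macros.conf has no [{macro_name}] stanza")
        return problems
    definition = macros.get(macro_name, "definition", fallback="")
    match = MACRO_INDEX_RE.search(definition)
    if not match:
        problems.append(f"[{macro_name}] definition does not name an index: {definition!r}")
        return problems
    macro_index = match.group(1)
    if macro_index not in defined:
        problems.append(f"[{macro_name}] points at '{macro_index}', which is not defined in indexes.conf")
    for idx in input_indexes:
        if idx != macro_index:
            problems.append(f"[{macro_name}] points at '{macro_index}' but the forwarder sends CDR data to '{idx}'")
    return problems


# --- constructed sample configs (illustration only, not the TA's files) ---

# Indexing tier: the dedicated CDR index (step 2).
INDEXES_CONF_OK = """
[cisco_cdr]
homePath   = $SPLUNK_DB/cisco_cdr/db
coldPath   = $SPLUNK_DB/cisco_cdr/colddb
thawedPath = $SPLUNK_DB/cisco_cdr/thaweddb
"""

# Forwarder: monitor the directory the SFTP server drops CUCM files into
# (step 5).  The path and the sourcetype are assumptions for this example.
INPUTS_CONF_OK = """
[monitor:///var/sftp/cucm/cdr]
index = cisco_cdr
sourcetype = cucm_cdr
disabled = 0
"""

# Search head: the app's custom_index macro (step 6); definition format assumed.
MACROS_CONF_OK = """
[custom_index]
definition = index="cisco_cdr"
"""

# The failure mode the notes warn about: index renamed on the indexers and
# the forwarder, but the macro on the search head left at the default.
INDEXES_CONF_RENAMED = INDEXES_CONF_OK.replace("cisco_cdr", "telephony_cdr")
INPUTS_CONF_RENAMED = INPUTS_CONF_OK.replace("cisco_cdr", "telephony_cdr")

# A forwarder stanza with no index= at all: events would land in the default index.
INPUTS_CONF_NO_INDEX = """
[monitor:///var/sftp/cucm/cdr]
sourcetype = cucm_cdr
"""


if __name__ == "__main__":
    cases = [
        ("renamed index, stale macro", (INDEXES_CONF_RENAMED, INPUTS_CONF_RENAMED, MACROS_CONF_OK)),
        ("no index= on forwarder", (INDEXES_CONF_OK, INPUTS_CONF_NO_INDEX, MACROS_CONF_OK)),
        ("consistent", (INDEXES_CONF_OK, INPUTS_CONF_OK, MACROS_CONF_OK)),
    ]
    for label, args in cases:
        print(label, "->", check_index_consistency(*args) or ["OK"])
```

In a real deployment feed it the merged view of each file rather than a single layer (for example the output of `splunk btool indexes list`, `splunk btool inputs list` and `splunk btool macros list` on the respective tier), since a local/ override can silently change the index an app/ default names. The check says nothing about the macro’s sharing permissions, which the notes above also ask you to verify after editing it.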
If you have any comments at all about the documentation, please send them to email@example.com.