Splunk Universal/Heavy Forwarder Configuration
NOTE – does not include configuration of the forwarder to send your data to your Splunk. Read about that in Splunk’s documentation on configuring the UF.
- ON YOUR FORWARDER, download and install our app into the Splunk Universal Forwarder’s install.
- ON YOUR FORWARDER, configure the add-on:
- Locate the extracted/installed version of the TA_cisco_cdr
- Inside there, create a “local” folder so that you have a directory “TA_cisco_cdr/local/”. If you already have that folder, then continue with the next step.
- Create a new file inside the “TA_cisco_cdr/local/” folder called “inputs.conf”, so you have a “TA_cisco_cdr/local/inputs.conf” file.
- To that file, add the following contents depending on your UF’s Operating System:
- for Windows, the contents of inputs.conf will look like this:
[batch://D:\path\to\files\cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole
[batch://D:\path\to\files\cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
- for Linux or Unix, the contents of inputs.conf will look like this:
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole
[batch:///path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
- Double check:
- the resulting file is in the right location: $SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/inputs.conf
- and that permissions are correct for the paths it points to so that the Splunk user can read and delete those files.
- Restart your forwarder.
Unlike much of our install, there are a few extra notes for this process.
- It is critical that no mistakes be made in those files. Only the sections in bold should be edited. Leave everything else exactly as it is written above.
- Use the appropriate slashes for your host’s Operating System, i.e. “/foo/bar/cdr_*” vs “C:\foo\bar\cdr_*”.
- Make sure to match the format of the paths:
- Linux – Note the triple slashes at the front of the path – it’s “batch://” then the path starting with the leading slash, “/path/to/files/” hence three slashes like “batch:///path/to/files/”.
- Windows – Full path goes here, it’s “batch://” then your path, including drive letter, like “E:\SFTP”, for “batch://E:\SFTP\”.
- Make sure that “cdr_*” and “cmr_*” are present respectively on the end of each path, and that they correspond to the “cucm_cdr” and “cucm_cmr” sourcetypes in that same stanza.
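The checks in the notes above can be automated before restarting the forwarder. The following is an added example, not part of the TA_cisco_cdr app or Sideview’s tooling; the function names `parse` and `check_inputs` are hypothetical and the sample stanzas are constructed, with a deliberate sourcetype mismatch.

```python
import os
import re

# Constructed sample: the cmr_* stanza deliberately carries the wrong sourcetype.
SAMPLE = """\
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole
[batch:///path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole
"""
EXPECTED = {"cdr_*": "cucm_cdr", "cmr_*": "cucm_cmr"}

def parse(text):
    # Minimal stanza parser: {stanza name: {key: value}}.
    stanzas, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            cur = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip()
    return stanzas

def check_inputs(text, check_fs=False):
    """Return a list of problems in the batch stanzas (empty list = OK)."""
    problems = []
    for name, kv in parse(text).items():
        if not name.startswith("batch://"):
            continue
        path = name[len("batch://"):]
        # Linux: path keeps its leading slash (batch:///...); Windows: drive letter.
        if not (path.startswith("/") or re.match(r"[A-Za-z]:\\", path)):
            problems.append(f"{name}: path must be absolute")
        pattern = re.split(r"[\\/]", path)[-1]
        want = EXPECTED.get(pattern)
        if want is None:
            problems.append(f"{name}: path must end in cdr_* or cmr_*")
        elif kv.get("sourcetype") != want:
            problems.append(f"{name}: sourcetype should be {want}")
        if kv.get("move_policy") != "sinkhole":
            problems.append(f"{name}: move_policy should be sinkhole")
        # Deleting a file needs write+execute on its directory (POSIX semantics).
        folder = path[: len(path) - len(pattern)]
        if check_fs and not os.access(folder, os.R_OK | os.W_OK | os.X_OK):
            problems.append(f"{name}: current user cannot read/delete in {folder}")
    return problems
```

Run `check_inputs(open(path_to_inputs_conf).read(), check_fs=True)` as the account the forwarder runs as, so the permission check reflects that user. On Windows, `os.access` does not evaluate ACLs, so confirm delete rights on the folder separately.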
If you have any comments at all about the documentation, please send them in to docs@sideviewapps.com.