Splunk Universal/Heavy Forwarder Configuration

NOTE – this page does not cover configuring the forwarder to send your data to Splunk. Read about that in Splunk’s documentation on configuring the UF.

  1. ON YOUR FORWARDER, download and install our app into the Splunk Universal Forwarder’s installation.
    • It installs like any other add-on for a UF; see Splunk’s documentation for installing add-ons to universal forwarders.
    • It’s also fine to push this via the Deployment Server or any other method you may use.
  2. ON YOUR FORWARDER, Configure the add-on
    • Locate the extracted/installed version of the TA_cisco_cdr
    • Inside there, create a “local” folder so that you have a directory “TA_cisco_cdr/local/”.  If you already have that folder, then continue with the next step.
    • Create a new file inside the “TA_cisco_cdr/local/” folder called “inputs.conf”, so you have a “TA_cisco_cdr/local/inputs.conf” file.
    • To that file, add the following contents depending on your UF’s Operating System:
        • for Windows, the contents of inputs.conf will look like this:
      [batch://D:\path\to\files\cdr_*]
      index = cisco_cdr
      sourcetype = cucm_cdr
      move_policy=sinkhole
      
      [batch://D:\path\to\files\cmr_*]
      index = cisco_cdr
      sourcetype = cucm_cmr
      move_policy=sinkhole
      
        • for Linux or Unix, the contents of inputs.conf will look like this:
      [batch:///path/to/files/cdr_*]
      index = cisco_cdr
      sourcetype = cucm_cdr
      move_policy=sinkhole

      [batch:///path/to/files/cmr_*]
      index = cisco_cdr
      sourcetype = cucm_cmr
      move_policy=sinkhole
      
  3. Double check:
    • the resulting file is in the right location: $SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/inputs.conf
    • and that permissions are correct for the paths it points to so that the Splunk user can read and delete those files.
  4. Restart your forwarder.

Unlike much of our install, there are a few extra notes for this process.

  • It is critical that no mistakes be made in those files. Only the sections in bold should be edited. Leave everything else exactly as it is written above.
  • Use appropriate slashes for your host’s operating system, i.e. “/foo/bar/cdr_*” vs “C:\foo\bar\cdr_*”.
  • Make sure to match the format of the paths:
    • Linux – Note the triple slashes at the front of the path – it’s “batch://” then the path starting with the leading slash, “/path/to/files/” hence three slashes like “batch:///path/to/files/”.
    • Windows – Full path goes here, it’s “batch://” then your path, including drive letter, like “E:\SFTP”, for “batch://E:\SFTP\”.
  • Make sure that “cdr_*” and “cmr_*” are present, respectively, on the end of each path, and that they correspond to the “cucm_cdr” and “cucm_cmr” sourcetypes in that same stanza.
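
A pre-restart check for the rules above, as an added example that is not part of the original page or of the app: it reads an inputs.conf and reports any batch stanza that breaks the path format, the cdr_*/cmr_* to sourcetype pairing, or the fixed index and move_policy values. This is worth running because move_policy=sinkhole makes Splunk delete each file after reading it, so a wrong path matters. The function names and the “windows”/“linux” labels are assumptions, and the sample is constructed.

```python
import re

# Filename pattern -> sourcetype pairing and fixed settings, as shown in the stanzas above.
PAIRS = {"cdr_*": "cucm_cdr", "cmr_*": "cucm_cmr"}
FIXED = {"index": "cisco_cdr", "move_policy": "sinkhole"}

def parse_stanzas(text):
    """Minimal inputs.conf reader: {stanza header: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def check_inputs(text, os_name):
    """Return a list of problems; os_name is 'windows' or 'linux' (hypothetical labels)."""
    problems, seen = [], set()
    # Path separator and the required start of the path after "batch://".
    sep, shape = ("\\", r"[A-Za-z]:\\") if os_name == "windows" else ("/", "/")
    for header, settings in parse_stanzas(text).items():
        if not header.startswith("batch://"):
            continue  # only the batch inputs from this page are checked
        path = header[len("batch://"):]
        if not re.match(shape, path):
            problems.append(f"[{header}] path is not in {os_name} form")
        pattern = path.rsplit(sep, 1)[-1]
        if pattern not in PAIRS:
            problems.append(f"[{header}] path must end in cdr_* or cmr_*")
        elif settings.get("sourcetype") != PAIRS[pattern]:
            problems.append(f"[{header}] sourcetype should be {PAIRS[pattern]}")
        seen.add(pattern)
        for key, want in FIXED.items():
            if settings.get(key) != want:
                problems.append(f"[{header}] {key} should be {want}")
    for pattern in sorted(set(PAIRS) - seen):
        problems.append(f"no batch stanza for {pattern}")
    return problems

# Constructed sample: first header has only two slashes, second pairs cmr_* with cucm_cdr.
SAMPLE_BAD = (
    "[batch://path/to/files/cdr_*]\nindex = cisco_cdr\nsourcetype = cucm_cdr\nmove_policy=sinkhole\n"
    "[batch:///path/to/files/cmr_*]\nindex = cisco_cdr\nsourcetype = cucm_cdr\nmove_policy=sinkhole\n"
)

if __name__ == "__main__":
    print("\n".join(check_inputs(SAMPLE_BAD, "linux")))
```

To check a real file, pass its contents: check_inputs(open(path).read(), "linux"). An empty list means every batch stanza matches the rules on this page.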




If you have any comments at all about the documentation, please send them to docs@sideviewapps.com.