# Install Step 3, Data Collection

## Prepare the host which UCM will SFTP to

Next, we recommend setting up a small separate host that receives the files from CUCM via SFTP and forwards them on to your Splunk instance via the Splunk Universal Forwarder. However, on-premise folks (e.g. ones not in cloud) with only a single Splunk instance should know that it’s a fine option to simply SFTP the files directly to the main Splunk host.

### Set up this little intermediate host.

• Find or build a small virtual machine or system.
• Install and test an SFTP server on it.
  • This would preferably be *nix, because then a compatible SFTP server is built right into the OS.
  • But if you need to, you can use Windows and for SFTP something like the SolarWinds SFTP server, FileZilla Server or others.
• Download and install the Splunk Universal Forwarder (UF) on this host. You can get the UF by going to https://www.splunk.com/en_us/download.html, scrolling far down until you see Universal Forwarder. Follow the steps to install it for your platform.

### Install the “TA_cisco_cdr” app on this host

• Download the TA_cisco_cdr app from Splunkbase here: https://splunkbase.splunk.com/app/4434/ and save the tar.gz file locally.
  (Note: during the download there is also a little wget command you can run right on the UF host. This can save a little time.)
• Either way, unpack the contents of that tar.gz file and place the resulting TA_cisco_cdr folder in the $SPLUNK_HOME/etc/apps directory on your forwarder.

At this point you should have a small VM or host running, with a Splunk Universal Forwarder installed, and that UF should have a directory at $SPLUNK_HOME/etc/apps/TA_cisco_cdr/…

### Configuring the input itself

1. Create a local directory inside your TA_cisco_cdr directory: $SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/. If you already have that folder, then continue with the next step.
   • If you are unfamiliar with that term, $SPLUNK_HOME points to the root of where the Splunk program got installed.
   • In Windows, probably c:\program files\splunk\ (though of course you could have moved it when you installed it)
   • In Linux, by default /opt/splunk/
2. Create a new file inside the above folder called inputs.conf, so you have a $SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/inputs.conf.
3. To that file, add the following contents depending on your UF’s Operating System:
• For Linux or Unix, the contents of inputs.conf will look like these:

```
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch:///path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
```

• For Windows, the contents of inputs.conf will look like these:

```
[batch://D:\path\to\files\cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch://D:\path\to\files\cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
```

Important Notes:

• Only the sections in bold should be edited. Conversely, everything not in bold should be exactly as written above.
• Windows users: double-check your permissions on both the created file and the /local folder!
• Be careful with the direction and count of your slashes; use the examples as a reference.
• Make sure the index=… entry points to the correct index. If earlier you picked an index name other than our cisco_cdr suggestion, it goes here.
• By design, this input will index and then delete files immediately. If this is a concern, please see our documentation regarding Sinkhole vs. Monitor Inputs.
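
A quick way to check a finished inputs.conf against the notes above (slash direction and count, index name, sourcetype pairing, sinkhole policy) before restarting the forwarder. This is an added example, not code from the TA_cisco_cdr app; the function names `parse_stanzas` and `check_inputs` are hypothetical and the sample text is constructed.

```python
import re
# Added example (not part of TA_cisco_cdr). Constructed sample: this page's Linux
# stanzas with two deliberate mistakes in the second (two slashes, wrong sourcetype).
SAMPLE = """\
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch://path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole
"""

SOURCETYPES = {"cdr_*": "cucm_cdr", "cmr_*": "cucm_cmr"}

def parse_stanzas(text):
    """Parse .conf text into {stanza header: {key: value}}."""
    stanzas, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_inputs(text, index="cisco_cdr", windows=False):
    """Return a list of problems; an empty list means the stanzas match the page."""
    # Linux: batch:// plus an absolute path (three slashes, no backslashes).
    # Windows: batch:// plus a drive letter and backslashes only.
    shape = r"batch://[A-Za-z]:\\[^/]+$" if windows else r"batch:///[^/\\][^\\]*$"
    problems, stanzas = [], parse_stanzas(text)
    for suffix, sourcetype in SOURCETYPES.items():
        headers = [h for h in stanzas if h.endswith(suffix)]
        if not headers:
            problems.append(f"no stanza for {suffix}")
        for header in headers:
            want = {"index": index, "sourcetype": sourcetype, "move_policy": "sinkhole"}
            if not re.match(shape, header):
                problems.append(f"[{header}]: check slash direction and count")
            for key, value in want.items():
                if stanzas[header].get(key) != value:
                    problems.append(f"[{header}]: {key} should be {value}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_inputs(SAMPLE)))
```

Pass `windows=True` for a Windows forwarder, and `index=` if you chose an index name other than cisco_cdr.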

The data collection node is now set up and ready to receive files and forward them into Splunk. The last step to get data coming in is to set up UCM to send files to this host.