Cisco CDR Reporting & Analytics | Installation Notes
Install Step 3, Data Collection
Step 3: Data Collection
One quick note — we use the Splunk term $SPLUNK_HOME to denote the base install path of Splunk or the Splunk forwarder. On a Windows server, this is usually C:\Program Files\Splunk or C:\Program Files\Splunkuniversalforwarder. On Linux it’s usually /opt/splunk or /opt/splunkforwarder.
Prepare the host which UCM will SFTP to
Next, we recommend the following steps, where you’ll set up a small separate host that will receive the files from CUCM via SFTP, and will forward them onto your Splunk instance via the Splunk Universal Forwarder.
However, on-premise folks (e.g. ones not in cloud) with only a single Splunk instance should know that it’s a fine option to simply SFTP the files directly to the main Splunk host. If you do this, in our app’s “Admin” menu there’s an item “Set up data inputs” which you can run to set up a local data input.
Set up this little intermediate host
- Find or build a small virtual machine or system with an SFTP server and the Splunk Universal Forwarder
- This would preferably be *nix, because then a compatible SFTP server is built right into the OS.
- But if you need to, you can use Windows, and for SFTP something like the SolarWinds SFTP server, FileZilla Server, or others.
- Download and install the Splunk Universal Forwarder (UF) on this host. You can get the UF by going to https://www.splunk.com/en_us/download.html, and scrolling far down until you see Universal Forwarder.
- Then follow the steps specific to your platform:
Splunk installation on Linux vs Splunk installation on Windows - NOTE: Do NOT try to ingest the CDR data at installation time! We’ll do that later, and doing it now will not work
Configuring the UF to send data to your Splunk instance
- ONPREM folks only:
- On your Splunk server, follow these quick steps in the Splunk docs to enable “receiving” on your indexer.
- Then on your forwarder host, follow these steps (also in the Splunk docs) to configure your forwarder to send data to your indexer.
- We find it easiest to use the CLI instructions in the section Configure the universal forwarder to connect to a receiving indexer.
- We find it easiest to use the CLI instructions in the section Configure the universal forwarder to connect to a receiving indexer.
- On your Splunk server, follow these quick steps in the Splunk docs to enable “receiving” on your indexer.
- CLOUD folks only:
- Log into your cloud instance and in the Apps list click the Universal Forwarder app.
- Follow the instructions on that page (or this page) to install the Universal Forwarder (UF) locally on this little host we’re creating, and to get the special customized-for-you UF credentials package for it to connect to your cloud instance.
Install the “TA_cisco_cdr” app on this host
- Download the TA_cisco_cdr app from Splunkbase here: https://splunkbase.splunk.com/app/4434/ and save the tar.gz file on the UF system.
- From a terminal/cmd session, run the following command to install the app:
$SPLUNK_HOME/bin/splunk install app <filename>
- Do not at this time restart the forwarder, we will do that in a later step.
At this point, you should have a small VM or host running, with a Splunk Universal Forwarder installed, and that UF should have a directory at $SPLUNK_HOME/etc/apps/TA_cisco_cdr/…
Configuring the input itself
- Create the input by adding this config to an inputs.conf file located at “$SPLUNK_HOME/etc/apps/TA_cisco_cdr/local/inputs.conf”. You may need to create the folder“local” and the file itself. Make sure the user Splunk runs under has permissions to this file and folder.
- To that file, add the following contents depending on your UF’s Operating System:
- for Linux or Unix, the contents of inputs.conf will look like these — with the /path/to/files/pointing to the folder where your SFTP server saves the files:
[batch:///path/to/files/cdr_*] index = cisco_cdr sourcetype = cucm_cdr move_policy=sinkhole [batch:///path/to/files/cmr_*] index = cisco_cdr sourcetype = cucm_cmr move_policy=sinkhole
- for Windows, the contents of inputs.conf will look like these — with the D:\path\to\files\ pointing to the folder where your SFTP server saves the files:
[batch://D:\path\to\files\cdr_*] index = cisco_cdr sourcetype = cucm_cdr move_policy=sinkhole [batch://D:\path\to\files\cmr_*] index = cisco_cdr sourcetype = cucm_cmr move_policy=sinkhole
- for Linux or Unix, the contents of inputs.conf will look like these — with the /path/to/files/pointing to the folder where your SFTP server saves the files:
Important Notes:
- Be careful with your direction of and count of slashes. Use the examples as a reference.
- By design, this input will index and then delete files immediately. If this is a concern, please see our documentation regarding Sinkhole vs. Monitor Inputs.
The data collection node is now set up and ready to receive files and forward those into Splunk. The last piece, in order to get data coming in, is to now set up UCM to send files to this host.