Cisco CDR Reporting and Analytics


Optional Groups integration with Active Directory

Optional steps

If you happen to have either Microsoft Active Directory or LDAP configured in your environment for user/group management, you can have Splunk use that AD/LDAP information to populate the Cisco CDR Reporting and Analytics groups and keep them updated.

Enabling Groups lookups to use Active Directory (Optional)

Enabling AD integration will allow your groups to reflect your AD structure, making many reports more intuitive and easier to read.  This will also work for any other LDAP-based source.

Note that a large portion of these instructions use the core Splunk product rather than the CDR App specifically.  As such, additional help with and documentation for the Splunk Supporting Add-on for Active Directory and lookups can be found in Splunk’s documentation.

Determine the logical Mapping of LDAP/AD fields to CDR fields

The CDR app’s “Groups” should have at a minimum the number, name and group fields.  A subgroup field is optional and won’t be included in this example.

Active Directory already has fields that would normally match up with the fields needed for the CDR app:

  • number should be mapped to AD field telephoneNumber
  • name should be mapped to AD field displayName
  • group should be mapped to AD field department

This is only one example, though it is a very common one.  Your own mapping of CDR app groups to Active Directory fields may differ.  For instance, your environment may be better suited to using the Location field in AD to populate group.

Now that we’ve determined which Active Directory fields need to be mapped into the CDR App’s groups fields, we need to enable a mechanism to retrieve that information from AD into Splunk.  This will be done with the Splunk Supporting Add-on for Active Directory.

Step 1: Install and Configure the Splunk Supporting Add-on for Active Directory

The Splunk Supporting Add-on for Active Directory is also known as SA-ldapsearch.

You should have a working installation of this app when finished.

Step 2: Create the search to retrieve records.

The following LDAP search should retrieve all users that are included in the Base DN you included in your LDAP setup.

| ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))" 
| search userAccountControl="NORMAL_ACCOUNT"
| table telephoneNumber, displayName, department
| rename telephoneNumber AS number, displayName AS name, department AS group

The first line ( | ldapsearch… ) is the base LDAP search.  It uses its own non-obvious syntax, but it’s likely you won’t need to change this line because, as written, it includes all AD user objects and excludes computer objects.

The second line ( search userAccountControl=… ) keeps only those accounts that are “regular” users.  This is difficult to do in the base LDAP search because userAccountControl is a multivalued field, so we do it in Splunk instead; Splunk has no issues at all with searching multivalued fields.

The third ( | table … ) and fourth ( | rename … ) lines make the output into the right format and match up the AD field names with the CDR field names.

Confirm that the search works in a new Search window in the Splunk Supporting Add-on for Active Directory.   Note it may take a few seconds or even minutes for results to come back.  Be patient!  We are going to schedule the update, so it won’t matter much if it takes a few minutes to run.

Step 3: Create the outputlookup

Now that we have a search that returns the data we need to enable AD groups to be used in the CDR App, we need to use that search to create the lookup file we need.

Modify the search above (or your version of it) and add the following to the end of it:

...
| outputlookup groups

Like so:

| ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))" 
| search userAccountControl="NORMAL_ACCOUNT" 
| table telephoneNumber, displayName, department 
| rename telephoneNumber AS number, displayName AS name, department AS group 
| outputlookup groups

Run that search once manually to populate the lookup the first time.   Note that the outputlookup command is somewhat invisible – the search results you’ll see in Splunk will look just like the results you get if you didn’t have the outputlookup command in it.  This is normal and expected.
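To make the behaviour of the Step 2 and Step 3 search concrete without a live directory, here is an added Python model of the same pipeline (it is an illustration written for this page, not code from the CDR app or from SA-ldapsearch). It applies the objectClass filter, expands the userAccountControl bit mask into the symbolic flag names that the search matches on, applies the field renames and renders the rows the way the groups.csv lookup stores them. The AD records and their attribute values are constructed samples; the flag values are the documented userAccountControl bits. One caveat the model makes visible: a disabled user still carries NORMAL_ACCOUNT, so the search as written keeps disabled accounts in the lookup unless you also filter on ACCOUNTDISABLE.

```python
"""Offline model of the Step 2/Step 3 search: filter AD user objects,
keep only NORMAL_ACCOUNT users, map AD attributes to the CDR 'groups'
lookup columns and render groups.csv.

Added illustration, not code from the CDR app or SA-ldapsearch. The
sample records below are constructed."""
import csv
import io

# userAccountControl is a bit mask; these are the documented flag values.
# The search on the page matches the symbolic name NORMAL_ACCOUNT, which
# is why the text describes the field as multivalued.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample of what the base ldapsearch returns, one dict per object.
SAMPLE_OBJECTS = [
    {"objectClass": ["top", "person", "user"], "telephoneNumber": "2001",
     "displayName": "Alice Example", "department": "Sales", "userAccountControl": 512},
    # 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE: a disabled user
    {"objectClass": ["top", "person", "user"], "telephoneNumber": "2002",
     "displayName": "Bob Example", "department": "Support", "userAccountControl": 514},
    # computer objects are excluded by the LDAP filter
    {"objectClass": ["top", "person", "user", "computer"], "telephoneNumber": "",
     "displayName": "WS01", "department": "", "userAccountControl": 4096},
    # trust account: not NORMAL_ACCOUNT, dropped by the second line
    {"objectClass": ["top", "person", "user"], "telephoneNumber": "2003",
     "displayName": "Trust Account", "department": "", "userAccountControl": 2048},
    # 66048 = DONT_EXPIRE_PASSWORD | NORMAL_ACCOUNT
    {"objectClass": ["top", "person", "user"], "telephoneNumber": "2004",
     "displayName": "Carol Example", "department": "Sales", "userAccountControl": 66048},
]

# The rename line of the search: AD attribute -> CDR groups column.
FIELD_MAP = {"telephoneNumber": "number", "displayName": "name", "department": "group"}


def decode_uac(value):
    """Expand a userAccountControl integer into the set of flag names."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def is_user_not_computer(obj):
    """Equivalent of the LDAP filter (&(objectClass=user)(!(objectClass=computer)))."""
    classes = set(obj.get("objectClass", []))
    return "user" in classes and "computer" not in classes


def build_groups_rows(objects, exclude_disabled=False):
    """Apply the objectClass filter, the NORMAL_ACCOUNT search and the rename."""
    rows = []
    for obj in objects:
        if not is_user_not_computer(obj):
            continue
        flags = decode_uac(obj.get("userAccountControl", 0))
        if "NORMAL_ACCOUNT" not in flags:
            continue
        # The page's search keeps disabled users; this optional switch drops them.
        if exclude_disabled and "ACCOUNTDISABLE" in flags:
            continue
        rows.append({cdr: obj.get(ad, "") for ad, cdr in FIELD_MAP.items()})
    return rows


def write_groups_csv(rows):
    """Render rows with the header outputlookup would write to groups.csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(FIELD_MAP.values()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(write_groups_csv(build_groups_rows(SAMPLE_OBJECTS)))
```

Running the block prints a three-row groups.csv (Alice, Bob and Carol); calling build_groups_rows with exclude_disabled=True drops Bob, which is the extra condition you would add to the Splunk search if disabled extensions should not show up in reports.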

Step 4: Schedule the search

Save that search by clicking Save As then Report.  Name it <Your Company Name>_AD_Lookups_for_CDR. You do not need to have it include a timerange picker.

In the Report has been created dialog, click Schedule.  Set the options appropriately for your environment (perhaps daily at 2:00 AM with a scheduling window of an hour to let Splunk move the exact timing a bit if it needs to).

Step 5: Test

In the CDR App, click Setup then Define groups (optional).  Click the tab for Edit/Delete Extensions/Groups.  It should mirror the list from the search we created.

If it returns an appropriate list, we are done.

Troubleshooting

If you do not get a list of groups when you click Setup then Define groups (optional), then Edit/Delete Extensions/Groups, then there is a problem in the lookup.  Your first step should be to carefully review the steps to create the lookup.  Note especially the following things:

  1. The Test connection button near the bottom of the Splunk Supporting Add-on for Active Directory setup page should return successfully.  Please consult with your AD administrator if it does not.
  2. The search you crafted in Step 2 should return data.  If it does not, review this search and correct as required.
  3. Review the syntax for the | outputlookup groups command in Step 3.
  4. Make sure you ran the full command from Step 3 at least once to initially populate the groups lookup.
  5. Ensure your schedule for the <Your Company Name>_AD_Lookups_for_CDR saved search is correct and enabled.

You can also confirm that the lookup is populated with this command:

| inputlookup groups

If all steps appear correct but you still get no data and the above inputlookup doesn’t display anything either, then you might want to confirm permissions on the lookup itself.  The following outlines how to check and set those.

    1. In Splunk’s interface, go to Settings, Lookups, Lookup table files.
    2. Change App Context to All (or uncheck the option to Show only objects created in this app context).
    3. Search in the upper right for the word groups.
    4. For the groups.csv item, click the Permissions link under Sharing.
    5. In the resulting dialog, ensure that it is shared in All apps and that Everyone has at least read permission to it.
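The sharing settings the dialog shows are stored on disk in the app’s metadata file (default.meta or local.meta), where a CSV lookup is described by a [lookups/<filename>] stanza with an access line and an export line. The following added Python check (an illustration for this page, not part of the CDR app) reads such a stanza and reports whether groups.csv is exported to all apps and readable by everyone, which is the same condition the troubleshooting steps ask you to confirm by hand. The metadata text below is constructed; the path of your own metadata file depends on where the lookup was created.

```python
"""Check a Splunk metadata stanza for the groups.csv lookup: exported to
all apps (export = system) and readable by everyone (read : [ * ]).

Added illustration, not CDR app code. SAMPLE_META is constructed; a real
file lives at $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta (assumed path)."""
import configparser
import re

# Constructed example of a correctly shared lookup stanza.
SAMPLE_META = """
[lookups/groups.csv]
access = read : [ * ], write : [ admin ]
export = system
"""

# Constructed example of a lookup that is private to one role and one app.
RESTRICTED_META = """
[lookups/groups.csv]
access = read : [ admin ], write : [ admin ]
export = none
"""


def parse_meta(text):
    """Parse .meta text; it uses the same stanza/key=value layout as .conf files."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def parse_access(access):
    """Turn 'read : [ * ], write : [ admin ]' into {'read': ['*'], 'write': ['admin']}."""
    result = {}
    for m in re.finditer(r"(read|write)\s*:\s*\[([^\]]*)\]", access):
        roles = [r.strip() for r in m.group(2).split(",") if r.strip()]
        result[m.group(1)] = roles
    return result


def check_lookup_sharing(meta_text, stanza="lookups/groups.csv"):
    """Report the three facts the troubleshooting steps check through the UI."""
    cp = parse_meta(meta_text)
    if not cp.has_section(stanza):
        return {"present": False, "shared_all_apps": False, "everyone_can_read": False}
    export = cp.get(stanza, "export", fallback="").strip()
    access = parse_access(cp.get(stanza, "access", fallback=""))
    return {
        "present": True,
        "shared_all_apps": export == "system",
        "everyone_can_read": "*" in access.get("read", []),
    }


def check_meta_file(path, stanza="lookups/groups.csv"):
    """Same check against a metadata file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_lookup_sharing(fh.read(), stanza)


if __name__ == "__main__":
    print("shared stanza:    ", check_lookup_sharing(SAMPLE_META))
    print("restricted stanza:", check_lookup_sharing(RESTRICTED_META))
```

If check_meta_file reports shared_all_apps or everyone_can_read as False for the file that holds the groups.csv stanza, the Permissions dialog in step 5 is where to correct it; changing the setting there writes the corresponding lines to local.meta.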

If you have any comments at all about the documentation, please send it in to docs@sideviewapps.com.