Some folks really *are* too cool for school.
If you already pretty much know what you are doing in Splunk, maybe all you need is a checklist to follow.
If you are going to follow this, follow it to the end. If you get halfway through and decide “Meh, I’ll just wing it from here”, I will be able to tell because your installation will not work properly, and I will not be happy.
Requirements
- Splunk is running and you have admin access to it, or you can open cloud tickets for the environment.
- There is an SFTP server somewhere,
- which you can log in to (or can get access to)
- with an SFTP account you can use to receive the CDR data from CUCM
- and which has a Splunk forwarder on it configured to send to your indexing tier. (We strongly suggest UF, but HF will work if it’s already installed)
- You can make Billing Server configuration changes to CUCM, or know someone who can.
Checklist for installation – on prem
- IN CUCM, add a new Billing Server entry pointing to your SFTP server.
- See our Call Manager Configuration documentation, complete those steps and come back here.
- If there are no empty Billing Server slots left, please contact us to discuss how to share a billing server entry with another app. There are details to be aware of.
- ON THE SH you are going to use, install the three Sideview apps
- SHC folks – do this on the deployer and deploy as is usual and per the below
- If your SH has access to the internet you can use Manage Apps, or just download from Splunkbase and upload as per the usual:
- Restart the SH after installing the last of the three (no need to do it for each)
- Please do not set “replicate=false” for the lookups in our app.
- Install a trial license key in our app on the search head (or full key if it’s available)
- Install it in the Cisco CDR Reporting and Analytics app via Setup/Change License key (instructions)
- If you don’t have the license key –
- For trials – get a trial from our “Get Trial License” page.
- For full licenses – get it from the official contact who should have it in an email
- Or drop us a line at support@sideviewapps.com and we’ll figure it out.
- ON THE INDEXING TIER create an index “cisco_cdr”
- Use the method appropriate for your environment. Via CM, directly, with API, whatever.
- Index name *can be different and can be customized*, but please do NOT mix this data with other unrelated data; give it its own index.
- FOR (or on) THE FORWARDER create the inputs as per our requirements
- Download the TA from this link at splunkbase:
https://splunkbase.splunk.com/app/4434
- Extract the contents
- INSIDE the TA folders, create a new local/inputs.conf file with contents dependent on your UF’s Operating system:
- for Windows, the contents of inputs.conf will look like these:
```ini
[batch://D:\path\to\files\cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch://D:\path\to\files\cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
```
- for Linux or Unix, the contents of inputs.conf will look like these:
```ini
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch:///path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
```
- (We have a whole slew of notes on this topic in the middle of our docs page on Configuring Splunk to index the data so you might want to check there quickly)
- Deploy that, plus the rest of the TA (including the props and transforms and all other files), via whatever method is appropriate to your environment.
- Did I mention the WHOLE TA needs to go on your UF?
- Yes, the entire TA, all of it. On the UF. It’ll work better that way.
- If in Step 4 you used an index named something other than our default, ‘cisco_cdr’:
- On the SH, edit the macro ‘custom_index’ to point to your index.
Checklist for installation – cloud
These are mostly the same steps as above, only in a slightly different order.
- IN YOUR CLOUD
- Ask support to install the three Sideview apps –
- Also ask support to create a separate and new index called “cisco_cdr” on the indexing tier.
- The rest of the apps go on the SH.
- No IDM is required or useful, the actual input goes on your heavy forwarder on premise.
- SSAI cannot be used, because the input on the SH is actually a migration and management script – not an input at all, but required for operation.
- Also ask support to not set “replicate=false” for the lookups in our app. I don’t think this is a thing they do often, but it’s happened at least once.
- WAIT while that’s done.
- Please note – we *are* cloud compatible. We have a significant portion of our installations already in cloud, and they’re fine.
- But, we are sufficiently different, larger, and more complex than nearly any other third party app they install in cloud that sometimes the process isn’t as smooth as it could be.
- So, if you get any responses from Splunk that seem to indicate otherwise, just forward them to us and we’ll get it straightened out.
- IN CUCM, add a new Billing Server entry pointing to your SFTP server.
- See our Call Manager Configuration documentation, complete those steps and come back here.
- If there are no empty Billing Server slots left, please contact us to discuss how to share a billing server entry with another app. There are details to be aware of.
- Install a trial license key in our app on the search head (or full key if it’s available)
- Install it in the Cisco CDR Reporting and Analytics app via Setup/Change License key (instructions)
- If you don’t have the license key –
- For trials – get a trial from our “Get Trial License” page.
- For full licenses – get it from the official contact who should have it in an email
- Or drop us a line at support@sideviewapps.com and we’ll figure it out.
- FOR (or on) THE FORWARDER create the inputs as per our requirements
- Download the TA from this link at splunkbase:
https://splunkbase.splunk.com/app/4434
- Extract the contents
- INSIDE the TA folders, create a new local/inputs.conf file with contents dependent on your UF’s Operating system:
- for Windows, the contents of inputs.conf will look like these:
```ini
[batch://D:\path\to\files\cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch://D:\path\to\files\cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
```
- for Linux or Unix, the contents of inputs.conf will look like these:
```ini
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch:///path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
```
- (We have a whole slew of notes on this topic in the middle of our docs page on Configuring Splunk to index the data so you might want to check there quickly)
- Deploy that, plus the rest of the TA (including the props and transforms and all other files), via whatever method is appropriate to the environment.
- Did I mention the WHOLE TA needs to go on your UF?
- Yes, the entire TA, all of it. On the UF. It’ll work better that way.
Checklist for installation – Autobahn
If you do not know what Splunk Autobahn is, it’s a way to quickly get your feet wet with some apps that may be useful for your data (like ours) in a trial cloud instance. You have to talk to your rep or the sales folks about this to get it stood up.
PREREQUISITES –
- your on-prem UF should have SFTP enabled and working on it.
- The user Splunk runs under must have *delete* permissions to the SFTP user’s “drop folder”.
Once you have your cloud autobahn instance set up and the SFTP server ready…
- IN YOUR CLOUD
- Create a separate and new index called “cisco_cdr” on the indexing tier.
- FOR (or on) THE FORWARDER
- Make sure your outputs.conf is set up.
- Download the TA from this link at splunkbase:
https://splunkbase.splunk.com/app/4434
- Extract the contents
- INSIDE the TA folders, create a new local/inputs.conf file with contents dependent on your UF’s Operating system:
- for Linux or Unix, the contents of inputs.conf will look like these:
```ini
[batch:///path/to/files/cdr_*]
index = cisco_cdr
sourcetype = cucm_cdr
move_policy=sinkhole

[batch:///path/to/files/cmr_*]
index = cisco_cdr
sourcetype = cucm_cmr
move_policy=sinkhole
```
- See our regular docs if the UF is on Windows – Configuring Splunk to index the data
- Deploy that, plus the rest of the TA (including the props and transforms and all other files), via whatever method is appropriate to the environment.
- It’ll end up as an app in your app folder, $SPLUNK_HOME/etc/apps
- If in default locations, it will end up in /opt/splunkforwarder/etc/apps/, so you’ll have a new folder in there: /opt/splunkforwarder/etc/apps/TA_cisco_cdr
- Did I mention the WHOLE TA needs to go on your UF?
- Yes, the entire TA, all of it. On the UF. It’ll work better that way.
- Restart the UF.
- IN CUCM, add a new Billing Server entry pointing to your SFTP server.
- See our Call Manager Configuration documentation, complete those steps and come back here.
- If there are no empty Billing Server slots left, please contact us to discuss how to share a billing server entry with another app. There are details to be aware of.
- Install a trial license key in our app on the search head (or full key if it’s available)
- Install it in the Cisco CDR Reporting and Analytics app via Setup/Change License key (instructions)
- To get a license key:
- End customer should do this, or at least be aware of this.
- For trials – get a trial from our “Get Trial License” page
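
The forwarder steps in the checklists above rely on complete batch stanzas in local/inputs.conf and, per the Autobahn prerequisite, on the Splunk user being able to delete files from the SFTP drop folder. The script below is an added example for a Linux or Unix forwarder, not part of the Sideview documentation or TA; the function names `check_inputs` and `check_drop_dir` are illustrative, and the two paths you pass are your own inputs.conf and drop folder.

```shell
#!/bin/sh
# Added example (not Sideview's code): pre-flight checks for a Linux/Unix forwarder.

# check_inputs FILE: every [batch://...] stanza must set index, sourcetype and
# move_policy = sinkhole, the three settings the checklist's stanzas carry.
check_inputs() {
    awk '
        function report() {
            if (stanza == "") return
            n++
            if (policy != "sinkhole") { print "FAIL " stanza ": move_policy is not sinkhole"; bad = 1 }
            if (idx == "")   { print "FAIL " stanza ": index not set"; bad = 1 }
            if (stype == "") { print "FAIL " stanza ": sourcetype not set"; bad = 1 }
        }
        /^[ \t]*#/ || /^[ \t\r]*$/ { next }
        /^[ \t]*\[/ {
            report(); stanza = ""; policy = ""; idx = ""; stype = ""
            if ($0 ~ /^[ \t]*\[batch:\/\//) stanza = $0
            next
        }
        stanza != "" {
            i = index($0, "="); if (i == 0) next
            key = substr($0, 1, i - 1); val = substr($0, i + 1)
            gsub(/[ \t\r]/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "move_policy") policy = val
            if (key == "index")       idx = val
            if (key == "sourcetype")  stype = val
        }
        END { report(); if (n == 0) { print "FAIL: no [batch://] stanzas"; bad = 1 }; exit bad + 0 }
    ' "$1"
}

# check_drop_dir DIR: run as the user Splunk runs under. Deleting a file needs
# write and search permission on the directory; with the sticky bit set, only
# the file owner or the directory owner may delete, so SFTP-owned files stay.
check_drop_dir() {
    [ -d "$1" ] || { echo "FAIL $1: not a directory"; return 1; }
    [ -w "$1" ] && [ -x "$1" ] || { echo "FAIL $1: no write/search permission"; return 1; }
    if [ -k "$1" ] && [ ! -O "$1" ]; then
        echo "FAIL $1: sticky bit set and directory not owned by $(id -un)"; return 1
    fi
    echo "OK $1: files can be deleted after indexing"
}

# Usage: sh preflight.sh /path/to/TA/local/inputs.conf /path/to/files
if [ "$#" -eq 2 ]; then
    check_inputs "$1" && check_drop_dir "$2"
fi
```

Run it as the account the forwarder runs under, since the permission tests reflect whoever executes them.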
Next Steps
After setup, the app should start working pretty much immediately (obviously it’s slightly dependent on call volume, but it only takes one completed call to make Browse Calls show … one completed call.)
Check out the following couple of simple setup steps that can really make it more useful too –
- Sites – maps network locations (via IP addresses in CIDR notation) into “places”.
- Groups – maps numbers to names, groups and subgroups.
I hope this helps.
If you have any comments at all about the documentation, please send them in to docs@sideviewapps.com.