Cisco CDR Reporting and Analytics


Migrating – Splunk 5.X to 6.X


If you are setting up a new Splunk 6.X deployment and migrating your existing cisco_cdr app from ol older Splunk 5.X deployment, here are the steps to follow.

First, the single largest and most important change from Splunk 5.X to 6.X is the sourcetypes being used. On Splunk 5.X you were using the app’s older sourcetypes “cisco_cdr” and “cisco_cmr” and while the old data can be migrated….



A) Just follow our setup documentation, but when you come to the point of installing the “cisco_cdr” app on the Search Head (or on the Single Instance), follow this instead::

— Copy the entire existing cisco_cdr directory from etc/apps on the old 5.X deployment, to etc/apps on the new Search Head.
— Then get the latest version of the cisco_cdr app and copy it over. This will upgrade all the core parts of the app yet at teh same time leave all the content your users have created intact.

B) HOWEVER, some content will have hidden inside other apps and you need to manually migrate these.

— With the legacy sourcetypes (sourcetype=cisco_cdr and sourcetype=cisco_cmr), you wil lneed additional autogenerated config that will be hiding over in etc/apps/learned .
You can move as much or as little of this as you want, although take care not to overwrite or damage anything in the new deployment’s “learned” app.
What you need ultimately out of the old deployment’s “learned” app, is
1) any stanzas from etc/apps/learned/local/props.conf matching these stanza names
[cisco_cdr-2], [cisco_cdr-3]
And also
[cisco_cmr-2], [cisco_cmr-3]
2) All of the stanzas in transforms.conf that look like [AutoHeader-1], [AutoHeader-2]

— It’s unfortunately common for users to flip around to other apps, particularly the “search” app and to accidentally create searches and dashboards and alerts when over there. This is pretty terrible because outside of the app itself, tons of extractions and lookups and power will just not work at all. It’s very likely that whoever created this content isn’t aware of this problem, but they will nonetheless expect this content to get migrated. (In general have them contact Sideview for how to proceed after the migration)