Cisco CDR Reporting & Analytics | Installation Notes

Create Custom Device Types

The Cisco CDR app contains a simple facility to extract device types based on regex matches against the device names. Many of the ones we ship will work out of the box, however most likely you will also have one or more device types that don’t match. This page will tell you how to customize those extractions so as to get all, or nearly all, of these populating.

Examples: The most well-known example is the SEP” prefix on hardphone devicenames. This is what the app uses to assign orig_​device_​type”, dest_​device_​type” to hardphone”. Another example is the common (but not universal) prefix CSF” for jabber devices.

Note: it’s tempting to call these extractions” since they are really very simple. However, that term implies a slightly different config in the Splunk world, and these are called transforms.” So, I’m using that nomenclature here.

To see the existing transforms

  1. Log into Splunk as an admin user.
  2. Go to the Cisco CDR Reporting and Analytics app if you aren’t there already.
  3. In the top right, click settings,” then Fields,” then Field transformations.”
  4. In the little search box (that may say filter”), enter device_​type” and hit return. (This is just to filter out some extraneous transforms that have nothing to do with device_types).

To edit an existing transform

Let’s say that our default extraction for IP Communicator devices is wrong. 

  1. Click the transform that says cisco-cdr-origipcom.”
  2. Edit its regex as necessary and click save.”
  3. Repeat the above two steps for cisco-cdr-destipcom” to get the destination side as well.

If you get an error that You do not have permissions to edit this configuration” you’ll have to ask for help from your Splunk admins.

Note that all of these extractions are in pairs: one for the orig” side, and one for the dest” side.

To create a new transform — part 1

This takes two steps. For part 1 we clone” an existing pair, change their permissions and edit them to match the new requirements.

Pick a simple one to clone like cisco-cdr-destsoftphone” and cisco-cdr-origsoftphone”:

  1. Click the Clone” link under Actions for the dest” one
  2. Change the end to your new device type name, like cisco-cdr-destMyNewDeviceType”
  3. Repeat for the orig” side, with cisco-cdr-origMyNewDeviceType”

After you’ve cloned them you’ll be returned to the Field Transformations” page.
Important step to change permissions -

  1. Look for your new cloned entries
  2. Under the column Sharing” you’ll see they’re Private”. Click Permissions” right next to that. 
  3. Change each of them so that they appear
    • in All apps (system),
    • so that Everyone has Read permission 
    • and so that admin has write permission

If you do not see those options or cannot set them, you should stop here and contact your Splunk admins for help.

Once you’ve changed permissions, find each one again and — 

  1. Click on it to edit it
  2. Edit/​Set the Regular Expression to match the names for the devices you’re trying to extract a type for. (The desktop app RegexBuddy” is your friend and it may be worth purchasing if you’re going to spend a lot of time on Splunk)
  3. Change the last part of each Format field to provide a new device type name for this new extraction — the format is dest_device_type::<MyNewDeviceTypeName>”, so for instance if we want to call the new device type whitecourtesyphone” your Format” field would be dest_device_type::whitecourtesyphone”
  4. Then don’t forget to repeat these steps for the other” side (dest vs. orig).

Proceed to part 2 below to make this new extraction show up.

To create a new transform — part 2

This step makes the extraction we just built run automatically so that your new device types show up.

  1. In the breadcrumb link click fields” and then Field extractions”.
  2. Search for entries matching phone”.
    • If there is a cucm_​cdr : REPORT-custom-phone-types”
      • click on it to use it (and skip to step 3). 
    • If there is no cucm_​cdr : REPORT-custom-phone-types”,
      • click the button for New Field Extraction” in the top right
      • name it custom-phone-types”
      • apply it to sourcetype cucm_cdr
      • and make its type Uses transform”
  3. In the Extraction/​Transform” field, add the names of the two extractions you created above at the end of what is already there, separating them by commas, like “…,cisco-cdr-destMyNewDeviceType,cisco-cdr-origMyNewDeviceType”

Things to watch out for

  • These must be defined in pairs, as it takes one to capture the orig_​device_​type from origDeviceName field and another to capture the dest_​device_​type from the destDeviceName field.
  • Each must have a regex and a dest_device_type::foo” or orig_device_type::foo” value in the FORMAT. You might notice that some of the existing transforms also have other fields. These are optional and you don’t have to do any beyond the orig|dest device type fields.
  • Leave create multivalued fields” unchecked. Leave Automatically clean field names” checked.
  • Before you begin making these changes, have a test search at hand in another window so you can test your changes and see what you’re doing.
  • Remember that Splunk has NO BUILT IN BACKUPS for config of any kind. If you would like to backup your config, that is something you or your admins would have to be doing.
  • Don’t worry about the device_​type” field. the app creates that one automatically by taking the union of the orig_​and dest_​field values.

If you have any comments at all about the documentation, please send them to docs@​sideviewapps.​com.

Related

Installation Notes

Ingesting data from UCCX

Installation Notes

Microsoft Teams

Installation Notes

Oracle SBC CDR

Installation Notes

Other Data Sources