Cisco CDR Reporting & Analytics | Installation Notes

Create Custom Device Types

The Cisco CDR app contains a simple facility to derive device types from regex matches against device names. Many of the patterns we ship will work out of the box, but you will most likely also have one or more device types that don’t match any of them. This page explains how to customize those extractions so that all, or nearly all, of your devices end up with a type.

Examples: The best-known example is the “SEP” prefix on hardphone device names. This is what the app uses to set “orig_device_type” and “dest_device_type” to “hardphone”. Another example is the common (but not universal) prefix “CSF” for Jabber devices.

Note: it’s tempting to call these “extractions”, since they are really very simple. However, that term refers to a slightly different kind of config in the Splunk world; these are called “transforms”. So, I’m using that nomenclature here.

To see the existing transforms

  1. Log into Splunk as an admin user.
  2. Go to the Cisco CDR Reporting and Analytics app if you aren’t there already.
  3. In the top right, click “Settings”, then “Fields”, then “Field transformations”.
  4. In the little search box (which may say “filter”), enter “device_type” and hit return. (This just filters out extraneous transforms that have nothing to do with device types.)

To edit an existing transform

Let’s say that our default extraction for IP Communicator devices is wrong. Click the transform named “cisco-cdr-origipcom”. Edit its regex as necessary and click “Save”. Now do the same with “cisco-cdr-destipcom”.

Note that all of these extractions are in pairs: one for the orig” side, and one for the dest” side.

To create a new transform

This takes two steps. In Step 1 we “clone” an existing pair. Note the “clone” links next to each transform. Pick a simple pair to clone, such as “cisco-cdr-destsoftphone” and “cisco-cdr-origsoftphone”. Follow the existing naming scheme, of course.

After you’ve cloned them, set their regex to match whatever devices you’re trying to extract a type for. (The desktop app “RegexBuddy” is your friend, and it may be worth purchasing if you’re going to spend a lot of time on Splunk.)

You may notice that the regex doesn’t actually do anything at this point: nothing is extracted yet, because our transform exists only in a vacuum and is not being run. To get it to run automatically we have to do Step 2.

Step 2: In the breadcrumb, click “Fields” and then “Field extractions”.

Search for entries matching “phone”. If there is one named “cucm_cdr : REPORT-custom-phone-types”, click on it to use it (and skip the next paragraph). Otherwise, click the “New Field Extraction” button in the top right.

If you are adding a new entry, name it “custom-phone-types”, apply it to sourcetype cucm_cdr, and set its type to “Uses transform”, then continue below.

Everyone continue here: in the “Extraction/Transform” field, append the names of the two transforms you created above to whatever is already there, separated by commas.

Things to watch out for

  • These must be defined in pairs: it takes one transform to capture orig_device_type from the origDeviceName field and another to capture dest_device_type from the destDeviceName field.
  • Each must have a regex and a “dest_device_type::foo” or “orig_device_type::foo” value in the FORMAT. You might notice that some of the existing transforms also set other fields. Those are optional; you don’t need anything beyond the orig/dest device type fields.
  • Leave “create multivalued fields” unchecked. Leave “Automatically clean field names” checked.
  • Before you begin making these changes, have a test search at hand in another window so you can test your changes and see what you’re doing.
  • Remember that Splunk has NO BUILT-IN BACKUPS for config of any kind. If you would like to back up your config, that is something you or your admins have to do yourselves.
  • Don’t worry about the “device_type” field. The app creates that one automatically by taking the union of the orig_ and dest_ field values.
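As an added illustration (not code from the app or from Sideview, and not Splunk’s own extraction engine), the following Python models what Step 1 and Step 2 above set up on disk and how the pairs described under “Things to watch out for” behave: a transforms.conf fragment with REGEX, FORMAT and SOURCE_KEY per stanza, a props.conf fragment that lists the transforms under REPORT-custom-phone-types for sourcetype cucm_cdr, and a small engine that runs the chain over constructed CDR records. The “first match wins” behaviour models “create multivalued fields” being unchecked. Only the cisco-cdr-orig*/dest* stanza names and REPORT-custom-phone-types come from the page; the regexes, the sample device names, the hypothetical “video” pair and the REPORT-phone-types setting name are assumptions made for this example.

```python
"""Model of Splunk transform pairs for orig/dest device types.
Added example; regexes, device names, the 'video' pair and the
REPORT-phone-types name are assumptions, not the app's shipped config."""
import configparser
import re

# Constructed transforms.conf fragment in the shape the "Field transformations"
# UI writes. The *video stanzas stand in for the pair cloned in Step 1.
TRANSFORMS_CONF = """
[cisco-cdr-orighardphone]
SOURCE_KEY = origDeviceName
REGEX = ^SEP[0-9A-Fa-f]{12}$
FORMAT = orig_device_type::hardphone

[cisco-cdr-desthardphone]
SOURCE_KEY = destDeviceName
REGEX = ^SEP[0-9A-Fa-f]{12}$
FORMAT = dest_device_type::hardphone

[cisco-cdr-origsoftphone]
SOURCE_KEY = origDeviceName
REGEX = ^CSF
FORMAT = orig_device_type::softphone

[cisco-cdr-destsoftphone]
SOURCE_KEY = destDeviceName
REGEX = ^CSF
FORMAT = dest_device_type::softphone

[cisco-cdr-origvideo]
SOURCE_KEY = origDeviceName
REGEX = ^DX
FORMAT = orig_device_type::video

[cisco-cdr-destvideo]
SOURCE_KEY = destDeviceName
REGEX = ^DX
FORMAT = dest_device_type::video
"""

# Constructed props.conf fragment: Step 2 registers the new pair under
# REPORT-custom-phone-types. REPORT-phone-types is an assumed name for the
# list that carries the shipped pairs.
PROPS_CONF = """
[cucm_cdr]
REPORT-custom-phone-types = cisco-cdr-origvideo, cisco-cdr-destvideo
REPORT-phone-types = cisco-cdr-orighardphone, cisco-cdr-desthardphone, cisco-cdr-origsoftphone, cisco-cdr-destsoftphone
"""


def _read_conf(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep REGEX / FORMAT / REPORT-* names as written
    cp.read_string(text)
    return cp


def load_transforms(text):
    """Parse each stanza into a compiled regex plus the field::value it sets."""
    cp = _read_conf(text)
    transforms = {}
    for name in cp.sections():
        stanza = cp[name]
        field, value = stanza["FORMAT"].split("::", 1)
        transforms[name] = {
            "source_key": stanza.get("SOURCE_KEY", "_raw"),
            "regex": re.compile(stanza["REGEX"]),
            "field": field.strip(),
            "value": value.strip(),
        }
    return transforms


def report_order(text, sourcetype):
    """Transform names in the order they run for a sourcetype: REPORT-* settings
    in ASCII order of their names (assumed), list order within each setting."""
    stanza = _read_conf(text)[sourcetype]
    order = []
    for key in sorted(k for k in stanza if k.startswith("REPORT-")):
        order.extend(n.strip() for n in stanza[key].split(",") if n.strip())
    return order


def apply_transforms(record, transforms, order):
    """Run the transform chain over one CDR and derive device_type."""
    out = dict(record)
    for name in order:
        t = transforms[name]
        if t["regex"].search(out.get(t["source_key"], "")):
            # "create multivalued fields" unchecked: the first transform to
            # set a field wins, later matches for the same field are dropped.
            out.setdefault(t["field"], t["value"])
    union = sorted({out[k] for k in ("orig_device_type", "dest_device_type") if k in out})
    if union:
        out["device_type"] = union  # union of the orig_ and dest_ values
    return out


def unclassified_device_names(records, transforms, order):
    """The test search kept open in another window, in miniature: device names
    on either side of a call that no transform pair classifies yet."""
    missing = set()
    for rec in records:
        out = apply_transforms(rec, transforms, order)
        for side in ("orig", "dest"):
            if f"{side}_device_type" not in out and out.get(f"{side}DeviceName"):
                missing.add(out[f"{side}DeviceName"])
    return sorted(missing)


# Constructed CDR records; only the two device-name fields matter here.
SAMPLE_CDRS = [
    {"origDeviceName": "SEP001122334455", "destDeviceName": "CSFJDOE"},
    {"origDeviceName": "DX80LOBBY", "destDeviceName": "SEPAABBCCDDEEFF"},
    {"origDeviceName": "SEP001122334455", "destDeviceName": "SEPAABBCCDDEEFF"},
    {"origDeviceName": "MYSTERYDEV01", "destDeviceName": "CSFASMITH"},
]

if __name__ == "__main__":
    transforms = load_transforms(TRANSFORMS_CONF)
    order = report_order(PROPS_CONF, "cucm_cdr")
    for rec in SAMPLE_CDRS:
        print(apply_transforms(rec, transforms, order))
    print("still untyped:", unclassified_device_names(SAMPLE_CDRS, transforms, order))
```

Running it shows why the pairs matter: the fourth record gets a dest_device_type but no orig_device_type, so device_type collapses to the dest side only, and unclassified_device_names() lists MYSTERYDEV01 as the name that still needs a cloned pair. Because the first matching transform wins, an unanchored regex placed early in the list can silently mask a more specific one later, which is a good reason to anchor patterns as the examples do.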

If you have any comments at all about the documentation, please send them to [email protected]sideviewapps.com.
