Cisco CDR Reporting & Analytics | Installation Notes

Set up the Groups Lookup

Ultimately we will be populating the Groups Lookup in the Cisco CDR app. This lookup contains a number of fields, chief among them "number", which is matched at search time against the extensions and DNs of all calls coming in the CDR. The other fields include the name, group and subgroup of the user or location that the number is assigned to.

Note: If you have not already, you might quickly review the User Documentation for Groups and Extensions to learn more about how users will use these fields.

Using Active Directory

Our recommended method to populate the Groups Lookup is to use existing data from your Microsoft Active Directory via a separate free Splunk-Supported app called the Splunk Supporting Add-on for Active Directory.

In the steps below we will use this app to query Active Directory on a regular basis (e.g. nightly) and populate our Groups lookup in the CDR app with user data straight from AD.

Step 1: Install and Configure the Splunk Supporting Add-on for Active Directory

The Splunk Supporting Add-on for Active Directory is also known as SA-ldapsearch.

You should have a working installation of this app when finished.

Step 2: Create the search to retrieve records.

The following LDAP search should retrieve all users under the Base DN you configured in your LDAP setup in Step 1.

| ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))"
 attrs="userAccountControl, telephoneNumber, mobile, ipPhone, displayName, department" 
| rex field=telephoneNumber mode=sed "s/[^0-9+]//g" 
| rex field=mobile mode=sed "s/[^0-9+]//g" 
| rex field=ipPhone mode=sed "s/[^0-9+]//g" 
| where userAccountControl="NORMAL_ACCOUNT" AND
 ((isnotnull(telephoneNumber) AND telephoneNumber!="") 
 OR (isnotnull(mobile) AND mobile!="") 
 OR (isnotnull(ipPhone) AND ipPhone!=""))
| eval number = mvdedup(mvappend(telephoneNumber, mobile, ipPhone))
| mvexpand number
| stats last(displayName) as name last(department) as group by number
| table number, name, group, subgroup, subgroup2, subgroup3, subgroup4

Note: In this example we map the AD fields telephoneNumber, displayName and department into our fields number, name and group. You can customize this if you need to, and if you need help doing that contact us at support@sideviewapps.com and we'll help you out.
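To make the row-by-row behaviour of that search concrete (the sed-style number cleanup, the mvappend/mvdedup/mvexpand fan-out, and the "last record wins" semantics of stats last() by number), here is a plain-Python equivalent run over constructed sample AD records. This is an added example, not code from the Cisco CDR app or from SA-ldapsearch; the sample users, the phone numbers and the department names are made up. One deliberate difference from the SPL above is labelled in the code: the filter tests the userAccountControl bit flags and also drops accounts with ACCOUNTDISABLE set, whereas the search compares the decoded value to the exact string "NORMAL_ACCOUNT".

```python
"""Plain-Python equivalent of the SA-ldapsearch query above, run over
constructed sample AD records. Added example, not code from the Cisco CDR
app or from SA-ldapsearch."""
import csv
import io
import re

# userAccountControl bit flags as documented by Microsoft
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWD = 0x10000

# Column order of the groups lookup, matching the table command in the search
LOOKUP_COLUMNS = ["number", "name", "group", "subgroup",
                  "subgroup2", "subgroup3", "subgroup4"]

# Constructed sample records carrying the attributes the search requests
SAMPLE_AD_USERS = [
    {"displayName": "Alice Example", "department": "Sales",
     "telephoneNumber": "+1 (555) 010-1001", "mobile": "555-010-2001",
     "ipPhone": "1001", "userAccountControl": UAC_NORMAL_ACCOUNT},
    {"displayName": "Bob Example", "department": "Support",
     "telephoneNumber": "555 010 1002", "mobile": "", "ipPhone": "1002",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWD},
    {"displayName": "Carol Disabled", "department": "Sales",
     "telephoneNumber": "555-010-1003", "mobile": None, "ipPhone": None,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE},
    {"displayName": "Dan NoPhone", "department": "IT",
     "telephoneNumber": None, "mobile": None, "ipPhone": None,
     "userAccountControl": UAC_NORMAL_ACCOUNT},
    # Shares extension 1001 with Alice's ipPhone; being later, it wins (stats last)
    {"displayName": "Sales Desk", "department": "Sales Ops",
     "telephoneNumber": "1001", "mobile": None, "ipPhone": None,
     "userAccountControl": UAC_NORMAL_ACCOUNT},
]


def clean_number(value):
    """Mirror rex mode=sed "s/[^0-9+]//g": keep digits and '+', drop the rest."""
    if not value:
        return None
    cleaned = re.sub(r"[^0-9+]", "", value)
    return cleaned or None


def is_enabled_normal_account(uac):
    """NORMAL_ACCOUNT bit set and ACCOUNTDISABLE bit clear.

    Stricter than the page's exact-string match on "NORMAL_ACCOUNT": accounts
    with extra flags (e.g. DONT_EXPIRE_PASSWD) pass, disabled accounts do not.
    """
    return bool(uac & UAC_NORMAL_ACCOUNT) and not (uac & UAC_ACCOUNTDISABLE)


def build_groups_rows(users):
    """eval number=mvdedup(mvappend(...)) | mvexpand number | stats last(...) by number."""
    by_number = {}
    for user in users:
        if not is_enabled_normal_account(user.get("userAccountControl", 0)):
            continue
        numbers = []
        for attr in ("telephoneNumber", "mobile", "ipPhone"):
            n = clean_number(user.get(attr))
            if n and n not in numbers:          # mvdedup
                numbers.append(n)
        for n in numbers:                       # mvexpand; later records overwrite
            by_number[n] = {"number": n, "name": user["displayName"],
                            "group": user["department"]}
    rows = []
    for n in sorted(by_number):                 # stats ... by number
        row = {c: "" for c in LOOKUP_COLUMNS}   # subgroup columns stay empty
        row.update(by_number[n])
        rows.append(row)
    return rows


def to_lookup_csv(rows):
    """Render rows as the groups lookup CSV with the same columns as the table command."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_lookup_csv(build_groups_rows(SAMPLE_AD_USERS)))
```

Running it prints five rows: Carol is dropped because her account is disabled, Dan because he has no number, and extension 1001 ends up attributed to "Sales Desk" rather than Alice because that record came last, which is exactly the ordering-dependent behaviour to keep in mind when two AD objects share an extension.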

Confirm that the search works in a new Search window in the Splunk Supporting Add-on for Active Directory app.

Note that it may take a few seconds or even minutes for results to come back. Be patient!

Step 3: (if Splunk Enterprise) Add the outputlookup clause to actually write to the lookup file

Now that we have a search that returns the data, we need to use that search to populate the lookup file. Note that if anyone has made prior attempts to populate rows in the Groups Lookup, this will completely overwrite them.

Modify the search above (or your version of it), and add this one line to the end of it:

| outputlookup create_empty=false override_if_empty=false groups

Run that search once manually to populate the lookup the first time. Note that the outputlookup command has no effect on the visible results – the search results are exactly the same as if you didn’t have the outputlookup command in it. Wait until you get results to display, then you can proceed.

Step 3: (if Splunk Cloud)

In Splunk Cloud this might be a little more involved, so feel free to contact us.

If you are using a Splunk Cloud instance that can directly talk to your Active Directory, there are no special steps to follow; just use the "if Splunk Enterprise" steps above.

But it's also possible that you are running the search on a Heavy Forwarder or Search Head in your internal network, because that is what can talk to AD. If that is the case, the steps are here:

  1. Create an index in your Cloud environment. A suggested name is "cisco_cdr_app_lookups".
  2. On your local HF/SH, add the following syntax to the end of your big SPL query from above:
    | eval lookup_name="groups"
    | collect index=cisco_cdr_app_lookups
    
  3. The search above should be saved and scheduled (see Step 4 below) to run nightly.
  4. After a few minutes, that data should be in your cloud instance. Run this search on the cloud instance:
    `custom_lookup_index` lookup_name="groups"
    | table number, name, group, subgroup, subgroup2, subgroup3, subgroup4
    | outputlookup override_if_empty=false create_empty=false groups
    
  5. Then save that search in your cloud instance and schedule it to run an hour after the search created in steps 2 and 3.


Step 4: Schedule the search

Save that search by clicking Save As, then Report. Name it <Your Company Name>_AD_Lookups_for_CDR. It does not need to include a time range picker.

In the Report has been created dialog, click Schedule. Set the options appropriately for your environment (perhaps daily at 2:00 AM with a scheduling window of an hour to let Splunk move the exact timing a bit if it needs to).

Step 5: Test

Return to the Cisco CDR App, click Settings, then Define groups. Click the Edit/Delete Extensions/Groups tab. It should mirror the results we got from the search we created minutes ago. If that's what you see there, we're done.

If there are problems with your testing, drop us a line at support@sideviewapps.com with the full details and we can help troubleshoot with you.

Next steps

For some tips on what to explore with your newly set-up groups, see our user docs on groups! Or reach out to us and schedule a quick meeting and we’ll help you walk through the new functionality that will be most useful to you.

Setup (Without Active Directory)

If you don't have or can't link to Active Directory, Groups and Extensions can still be set up. This "manual" method is also much quicker and can work well for testing out the overall feature.

Click Settings > Define groups and extensions in the app’s main navigation bar. 

To enter just a few extensions/groups

  • Use the "Add New Extension/Group" tab and add number, name and group (and optionally subgroup) entries. Hit return only once per entry, as this form is not particularly sophisticated.
  • You can confirm/check what's entered with the "Edit/Delete Extensions/Groups" tab.
  • In some cases, it can be very useful to use the "Find Extensions to add" tab. Within that tab you'll find a sorted list of frequently appearing extensions that are NOT already in the lookup, and you can paste some of those in to cover ground quickly.

To enter/use a larger list of extensions/groups

  • Use the "Download CSV" tab.
  • That CSV file should be empty. If it is not, check with other users or your admins to find out what you should do and who you should work with.
  • Fill out the CSV file as appropriate — you may have a separate system from which you can export or copy data.
  • Be careful to save the file as a CSV file, and be careful that you haven't pasted in any special non-UTF-8 characters.
  • Use the "Upload CSV" tab to overwrite the existing lookup (which hopefully is empty) with your new contents.
    NOTE: the upload does indeed overwrite the existing CSV file completely, so make sure you include all the information you need.
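Because the upload replaces the whole lookup, it is worth checking a hand-built CSV before pressing Upload. The following pre-flight check is an added example, not part of the Cisco CDR app: it confirms the file decodes strictly as UTF-8 (the non-UTF-8 pitfall mentioned above), that the header carries the lookup's columns, that every number is non-empty and consists only of digits and an optional leading "+" (the same character set the AD search keeps), and that no number appears twice. The sample CSV bytes are constructed for the example.

```python
"""Pre-flight checks for a hand-built groups lookup CSV before using the
Upload CSV tab. Added example, not part of the Cisco CDR app."""
import csv
import io
import re

# Columns the Download CSV tab provides (from the search/table command above)
EXPECTED_COLUMNS = ["number", "name", "group", "subgroup",
                    "subgroup2", "subgroup3", "subgroup4"]
REQUIRED_COLUMNS = ["number", "name", "group"]
# Same character set the AD search keeps: digits plus an optional leading '+'
NUMBER_RE = re.compile(r"^\+?[0-9]+$")


def validate_groups_csv(data):
    """Return a list of human-readable problems; an empty list means the file looks safe to upload."""
    problems = []
    try:
        text = data.decode("utf-8")          # strict: any non-UTF-8 byte fails here
    except UnicodeDecodeError as exc:
        bad = exc.object[exc.start:exc.end]
        return [f"file is not valid UTF-8 at byte offset {exc.start}: {bad!r}"]
    if text.startswith("\ufeff"):            # Excel-style BOM would corrupt the first header name
        problems.append("file starts with a UTF-8 BOM; save it without one")
        text = text[1:]

    reader = csv.DictReader(io.StringIO(text))
    header = [h.strip() for h in (reader.fieldnames or [])]
    missing = [c for c in REQUIRED_COLUMNS if c not in header]
    if missing:
        problems.append(f"header is missing required column(s): {', '.join(missing)}")
        return problems                      # rows cannot be checked without the columns
    extra = [c for c in header if c not in EXPECTED_COLUMNS]
    if extra:
        problems.append(f"header has unexpected column(s): {', '.join(extra)}")

    seen = {}                                # number -> first line it appeared on
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        number = (row.get("number") or "").strip()
        if not number:
            problems.append(f"line {lineno}: empty number")
            continue
        if not NUMBER_RE.match(number):
            problems.append(f"line {lineno}: number {number!r} contains characters "
                            "other than digits and a leading '+'")
        if number in seen:
            problems.append(f"line {lineno}: duplicate number {number!r} "
                            f"(first seen on line {seen[number]})")
        else:
            seen[number] = lineno
        if not (row.get("name") or "").strip():
            problems.append(f"line {lineno}: empty name for number {number!r}")
    return problems


# Constructed sample files
GOOD_CSV = (b"number,name,group,subgroup,subgroup2,subgroup3,subgroup4\n"
            b"1001,Alice Example,Sales,,,,\n"
            b"1002,Bob Example,Support,Tier 1,,,\n")
DUPLICATE_CSV = (b"number,name,group,subgroup,subgroup2,subgroup3,subgroup4\n"
                 b"1001,Alice Example,Sales,,,,\n"
                 b"1001,Alice Again,Sales,,,,\n"
                 b"555-0103,Shared Phone,Ops,,,,\n")
# 0xE9 is Latin-1 for "é" and is not valid on its own in UTF-8
LATIN1_CSV = (b"number,name,group,subgroup,subgroup2,subgroup3,subgroup4\n"
              b"1003,Caf\xe9 Phone,Ops,,,,\n")

if __name__ == "__main__":
    for label, blob in (("good", GOOD_CSV), ("duplicate", DUPLICATE_CSV), ("latin1", LATIN1_CSV)):
        print(label, validate_groups_csv(blob) or "OK")
```

The Latin-1 sample is rejected outright at the decode step; the duplicate sample reports both the repeated 1001 and the hyphenated "555-0103", which the app would otherwise never match against a cleaned extension.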

Once a few entries are in place, hop over to our User Docs section for Using Groups for more ideas!


If you have any comments at all about the documentation, please send them to docs@sideviewapps.com.
