Here ultimately we will be populating the Groups Lookup in the Cisco CDR app. This lookup contains a number of fields, chief among them the “number”, which is matched at search time against the extensions and DNs of all calls coming in the CDR data. The other fields include the name, group and subgroup of the user or location that the number is assigned to.
Note: If you have not already, you might quickly review the User Documentation for Groups and Extensions to learn more about how users will use these fields.
Using Active Directory
Our recommended method to populate the Groups Lookup is to use existing data from your Microsoft Active Directory via a separate free Splunk-Supported app called the Splunk Supporting Add-on for Active Directory.
In the steps below we will use this app to query Active Directory on a regular basis (e.g. nightly) and populate our Groups lookup in the CDR app with user data right from AD.
Step 1: Install and Configure the Splunk Supporting Add-on for Active Directory
The Splunk Supporting Add-on for Active Directory is also known as SA-ldapsearch.
You should have a working installation of this app when finished.
Step 2: Create the search to retrieve records.
The following LDAP search should retrieve all users that are included in the Base DN you included in your LDAP setup from Step 1.
| ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))"
attrs="userAccountControl, telephoneNumber, mobile, ipPhone, displayName, department"
| rex field=telephoneNumber mode=sed "s/[^0-9+]//g"
| rex field=mobile mode=sed "s/[^0-9+]//g"
| rex field=ipPhone mode=sed "s/[^0-9+]//g"
| where userAccountControl="NORMAL_ACCOUNT" AND isnotnull(telephoneNumber) AND telephoneNumber!=""
| eval number = mvdedup(mvappend(telephoneNumber, mobile, ipPhone))
| mvexpand number
| stats last(displayName) as name last(department) as group by number
| table number, name, group, subgroup, subgroup2, subgroup3, subgroup4
Note: In this example we map the AD fields telephoneNumber, displayName and department into our fields number, name and group. You can customize this if you need to, and if you need help doing that contact us at [email protected]sideviewapps.com and we’ll help you out.
Confirm that the search works in a new Search window in the Splunk Supporting Add-on for Active Directory app.
Note it may take a few seconds or even minutes for results to come back. Be patient!
Step 3: Add the outputlookup clause to actually write to the lookup file
Now that we have a search that returns the data, we need to use that search to populate the lookup file with data. Note that if anyone has made prior attempts to populate rows in the Groups Lookup this will completely overwrite them.
Modify the search above (or your version of it), and add this one line to the end of it:
| outputlookup groups
Run that search once manually to populate the lookup the first time. Note that the outputlookup command has no effect on the visible results – the search results are exactly the same as if you didn’t have the outputlookup command in it. Wait until you get results to display, then you can proceed.
Step 4: Schedule the search
Save that search by clicking Save As then Report. Name it <Your Company Name>_AD_Lookups_for_CDR. You do not need to have it include a timerange picker.
In the Report has been created dialog, click Schedule. Set the options appropriately for your environment (perhaps daily at 2:00 AM with a scheduling window of an hour to let Splunk move the exact timing a bit if it needs to).
Step 5: Test
Return to the Cisco CDR App, click Settings then Define groups. Click the tab for Edit/Delete Extensions/Groups. It should mirror the results we got from the search we created minutes ago. If that’s what you see there, we’re done.
If there are problems with your testing, drop us a line at [email protected]sideviewapps.com with the full details and we can help troubleshoot with you.
For some tips on what to explore with your newly set-up groups, see our user docs on groups! Or reach out to us and schedule a quick meeting and we’ll help you walk through the new functionality that will be most useful to you.
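Because Step 3 completely overwrites the Groups Lookup, it helps to preview what the overwrite would change before running it or scheduling it. The search below is an added example, not part of the original instructions or of either app: it runs the Step 2 query, appends the current contents of the groups lookup, and lists only the numbers that would be added, removed or modified. The field names origin, origins, change, ad_name, lookup_name, ad_group and lookup_group are introduced here for illustration, and the lookup is assumed to be named groups as in Step 3.

```spl
| ldapsearch search="(&(objectClass=user) (!(objectClass=computer)))"
    attrs="userAccountControl, telephoneNumber, mobile, ipPhone, displayName, department"
| rex field=telephoneNumber mode=sed "s/[^0-9+]//g"
| rex field=mobile mode=sed "s/[^0-9+]//g"
| rex field=ipPhone mode=sed "s/[^0-9+]//g"
| where userAccountControl="NORMAL_ACCOUNT" AND isnotnull(telephoneNumber) AND telephoneNumber!=""
| eval number = mvdedup(mvappend(telephoneNumber, mobile, ipPhone))
| mvexpand number
| stats last(displayName) as name last(department) as group by number
| eval origin="ad"
| inputlookup append=true groups
| eval origin=coalesce(origin, "lookup")
| stats values(origin) as origins
        values(eval(if(origin="ad", name, null()))) as ad_name
        values(eval(if(origin="lookup", name, null()))) as lookup_name
        values(eval(if(origin="ad", group, null()))) as ad_group
        values(eval(if(origin="lookup", group, null()))) as lookup_group
        by number
| eval change=case(
    mvcount(origins)=2 AND (coalesce(ad_name,"")!=coalesce(lookup_name,"") OR coalesce(ad_group,"")!=coalesce(lookup_group,"")), "modified",
    mvcount(origins)=2, "unchanged",
    origins="ad", "added",
    origins="lookup", "removed")
| where change!="unchanged"
| sort change, number
| table change, number, lookup_name, ad_name, lookup_group, ad_group
```

Rows marked removed exist only in the current lookup and would be lost when the Step 3 search overwrites it. The subgroup columns are not compared here.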