Install Step 2, Sideview Apps

Create a new index in Splunk

If you or your Splunk admins have a preferred way of creating indexes, just follow those steps. If not and you only have a standalone Splunk instance, follow the instructions below.

• Log into your Splunk instance as an admin.
• Click Settings at the top and then Indexes.
• Click the green button at the top right that says New Index.
• Provide a name. We suggest ​“cisco_​cdr” but if you pick a different name just make a note of it because this will come up later in these docs.
  
• In most cases, leave the other defaults alone. Change these only if you really know what you are doing (advanced folks might refer to our sizing page).
• Click Save.

Install two Sideview Apps

• Log into Splunk. You will see Apps on the left-hand side. Click Manage by the gear icon next to that to go to the Manage Apps page.
• Then click Browse More Apps.
  
• Use the textbox in the top left to search for Sideview.
  
• When you see Sideview’s Canary app click the Install button beside it (see notes below if there’s no Install button).
  • The username and password here are for Splunk​.com, not your local system’s password.
    
• Next, do the same to find our Cisco CDR Reporting and Analytics app, and click Install again.
• Restart Splunk by going to Settings, Server Controls and clicking the Restart Splunk button.
• When it is finished restarting, click the Splunk>Enterprise or Splunk>Cloud logo in the upper left to get back to the main Splunk page.
  

Note (1): If Browse More Apps does not work, for instance, because you are on an air-gapped network or if Splunkbase integration is disabled. That’s fine. Just go to the Splunkbase page for Canary and download it as a a .tgz file, then do the same for Cisco CDR Reporting and Analytics. Assuming your account is a Splunk admin, you can install them by going to the Manage Apps page and clicking Install App From File.

Note (2): If instead of Install it says View on Splunkbase, this means your Splunk user account does not have the ability to install new apps. Engage the help of your local Splunk admin team.

Note (3): If you’re using Splunk Cloud and it says you cannot install our apps, contact us, because it means.… something is wrong. Our apps are approved for Splunk Cloud, so we will investigate and reach out to the Cloud folks and get you going.

If you used a custom index name

If you used a custom index name earlier (instead of ​“cisco_​cdr”), you’ll need to go to Splunk’s Settings menu > Advanced Search > Search macros. Find the macro named ​“custom_​index” and edit it to reflect your index name.

Considerations for user accounts

For users who will need and expect full use of the app’s features and who will need to run the apps’s more sophisticated reports, it is best to give their accounts the ​“power” user role. In terms of capabilities and quotas, at least for the senior users on the team, their user accounts should have at least a 500MB dispatch directory size, allow at least 5 concurrent searches, and have the schedule_​search capability. These three requirements can then be achieved simply by granting these users the ​“power” role. 

We also recommend that at least one user on the team be able to do ​“Schedule PDF Delivery” in the Splunk SimpleXML, and this requires the ​“list_​settings” capability in addition to ​“schedule_​search”.

Get a trial license for the app

• Enter your email address and accept the trial license agreement on this page, and it may take a day or so but we will reply via email and send you a 90 day trial license.
• To install that license, use the Apps list to navigate to the Cisco CDR Reporting and Analytics app and then go to Setup > Update License in the navigation. When that page loads paste in your license string and hit return.

You should now have both the Canary and Cisco CDR Reporting and Analytics apps installed. Don’t worry that the Cisco CDR landing page complains that you have no data yet, the next step is to enable the data collection system.