Oracle SBC CDR

If you use either Oracle Session Border Controller (Oracle SBC) or Oracle Session Router and you’re using a reasonably recent version of the Cisco CDR app, you can integrate this data today and get it up and running in the Investigate Calls and Chart UI.

Setup is pretty simple and basically we are going to lean on Oracle SBC’s documentation for setting up ​“Local CDR Storage and SFTP Push”. But here below are the full steps start to finish. 

• First install our Supporting App for Oracle SBC CDR in your main Splunk instance either by doing in-product install from your Splunk Instance (Apps > Manage Apps > Browse more apps) or by downloading the tar.gz from Splunkbase and installing manually (Apps > Manage Apps > Install app from file).
• Note if you use distributed search, you will also need to install this app on your Splunk Indexers. There is no need to first edit what is in it. Although it’s true that not everything in the app package needs to be on the indexers, rest assured that the app contains no savedsearches, scheduled or otherwise, no acceleration, no accelerated data models, no python code, nothing that would have any ill effects on an indexer or add any load in and of itself.
  
• Next, unless you have a strong reason not to, we recommend using the same SFTP server that your CUCM CDR comes into. You will first have to create a different subdirectory to hold the Oracle SBC CDR files. Pick a subdirectory name, create the subdirectory on the server (you can use an SFTP client or log into the box itself) and remember that subdirectory name as you will need it in the SFTP steps later.
  
• Next the bulk of the work is laid out in the Oracle documentation.
  Note we strongly recommend using the cdr-output-inclusive parameter.
• At this point you should see the files building up in the subdirectory since we haven’t created a data input yet to whisk them away. Check to make sure the files are coming in. 
  
• Next you’ll create a new data input to pull the data in. You will do this on the same Splunk instance that is reading the CUCM CDR, which may well be a Splunk Universal Forwarder, and we recommend creating the inputs.conf stanza in the same file as the existing CDR and CMR input stanzas.
  
  Here is an example of the inputs.conf entry you will need to add to the file.
  

   [batch:///home/username/cisco_cdr_data/oracle_sbc/*.txt]
   sourcetype = oracle_sbc_cdr
   index = cisco_cdr
   move_policy = sinkhole
  

• After making that change to inputs.conf, restart that Splunk instance (whether or not it’s a Splunk Universal Forwarder or your actual standalone Splunk indexer)
  
• Next log in to Splunk, navigate to the Cisco CDR app and to ​“Admin > Enable/​Disable Data Types”. You should now see Oracle SBC as an option in the dropdown — 
  
• select ​“Oracle SBC” and it should now also appear in the table. Finish this step by submitting the form to enable the new data type.
• Now return to the Investigate Calls page, and you should see a new pulldown option titled ​“through” that has both ​“CUCM” and also ​“Oracle SBC”. You can leave both selected or pick just one at a time. Note that the fields available in Oracle SBC data have some overlap with the CUCM field names, but generally the space of fields is different so you will have to experiment with the ​“Edit Fields” button. Have fun and let us know what you think !

Of course if you have any problems or if we seem to have missed something in these docs, please do reach out to us at any time.

ADVANCED NOTE: it is possible that your Oracle SBC instance has a very slightly different set of fields than what our code expects to see, even if you have used the ​“cdr-output-inclusive” parameter. If so, this is quite easy for us to fix after you set it up, but if you prefer to talk to us first and send us a snippet of your data we can certainly do that.