Splunk Cloud final steps
If you are using Splunk Cloud, you need to create the lookup there from the AXL data being sent to it.
- Log into your Cloud environment.
- Click Settings at the top, then Searches, Reports and Alerts.
- Create a new report with a Title like Generate AXL lookup.
- Paste this into the search field:
| eventstats max(info_max_time) as latest
| where info_max_time=latest AND info_max_time>relative_time(now(),"-24h")
| table name, productName, department, description, className, subclassName, devicePool, mailId, userFullName, userId, callingSearchSpaceName, protocol, securityProfileName, directoryNumber, axlHost, axlPort
| outputlookup override_if_empty=false create_empty=false devices
- Use -24h for the earliest time; ignore the latest time, or use “now” if you like.
- Set the Time Range Picker option to No.
- Save it in the Cisco CDR Reporting and Analytics app.
Once it returns you to the Searches, Reports and Alerts page:
- Search for your saved report (you will be the owner of this report)
- Click Edit, then Edit Schedule.
- Schedule the report to run every day, ideally one or two hours after the on-prem search runs (so at 2:00 or 3:00 AM).
And for one last easy step, once it returns you to the Searches, Reports and Alerts page:
- Search for your saved report if it’s not displaying
- Click Run to run it once.