3 - Populate Devices (cloud)

Populating Devices in Splunk Cloud

In Cloud it is a little more advanced and please feel free to contact us. However in somewhat abbreviated form here are the steps: 

1. create a new and separate index. A suggested name is ​“cisco_​cdr_​app_​lookups”
2. If you picked a name other than the suggested one, then on your cloud instance go to the Cisco CDR app and then click ​“Settings” > ​“Advanced Search” > ​“Search Macros”. Scroll down and click ​“custom_​lookup_​index”, and change the definition to match the name you chose. Save your change. 
3. On the local (onprem) Splunk instance on which the AXL app is installed, add the following syntax to the END of your big SPL query:

   | eval lookup_name="devices"
   | collect index=cisco_cdr_app_lookups
   

   Note again that if you picked a different index name, you will have to reuse that same name here. 
4. Schedule that search to run once a day. Assuming this instance has already been set up to forward its indexed data to Splunk Cloud, these rows will be sent up to your Cloud instance once a day.
5. Now on the Cloud SH schedule the following search to run once a day, ideally an hour or so after the first one. Save it with a timerange of ​“last 24 hours”

   custom_lookup_index lookup_name="devices"
   | eventstats max(info_max_time) as latest
   | where info_max_time=latest AND info_max_time>relative_time(now(),"-24h")
   | table name, productName, department, description, className, subclassName, devicePool, mailId, userFullName, userId, callingSearchSpaceName, protocol, securityProfileName, directoryNumber, axlHost, axlPort
   | outputlookup override_if_empty=false create_empty=false devices
   

6. That’s it! you’re done! If you have questions about how/​why this works, feel free to contact us