[cisco-voip] Reporting question -

Ed Leatherman ealeatherman at gmail.com
Wed Dec 30 11:13:32 EST 2009


Follow-up to this conversation: a couple of people expressed interest out
of band, so I figured I would share with everyone.
I was able to get things set up to start indexing and reporting on QRT.
I'll try to outline what I did below.

I'm new to using splunk for anything but basic syslog, so I wouldn't
be surprised if there is a better way to do this.

The easiest way to get this information into splunk seemed to be just
have it index the contents of a directory and have the QRT reports
dumped into that directory periodically.

First thing was to set up a scheduled trace collection (as Wes
mentioned below). I just had RTMT SFTP the Extended Function
reports from the publisher every hour to a directory on my splunk
server.

On the splunk side of things, it seemed like it might make it easier
to search/report on this information if I create a new index for QRT
reports. Under Manager->Indexes I just created a new index named 'qrt'
with the default settings.

I created a new input source under Manager->Data Inputs-> Files &
Directories. Gave it the path to the QRT reports, set it to my 'qrt'
index. I left source-type as automatic, as nothing else jumped out at
me as appropriate.

This gets splunk indexing those QRT reports. An easy way to double check
that everything is working is to search for index="qrt" and see if you
get expected results.

Splunk is pretty good about getting the date/time stamp field out of
each record, but for me it did not recognize any of the other fields
even though they are in XML format and should be pretty obvious.
Perhaps there is a setting or something I missed to get it to parse the
rest of the fields automatically - that would be nice. As is, though,
you can manually add fields you are interested in using the Field
Extractor tool. It also likes to index misc. lines in the report files
such as "</ReportList>" that do not actually have a QRT record. Not
sure if there is a quick and dirty way to prevent that; otherwise you
would need to build your search queries to ignore them if they are in
the way. Or pre-process the XML files with a perl script or something
to remove them, I guess.

If someone knows splunk better and has any suggestions I'd love to hear them.

I've also got it indexing CDRs, which looks to be very useful.
Sometime after the holidays I will try to put something together in a
better format for how to add that stuff in as well; it wasn't hard,
though.

On Wed, Dec 23, 2009 at 11:19 AM, Ed Leatherman <ealeatherman at gmail.com> wrote:
> This actually gave me an idea.. going to export them to SFTP server
> and index them into splunk so I can search and report on them
> (easily). Will let you know how it works out.
>
> On Wed, Dec 23, 2009 at 11:09 AM, Wes Sisk <wsisk at cisco.com> wrote:
>> I'm pretty sure QRTs are just files.  Have you looked for them as an item in
>> scheduled trace collection?
>>
>> /Wes
>>
>> On Wednesday, December 23, 2009 10:38:04 AM, Tim Reimers
>> <treimers at ashevillenc.gov> wrote:
>>
>> Does anyone know of a way to automate the retrieval of QRT entries in the
>> system?
>>
>> I'd like to get an automatic weekly summary of calls that someone used the
>> QRT button for.
>>
>> I know I can get that using a query in RTMT, but I want that to be
>> automated?
>>
>> I don't know which tables in the database the QRT info is stored in?
>>
>> Tim Reimers
>> Systems Analyst II
>> Information Technology Services
>> City of Asheville
>> 70 Court Plaza
>> Asheville, NC 28801
>> phone - 828-259-5512
>> treimers at ashevillenc.gov
>>
>>
>> ________________________________
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
>
>
> --
> Ed Leatherman
>



-- 
Ed Leatherman
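
The pre-processing route mentioned in the message above, sketched as an added example (not part of the original post, and Python rather than Perl): it drops wrapper lines such as "</ReportList>" and rewrites each record as one line of key="value" pairs, a form Splunk extracts as fields automatically at search time. The record layout, element names and sample values are constructed assumptions, since the post does not show the real QRT schema; only the ReportList wrapper comes from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Only <ReportList> is taken from the post; the Report
# element, its attributes and child elements are assumed for illustration.
SAMPLE = """<?xml version="1.0"?>
<ReportList>
  <Report Time="2009-12-30 10:02:11" Category="Audio">
    <Device>SEP001122334455</Device>
    <Comment>choppy "robot" voice
on conference</Comment>
  </Report>
  <Report Time="2009-12-30 10:47:50" Category="Dropped">
    <Device>SEP00AABBCCDDEE</Device>
  </Report>
</ReportList>
"""


def _clean(value):
    """Collapse whitespace (including newlines) and replace double quotes,
    so free text cannot close a field early or split one record in two."""
    text = " ".join((value or "").split())
    return text.replace('"', "'")


def flatten_record(elem):
    """Turn one record element into a single key="value" line.
    Attributes come first, then every descendant element that has text."""
    fields = list(elem.attrib.items())
    for child in elem.iter():
        if child is not elem and (child.text or "").strip():
            fields.append((child.tag, child.text))
    return " ".join('%s="%s"' % (key, _clean(val)) for key, val in fields)


def qrt_to_events(xml_text):
    """Return one line per direct child of the root element.
    The wrapper element and its closing tag produce no output at all."""
    root = ET.fromstring(xml_text)
    return [line for line in (flatten_record(rec) for rec in root) if line]


if __name__ == "__main__":
    for event in qrt_to_events(SAMPLE):
        print(event)
```

Write the output to a separate directory and point the file input at that directory instead of the raw SFTP drop.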

