Using Splunk to track CallManager Express CDN logs
DISCLAIMER I am not responsible for damage to your equipment or downtime incurred by your following my instructions. Research this and be sure of what you are doing before you do it.
Here’s a neat way to get a quick (and dirty) view into how many calls your company is taking in through Cisco CallManager Express using Splunk. Assuming you already have a syslog server set up and working… Install Splunk on the syslog server and verify that it is working Set up the CallManager Express to send syslog entries to the syslog server (see
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ap04_:_syslog_Configuration_and_Cisco_Devices AND page 11-6 in
http://www.cisco.com/univercd/cc/td/doc/product/voice/its/cmesrnd/managcme.pdf ) Telnet into the CME and do a show run. Look at your voice translation rules. The first number in each rule will appear in log entries as cdn:#### for inbound calls.
For example, if you have:
voice translation-rule 5 rule 1 /5202/ /1007/ rule 2 /5203/ /1006/ rule 3 /5204/ /1007/ rule 4 /5205/ /1007/ rule 5 /5206/ /1007/ rule 6 /5207/ /1009/ rule 7 /5208/ /1006/ rule 8 /5209/ /1007/ rule 9 /5210/ /1008/ rule 10 /5211/ /1007/
…and someone calls in using 555-5204, the log entry should contain cdn:5204 .
You can use this to build some saved searches that will show your call traffic by DID by hour, minute, or whatever.