I'm doing this today. We first send the records to a Linux server which is running syslog-ng. We do this because the team that manages Splunk has a rather short retention time built into their service level agreements. We can keep them in Splunk up to 180 days max. We leave them on the syslog server for up to 7 years. Syslog-ng distributes records into sub-directories based on the host from which the data is received. Syslog-ng is configured to listen on a non-standard TCP port above 5000 (Avaya CM requirement).
On the CM side, we simply set up a node name that points to the linux server using the same port, administer CDR1 on the ip-service screen and then use CDR1 in the system CDR screen.
Splunk has a component called a forwarder that is installed on the Linux server. Its job is to monitor the directory tree under which your CDR files reside. It forwards any new records to Splunk. Your Splunk guy (maybe you?) will need to create a regular expression that extracts the fields. Once in Splunk, there are so many ways to manipulate the data. You should especially look into using labels, which will allow you to aggregate records from multiple hosts. This can be very useful if you have an ESS event, because for the duration of the event, your CDR is coming from a different IP/DNS name. Labels will allow you to present them as one seamless system.
Have fun - Tom
Last edited by lynnt; 06-09-2015 at 07:02 AM.
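One way to wire up the two halves of the pipeline Tom describes, as an added example that is not part of his post: a syslog-ng source/destination pair that writes each sending host's CDR stream into its own directory, and the matching Splunk forwarder monitor stanza that takes the host name from that directory. The port number, file paths, index and sourcetype names are assumptions, not values from the post.

```conf
# --- /etc/syslog-ng/conf.d/avaya-cdr.conf (syslog-ng side) ---

# Listen on the non-standard TCP port CM is pointed at (placeholder:
# pick your own port above 5000 to match the CM node-name / ip-service entry).
source s_avaya_cdr {
    network(
        ip("0.0.0.0")
        port(5514)
        transport("tcp")
        # CM sends raw CDR lines, not syslog-formatted messages: store the
        # line untouched and let ${HOST} be derived from the sending peer.
        flags(no-parse)
    );
};

# One sub-directory per sending host, so a CM and its ESS fall into
# separate trees that Splunk can later stitch together.
destination d_avaya_cdr {
    file("/var/log/cdr/${HOST}/${YEAR}${MONTH}${DAY}.cdr"
         create-dirs(yes)
         template("${MESSAGE}\n")
    );
};

log { source(s_avaya_cdr); destination(d_avaya_cdr); };

# --- /opt/splunkforwarder/etc/system/local/inputs.conf (forwarder side) ---

# Watch the whole CDR tree; new files and appended lines are shipped to Splunk.
[monitor:///var/log/cdr]
recursive = true
index = telephony
sourcetype = avaya:cdr
# /var/log/cdr/<host>/file -> segment 4 is the syslog-ng ${HOST} directory,
# so each event carries the originating CM/ESS as its host field.
host_segment = 4
```

The 7-year copy stays on the syslog server under /var/log/cdr regardless of Splunk's 180-day retention; the field-extraction regex for sourcetype avaya:cdr is still written on the Splunk side against your CM's configured CDR format.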