Supporting App for AXL | Installation Notes

3 - Populate Devices

Splunk Cloud initial step

If you are in Cloud, create a new and separate index in your cloud environment. A suggested name is cisco_​cdr_​app_​lookups”. You can use a different name here, but if you do contact us for other changes to make!

Everyone continue here

  1. Log into your on-prem Splunk instance.
  2. Click Settings at the top, then Searches, Reports and Alerts.
  3. Change to All” apps, change the owner” to nobody” or All”, and then filter’ for get_​devices_​example”
  4. For that search, click Edit and then Clone it to a new search, named get_​devices_​via_​axl” or similar.
  5. View that cloned report, and on the resulting screen click Enable Report to enable it (it clones disabled, like the original). 
  6. Confirm it returns fields like productName, and remember it might take a few moments for it to return data. Just be patient.
  7. Edit the search (Edit > Open in Search) and add to the end
    - If you are using Splunk Enterprise on-prem
    | outputlookup create_empty=false override_if_empty=false devices 
    - If you are using Splunk Cloud
    | eval lookup_name="devices"
    | collect index=cisco_cdr_app_lookups
  8. Run that search once again to populate the devices lookup for the first time. 
  9. Save the altered search.

Scheduling the AXL search

Go back to Settings > Searches, Reports and Alerts and search for the version of the report you built in the previous step. Once found:

  1. Click Edit, then Edit Schedule for that report
  2. Enable the checkbox to Schedule Report
  3. Change the settings to suit your needs. We recommending Run every day at 1:00 or 2:00.
  4. Click Save.

Splunk Cloud final steps

If you are using Splunk Cloud, we need to create the lookup from the AXL data we’re sending to it.

  • Log into your Cloud environment. 
  • Click Settings at the top, then Searches, Reports and Alerts.
  • Create a new report with a Title like Generate AXL lookup.
  • Paste this into the search field
    `custom_lookup_index` lookup_name="devices"
    | eventstats max(info_max_time) as latest
    | where info_max_time=latest AND info_max_time>relative_time(now(),"-24h")
    | eval lastUpdated=latest
    | table name, productName, department, description, className, subclassName, devicePool, mailId, userFullName, userId, callingSearchSpaceName, protocol, securityProfileName, directoryNumber, clusterId, lastUpdated
    | outputlookup override_if_empty=false create_empty=false devices
  • Use -24h for the earliest time, ignore the latest time or use now” if you like.
  • Turn the Time Range Picker option to No
  • Save it in the Cisco CDR Reporting and Analytics app

Once it returns you back to the Searches, Reports and Alerts page,

  • Search for your saved report (you will be the owner of this report)
  • Click Edit, then Edit Schedule.
  • Schedule the report to run Every day, ideally either one or two hours after the on-prem search runs (so at 2:00 or 3:00 AM)

And for one last easy step, once it returns you back to the Searches, Reports and Alerts page,

  • Search for your saved report if it’s not displaying
  • Click Run to run it once.

Next Steps

Now that you have the Devices lookup set up and enabled, there will be a few more fields available to you for use everywhere in the app. You can read about them in our page on Using Devices. Or drop us a line and we’d be happy to hop on with you and show you around what you now have — there’s more there than may first meet the eye.


Installation Notes
Installation Notes
Installation Notes
Installation Notes