Dear Splunkers: I would like to monitor PRI voice channel capacity on a Cisco voice gateway. I would like to receive alerts when PRI utilization reaches predefined thresholds. This data is available via the Cisco router CLI, but I'm not familiar with any apps, queries or methods to extract this data into Splunk.
Possible ways to solve this:
I've updated my answer with an example for method 1 that uses the %ISDN-6-CONNECT event generated in your log. Requires the Cisco Networks Add-On:
sourcetype=cisco:ios facility=ISDN mnemonic=CONNECT | strcat dvc " " src_int dvc_src_int | timechart max(channel) BY dvc_src_int
This should give you a timechart with the highest channel over time by the unique combination of device + source interface. This requires that your B channels are selected in ascending order. If you allocate the channels in descending order, replace max with min.
Let me know if this works. I'll consider adding this as a dashboard panel in the Cisco Networks App.
Thanks for the response. I am looking forward to trying this query; unfortunately, I don't know how to configure the voice gateway logging options to provide me this data. Can you make any recommendations? Thanks.
Hi! I'm not a Cisco voice guy, so I don't know, but if it's an IOS-based router you'd normally just set the logging level to informational:
logging trap informational
logging host ip.add.re.ss
Unless it's explicitly disabled, you will receive an event every time a call is connected and disconnected.
Thanks. This is producing the right level of data granularity now - but outbound calls do not generate informational events, so I am missing some data.
I extracted the routerip and the interface label fields. For some reason, the host field looks like a time field and not an IP. I am working on the query now, with the goal of producing a bar graph for each interface showing the number of channels in use for the given time range.
The following is v1 of the query:
index=* sourcetype=cisco:ios mnemonic=DISCONNECT
| stats count as totalDisconnect by RouterIP, InterfaceLabel
| appendcols [search index=* sourcetype=cisco:ios mnemonic=CONNECT
    | stats count as totalConnect by RouterIP, InterfaceLabel]
| eval ChannelsInUse=totalConnect-totalDisconnect
| lookup VoiceGateway.csv VGWIPAddress as RouterIP OUTPUT SiteName, VGWName, Interface, Carrier, CircuitID
| eval Site="[".VGWName.".".Interface."]"
| table Site, ChannelsInUse
Not sure if you need your extra extractions (RouterIP and InterfaceLabel). There should be a dvc field holding the host/IP, as well as srcint, which references your PRI circuit; channelid contains the channel number.
I may be misunderstanding your use however. Could you perhaps post a screenshot of your graph?
Please also accept or upvote helpful answers. It encourages more contributions.
The dvc field is returning the name of the syslog server where the UF is installed. In any case, the following query gives me what I am looking for:
index=vgw sourcetype=cisco:ios mnemonic=DISCONNECT
| eval DisconnectCallTime=date_hour.":".date_minute
| dedup RouterIP, DisconnectCallTime, mnemonic
| stats count as totalDisconnect by RouterIP, InterfaceLabel, mnemonic
| appendcols [search index=vgw sourcetype=cisco:ios mnemonic=CONNECT
    | eval ConnectCallTime=date_hour.":".date_minute
    | dedup RouterIP, ConnectCallTime, mnemonic
    | stats count as totalConnect by RouterIP, InterfaceLabel, mnemonic]
| eval ChannelsInUse=if(totalConnect-totalDisconnect<0, 0, totalConnect-totalDisconnect)
| lookup VoiceGateway.csv VGWIPAddress as RouterIP OUTPUT SiteName, VGWName, Interface, Carrier, CircuitID
| eval Site="[".VGWName.".".Interface."]"
| sort Site
| table Site, ChannelsInUse
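As an added illustration (not code from this thread or from the Cisco Networks Add-On), the same connect/disconnect bookkeeping the queries above perform, replayed offline in Python over constructed %ISDN-6-CONNECT / %ISDN-6-DISCONNECT lines; the exact message layout, the 23-channel T1 capacity and the threshold values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread), one "<dvc> <message>" per line
# as a syslog daemon writing a file per sending host would record them.
SAMPLE_LOG = """\
10.0.0.1 %ISDN-6-CONNECT: Interface Serial0/0/0:1 is now connected to 5551000 N/A
10.0.0.1 %ISDN-6-CONNECT: Interface Serial0/0/0:2 is now connected to 5551001 N/A
10.0.0.1 %ISDN-6-CONNECT: Interface Serial0/0/0:3 is now connected to 5551002 N/A
10.0.0.1 %ISDN-6-DISCONNECT: Interface Serial0/0/0:2 disconnected from 5551001 , call lasted 42 seconds
10.0.0.2 %ISDN-6-CONNECT: Interface Serial0/1/0:23 is now connected to 5552000 N/A
10.0.0.2 %ISDN-6-DISCONNECT: Interface Serial0/1/0:9 disconnected from 5552001 , call lasted 10 seconds
"""

ISDN_RE = re.compile(
    r"^(?P<dvc>\S+)\s+%ISDN-6-(?P<mnemonic>CONNECT|DISCONNECT):\s+Interface\s+"
    r"(?P<src_int>\S+?):(?P<channel>\d+)\s"
)

def parse(log_text):
    """Yield (dvc, src_int, channel, mnemonic) for each ISDN call event."""
    for line in log_text.splitlines():
        m = ISDN_RE.match(line)
        if m:
            yield m["dvc"], m["src_int"], int(m["channel"]), m["mnemonic"]

def channels_in_use(log_text):
    """Replay events in order, keeping the set of busy B channels per circuit.
    Tracking channel identity instead of count(CONNECT) - count(DISCONNECT)
    means a DISCONNECT with no logged CONNECT (the thread's outbound-call gap)
    cannot push the count negative; it is counted as an orphan instead."""
    busy = defaultdict(set)
    orphans = 0
    for dvc, src_int, ch, mnemonic in parse(log_text):
        key = (dvc, src_int)
        if mnemonic == "CONNECT":
            busy[key].add(ch)
        elif ch in busy[key]:
            busy[key].discard(ch)
        else:
            orphans += 1
    return {k: len(v) for k, v in busy.items()}, orphans

def utilization_alerts(log_text, capacity=23, threshold=0.8):
    """List (dvc, src_int, in_use, utilization) for circuits at or above the
    threshold. capacity=23 assumes a T1 PRI; an E1 PRI has 30 B channels."""
    in_use, _ = channels_in_use(log_text)
    return [(dvc, src_int, n, round(n / capacity, 3))
            for (dvc, src_int), n in sorted(in_use.items())
            if n / capacity >= threshold]
```

Because this keys state on (device, interface, channel), it does not depend on the CONNECT and DISCONNECT result sets lining up row by row the way appendcols does.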
This means you have an underlying problem with the host field. Since I don't know how you receive your logs I can't give you a quick fix, but in general a good solution is to use a syslog daemon, make that syslog daemon log events from each host to a unique file or directory per host, and then use host_segment=N in the monitor stanza that reads your files. The key is to have the actual sending host's name/IP in the host/dvc field. Here's an example monitor stanza for inputs.conf on the forwarder where you are receiving your syslogs:
[monitor:///var/log/splunk/*]
sourcetype=syslog
host_segment=4
This will put the value of the fourth position in the path in the host field, so if you had logs from:
both in /var/log/splunk/
Those values would populate the host field. This is a better solution as you don't have to hack it the way you did, and as a bonus this setup works with any other syslog-type data, meaning it scales easily without you having to make customizations for every sourcetype.
You should check out the latest Splunk Apptitude winning app for innovation ... it's definitely possible!
The video is particularly good: it explains how AAA uses Splunk with Cisco UC to proactively monitor their voice environment and automate call routing to ensure drivers aren't stranded.