Getting Data In

Is it possible to monitor PRI channels on a Cisco voice gateway?

fdarrigo
Path Finder

Dear Splunkers: I would like to monitor PRI voice channel capacity on a Cisco voice gateway. I would like receive alerts when PRI utilization reaches predefined thresholds. This data is available via the Cisco router CLI, but I'm not familiar with any apps or queries or methods to extract this data into Splunk.

Frank

Tags (3)
0 Karma
1 Solution

mikaelbje
Motivator

Hi!

Possible ways to solve this:

  1. The Cisco Networks app has a few field extractions for voice events allowing you to extract the channel etc from the event. If you allocate the channels in an incrementing manner, i.e. from 0 to 30 you could look at the highest/lowest number used and fire an alert based on that.
  2. Another method would be to create an EEM applet/script on the device that runs the commands and logs them to syslog. That way you can create extractions for the event received.
  3. The last method would probably be using SNMP.

I've updated my answer with an example for method 1 that uses the %ISDN-6-CONNECT event generated in your log. Requires the Cisco Networks Add-On:

sourcetype=cisco:ios facility=ISDN mnemonic=CONNECT | strcat dvc " " src_int dvc_src_int | timechart max(channel) BY dvc_src_int

This should give you a timechart with the highest channel over time by the unique combination device + source interface. This requires that the selection order for your B channels is in an ascending order. If you allocate the channels in a descending order replace max with min.

Let me know if this works. I'll consider adding this as a dashboard panel in the Cisco Networks App.

View solution in original post

0 Karma

friea
Splunk Employee
Splunk Employee

You should check out the latest Splunk Apptitude winning app for innovation ... it's definitely possible!

http://devpost.com/software/pri-capacity

The video is particularly good - explains how AAA uses Splunk with Cisco UC to proactively monitor their voice environment and automate call routing to ensure drivers aren't stranded.

mikaelbje
Motivator

Hi!

Possible ways to solve this:

  1. The Cisco Networks app has a few field extractions for voice events allowing you to extract the channel etc from the event. If you allocate the channels in an incrementing manner, i.e. from 0 to 30 you could look at the highest/lowest number used and fire an alert based on that.
  2. Another method would be to create an EEM applet/script on the device that runs the commands and logs them to syslog. That way you can create extractions for the event received.
  3. The last method would probably be using SNMP.

I've updated my answer with an example for method 1 that uses the %ISDN-6-CONNECT event generated in your log. Requires the Cisco Networks Add-On:

sourcetype=cisco:ios facility=ISDN mnemonic=CONNECT | strcat dvc " " src_int dvc_src_int | timechart max(channel) BY dvc_src_int

This should give you a timechart with the highest channel over time by the unique combination device + source interface. This requires that the selection order for your B channels is in an ascending order. If you allocate the channels in a descending order replace max with min.

Let me know if this works. I'll consider adding this as a dashboard panel in the Cisco Networks App.

0 Karma

fdarrigo
Path Finder

Thanks for the response. I am looking forward to trying this query, unfortunately, I don't know how to configure the voice gateway logging options to provide me this data. Can you make any recommendations? Thanks.

0 Karma

mikaelbje
Motivator

Hi! I'm not a Cisco voice guy, so I don't know, but if it's a IOS based router you'd normally just set the logging level to informational:

logging trap informational
logging host ip.add.re.ss

Unless it's explicitly disabled you will receive an event every time a call is connected and disconnected

0 Karma

fdarrigo
Path Finder

Thanks. This is producing the right level of data granularity now - but outbound calls do not generate informational events, so I am missing some data.

I extracted the routerip and the interface label fields. For some reason , the host field looks like a time field and not an IP. I am working on the query now, with the goal of producing a bar graph for each interface showing the number of channels in use for the given time range.

0 Karma

fdarrigo
Path Finder

The following is v1 of the query:

index=* sourcetype=cisco:ios mnemonic=DISCONNECT| stats count as totalDisconnect by RouterIP, InterfaceLabel| appendcols[ search index=* sourcetype=cisco:ios mnemonic=CONNECT |stats count as totalConnect by RouterIP, InterfaceLabel] |eval ChannelsInUse=totalConnect-totalDisconnect |lookup VoiceGateway.csv VGWIPAddress as RouterIP OUTPUT SiteName ,VGWName, Interface, Carrier, CircuitID |eval Site ="[".VGWName.".".Interface."]" |table Site,ChannelsInUse

0 Karma

mikaelbje
Motivator

Not sure if you need your extra extractions (RouterIP and InterfaceLabel). There should be a dvc field where the host/ip resides as well as src_int which references your PRI circuit. channel_id contains the channel number.

I may be misunderstanding your use however. Could you perhaps post a screenshot of your graph?

Please also accept or upvote helpful answers. It encourages more contributions.

0 Karma

fdarrigo
Path Finder

the dvc field is returning the name of the syslog server where the UF is installed. In any case, the following query gives me what I am looking for:

index=vgw sourcetype=cisco:ios  mnemonic=DISCONNECT| eval DisconnectCallTime=date_hour+":"+date_minute | dedup RouterIP, DisconnectCallTime, mnemonic| stats count as totalDisconnect by RouterIP, InterfaceLabel, mnemonic| appendcols[ search index=vgw sourcetype=cisco:ios mnemonic=CONNECT| eval ConnectCallTime=date_hour+":"+date_minute | dedup RouterIP, ConnectCallTime, mnemonic| stats count as totalConnect by RouterIP, InterfaceLabel, mnemonic] |eval ChannelsInUse=if(totalConnect-totalDisconnect<0,0,totalConnect-totalDisconnect) |lookup VoiceGateway.csv VGWIPAddress as RouterIP OUTPUT SiteName ,VGWName, Interface, Carrier, CircuitID |eval Site ="[".VGWName.".".Interface."]" |sort Site|table Site,ChannelsInUse
0 Karma

mikaelbje
Motivator

This means you have an underlying problem with the host field. Since I don't know how you receive your logs I can't give you a quick fix, but in general a good solution is to use a syslog daemon, make that syslog daemon log events from each host to a unique file or directory per file, and then use host_segment=N in the monitor stanza that reads your files. The key is to have the actual sending host's name/ip in the host/dvc field. Here's an example monitor stanza for inputs.conf on the forwarder where you are receiving your syslogs:

[monitor:///var/log/splunk/*]
sourcetype=syslog
host_segment=4

This will put the value of the fourth position in the path in the host field, so if you had logs from:

  • hostname1.example.com
  • hostname2.example.com

both in /var/log/splunk/

Those values would populate the host field. This is a better solution as you don't have to hack it the way you did, and as an extra this setup works with any other syslog type data meaning it scales easily without you having to make customizations for every sourcetype.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...