If you’ve spent any amount of time around Mitel (formerly Shoretel) you know that the system processes auto-attendants the same way it does voicemail. That’s just fine up to and until the point you have a department asking for metrics of AA menus. In my case it was accounting wanting to make a case for a temp employee for W-2 season. To pull last year’s data I had to turn to backups but decided for the future I wanted to be able to pump the logs in to Splunk so I could just query it there. The Splunk Forwarder was already installed on the Mitel server forwarding the Windows logs so it was just a matter of adding the Mitel logs.
Some general info about the Mitel logs if you’ve never dug in to them before. They’re stored in the folder the software was installed in. For this site it was:
\Shoreline Data\Logs\The voicemail logs themselves come as Vmail-[date/timestamp].Log and look like this:
The timestamp is 2-digit year/month/day and then six digits of time. The initial log is created at midnight. All zeros. If the log file fills up it creates a second and stamps it with the 24-hour time. In the above example 6:15PM and 24 seconds.
To get Splunk to watch the file and forward updates a [monitor://] stanza needs to be added to inputs.conf file on the forwarder of the Mitel server. Should find it in where Splunk is installed. For this site it was:
\Program Data\SplunkUniversalForwarder\etc\system\local\If there isn’t a file there with that name it’s OK to create one. Splunk just uses the default config files if there’s not yet been any customization. Create a stanza like this:
[monitor://E:\Shoreline Data\Logs\Vmail*.Log]
sourcetype=mitel_voicemail_logs
index=shoretelKeep in mind that most of Splunk is case sensitive so pay attention. You’ve been warned.
sourcetype= can be whatever you’d like that makes sense to you. It just creates a reliable searchable field to get started with.
index= is optional. In this environment there was already a separate index that other phone-related logs were dumped in to. If you do too send them there. Or create a special index for it. Or just omit the line and the logs will land in the default index. No wrong answer depending on the environment.
Restart the Splunk service on the server and you’re up and running.
I noticed quickly though that I was getting multiple lines of events in each Splunk event. This could make queries troublesome in the future so I needed to find a way to force Splunk to ingest one line per event.
The answer turned out to be a props.conf file on the Splunk indexer. On that machine navigate to where Splunk is installed to edit the file. At this site it was:
\splunk\etc\system\local\Again if there’s no props.conf file just create one. You need a stanza to identify the incoming logs you want the settings applied to. The easiest way is to match on the sourcetype that is attached by the inputs.conf on the forwarder on the Mitel server. In this case:
[mitel_voicemail_logs]
MAX_EVENTS=1
LINE_BREAKER=([\r\n]+)
SHOULD_LINEMERGE=falseMAX_EVENTS=1 sets the max number of lines per event.
LINE_BREAKER=([\r\n]+) is a regex for locating newlines within the file.
SHOULD_LINEMERGE=false guarantees other lines in the default props.conf file don’t interfere with the settings here and cause multiple-line-events unexpectedly.
After saving the file restart the Splunk service on the indexer and watch the magic happen! Should look a little like this:
