Splunking Cisco Webex Meetings Data

The COVID-19 pandemic has had a major impact on our working lives. Companies have adopted by transforming their workforce to work remotely through video conferencing software. Cisco’s Webex Meetings, one of the most popular video conference softwares, plays a critical role in helping employees stay connected, enhance collaboration and drive productivity.

Splunking your Webex meetings data allows you to better understand your video conferencing service and enables you to determine if your workforce is able to connect and stay productive while asking the following questions:

• How many meetings occur each day?
• How long do they last?
• What is the distribution of meetings by size?
• How many people are attending these meetings?
• What kind of device do they use to participate in the meetings?
   

Recently, we released the Cisco Webex Meetings App for Splunk providing the ability to monitor, manage, and troubleshoot your Webex Meetings service. It leverages the recently published Cisco Webex Meetings Add-on for Splunk to collect the Webex meetings data and is an integrated component of Splunk's Remote Work Insights (RWI).    

Supported Webex API Endpoints 

The Cisco Webex Meetings Add-on for Splunk works by retrieving data from multiple endpoints that are exposed within Cisco’s Webex XML API History Service and Webex XML API General Session Service. You can refer to this for a complete list of available data and their corresponding  endpoints. There are two categories of data the Add-on is focused on retrieving: Historical and Real-Time data.

History Service 

Cisco’s History Service allows you to gather Webex sessions’ and participants’ data from a variety of service types, including Meeting Center, Training Center, Event Center, and Support Center. Guidance from Cisco states historical data retrieval may be incomplete if fetched less than 48 hours from the time that the meetings ended. Therefore the data retrieval from history service would happen two days delayed from time meetings ended.

General Session Service 

The add-on leverages the general session service to get the summary information for real-time scheduled sessions. It can return information for active scheduled sessions from all service types.

Splunk Setup Overview

1. Create a Webex Service Account.
2. Download and install the Cisco Webex Meetings Add-on for Splunk and Cisco Webex Meetings App for Splunk.
3. Configure the Add-on for the Webex Service Account.
4. Create inputs for general session service and history service.
5. Visualize the data in Cisco Webex Meetings App for Splunk.
    

Create a Webex Service Account

The current version of the Add-on doesn’t support Single Sign-On (SSO). If you have SSO enabled on your Webex account, please make sure you have created a service account first. Please refer to the instructions here on how to create a service account.

Download and Install the Add-on and App

The Cisco Webex Meetings Add-on for Splunk and Cisco Webex Meetings App for Splunk are listed on Splunkbase. Please refer to the instructions here for the installation process.

Configure the Add-on for the Webex Service Account

The configuration steps are the same for on-prem and cloud. Open the Web UI for the Heavy Forwarder (or a Splunk Cloud Input Data Manager - IDM). Access the Add-On from the list of applications. Please follow the following steps in order to configure the Add-on:

1. Click on the Configuration button on the top left corner.

2. Click on the Add-on Settings button.

3. Enter the following details about your Webex Service Account:

• Site Name (required): This identifies the Webex site you are targeting with your Add-on. For example, if the URL is https://mysitename.webex.com, the Site Name that you have to enter is mysitename.
• Username (required): Service Account Username or E-mail address of the host or admin account making the request. For example: splunker@example.com.
• Password (required): Password of the account associated with the E-mail address above. The password will be masked.
   

4. Click on the Save green button.

5. (Optional) Set up the log level for debugging purposes. The Add-on ships with useful debugging statements. In order to make the logs visible, you need to set up the log level to DEBUG under the Logging tab.

The debugging logs can be found by using the following SPL search:

index="_internal" sourcetype="taciscowebexmeetingsaddonforsplunk:log"

For more information about debugging or troubleshooting, please refer to this documentation.

6. (Optional) Set up the proxy if needed. The Add-on is proxy supported. You can configure the proxy setting under the Proxy tab.

Create inputs for general session service

1. Click on the Inputs button on the top left corner.

2. Click on the Create New Input button on the top right corner.

3. Select General Service.

4. Enter the following details in the pop up box:

• Name (required): Unique name for the data input.
• Interval (required): Time interval of input in seconds. Note: Interval should be 60 or less for general session service data.
• Index (required): Index for storing data.
• Monitor Active Session: Please make sure Monitor Active Session is checked.
   

5. Click on the Add green button on the bottom right of the pop up box.

Create inputs for history service

1. Click on the Inputs button on the top left corner.

2. Click on the Create New Input button on the top right corner.

3. Select History Service.

4. Enter the following details in the pop up box:

• Name (required): Unique name for the data input.
• Interval (required): Time interval of input in seconds. Note: Interval should be 86400 (24 hours) or more for historical data
• Index (required): Index for storing data.
• Endpoints (required): Historical endpoints that are used to fetch historical data back.
• Begin Time (required): This is the time from when you want to ingest the historical data. Please enter UTC time. Format: MM/DD/YYYY hh:mm:ss. NOTE: Begin Date must be at least 3 days ago and ideally no more than 90 days.
   

5. Click on the Add green button on the bottom right of the pop up box.

Visualize the Data 

Now it’s time to switch to Cisco Webex Meetings App for Splunk, where we have pre-built dashboards to visualize the data. 

1. Open the Web UI for the Search Head.
2. Access the App from the list of applications. 
3. Make sure you modify the “webex_index” Macro definition to point to the index where you set to store the Webex data. 

Settings > Advanced search > Search macros > webex_index > index=$YOUR_INDEX

Finally, you will see the dashboards populated with the data that the Add-on just brought into Splunk.

Happy Splunking!

----------------------------------------------------
Thanks!
Yuan Ling