Here's how:
Get admin perms in Zoom, go to zoom.us, go to app marketplace, go to develop, click build app
I did JWT, fill that out and copy the JWT token
Download add-on builder from SplunkBase (I placed on indexer)
Build app that takes Query URL and JWT Token, define REST URL as https://api.zoom.us/v2/${query_url}?access_token=${jwt_token}, and add access_token:${jwt_token} as a REST URL param
Reboot indexer
You'll have to write your own parsing regex. I just did some split , mvexpand , and basic rex ing to get the data I need, but will write some more robust regex's soon
To get participant metrics you need to query the API for meetings IDs first, and then loop through and query the API for participant or QoS metrics for each meeting ID. I did this using a combination of Python and Splunk. Same thing with IM metrics, pull users first and then loop through for IMs.
Python script for participant metrics:
me@bin$ cat zoomparticipants.py
# Input field needs to be called "id" output field will be called "participant_string"
import requests
import splunk.Intersplunk
import sys
def generateResult(results, settings):
for row in results:
r = requests.get("https://api.zoom.us/v2/metrics/meetings/"+row['id']+"/participants?access_token=DELETED&type=past&page_size=300&page_number=")
row['participant_string'] = r.json()
return results
# Entry point of the code
results, dummyresults, settings = splunk.Intersplunk.getOrganizedResults()
results = generateResult(results, settings)
splunk.Intersplunk.outputResults(results)
SPL:
index=zoom source=zoom_api://metrics_meetings_page* | eval raw=split(_raw,"{\"uuid\":\"") | mvexpand raw | search raw!={* | rex field=raw "^(?<meeting_uuid>.*?)\"," | dedup meeting_uuid |
eval id=meeting_uuid | zoomparticipants | eval participant=split(participant_string,"{") | mvexpand participant | rex field=participant "u\'id\': u\'(?<participant_id>.*?)\'" | where isnotnull(participant_id) |
rex field=raw "\"id\":\"?(?<meeting_id>.*?)\"?," |
rex field=raw "\"topic\":\"?(?<meeting_topic>.*?)\"?," |
rex field=raw "\"host\":\"?(?<meeting_host>.*?)\"?," |
rex field=raw "\"email\":\"?(?<meeting_email>.*?)\"?," |
rex field=raw "\"user_type\":\"?(?<meeting_user_type>.*?)\"?," |
rex field=raw "\"start_time\":\"?(?<meeting_start_time>.*?)\"?," |
rex field=raw "\"end_time\":\"?(?<meeting_end_time>.*?)\"?," |
rex field=raw "\"duration\":\"?(?<meeting_duration>.*?)\"?," |
rex field=raw "\"participants\":\"?(?<meeting_participants>.*?)\"?," |
rex field=raw "\"has_pstn\":\"?(?<meeting_has_pstn>.*?)\"?," |
rex field=raw "\"has_voip\":\"?(?<meeting_has_voip>.*?)\"?," |
rex field=raw "\"has_3rd_party_audio\":\"?(?<meeting_has_3rd_party_audio>.*?)\"?," |
rex field=raw "\"has_video\":\"?(?<meeting_has_video>.*?)\"?," |
rex field=raw "\"has_screen_share\":\"?(?<meeting_has_screen_share>.*?)\"?," |
rex field=raw "\"has_recording\":\"?(?<meeting_has_recording>.*?)\"?," |
rex field=raw "\"has_sip\":\"?(?<meeting_has_sip>.*?)\"?," |
rex field=raw "\"dept\":\"?(?<meeting_dept>.*?)\"?}" |
rex field=participant "u\'speaker\': u\'(?<participant_speaker>.*?)\'" |
rex field=participant "u\'join_time\': u\'(?<participant_join_time>.*?)\'" |
rex field=participant "u\'mac_addr\': u\'(?<participant_mac_addr>.*?)\'" |
rex field=participant "u\'share_desktop\': u\'(?<participant_share_desktop>.*?)\'" |
rex field=participant "u\'device\': u\'(?<participant_device>.*?)\'" |
rex field=participant "u\'data_center\': u\'(?<participant_data_center>.*?)\'" |
rex field=participant "u\'domain\': u\'(?<participant_domain>.*?)\'" |
rex field=participant "u\'ip_address\': u\'(?<participant_ip_address>.*?)\'" |
rex field=participant "u\'share_application\': u\'(?<participant_share_application>.*?)\'" |
rex field=participant "u\'user_name\': u\'(?<participant_user_name>.*?)\'" |
rex field=participant "u\'harddisk_id \': u\'(?<participant_harddisk_id>.*?)\'" |
rex field=participant "u\'user_id\': u\'(?<participant_user_id>.*?)\'" |
rex field=participant "u\'location\': u\'(?<participant_location>.*?)\'" |
rex field=participant "u\'recording\': u\'(?<participant_recording>.*?)\'" |
rex field=participant "u\'share_whiteboard\': u\'(?<participant_share_whiteboard>.*?)\'" |
rex field=participant "u\'connection_type\': u\'(?<participant_connection_type>.*?)\'" |
rex field=participant "u\'network_type\': u\'(?<participant_network_type>.*?)\'" |
rex field=participant "u\'pc_name\': u\'(?<participant_pc_name>.*?)\'" |
rex field=participant "u\'microphone\': u\'(?<participant_microphone>.*?)\'" |
rex field=participant "u\'leave_time\': u\'(?<participant_leave_time>.*?)\'" |
rex field=participant "u\'leave_reason\': u\'(?<participant_leave_reason>.*?)\'" |
eval participant_seconds=strptime(participant_leave_time,"%Y-%m-%dT%H:%M:%SZ")-strptime(participant_join_time,"%Y-%m-%dT%H:%M:%SZ") |
table meeting_id meeting_topic meeting_host meeting_email meeting_user_type meeting_start_time meeting_end_time meeting_duration meeting_participants meeting_has_pstn meeting_has_voip meeting_has_3rd_party_audio meeting_has_video meeting_has_screen_share meeting_has_recording meeting_has_sip meeting_dept participant_speaker participant_join_time participant_mac_addr participant_share_desktop participant_device participant_data_center participant_domain participant_ip_address participant_share_application participant_user_name participant_harddisk_id participant_user_id participant_location participant_recording participant_share_whiteboard participant_connection_type participant_network_type participant_pc_name participant_microphone participant_leave_time participant_leave_reason participant_id participant_seconds
... View more