Creating a search table on dashboard

ssingh313
Path Finder

Hi
I have different data logs on Splunk that have specific information about call logs. I need to create a dashboard that can search the call logs by inputting a ConnId number, which results in a table with the following information:
1. Event name
2. Event timestamp
3. DNIS
4. ANI
5. CallType
6. CallUID
7. UserData (which could be a list?)

How do I write a script that will extract only this information from the call logs?

Appreciate your help!

UPDATE
Here is a sample log:
EventSequenceNumber 0000000000000a
TimeinuSecs 220000
TimeinSecs 1324596578(07:29:22)
ReferenceID 2365
ThirdPartyDN '1564895'
ThisDNRole 4
ThisDN '1564895'
NetworkPartyRole 4
LastTransferOrigDN 'ex
LastTransferConnID 12456328ghfy71s1
LastTransferHomeLocation 'xxxxx'
FirstTransferOrigDN 'ex'
FirstTransferConnID 01680287ebda71d1
FirstTransferHomeLocation 'xxxxx'
ANI '1452369874'
DNIS '5632148'
UserData [12345] 00 00 00 00..
'CU_ACT_TY' '5'
'CU_HH_SVC_LVL' '30'
'CU_COE' 'n'
'CU_EMP' '01'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' 'xxx'
'CU_REP_FTS' 'n'
CallUID '000000000000000000000'
ConnID 12456328ghfy71s1
CallID 1111
PropagatedCallType 4

0 Karma
1 Solution

sundareshr
Legend

If these fields have already been extracted, you could try this

index=nameofyourindex CallID=<<enter id number here>> | table _time "Event name" DNIS ANI CallType CallID UserData

If the fields have not been extracted, you will have to do that first. You could use the http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions

If you need help with field extractions, share sample raw data and someone in this community will assist

ssingh313
Path Finder

Thanks! I haven't extracted the information but I posted a sample data log if anyone can help with that.

0 Karma

sundareshr
Legend

Have you indexed this log file in Splunk? Or do you need help with indexing as well? If you need help with indexing, post an example of at least 2 calls, so we know how to break the events.

0 Karma

ssingh313
Path Finder

Sorry, I'm new to building dashboards on Splunk. I have not indexed this log file. Here is another log file with the same connID.
AttributeLastTransferOrigDN 'ex'
LastTransferConnID 12456328ghfy71s1
LastTransferHomeLocation 'xxxxxxx'
FirstTransferOrigDN 'ex'
FirstTransferConnID 12456328ghfy71s1
FirstTransferHomeLocation 'xxxxxxx'
AttributeUpdateRevision 1
AttributeUserData [xxxx] 00 xx xx 00..
'CU_ACT_TY' '0'
'CU_HH_SVC_LVL' 'xx'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' 'XXX'
'CU_CALL_TY' 'XXX'
'CU_LINE' 'XXX'
'CU_ROLE' 'CLIENT'
'CU_ANI' 'XXXXXXXXXXXX'
'CU_DNIS' '0223501264'
'ReqType' '1'
'SessionId' 'XXXXXXXXXXXXXXXXXXXXXX'
'CU_NEXTGEN' 'N'
'CU_PBIG' 'N'
'CU_LOGINACCT' 'XXXXXXX'
'CU_COMBOAUTHTY' 'ACCT-TAXID'
'CU_IVR_CALL_ID' 'HJKU8976-UIB6744'
'RoutePoint' 'XXX'
'DialedNumber' 'XXX'
'CU_RP' '7001'
'CU_CCDB_TY' 'MLD'
'CU_CONN_ID' '12456328ghfy71s1'
'CU_SURVEY' 'Y'
'RRequestedSkills'(list)
'CustomerSegment' 'default'
'ServiceType' 'default'
'ServiceObjective' ''
'CU_ANIFND' ''
'CU_PIN_VALID' ''
'AUTHENTICATION_METHOD' ''
'CU_CLIENTID' 'XX5XX'
'CU_ACT' 'ACC#'
'CU_PROD_CD' 'INV'
'CU_ENTITY_CD' '000'
'CU_EPI' '00000'
'CU_DOB' '0000'
PropagatedCallType 4
ConnID 12456328ghfy71s1

I know both these logs have the same connID but the type of dashboard I am trying to build is where you can search any connID and it will be able to pull the information listed above in a table format. I am not sure if that is possible. But appreciate your help.

0 Karma

sundareshr
Legend

@ssingh313, when you say another log file with the same connid, is each call a new file? Or are all calls written to the same file and rotated either by file size or date? If there can be more than one call in a single log file, please share enough log entries to depict at least 2-3 calls and identify the start and end of each call. This will help determine the rules for indexing the logs. Once the logs are indexed, the rest is easy 🙂

0 Karma

ssingh313
Path Finder

Each call is a new file, and sometimes there can be multiple connIDs within one log, depending on whether the call has been transferred to another person. Here's an example of that.

07:29:13.4760 [0] 1.7.000.23 distribute_event: message EventQueued
AttributeEventSequenceNumber 0000000000007895R
TimeinuSecs 235689
TimeinSecs xxxxxxxxxx (07:29:13)
Extensions [XX] 00 00 00 00..
'UCID' bin: 12 c5 12 63.. (len=8)
OtherDNRole 1
OtherDN '7895230001'
ThisDNRole 2
ThisDN '1234567'
ThisTrunk 14526987
ANI '12356984'
DNIS '4568912'
CallUUID 'ABCD236JO45F22SQH17MODKE789652310'
ConnID 23a74523f123e63b
CallID 14292
PropagatedCallType 2
CallType 2
NetworkCallID 4563289745
ThisQueue '1234567'
AttributeCallState 0
AttributeThisDN 'ex'
ConnID 45632897abdh17r1
OtherDN '4459862'
XRouteType 0
AttributeUserData [xxxx] 00 00 00 00..
'CU_ACT_TY' '1'
'CU_HH_SVC_LVL' '89'
'CU_MLOL' 'Y'
'CU_MLD' 'Y'
'CU_COE' 'Y'
'CU_EMP' '0'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' '894'
'CU_CLIENTID' '98Z56S78'
'CU_PIN_VALID' 'N'
'CU_REP_FTS' 'Y'
'CU_ML_HOL' 'Y'
'CU_CALL_TY' 'XXX'
'CU_LINE' 'XXX'
'CU_ACT' '98Z56S78'
'CU_XFERCODE' 'ServiceAssociate'
'CU_DNIS_TEST' '5664123823'
'CU_ACT_OPENDATE' '74522369'
'CU_NEWACCT' 'N'
'CU_AUTHID' '0000'
'CU_AUTHLVL' '2'
'CU_EPI' '452361475223'
'CU_ENTITY_CD' '111'
'CU_LOB' 'COS'
'CU_PROD_CD' 'INV'
'CU_TT' 'N'
'CU_1ST_CID' '5ASD0E64-H39K-56W2-5698-145674H1JAL7'
'CU_ROLE' 'CLIENT'
'CU_ANIFND' 'N'
'CU_ANI' '569966245674'
'CU_DNIS' '7895620530'
'ReqType' '3'
'SessionId' '5ASD0E64-H39K-56W2-5698-145674H1JAL7'
'ICRName' 'TellMe'
'CU_FUNCTION' 'FAExtension'
'CU_LANGUAGE' 'English'
'CU_EPI_TY' 'EnterprisePartyId'
'CU_AUTHTY' 'TAXID'
'CU_BRANCHNUMBER' '0000000000'
'CU_NEXTGEN' 'N'
'CU_PBIG' 'N'
'CU_OVRLP_CD' '2'
'CU_ELITECARD' ''
'CU_REQFSA_ACDID' '0000000'
'CU_REQFSA_NTID' '0000000'
'CU_BACKENDOUTAGE' 'N'
'CU_LOGINACCT' '78X32L99'
'CU_COMBOAUTHTY' 'ACCT-TAXID'
'CU_IVR_CALL_ID' 'jekd7sk6aswk7fhabe5d2kl6'
'RoutePoint' '0000'
'DialedNumber' '0000'
'CU_RP' '0000'
'CU_CCDB_TY' 'MLD'
'CU_CONN_ID' '1289652314LKOP15'
'CU_SURVEY' 'Y'
'RVQID' ''
'RVQDBID' ''
'LBR_TS' '452367895'
'LBR_SNUM' '63'
'RTargetTypeSelected' '4'
'RTargetRuleSelected' ''
'RTenant' 'Resources'
'RStrategyName' 'xxxx_MAIN'
'RStrategyDBID' '785'
'CBR-actual_volume' ''
'CBR-Interaction_cost' ''
'CBR-contract_DBIDs' ''
'CBR-IT-path_DBIDs' ''
'RRequestedSkillCombination' ''
'RRequestedSkills'(list)
'CustomerSegment' 'default'
'ServiceType' 'default'
'ServiceObjective' ''
AttributeExtensions [45] 00 00 00 00..
'ISCC_ORIGIN_LOCATION' 'xxxx'
AttributeReferenceID 8956

So basically what I need to create is a dashboard that can be used to search with any given ConnID and it should display the Event name, Event timestamp, DNIS, ANI, CallType, CallUID, UserData (if any, could be listed). I am not exactly sure how to go about this since this is my first time using Splunk. Really appreciate your help!

0 Karma

sundareshr
Legend

Use this regex to extract the field. Create one for each field.

... | rex "ANI'?\s'?(?<AttributeANI>[^\t\n']+)" | table AttributeANI

OR, instead of table, you could do timechart

... | rex "ANI'?\s'?(?<AttributeANI>[^\t\n']+)" | timechart values(Attribute*) as Attribute*
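
The "one rex per field" advice above, put together as a Simple XML dashboard with a ConnID text input. This is an added example, not code from any of the posts. It assumes each call event is indexed as one multi-line event with a usable _time, reuses the placeholder index name from the accepted answer, treats only the quoted CU_ lines as UserData, and the field names (EventName, CallUID, UserData) and the 24-hour time range are choices made here. The patterns are anchored to the start of a line so that ANI does not pick up 'CU_ANI', ConnID does not pick up LastTransferConnID, and CallType does not pick up PropagatedCallType.

```xml
<form>
  <label>Call lookup by ConnID</label>
  <fieldset submitButton="true">
    <!-- Text box; its value becomes the connid token used in the query -->
    <input type="text" token="connid">
      <label>ConnID</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- CDATA keeps the angle brackets of the named groups away from
               the XML parser. The |s token filter inserts the typed value as
               a single quoted string, so it cannot add search commands. -->
          <query><![CDATA[
index=nameofyourindex $connid|s$
| rex "message\s+(?<EventName>Event\w+)"
| rex "(?m)^\s*(?:Attribute)?ANI\s+'(?<ANI>[^']*)'"
| rex "(?m)^\s*(?:Attribute)?DNIS\s+'(?<DNIS>[^']*)'"
| rex "(?m)^\s*(?:Attribute)?CallType\s+(?<CallType>\d+)"
| rex "(?m)^\s*(?:Attribute)?CallUU?ID\s+'(?<CallUID>[^']*)'"
| rex max_match=0 "(?m)^\s*(?:Attribute)?ConnID\s+(?<ConnID>\w+)"
| rex max_match=0 "(?m)^\s*(?<UserData>'CU_\w+'\s+'[^']*')"
| search ConnID=$connid|s$
| table _time EventName DNIS ANI CallType CallUID ConnID UserData
          ]]></query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="count">20</option>
      </table>
    </panel>
  </row>
</form>
```

The first line of the query finds events containing the ID anywhere in the raw text; the later `search ConnID=` keeps only events where it appears on a ConnID line, which matters because transferred calls also carry the ID in LastTransferConnID and FirstTransferConnID. ConnID and UserData are multivalue fields because one event can hold several of each.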