Hi
I have different data logs in Splunk that have specific information about call logs. I need to create a dashboard that can search the call logs by inputting a ConnID number, which results in a table with the following information:
1. Event name
2. Event timestamp
3. DNIS
4. ANI
5. CallType
6. CallUID
7. UserData (which could be a list?)
How do I write a script that will only extract this information from the call logs?
Appreciate your help!
UPDATE
Here is a sample log:
EventSequenceNumber 0000000000000a
TimeinuSecs 220000
TimeinSecs 1324596578(07:29:22)
ReferenceID 2365
ThirdPartyDN '1564895'
ThisDNRole 4
ThisDN '1564895'
NetworkPartyRole 4
LastTransferOrigDN 'ex
LastTransferConnID 12456328ghfy71s1
LastTransferHomeLocation 'xxxxx'
FirstTransferOrigDN 'ex'
FirstTransferConnID 01680287ebda71d1
FirstTransferHomeLocation 'xxxxx'
ANI '1452369874'
DNIS '5632148'
UserData [12345] 00 00 00 00..
'CU_ACT_TY' '5'
'CU_HH_SVC_LVL' '30'
'CU_COE' 'n'
'CU_EMP' '01'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' 'xxx'
'CU_REP_FTS' 'n'
CallUID '000000000000000000000'
ConnID 12456328ghfy71s1
CallID 1111
PropagatedCallType 4
If these fields have already been extracted, you could try this
index=nameofyourindex ConnID=<<enter id number here>> | table _time "Event name" DNIS ANI CallType CallUID UserData
If the fields have not been extracted, you will have to do that first. You could use the search-time field extraction docs: http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions
If you need help with field extractions, share sample raw data and someone in this community will assist
Thanks! I haven't extracted the information but I posted a sample data log if anyone can help with that.
Have you indexed this log file in Splunk? Or do you need help with indexing as well? If you need help with indexing, post an example of at least 2 calls, so we know how to break the events.
Sorry, I'm new to building dashboards in Splunk. I have not indexed this log file. Here is another log file with the same ConnID.
AttributeLastTransferOrigDN 'ex'
LastTransferConnID 12456328ghfy71s1
LastTransferHomeLocation 'xxxxxxx'
FirstTransferOrigDN 'ex'
FirstTransferConnID 12456328ghfy71s1
FirstTransferHomeLocation 'xxxxxxx'
AttributeUpdateRevision 1
AttributeUserData [xxxx] 00 xx xx 00..
'CU_ACT_TY' '0'
'CU_HH_SVC_LVL' 'xx'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' 'XXX'
'CU_CALL_TY' 'XXX'
'CU_LINE' 'XXX'
'CU_ROLE' 'CLIENT'
'CU_ANI' 'XXXXXXXXXXXX'
'CU_DNIS' '0223501264'
'ReqType' '1'
'SessionId' 'XXXXXXXXXXXXXXXXXXXXXX'
'CU_NEXTGEN' 'N'
'CU_PBIG' 'N'
'CU_LOGINACCT' 'XXXXXXX'
'CU_COMBOAUTHTY' 'ACCT-TAXID'
'CU_IVR_CALL_ID' 'HJKU8976-UIB6744'
'RoutePoint' 'XXX'
'DialedNumber' 'XXX'
'CU_RP' '7001'
'CU_CCDB_TY' 'MLD'
'CU_CONN_ID' '12456328ghfy71s1'
'CU_SURVEY' 'Y'
'RRequestedSkills'(list)
'CustomerSegment' 'default'
'ServiceType' 'default'
'ServiceObjective' ''
'CU_ANIFND' ''
'CU_PIN_VALID' ''
'AUTHENTICATION_METHOD' ''
'CU_CLIENTID' 'XX5XX'
'CU_ACT' 'ACC#'
'CU_PROD_CD' 'INV'
'CU_ENTITY_CD' '000'
'CU_EPI' '00000'
'CU_DOB' '0000'
PropagatedCallType 4
ConnID 12456328ghfy71s1
I know both these logs have the same ConnID, but the type of dashboard I am trying to build is one where you can search any ConnID and it will be able to pull the information listed above in a table format. I am not sure if that is possible, but I appreciate your help.
@ssingh313, when you say another log file with the same ConnID, is each call a new file? Or are all calls written to the same file and rotated either by file size or date? If there can be more than one call in a single log file, please share enough log entries to depict 2-3 calls and identify the start and end of each call. This will help determine the rules for indexing the logs. Once the logs are indexed, the rest is easy 🙂
Each call is a new file, and sometimes there can be multiple ConnIDs within one log, depending on whether the call has been transferred to another person. Here's an example of that.
07:29:13.4760 [0] 1.7.000.23 distribute_event: message EventQueued
AttributeEventSequenceNumber 0000000000007895R
TimeinuSecs 235689
TimeinSecs xxxxxxxxxx (07:29:13)
Extensions [XX] 00 00 00 00..
'UCID' bin: 12 c5 12 63.. (len=8)
OtherDNRole 1
OtherDN '7895230001'
ThisDNRole 2
ThisDN '1234567'
ThisTrunk 14526987
ANI '12356984'
DNIS '4568912'
CallUUID 'ABCD236JO45F22SQH17MODKE789652310'
ConnID 23a74523f123e63b
CallID 14292
PropagatedCallType 2
CallType 2
NetworkCallID 4563289745
ThisQueue '1234567'
AttributeCallState 0
AttributeThisDN 'ex'
ConnID 45632897abdh17r1
OtherDN '4459862'
XRouteType 0
AttributeUserData [xxxx] 00 00 00 00..
'CU_ACT_TY' '1'
'CU_HH_SVC_LVL' '89'
'CU_MLOL' 'Y'
'CU_MLD' 'Y'
'CU_COE' 'Y'
'CU_EMP' '0'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' '894'
'CU_CLIENTID' '98Z56S78'
'CU_PIN_VALID' 'N'
'CU_REP_FTS' 'Y'
'CU_ML_HOL' 'Y'
'CU_CALL_TY' 'XXX'
'CU_LINE' 'XXX'
'CU_ACT' '98Z56S78'
'CU_XFERCODE' 'ServiceAssociate'
'CU_DNIS_TEST' '5664123823'
'CU_ACT_OPENDATE' '74522369'
'CU_NEWACCT' 'N'
'CU_AUTHID' '0000'
'CU_AUTHLVL' '2'
'CU_EPI' '452361475223'
'CU_ENTITY_CD' '111'
'CU_LOB' 'COS'
'CU_PROD_CD' 'INV'
'CU_TT' 'N'
'CU_1ST_CID' '5ASD0E64-H39K-56W2-5698-145674H1JAL7'
'CU_ROLE' 'CLIENT'
'CU_ANIFND' 'N'
'CU_ANI' '569966245674'
'CU_DNIS' '7895620530'
'ReqType' '3'
'SessionId' '5ASD0E64-H39K-56W2-5698-145674H1JAL7'
'ICRName' 'TellMe'
'CU_FUNCTION' 'FAExtension'
'CU_LANGUAGE' 'English'
'CU_EPI_TY' 'EnterprisePartyId'
'CU_AUTHTY' 'TAXID'
'CU_BRANCHNUMBER' '0000000000'
'CU_NEXTGEN' 'N'
'CU_PBIG' 'N'
'CU_OVRLP_CD' '2'
'CU_ELITECARD' ''
'CU_REQFSA_ACDID' '0000000'
'CU_REQFSA_NTID' '0000000'
'CU_BACKENDOUTAGE' 'N'
'CU_LOGINACCT' '78X32L99'
'CU_COMBOAUTHTY' 'ACCT-TAXID'
'CU_IVR_CALL_ID' 'jekd7sk6aswk7fhabe5d2kl6'
'RoutePoint' '0000'
'DialedNumber' '0000'
'CU_RP' '0000'
'CU_CCDB_TY' 'MLD'
'CU_CONN_ID' '1289652314LKOP15'
'CU_SURVEY' 'Y'
'RVQID' ''
'RVQDBID' ''
'LBR_TS' '452367895'
'LBR_SNUM' '63'
'RTargetTypeSelected' '4'
'RTargetRuleSelected' ''
'RTenant' 'Resources'
'RStrategyName' 'xxxx_MAIN'
'RStrategyDBID' '785'
'CBR-actual_volume' ''
'CBR-Interaction_cost' ''
'CBR-contract_DBIDs' ''
'CBR-IT-path_DBIDs' ''
'RRequestedSkillCombination' ''
'RRequestedSkills'(list)
'CustomerSegment' 'default'
'ServiceType' 'default'
'ServiceObjective' ''
AttributeExtensions [45] 00 00 00 00..
'ISCC_ORIGIN_LOCATION' 'xxxx'
AttributeReferenceID 8956
So basically what I need to create is a dashboard that can be used to search with any given ConnID, and it should display the Event name, Event timestamp, DNIS, ANI, CallType, CallUID, and UserData (if any, could be listed). I am not exactly sure how to go about this, since this is my first time using Splunk. Really appreciate your help!
Use this regex to extract the field. Create one for each field.
... | rex "ANI'?\s'?(?<AttributeANI>[^\t\n']+)" | table AttributeANI
Or, instead of table, you could do a timechart:
... | rex "ANI'?\s'?(?<AttributeANI>[^\t\n']+)" | timechart values(Attribute*) as Attribute*
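Added example, not code from this thread or from Splunk: a Python script that does offline what the two answers above describe, event breaking on the timestamped header line (what BREAK_ONLY_BEFORE in props.conf would do), one regex per field (what EXTRACT-* stanzas or rex do), and the ConnID lookup that the dashboard search would run. The log text is constructed from the masked samples in the question, not real call data; it assumes every event starts with a header line like the `07:29:13.4760 [0] ... distribute_event: message EventQueued` line in the third sample (the first two samples were posted without one), and that PropagatedCallType can stand in for CallType when CallType is absent, as in the first sample. The regexes use Python's `(?P<name>...)` syntax, which Splunk's PCRE also accepts; in Splunk prepend `(?m)` so `^` anchors to each line of the multi-line event rather than only to the start of _raw.

```python
"""Search a call log by ConnID and build the table asked for in the question.

Added example, not from the thread. Regexes mirror what you would put in
props.conf (LINE_BREAKER / EXTRACT-*) or a rex command.
"""
import re

# Constructed sample (not real call data): two events in one call log, field
# layout copied from the question's samples. The first event carries two
# ConnIDs, as in the transferred-call sample; the second has no CallType line.
SAMPLE_LOG = """\
07:29:13.4760 [0] 1.7.000.23 distribute_event: message EventQueued
AttributeEventSequenceNumber 0000000000007895R
TimeinuSecs 235689
TimeinSecs 1324596553 (07:29:13)
OtherDN '7895230001'
ANI '12356984'
DNIS '4568912'
CallUUID 'ABCD236JO45F22SQH17MODKE789652310'
ConnID 23a74523f123e63b
CallID 14292
CallType 2
ConnID 45632897abdh17r1
AttributeUserData [xxxx] 00 00 00 00..
'CU_ACT_TY' '1'
'CU_ANI' '569966245674'
'CU_CONN_ID' '1289652314LKOP15'
'RRequestedSkills'(list)
AttributeExtensions [45] 00 00 00 00..
'ISCC_ORIGIN_LOCATION' 'xxxx'
07:29:22.2200 [0] 1.7.000.23 distribute_event: message EventRouteRequest
AttributeEventSequenceNumber 000000000000000a
TimeinuSecs 220000
TimeinSecs 1324596578 (07:29:22)
LastTransferConnID 12456328ghfy71s1
ANI '1452369874'
DNIS '5632148'
UserData [12345] 00 00 00 00..
'CU_ACT_TY' '5'
'CU_HH_SVC_LVL' '30'
CallUID '000000000000000000000'
ConnID 12456328ghfy71s1
CallID 1111
PropagatedCallType 4
"""

# Assumption: every event starts with a "HH:MM:SS.ffff [n] ..." header line.
EVENT_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ \[\d+\] ", re.M)

# One regex per field, anchored to a line start so that 'CU_ANI', 'CU_DNIS',
# CallID, and LastTransfer/FirstTransferConnID never satisfy the pattern.
FIELD_RES = {
    "event_name": re.compile(r"distribute_event: message (?P<v>\w+)"),
    "TimeinSecs": re.compile(r"^TimeinSecs (?P<v>\d+)", re.M),
    "TimeinuSecs": re.compile(r"^TimeinuSecs (?P<v>\d+)", re.M),
    "DNIS": re.compile(r"^DNIS '(?P<v>[^']*)'", re.M),
    "ANI": re.compile(r"^ANI '(?P<v>[^']*)'", re.M),
    "CallType": re.compile(r"^CallType (?P<v>\d+)", re.M),
    "PropagatedCallType": re.compile(r"^PropagatedCallType (?P<v>\d+)", re.M),
    "CallUID": re.compile(r"^CallUU?ID '(?P<v>[^']*)'", re.M),  # samples show both spellings
}
CONNID_RE = re.compile(r"^ConnID (?P<v>\w+)", re.M)
USERDATA_START = re.compile(r"^(?:Attribute)?UserData \[")
KV_RE = re.compile(r"^'(?P<k>[^']*)'\s*(?:'(?P<v>[^']*)'|\((?P<t>\w+)\))?\s*$")


def break_events(text):
    """Split a log into events on the header line; a log with no header is one event."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    if not starts:
        return [text]
    if starts[0] != 0:
        starts.insert(0, 0)
    bounds = starts + [len(text)]
    return [text[a:b] for a, b in zip(bounds, bounds[1:])]


def user_data(event):
    """Collect the 'key' 'value' lines after a UserData header as a key=value list.

    A line that is not a quoted pair (e.g. AttributeExtensions) ends the block,
    so Extensions entries such as 'ISCC_ORIGIN_LOCATION' are not swept in.
    """
    out, inside = [], False
    for line in event.splitlines():
        if USERDATA_START.match(line):
            inside = True
            continue
        if not inside:
            continue
        m = KV_RE.match(line)
        if not m:
            inside = False
            continue
        if m["v"] is not None:
            val = m["v"]
        elif m["t"]:
            val = f"({m['t']})"  # e.g. 'RRequestedSkills'(list)
        else:
            val = ""
        out.append(f"{m['k']}={val}")
    return out


def extract_fields(event):
    """Apply the per-field regexes to one event (the equivalent of EXTRACT-* or rex)."""
    f = {}
    for name, rx in FIELD_RES.items():
        m = rx.search(event)
        f[name] = m["v"] if m else None
    # _time: TimeinSecs is epoch seconds, TimeinuSecs the sub-second part.
    secs, usecs = f.pop("TimeinSecs"), f.pop("TimeinuSecs")
    f["_time"] = int(secs) + int(usecs or 0) / 1e6 if secs else None
    # Assumption: fall back to PropagatedCallType when CallType is absent.
    if f["CallType"] is None:
        f["CallType"] = f["PropagatedCallType"]
    del f["PropagatedCallType"]
    # ConnID is multivalued: a transferred call carries more than one per event.
    f["ConnID"] = CONNID_RE.findall(event)
    f["UserData"] = user_data(event)
    return f


def search_by_connid(text, connid):
    """The dashboard search: rows for every event whose ConnID values include connid."""
    cols = ("event_name", "_time", "DNIS", "ANI", "CallType", "CallUID", "ConnID", "UserData")
    rows = []
    for ev in break_events(text):
        f = extract_fields(ev)
        if connid in f["ConnID"]:
            rows.append({k: f[k] for k in cols})
    return rows


if __name__ == "__main__":
    for row in search_by_connid(SAMPLE_LOG, "45632897abdh17r1"):
        print(row)
```

Two things this shows that the one-line rex above does not: the unanchored pattern `ANI'?\s'?(?<AttributeANI>[^\t\n']+)` also matches inside `'CU_ANI' '...'` when an event has no top-level ANI line, and an unanchored ConnID pattern would pick up LastTransferConnID and FirstTransferConnID; anchoring each regex with `(?m)^` avoids both. In the dashboard, the text input's token simply replaces the literal in the search (`ConnID=$connid$`), and because ConnID is multivalued the match works whichever of a transferred call's ConnIDs the user types.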