Solved: Creating a search table on dashboard

ssingh313 · ‎07-21-2016

Hi
I have different data logs on splunk that has specific information about call logs. I need to create a dashboard that can search the call logs by inputting a ConnId number which results in a table with the following information:
1. Event name
2. Event timestamp
3. DNIS
4. ANI
5. CallType
6. CallUID
7. UserData (which could be a list?)

How do I write a script that will only extract these information from the call logs?

Appreciate your help!

UPDATE
Here is a sample log:
EventSequenceNumber 0000000000000a
TimeinuSecs 220000
TimeinSecs 1324596578(07:29:22)
ReferenceID 2365
ThirdPartyDN '1564895'
ThisDNRole 4
ThisDN '1564895'
NetworkPartyRole 4
LastTransferOrigDN 'ex
LastTransferConnID 12456328ghfy71s1
LastTransferHomeLocation 'xxxxx'
FirstTransferOrigDN 'ex'
FirstTransferConnID 01680287ebda71d1
FirstTransferHomeLocation 'xxxxx'
ANI '1452369874'
DNIS '5632148'
UserData [12345] 00 00 00 00..
'CU_ACT_TY' '5'
'CU_HH_SVC_LVL' '30'
'CU_COE' 'n'
'CU_EMP' '01'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' 'xxx'
'CU_REP_FTS' 'n'
CallUID '000000000000000000000'
ConnID 12456328ghfy71s1
CallID 1111
PropagatedCallType 4

sundareshr · ‎07-21-2016

If these fields have already been extracted, you could try this

index=nameofyourindex CallID=<<enter id number here>> | table _time "Event name" DNIS ANI CallType CallID UserData

If the fields have not been extracted, you will have to do that first. You could use the http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions

If you need help with field extractions, share sample raw data and someone in this community will assist

View solution in original post

sundareshr · ‎07-21-2016

If these fields have already been extracted, you could try this

index=nameofyourindex CallID=<<enter id number here>> | table _time "Event name" DNIS ANI CallType CallID UserData

If the fields have not been extracted, you will have to do that first. You could use the http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/Managesearch-timefieldextractions

If you need help with field extractions, share sample raw data and someone in this community will assist

ssingh313 · ‎07-21-2016

Thanks! I haven't extracted the information but I posted a sample data log if anyone can help with that.

sundareshr · ‎07-21-2016

Have you indexed this log file in splunk? Or do you need help with indexing as well? If you need help with indexing post an example of at least 2 calls, so we know how to break the events.

ssingh313 · ‎07-21-2016

Sorry I'm new to building dashboards on splunk. I have not indexed this log file. Here is another log file with the same connID.
AttributeLastTransferOrigDN 'ex'
LastTransferConnID 12456328ghfy71s1
LastTransferHomeLocation 'xxxxxxx'
FirstTransferOrigDN 'ex'
FirstTransferConnID 12456328ghfy71s1
FirstTransferHomeLocation 'xxxxxxx'
AttributeUpdateRevision 1
AttributeUserData [xxxx] 00 xx xx 00..
'CU_ACT_TY' '0'
'CU_HH_SVC_LVL' 'xx'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' 'XXX'
'CU_CALL_TY' 'XXX'
'CU_LINE' 'XXX'
'CU_ROLE' 'CLIENT'
'CU_ANI' 'XXXXXXXXXXXX'
'CU_DNIS' '0223501264'
'ReqType' '1'
'SessionId' 'XXXXXXXXXXXXXXXXXXXXXX'
'CU_NEXTGEN' 'N'
'CU_PBIG' 'N'
'CU_LOGINACCT' 'XXXXXXX'
'CU_COMBOAUTHTY' 'ACCT-TAXID'
'CU_IVR_CALL_ID' 'HJKU8976-UIB6744'
'RoutePoint' 'XXX'
'DialedNumber' 'XXX'
'CU_RP' '7001'
'CU_CCDB_TY' 'MLD'
'CU_CONN_ID' '12456328ghfy71s1'
'CU_SURVEY' 'Y'
'RRequestedSkills'(list)
'CustomerSegment' 'default'
'ServiceType' 'default'
'ServiceObjective' ''
'CU_ANIFND' ''
'CU_PIN_VALID' ''
'AUTHENTICATION_METHOD' ''
'CU_CLIENTID' 'XX5XX'
'CU_ACT' 'ACC#'
'CU_PROD_CD' 'INV'
'CU_ENTITY_CD' '000'
'CU_EPI' '00000'
'CU_DOB' '0000'
PropagatedCallType 4
ConnID 12456328ghfy71s1

I know both these logs have the same connID but the type of dashboard I am trying to build is where you can search any connID and it will be able to pull the information listed above in a table format. I am not sure if that is possible. But appreciate your help.

sundareshr · ‎07-21-2016

@ssingh313, when you say another log file with the same connid, is each call a new file? Or all calls written to the same file and rotated either by file size or date? If there can be more than one call in a single log file, please share enough log entries to depict at 2-3 calls and identify the start and end of each call. This will help determine the rules for indexing the logs. Once the logs are indexed, rest is easy 🙂

ssingh313 · ‎07-22-2016

Each call is a new file and sometimes there can be multiuple connIDs within one log depending on if the call has been transferred to another person. Here's an example of that.

07:29:13.4760 [0] 1.7.000.23 distribute_event: message EventQueued
AttributeEventSequenceNumber 0000000000007895R
TimeinuSecs 235689
TimeinSecs xxxxxxxxxx (07:29:13)
Extensions [XX] 00 00 00 00..
'UCID' bin: 12 c5 12 63.. (len=8)
OtherDNRole 1
OtherDN '7895230001'
ThisDNRole 2
ThisDN '1234567'
ThisTrunk 14526987
ANI '12356984'
DNIS '4568912'
CallUUID 'ABCD236JO45F22SQH17MODKE789652310'
ConnID 23a74523f123e63b
CallID 14292
PropagatedCallType 2
CallType 2
NetworkCallID 4563289745
ThisQueue '1234567'
AttributeCallState 0
AttributeThisDN 'ex'
ConnID 45632897abdh17r1
OtherDN '4459862'
XRouteType 0
AttributeUserData [xxxx] 00 00 00 00..
'CU_ACT_TY' '1'
'CU_HH_SVC_LVL' '89'
'CU_MLOL' 'Y'
'CU_MLD' 'Y'
'CU_COE' 'Y'
'CU_EMP' '0'
'CU_CLIENTID_TY' 'ACC'
'CU_SEG' '894'
'CU_CLIENTID' '98Z56S78'
'CU_PIN_VALID' 'N'
'CU_REP_FTS' 'Y'
'CU_ML_HOL' 'Y'
'CU_CALL_TY' 'XXX'
'CU_LINE' 'XXX'
'CU_ACT' '98Z56S78'
'CU_XFERCODE' 'ServiceAssociate'
'CU_DNIS_TEST' '5664123823'
'CU_ACT_OPENDATE' '74522369'
'CU_NEWACCT' 'N'
'CU_AUTHID' '0000'
'CU_AUTHLVL' '2'
'CU_EPI' '452361475223'
'CU_ENTITY_CD' '111'
'CU_LOB' 'COS'
'CU_PROD_CD' 'INV'
'CU_TT' 'N'
'CU_1ST_CID' '5ASD0E64-H39K-56W2-5698-145674H1JAL7'
'CU_ROLE' 'CLIENT'
'CU_ANIFND' 'N'
'CU_ANI' '569966245674'
'CU_DNIS' '7895620530'
'ReqType' '3'
'SessionId' '5ASD0E64-H39K-56W2-5698-145674H1JAL7'
'ICRName' 'TellMe'
'CU_FUNCTION' 'FAExtension'
'CU_LANGUAGE' 'English'
'CU_EPI_TY' 'EnterprisePartyId'
'CU_AUTHTY' 'TAXID'
'CU_BRANCHNUMBER' '0000000000'
'CU_NEXTGEN' 'N'
'CU_PBIG' 'N'
'CU_OVRLP_CD' '2'
'CU_ELITECARD' ''
'CU_REQFSA_ACDID' '0000000'
'CU_REQFSA_NTID' '0000000'
'CU_BACKENDOUTAGE' 'N'
'CU_LOGINACCT' '78X32L99'
'CU_COMBOAUTHTY' 'ACCT-TAXID'
'CU_IVR_CALL_ID' 'jekd7sk6aswk7fhabe5d2kl6'
'RoutePoint' '0000'
'DialedNumber' '0000'
'CU_RP' '0000'
'CU_CCDB_TY' 'MLD'
'CU_CONN_ID' '1289652314LKOP15'
'CU_SURVEY' 'Y'
'RVQID' ''
'RVQDBID' ''
'LBR_TS' '452367895'
'LBR_SNUM' '63'
'RTargetTypeSelected' '4'
'RTargetRuleSelected' ''
'RTenant' 'Resources'
'RStrategyName' 'xxxx_MAIN'
'RStrategyDBID' '785'
'CBR-actual_volume' ''
'CBR-Interaction_cost' ''
'CBR-contract_DBIDs' ''
'CBR-IT-path_DBIDs' ''
'RRequestedSkillCombination' ''
'RRequestedSkills'(list)
'CustomerSegment' 'default'
'ServiceType' 'default'
'ServiceObjective' ''
AttributeExtensions [45] 00 00 00 00..
'ISCC_ORIGIN_LOCATION' 'xxxx'
AttributeReferenceID 8956

So basically what I need to create is a dashboard that can be used to search with any given ConnID and it should display the Event name, Event timestamp, DNIS, ANI, CallType, CallUID, UserData (if any, could be listed). I am not exactly sure how to go about this since this is my first time using Splunk. Really appreciate your help!

sundareshr · ‎07-25-2016

Use this regex to extract the field. Create one for each field.

... | rex "ANI'?\s'?(?<AttributeANI>[^\t\n']+)" | table AttributeANI

*OR, instead of table, you could do timechart *

... | rex "ANI'?\s'?(?<AttributeANI>[^\t\n']+)" | timechart values(Attribute*) as Attribute*

Creating a search table on dashboard

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life