
formatted CDR files


I am very new to Splunk but have been asked to look into the possibility of using Splunk to replace an existing system used to query our CDR files.

From what I can tell Splunk has most of what we would need.
The one thing I cannot seem to find is:
Our files are comma separated but follow a pattern similar to ANumber,BNumber,deliveryDate,etc.
Our searches would be:
return all files where ANumber = ? and BNumber = ? and deliveryDate > ? etc.

Our current system collects the files and inserts them into a database. It is told which field is what and creates a column based on this. The queries are then created to match the columns.

I cannot see a way of collecting files in Splunk where you can index the files by telling it a format field1,field2 etc

I hope this all makes sense. I am sure there is a way but that I am unable to see it.

Thanking you in advance



I like the sound of that, and concept sideview 😉
@Mary as you are fairly new to this, blitz through the Exploring Splunk (Splunk Query Language) manual then go play with the data. Quite quickly and with only a very small amount of effort you will have top numbers calling, those called, duration etc. Interested in cost, by department?! Next stop, reference a tariff table, extend your searches and pipe the results to graphs and tables. I appreciate that the sound of all this may have you running for the hills...but I suspect not.
Maybe Call Loggers are dead. Think of the savings.



To build on Dave's answer:

Actually, if the fields are comma-separated, there is an even easier way to tell Splunk how to identify them. Assume that you create a sourcetype called CDR for your data.

In props.conf


In transforms.conf

DELIMS = ","
FIELDS = ANumber,BNumber,deliveryDate,etc.

These conf files can be put in $SPLUNK_HOME/etc/system/local

As Dave pointed out, you should create a separate index for your CDR data. I would suggest this:

  1. Create the new index.
  2. Set up the props.conf and transforms.conf files
  3. Upload some sample CDR into the index. Be sure to specify the CDR sourcetype manually (just type it in) and choose your new index. This can all be done from the Splunk GUI.
  4. Play with the data. If it looks wrong, use the clean command to clean out your index and try again.
  5. When the data looks right - clean out the index one more time and then start indexing your real data!


Nice ;-)...thanks LG

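A complete, working set of the configuration files the answer above describes, as an added example that is not part of the original post or of Splunk's own documentation. The index name cdr, the stanza names, the fourth column (duration), the deliveryDate format, the sample phone numbers and the role name are all assumptions; replace them with the real layout of your files. The role stanza is added because a dedicated index is also what lets you restrict who can search CDR data (A and B numbers are personal data), which the answer's advice to create a separate index makes possible but does not spell out.

```ini
# --- $SPLUNK_HOME/etc/system/local/indexes.conf ---
# Dedicated index so CDR data can be retained and access-controlled
# separately from the rest of your logs. Paths are Splunk's standard layout.
[cdr]
homePath   = $SPLUNK_DB/cdr/db
coldPath   = $SPLUNK_DB/cdr/colddb
thawedPath = $SPLUNK_DB/cdr/thaweddb

# --- $SPLUNK_HOME/etc/system/local/props.conf ---
# Stanza name is the sourcetype you type in when uploading the files.
[CDR]
# One CDR record per line; never merge lines into multi-line events.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
# Pin _time to the third column (deliveryDate) instead of letting Splunk
# guess a timestamp. TIME_PREFIX skips the first two comma-separated fields.
# The date format is an assumption; match it to your files.
TIME_PREFIX = ^[^,]*,[^,]*,
TIME_FORMAT = %Y-%m-%d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Search-time field extraction is delegated to the transforms stanza below.
REPORT-cdr_fields = cdr_fields

# --- $SPLUNK_HOME/etc/system/local/transforms.conf ---
[cdr_fields]
DELIMS = ","
# Assumed column order; the fourth column is hypothetical.
FIELDS = ANumber,BNumber,deliveryDate,duration

# --- $SPLUNK_HOME/etc/system/local/savedsearches.conf ---
# The "ANumber = ? and BNumber = ? and deliveryDate > ?" query from the
# question. Extracted fields are strings, so deliveryDate is converted with
# strptime() before the comparison; a bare deliveryDate > "2024-01-01"
# would compare text, not time. Sample numbers are made up.
[CDR by A and B number]
search = index=cdr sourcetype=CDR ANumber="441234567890" BNumber="441987654321" | eval delivered=strptime(deliveryDate, "%Y-%m-%d %H:%M:%S") | where delivered > strptime("2024-01-01", "%Y-%m-%d") | table _time ANumber BNumber deliveryDate duration

# --- $SPLUNK_HOME/etc/system/local/authorize.conf ---
# Role that can search only the CDR index (assumed role name). Inherits the
# built-in "user" role's capabilities but not its index access.
[role_cdr_analyst]
importRoles = user
srchIndexesAllowed = cdr
srchIndexesDefault = cdr
```

After editing these files restart Splunk (or run `splunk reload` where your version supports it), upload a sample file with sourcetype CDR into index cdr as step 3 above describes, and check two things before loading real data: that `index=cdr | head 5 | table _time deliveryDate` shows _time equal to deliveryDate (otherwise TIME_PREFIX/TIME_FORMAT do not match your layout and the time range picker will be wrong), and that a user in role_cdr_analyst sees CDR events but nothing from other indexes. If the field names come out shifted by one, the FIELDS list does not match the real column order.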


What system are your CDR files from? Sideview makes apps for both Cisco CallManager's CDRs and Shoretel CDR. And if you can send us sample logs we may very well be able to expand into your particular product. 😃 If you can help us with sample data to get a new app started we will happily grant you a free perpetual license to use the resulting product.



Mary - the good news is that this is possible. You would probably split the fields out (even using the GUI) to create a Regex, defining the field. Searches are easily constructed for ANumber etc.
If volume isn't going to cause you a problem with your license (CDRs are big, I know) then you could index the lot. Defining a new index would be advisable.
For Regex I'll post the links, ditto the tutorial if they are useful?


...and this is unmissable 😉
