Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About lboro_garyp
lboro_garyp
Explorer
Member since:
11-01-2017
yesterday
Community Statistics
| Posts | 11 |
| Solutions | 1 |
| Karma Given | 3 |
| Karma Received | 2 |
| Member Since | 11-01-2017 |
Activity Feed
- Got Karma for Re: Finding Events That Occur A Minimum Number of Times per Month. yesterday
- Karma Re: Finding Events That Occur A Minimum Number of Times per Month for ITWhisperer. yesterday
- Posted Re: Finding Events That Occur A Minimum Number of Times per Month on Splunk Search. yesterday
- Karma Re: Finding Events That Occur A Minimum Number of Times per Month for ITWhisperer. yesterday
- Karma Re: Finding Events That Occur A Minimum Number of Times per Month for richgalloway. yesterday
- Posted Finding Events That Occur A Minimum Number of Times per Month on Splunk Search. yesterday
- Posted Re: Help with Logic of Compound Subsearch with inputlookup on Splunk Search. 06-30-2022 03:17 AM
- Posted Re: Logic of Compound Subsearch with inputlookup on Splunk Search. 06-29-2022 05:32 AM
- Posted Help with Logic of Compound Subsearch with inputlookup on Splunk Search. 06-29-2022 03:28 AM
- Posted Re: Microsoft Teams add on for multiple tenants on All Apps and Add-ons. 05-20-2021 08:27 AM
- Got Karma for Re: Microsoft Teams add on for multiple tenants. 05-19-2021 07:50 AM
- Posted Re: Teams Call Record Data Stopped Working on All Apps and Add-ons. 05-19-2021 07:36 AM
- Posted Re: Microsoft Teams add on for multiple tenants on All Apps and Add-ons. 05-19-2021 06:59 AM
- Posted Re: Microsoft Teams add on for multiple tenants on All Apps and Add-ons. 05-18-2021 03:08 AM
- Posted Re: Finding Unique Pairs of Data in Interchangeable Fields on Splunk Search. 11-01-2017 11:07 AM
- Posted Finding Unique Pairs of Data in Interchangeable Fields on Splunk Search. 11-01-2017 09:25 AM
- Tagged Finding Unique Pairs of Data in Interchangeable Fields on Splunk Search. 11-01-2017 09:25 AM
- Tagged Finding Unique Pairs of Data in Interchangeable Fields on Splunk Search. 11-01-2017 09:25 AM
- Tagged Finding Unique Pairs of Data in Interchangeable Fields on Splunk Search. 11-01-2017 09:25 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
yesterday
1 Karma
Thanks for the replies, both of you! I was, indeed, close. I didn't realise you could continue to process the output of a stats command further, so @richgalloway's solution is pretty obvious when you grok that. @ITWhisperer, I'd not used eventstats before, so this was a good one to learn. Your code outputs a line for each activeNumber per month, though. So where Rich's outputs a line for every activeNumber that is active in all the months, yours output a line per month per activeNumber. So the overall number of activeNumbers, multiplied by the number of months searched for. Both answers are great, though, I understand how they work and why they give different values. Thanks both again!
... View more
yesterday
Hi folks, I'm analysing Cisco CallManager telephone call details records that have been ingested to Splunk. I need to find the extensions that make and receive a minimum number of external calls per month, every month, in the last calendar year to evaluate who should continue to receive PSTN telephone service. I've managed to identify external calls, classify their callType (in a new field) as Incoming or Outgoing, and create a new field in each event called "activeNumber" that represents the internal number making or receiving the call. Using | chart count by activeNumber date_month I can see a chart of calls per number per month. Using | stats count by date_month activeNumber | where count > 10 I can see the same data, but only where the count for any given month is greater than 10. I'm stuck where to go next, though, and I suspect this may not have been entirely the correct route to take. I need to find the activeNumber values that appear at least 10 times *every* month within the search period (12 months, for example). I toyed with the idea of concatenating the month and the activeNumber into a new field in each event that made the activeNumber's appearance in each month unique, but, again, didn't know where to go from there. My other idea was to make a list of activeNumber values for each month and then compare the lists, but wasn't sure how to do that. I suspect that a subsearch may be necessary. Does anyone have an idea how I'd go about this?
... View more
06-30-2022
03:17 AM
A colleague eventually came up with the following query that does exactly what I wanted: | inputlookup CUCM_lboro_assigned_numbers_27_6_22.csv
| rename DN AS phone
| search NOT
[ search index=cucm cdrRecordType=1 duration>0
| eval phone = mvappend(callingPartyNumber,originalCalledPartyNumber,finalCalledPartyNumber)
| mvexpand phone
| dedup phone
| table phone
] As you can see, it's still creating a multi-field value out of the fields I'm interested in (callingPartyNumber, originalCalledPartyNumber and finalCalledPartyNumber), but the using mvexpand to create a new event for each field and, most importantly, then dedupe'ing those events
... View more
06-29-2022
05:32 AM
mvappend is interesting, but doesn't seem to do what I want. I'm seeing numbers returned that I know have received a call in the search period. I'm not sure how searching a multi-field result value a list of single-field values works, particularly with the NOT involved. If a DN in the inputlookup file is present as one or more of callingPartyNumber, originalCalledPartyNumber or finalCalledPartyNumber it shouldn't be returned as a result. My original query was returning every number that didn't appear as any one (or more) of the fields, I'm not sure what logic is being applied to the mvappend version, as that produces a different result.
... View more
06-29-2022
03:28 AM
I'm struggling to create a search using an inputlookup and multiple NOT searches.
Background: I have an inputlookup that is a list of telephone numbers, I want to search my recent telephone log files and get a list of entries from that inputlookup that haven't made or received calls.
My current query is as a follows:
| inputlookup CUCM_lboro_assigned_numbers_27_6_22.csv
| rename DN AS phone
| search NOT
[ search index=cucm cdrRecordType=1 duration>0
| rename callingPartyNumber AS phone
| table phone]
AND NOT
[ search index=cucm cdrRecordType=1 duration>0
| rename originalCalledPartyNumber AS phone
| table phone]
AND NOT
[ search index=cucm cdrRecordType=1 duration>0
| rename finalCalledPartyNumber AS phone
| table phone]
The problem with it is that the three queries are being individually 'search NOT' against the inputlookup, so if a number doesn't place a call (appears as callingPartyNumber), but does receive a call (originalCalledPartyNumber or finalCalledPartyNumber), it still gets listed. I only want to see numbers that haven't made calls AND haven't received calls.
It's almost as if I need to build an intermediate data set of numbers that are returned from all three subsearches, then 'search NOT' that against the inputlookup. But I don't know how to do that.
Any suggestions?
... View more
Labels
- Labels:
-
subsearch
05-20-2021
08:27 AM
Well, out of curiosity I went back and set up a separate webhook on a different port and it's still not working properly, I'm getting 404 errors for nonexistent call records. Whenever I (re)start the subscription for the second tenancy I can see the *wrong* webhook being restarted (they're running on different ports). I'm not convinced that, even with an additional webhook configured, the Graph API is being told the correct webhook to use. Sadly I think there's something missing in the code for this to allow multiple tenancies to run on one node. FWIW, I'm running this on a heavy forwarder with separate indexer and search nodes.
... View more
05-19-2021
07:36 AM
Having just set this up for my system (and the steps being fresh in my memory): did the client secret for your Azure AD app expire?
... View more
05-19-2021
06:59 AM
1 Karma
Okay, I got this up and running for our test tenancy first with no problems. Generic webhook, plus subscription and call record inputs, and account unique to that tenancy and it's Azure AD app. I then created a new Azure AD app in the live tenancy, followed by a subscription and call record input on Splunk with the live tenancy's tenantID, and a new account with the live tenancy's clientID and secret. The subscription and call record inputs both point at the previous generic webhook. Call records are being ingested successfully from both tenancies into the same index, and are identifiable using the 'source' field in the records as I gave them uniquely identifiable names relating to the tenancy name. All good so far, but the wrinkle seems to be that every call record header that gets pushed to the webhook is passed onto *both* call record inputs to be requested from graph.microsoft.com. One always fails, as the call either took place on live or testing but not both, and returns a 404. It seems that the intelligence isn't there for the webhook to extract a tenantID from the call record header and pass it on to the relevant call record input. Disabling the call record input for the testing tenancy (where there are very few calls going on) bears this out. This works for my needs, I can turn the logging on and off for the testing tenancy as and when I need it, but if you're hoping to capture logs for multiple live tenancies I'd be inclined to set up a unique webhook for each one.
... View more
05-18-2021
03:08 AM
I was wondering the same thing as I'm about to set this up for our testing tenancy, and then our live one. It would be handy to have all data in one index via one "add on" as we can obviously differentiate between tenancies using tenantID in the data. I'll give it a try and report back if no one else replies before me.
... View more
11-01-2017
11:07 AM
Brilliant! It was missing a bracket but did the trick once I popped it back in 🙂
The most important part seems to be
eval callParticipents=mvsort(split(callingPartyNumber."#".finalCalledPartyNumber,"#"))
...but I can't quite figure it out, could you explain it, please? I get that we're creating a new multivalue field to work with called callParticipents for each event in the timeframe. I guess it doesn't matter which order the values go into the field A/B is the same as B/A for the purposes of a multivalue field, right? I just can't grok how callParticipents is built from that line
edit
Never mind, I sat down and read the docs on split and the mv commands and I get it now. Thanks so much!
... View more
11-01-2017
09:25 AM
Hi folks, I'm parsing Cisco Callmanager call detail records in our splunk system and I'd like to see which pairs of telephone numbers have the most calls between them, but here's the tricky bit: I don't care who called who, I want to aggregate calls from A->B and B->A into one counter and list the top 10 pairs of callers who make the most calls to each other.
The code below is giving me a nice list of top calling pairs at the moment, but A->B and B->A are listed as two distinct pairs, how do I aggregate them?
index=cucm | stats count by callingPartyNumber,finalCalledPartyNumber |sort by -count
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
yesterday
|
