Skip to main content


Splunk Lantern

Call failure statistics

You might need to see information regarding failed calls on your network when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


You work for a large telecommunications provider and use Splunk to monitor the services you provide. You need a search that will give insight into the failures that your network is experiencing.

To optimize the search shown below, you should specify a time range.  You may also need to adjust fields to match what is available in your data source. 

  1. Ensure your lookup file is uploaded to your Splunk deployment.
  2. Run the following search:
    | sourcetype=<call detail records>
    | lookup <cdr disposition mapping file> disposition
    | search disposition="FAILED" OR disposition="CONGESTED"
    | stats count values(description) AS Description BY disposition
    | rename disposition AS Disposition count AS Count
    | table Description Disposition Count
    | eval Description=if(match(Disposition,"CONGESTED"),"Route Error",Description)
    | sort - Count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| sourcetype=<call detail records> Search only your telephony data.
| lookup <cdr disposition mapping file> disposition

Enrich the search results with clearer descriptions of the dispositions.

If your lookup file does not contain the disposition column, adjust the search to match the names in your lookup.

| search disposition="FAILED" OR disposition="CONGESTED" Search for failed call events, identified with a disposition of FAILED or CONGESTED.
| stats count values(description) AS Description BY disposition Count the number of events for each description and group the results by disposition.
| rename disposition AS Disposition count AS Count Rename the fields as shown for better readability.
| table Description Disposition Count Display the results in a table with columns in the order shown.
| eval Description=if(match(Disposition,"CONGESTED"),"Route Error",Description) If the disposition is "CONGESTED", return a value of "Route Error". Otherwise, return the description for the disposition.
| sort - Count Sort the results with the largest count first.


If you discover anomalies, operationalize them as alerts or actions. You may also want to enrich the failed call logs with more descriptive information to help with troubleshooting, or visualize your failed calls by geographic location.