Skip to main content

 

Splunk Lantern

Failed call metrics by geographic location

You might want to find failed calls and visualize them on a geomap when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You work for a large telecommunications provider and use Splunk to monitor the services you provide. You need a search that will give a representation of where the failed calls are occurring.

To optimize the search shown below, you should specify a time range.  You may also need to adjust fields to match what is available in your data source. 

  1. Ensure your lookup files are uploaded to your Splunk deployment.
  2. Run the following search:
    | sourcetype=<call detail records>
    | eval _time = start
    | lookup <cdr disposition mapping file> disposition
    | search disposition=FAILED OR disposition=CONGESTED
    | rex field=dst "(?<dstCountry>\d+)(?=\d{10})"
    | lookup <country code to name mapping file> phoneCode AS dstCountry OUTPUTNEW countryName AS dstCountryName  
    | stats count by dstCountryName  
    | geom geo_countries allFeatures=true featureIdfield=dstCountryName

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| sourcetype=<call detail records> Search only your telephony data.
| eval _time = start Extract the timestamp and put it in a field called "start".
| lookup <cdr disposition mapping file> disposition

Enrich the search results with clearer descriptions of the dispositions.

If your lookup file does not contain the disposition column, adjust the search to match the names in your lookup.

| search disposition=FAILED OR disposition=CONGESTED Search for failed call events, identified with a disposition of FAILED or CONGESTED.
| rex field=dst "(?<dstCountry>\d+)(?=\d{10})"

Extract the destination (dst) country code.

This example assumes that the country code is what precedes a 10 digit number.

| lookup <country code to name mapping file> phoneCode AS dstCountry OUTPUTNEW countryName AS dstCountryName  

Enrich the results by adding a country Name based on the dstCountry field extracted.

If your lookup file does not contain phoneCode and countryName columns, adjust the search to match the names in your lookup.

| stats count by dstCountryName   Calculate a count for the results and sort by destination country.
| geom geo_countries allFeatures=true featureIdfield=dstCountryName Map the results count by country, using the dstCountryName field as the Feature ID.

Result

Use the results to more effectively troubleshoot and resolve ongoing issues.