Splunk Lantern

Failed calls with enriched error information

You might want to know the details around failed calls when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You work for a large telecommunications provider and use Splunk to monitor the services you provide. You need a search that will find failed calls and provide more insight into why these calls didn't complete successfully.

To optimize the search shown below, you should specify a time range. You may also need to adjust fields to match what is available in your data source.

  1. Ensure your lookup files are uploaded to your Splunk deployment.
  2. Run the following search:
    sourcetype=<call detail records>
    | eval _time = start
    | lookup <cdr disposition mapping file> disposition
    | search disposition=FAILED OR disposition=CONGESTED
    | eval Description=if(match(disposition,"CONGESTED"),"Route Error",description)
    | rex field=src "(?<srcCountry>\d+)(?=\d{10})"
    | rex field=dst "(?<dstCountry>\d+)(?=\d{10})"
    | lookup <country code to name mapping file> phoneCode AS dstCountry OUTPUTNEW countryName AS dstCountryName ISO2 AS dstCountryCode
    | table _time src dst dstCountryCode Description disposition
    | rename _time AS Time src AS "Source #" dst AS "Destination #" disposition AS Disposition dstCountryCode AS "Destination Country"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `sourcetype=<call detail records>` | Search only your telephony data. |
| `\| eval _time = start` | Use the value of the "start" field as the event timestamp (_time). |
| `\| lookup <cdr disposition mapping file> disposition` | Enrich the search results with clearer descriptions of the dispositions. If your lookup file does not contain the disposition column, adjust the search to match the names in your lookup. |
| `\| search disposition=FAILED OR disposition=CONGESTED` | Search for failed call events, identified with a disposition of FAILED or CONGESTED. |
| `\| eval Description=if(match(disposition,"CONGESTED"),"Route Error",description)` | If the disposition is "CONGESTED", return a value of "Route Error". Otherwise, return the description for the disposition. |
| `\| rex field=src "(?<srcCountry>\d+)(?=\d{10})"` | Extract the source (src) country code. This example assumes that the country code is what precedes a 10-digit number. |
| `\| rex field=dst "(?<dstCountry>\d+)(?=\d{10})"` | Extract the destination (dst) country code, with the same assumption. |
| `\| lookup <country code to name mapping file> phoneCode AS dstCountry OUTPUTNEW countryName AS dstCountryName ISO2 AS dstCountryCode` | Enrich the results by adding a country name and ISO code, based on the dstCountry field extracted. If the column names in your lookup file differ from those shown here, adjust the search to match the names in your lookup. |
| `\| table _time src dst dstCountryCode Description disposition` | Display the results in a table with columns in the order shown. |
| `\| rename _time AS Time src AS "Source #" dst AS "Destination #" disposition AS Disposition dstCountryCode AS "Destination Country"` | Rename the fields as shown for better readability. |
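
To check the 10-digit assumption behind the two rex commands before relying on the enriched table, the following search (an added example, not part of the original article) runs the same filter and extractions over constructed sample records built with makeresults. The sample phone numbers, the sample_cdr and parts fields, and the dstCheck field are assumptions made for illustration; dstCheck flags destination numbers where no country code is extracted or where the extracted prefix is longer than the three digits a country calling code can have.

```spl
| makeresults
| eval sample_cdr=split("14155550101>442079460123>FAILED;4155550102>14155550103>CONGESTED;+14155550104>00442079460125>FAILED;14155550105>2079460126>FAILED;14155550106>442079460127>ANSWERED", ";")
| mvexpand sample_cdr
| eval parts=split(sample_cdr, ">"), src=mvindex(parts, 0), dst=mvindex(parts, 1), disposition=mvindex(parts, 2)
| search disposition=FAILED OR disposition=CONGESTED
| rex field=src "(?<srcCountry>\d+)(?=\d{10})"
| rex field=dst "(?<dstCountry>\d+)(?=\d{10})"
| eval dstCheck=case(isnull(dstCountry), "no country code extracted", len(dstCountry) > 3, "prefix longer than a country code", true(), "ok")
| table src dst srcCountry dstCountry dstCheck disposition
```

Adding the same dstCheck eval to the search over your own call detail records shows how many destination numbers do not fit the 10-digit assumption.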

Result

Use the results to more effectively troubleshoot and resolve ongoing issues. 
