Skip to main content

 

Splunk Lantern

Subscribers with the highest outbound call volume

You might want to find subscribers with the highest outbound call volumes when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You work for a large telecommunications provider and use Splunk to monitor the services you provide. You need a search that will give insight into who your top customers are and from where they are calling.

To optimize the search shown below, you should specify a time range.  You may also need to adjust fields to match what is available in your data source. 

  1. Ensure your lookup file is uploaded to your Splunk deployment.
  2. Run the following search:
    | sourcetype=<call detail records>
    | eval _time = start
    | rex field=dst "(?<dstCountry>\d+)(?=\d{10})"
    | lookup <country code to name mapping file> phoneCode AS dstCountry OUTPUTNEW countryName as dstCountryName ISO2 AS dstCountryCode
    | stats count count(dstCountryName) AS dcount values(dstCountryName) AS CountryName BY src dstCountryName
    | stats sum(count) AS count list(dcount) AS dcount values(CountryName) AS dstCountryName BY src
    | sort - count
    | table src dstCountryName dcount count
    | rename src AS "Subscriber" count AS "Total Call Count" dcount AS "Destination Calls" dstCountryName AS "Dialed Countries"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation
| sourcetype=<call detail records> Search only your telephony data.
| eval _time = start Extract the timestamp and put it in a field called "start".
| rex field=dst "(?<dstCountry>\d+)(?=\d{10})"

Extract the destination (dst) country code.

This example assumes that the country code is what precedes a 10 digit number.

| lookup <country code to name mapping file> phoneCode AS dstCountry OUTPUTNEW countryName as dstCountryName ISO2 AS dstCountryCode

Enrich the results by adding a country name and iso code, based on the dstCountry field extracted.

If the column names in your lookup file differ from those shown here, adjust the search to match the names in your lookup.

| stats count count(dstCountryName) AS dcount values(dstCountryName) AS CountryName BY src dstCountryName Calculate counts of dialed countries and return them with the names of the countries, sorted first by source country.
| stats sum(count) AS count list(dcount) AS dcount values(CountryName) AS dstCountryName BY src Sum the total count by source, list dialed destinations and counts, and sort by source.
| sort - count Sort the results with the largest count first.
| table src dstCountryName dcount count Display the results in a table with columns in the order shown.
| rename src AS "Subscriber" count AS "Total Call Count" dcount AS "Destination Calls" dstCountryName AS "Dialed Countries" Rename the fields as shown for better readability.

Result

Use the results of this search to create targeting marketing or campaigns or to generate time-series reports displaying call routing and associated costs.