The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to see information regarding failed calls on your telecom network. For more information, review the use case "Monitoring key telecommunications service metrics".
Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment. In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.
Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.

| Splunk Search | Explanation |
|---|---|
| `sourcetype=<call detail records>` | Search only your telephony data. |
| `\| lookup <cdr disposition mapping file> disposition` | Enrich the search results with clearer descriptions of the dispositions. If your lookup file does not contain the disposition column, adjust the search to match the names in your lookup. |
| `\| search disposition="FAILED" OR disposition="CONGESTED"` | Search for failed call events, identified with a disposition of FAILED or CONGESTED. |
| `\| stats count values(description) AS Description BY disposition` | Count the number of events for each description and group the results by disposition. |
| `\| rename disposition AS Disposition count AS Count` | Rename the fields as shown for better readability. |
| `\| table Description Disposition Count` | Display the results in a table with columns in the order shown. |
| `\| eval Description=if(match(Disposition,"CONGESTED"),"Route Error",Description)` | If the disposition is "CONGESTED", return a value of "Route Error". Otherwise, return the description for the disposition. |
| `\| sort - Count` | Sort the results with the largest count first. |
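
The steps above, assembled into one search that runs without telephony data, as an added example that is not part of the original page. `makeresults` generates eight constructed call records, and an `eval case()` with made-up descriptions stands in for the `lookup` step, because the lookup file is specific to your environment.

```spl
| makeresults count=8
| streamstats count AS n
| eval sample_note="constructed records, not real CDRs"
| eval disposition=case(n<=3,"FAILED", n<=5,"CONGESTED", n<=7,"ANSWERED", true(),"BUSY")
| eval description=case(disposition=="FAILED","Call failed", disposition=="CONGESTED","Circuits congested", disposition=="ANSWERED","Call answered", true(),"Called party busy")
| search disposition="FAILED" OR disposition="CONGESTED"
| stats count values(description) AS Description BY disposition
| rename disposition AS Disposition count AS Count
| table Description Disposition Count
| eval Description=if(match(Disposition,"CONGESTED"),"Route Error",Description)
| sort - Count
```

Against real data, replace the first five lines with the `sourcetype` and `lookup` steps from the table, and add an index and a time range.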