Skip to main content
Splunk Lantern

Failed call metrics by geographic location


The table below explains in detail the steps of a Splunk Enterprise or Splunk Cloud Platform search to help find failed calls and visualize them on a geomap. For more information, review the use case monitoring key telecommunications service metrics.

Some commands, parameters, and field names in the searches below may need to be adjusted to match your environment.  In addition, to optimize the searches shown below, you should specify an index and a time range when appropriate.

Splunk recommends that customers look into using data models, report acceleration, or summary indexing when searching across hundreds of GBs of events in a single search. The searches provided here are a good starting point, but depending on your data, search time range, and other factors, more can be done to ensure that they scale appropriately.   

Splunk Search Explanation
| sourcetype=<call detail records> Search only your telephony data.
| eval _time = start Extract the timestamp and put it in a field called "start".
| lookup <cdr disposition mapping file> disposition

Enrich the search results with clearer descriptions of the dispositions.

If your lookup file does not contain the disposition column, adjust the search to match the names in your lookup.

| search disposition=FAILED OR disposition=CONGESTED Search for failed call events, identified with a disposition of FAILED or CONGESTED.
| rex field=dst "(?<dstCountry>\d+)(?=\d{10})"

Extract the destination (dst) country code.

This example assumes that the country code is what precedes a 10 digit number.

| lookup <country code to name mapping file> phoneCode AS dstCountry OUTPUTNEW countryName AS dstCountryName  

Enrich the results by adding a country Name based on the dstCountry field extracted.

If your lookup file does not contain phoneCode and countryName columns, adjust the search to match the names in your lookup.

| stats count by dstCountryName   Calculate a count for the results and sort by destination country.
| geom geo_countries allFeatures=true featureIdfield=dstCountryName Map the results count by country, using the dstCountryName field as the Feature ID.