Version 4.1.10 (March 26th, 2018)
> Added a new default device_type extraction for Cisco ICD queues.
> Workaround for a bug in Splunk where the server returns “UNKNOWN_VERSION” as
the Splunk version. Prior to this release of the app, when his bug did occur
in Splunk it made the app’s version dependency check fail, and then redirect
every user to the homepage to tell them the Splunk version was too low.
> Fixed a bug where gateway devices were showing up on browse devices if you
had all device types selected (even though they’re not one of the options).
Version 4.1.9 (February 13th, 2018)
> Removed the runlocal=true from all lookups so bundle replication can push the
scripts and tables out to run at the indexers.
> Fixed a bug in Browse Extensions where the group and subgroup pulldowns
would never populate with any entries that had a null value for subgroup.
(Note this bug does not occur when the row has merely “emptystring” values.)
> Greatly improved performance of the Browse Sites page by switching to a
tstats search instead of a raw data search. Also removed the “scan only the
most recent 1000 calls”, as this became obsolete.
> Added export buttons to two of the panels in Call Detail view, to make it
easier for users to do deeper investigations and comparisons in Excel.
> Added “reset to default fields” and related links to the 2 Field Pickers in
the Call Detail views.
> Improved checklist.conf entries that check our dependencies against Splunk
version and Sideview Utils version – they no longer erroneously say
“not applicable” when they pass.
> There is a new mechanism implemented as a “check_single_value” key in
fields.conf that activates a health check. If any recent events have
multiple values for the given field the health check will fail.
> Cisco CDR now ships its own custom controller to allow admins to update the
apps own file-based lookups via uploaded csv files.
(Prior to this release, that functionality relied on the presence of the
Lookup Updater tool in Sideview Utils.)
> Replaced all our health checks with checklist.conf stanzas, added a custom
testrunner to pull those stanzas into our own health check page and run them
> Removed a number of old obsolete health checks, including the old custom
“headerextractionconfig” search command.
Version 4.1.8 (January 19th, 2018)
> Removed the long-deprecated “cisco_cdr” and “cisco_cmr” sourcetypes.
> Fixed a bug where if callingPartyNumber was null, the countryCode, areaCode
and all location fields of finalCalledPartyNumber would also fail to extract
and vice versa.
> Fixed a bug in Browse Extensions where extensions that matched multiple rows
in the groups lookup would not appear in the results at all NOTE: in
general having extensions match multiple rows in the groups lookup is not
fully supported and despite this fix, will still cause a number of problems
> Fixed a bug in Device Detail where calls with null values for any of the
three party fields would not be included in totals.
> Fixed a bug in Device Detail where drilldown clicks on the chart to view
individual calls, would not show any call legs where any of the party
numbers were blank.
> Fixed a bug in the Site Detail view, where changes to the Site pulldowns
would reset the selected timerange to whatever timerange the Browse Sites
page had originally had.
> Fixed a bug where every time the homepage loaded, it would re-insert a row
into the clusters lookup, telling the user to visit the Clusters page under
> Removed “call types” and the “scan only the 1000 most recent” calls from
> Removed “gateway” from the device type pulldown in Browse Devices.
across all pages that have it, we reworded the “count only the 1000 most
recent matching records” pulldown’s labels to say “scan only the 1000 most
recent call legs” to more accurately describe how it works.
> Added a custom search command dnparse that may one day replace the scripted
lookup “parse_phone_numbers”. However in our testing the performance lags
behind the existing scripted-lookup so the app continues to use the latter.
> Added a check to Browse Calls, for if users put a “*” into the number field.
Prior to this change they’d actually get considerably worse performance as
a result. Now it will be the same as if they’d entered nothing.
> A small change to the code running lookup editors for Sites and Groups – if
a user edited an individual row previously, empty fields like subgroup would
be encoded as emptystring values. Now they are proper nulls.
> For customers who have already set up the TA_ciscoaxl app, there is now a
hidden view called setup_devices that allows them to use Cisco AXL to
populate a new “devices” lookup automatically and make its fields available
within the Browse and Report views.
Version 4.1.7 (December 6th, 2017)
> Fixed a bug in the Gateway Utilization page where the counts would be
doubled if tandem calls were selected. This bug was unfortunately
introduced by our changes in 4.1.4.
> Changed the behavior of the “site” field generated by the `get_sites` macro.
Now if the origination and destination sites are the same, the site field
has only the one value, ie “Oakland”. Previously the site field would have
a multivalue value, ie [“Oakland”,”Oakland”].
> Added a “split by site” option to the Call Concurrency page.
> Fixed a problem in “Setup > Sites”, where the “find more sites to add” tool
did not work properly.
> on the 911_calls page, the copy about enabling/disabling the alert has been
updated to match UI changes in Splunk 7.0.
Version 4.1.6 (November 3rd, 2017)
> Fixed a bug around the advanced Sites lookup customization introduced in
4.1.5, where if you used the new feature, call_detail, sites and
site_detail pages then wouldn’t extract the sites from the right IP fields.
> Introduced a hidden view called “user_activity” that local administrator
users can use to see which of their local users are using which apps and
dashboards, and what kinds of searches they’re running there.
> Fixed a bug introduced into the Gateway Utilization page in 4.1.4 where
if you only had one call type selected it would give an error and not run.
> Changed the Cluster pulldown on the Browse Calls page to a multiselect
checkbox pulldown control, so users can select more than one at a time.
> Fixed a bug where some conditional messaging on the Extension Detail no
longer worked. If you navigated to the page manually the messaging now
tells you that you need to enter an extension or DN before the page will
Version 4.1.5 (August 29th, 2017)
> Improved our concurrency calculation, which essentially wasn’t accounting
for a number of seconds at the end of each call equal to the difference
between the origination and connect times.
> Gave the “number” text fields support for hyphenated ranges of numbers like
1000-1020 for users who want to search for all calls involving a whole
range of extensions. (Note this required removing a minor feature added
in 4.1.4 whereby you could paste in DN’s with hyphens in them and it would
strip out the hyphens as a convenience.)
> Made a small change to our location lookup to remove the seldom-used
*AreaDescription fields, that was able to give us a 10x speed improvement
in search performance when any of the other location fields are needed.
> Added an advanced customization setting to allow admins to alter how the
sites lookup works. By default the origIpAddr and destIpAddr fields are
the ones used, but you can now change this to use other ipAddr fields like
Version 4.1.4 (July 31st, 2017)
> Fixed some incorrect charting results in the Call Concurrency and Gateway
Utilization tool if you were analyzing tandem calls and/or SIP trunk calls.
> Fixed a problem where the 911_calls alert that the app ships with, does
not extract or display the originating Site field.
> Added a README file at the root of the app to help catch users who do not
follow the install docs closely.
> Added a simple feature to remove hyphen characters on paste, if a user ever
pastes them into the “number” fields.
> Fixed a problem in the geolocation lookup that broke the value of the
> Improved the geolocation lookup to present city names in consistent title
case (previously cities were sometimes upper case, sometimes title case.)
> Added the ability for administrators to define in conf, what field list
should be set when end-users click “reset to default fields” in the Browse
Calls page’s Field Picker.
> Added a copy of the core props, transforms, and lookup config from our
Cisco IOS Voice Gateway app, so prospects looking to stitch together
disparage chains of Callmanager call legs via the voice gateway logs no
longer have to set up our separate voice gateway app.
Version 4.1.3 (July 11th, 2017)
> Updated the libphonenumbers code ( daviddrysdale/python-phonenumbers ) that
does most of the work around extracting location info from DN’s.
> Updated the “npa-nxx-lata-clli-ocn-location” lookup.
> the `custom_index` macro now defaults to index=”cisco_cdr” instead of
> Addressed an issue where the fields table on the homepage took a very long
time to load.
> Fixed a bug in the 911 calls page, where it wasn’t including the originating
> added a “see full search syntax” link to the 911 calls page, and formatted
the duration field as 00:00:00 instead of integer number of seconds.
Version 4.1.2 (May 26th, 2017)
> Improved behavior out of the box for the scripted lookup that is responsible
for creating the many geolocation fields like countryCode, areaCode.
offnet prefixes of “99” are now supported out of the box, and non-numeric
values no longer result in error messages written to the output fields.
> If users set up the Sites lookup such that all internal calling parties are
mapped to sites and thus to lat/long values, that plus the DN parsing code
can now reliably geolocate virtually all calling parties across all calls.
> Fixed bugs in how the filtering fields and pulldowns were working in Browse
> Fixed a bug with Splunk 6.6, where a diagnostic search run by the app’s Home
Page would fail with an error saying “headerextraction config [HTTP 401]
Client is not authenticated.”
> Fixed a regression in Splunk 6.6 where Splunk’s problematic default behavior
returned whereby it sends all “saved report” links to splunk’s generic
report view. Now this is fixed again, and all saved report links load the
given report in the appropriate view in the app.
Version 4.1.1 (April 12th, 2017)
> Fixed a problem with the internal_device_type and device_type fields where
for internal calls they would only pick up the values from the orig* side.
> Added new device_type value of “ccg” to pick up call-control-group devices
from device names in the form CCG-1211, CCG-1940
> Fixed a bug in the field picker within Browse Extensions. where if you did
not select “incoming” or “outgoing” or “internal” as fields, the
corresponding “duration” fields would not be calculated either.
> Fixed a bug in Browse Extensions where if a given number appeared sometimes
with one unicodeLoginUserID value, and sometimes with another (or none) that
there would be one row for each such combination, rather than just one row
for each number.
> Workaround for a rare bug in Splunk 6.2 (possibly in subsequent Splunk
versions but not in 6.5). The bug was that if you had any negative integer
values of the CMR “duration” field, and you had both a CMR field and the
duration field selected in your field picker, searches in Browse Calls
would fail with the cryptic error “invalid number”.
> the “Define Sites” and “Define Groups” pages now have significantly more
useful functionality within the “Find Sites to add” tab, and the “Find
Extensions to add” tabs, respectively.
Version 4.1 (February 21st 2017)
> Added new view “Browse Extensions/DN’s” and its associated detail view.
This can be used for a variety of use cases around call volume reports
to and from internal parties and groups. Note that this replaces the older
and simpler “Browse Phone Numbers” page and “Phone Number Detail” which
have been removed.
> Made a change to the default 911_calls alert to workaround a problem where
the server would send an email every few *seconds* once a 911 call went
out, instead of only one email per call as expected.
> Fixed the Concurrent Calls report so that the dropped calls panel also has
a “view results” link, thus making it easier to save as an alert.
> Performance improvements to the Concurrent Calls report.
> Removed all the old “example” savedsearches because they have all since been
replaced by better examples in the field gallery table.
Version 4.0.7 (January 25th 2017)
> Added a new page for 911 calls, under “Browse”. There is an associated
savedsearch that can be easily turned into a realtime alert.
> Added a safeguard so that if the deployment is from a version where the
CMR data also has a “duration” field, that this will be reflected as a
field called “cmr_duration”, rather than appearing as confusing second
and third values for “duration” in the Browse Calls table.
> Added some logic for the huntPilotDN field for the cases when the field is
undefined in the raw CDR. Specifically if calledPartyPatternUsage is “7”,
then the app now infers correctly that finalCalledPartyNumber represents
the huntPilotDN (as per cisco docs).
> Added lookup for patternUsage, creating new fields
calledPartyPatternUsageDescription and calledPartyPatternUsageName
> added lookup for mobileCallTypes to identify mobility features invoked,
creating the new field mobilityFeature
> Added lookup for routing reasons, creating the new fields
lastRedirectingRoutingReasonName, origRoutingReasonName, and
> Added all fields mentioned above to field gallery, plus more than 70
> Reworked the field gallery on the homepage to give it additional filtering
and search controls. You can now choose to see 1) fields present in raw CDR
vs those added by the app. 2) fields that are in your indexed data vs not.
There is also now a search field that you can use to match any entered
search string against field name and description text.
Version 4.0.6 (November 11th, 2016)
> Removed 2 unused calculated fields in props.conf that were triggering
CalcFieldProcessor WARNS in splunkd.log
> Performance optimizations on the scripted lookup that parses country code,
area code and exchange out of DN’s.
> Parametrization of the scripted lookup for DN’s to support customers who
have unusual dialing prefixes for outside lines.
> Many improvements to the “Define Groups” documentation.
> A bugfix to the system that checks whether the Sideview Utils app is
not installed at all. Now a better error message displays instead of a
simple but confusing alert.
> Fixed a bug where if you specified a groups lookup with the number, name
and group fields but omitted the subgroup field, then every time the app’s
homepage was loaded, the lookup would get obliterated.
Version 4.0.5 (September 23rd, 2016)
> Reversed the order of the raw call legs table in Call Detail. Although
this makes it inconsistent with Browse Calls, we all seem to still
expect the first leg to be first and last leg to be last.
> Added a gantt-style visualization of the N call legs to Call Detail. This
visualization only appears for calls with more than one leg.
> Added new fields callingPartyLATA, callingPartyOCN, callingPartyCompanyType
and the corresponding fields for finalCalledParty.
> Restored some important messaging on the Create Data Inputs page, that
warns the user that when they submit the form to create the data input, the
files being indexed will be at the same time deleted from the filesystem.
> Added new field duration_elapsed. This field value will contain the number
of seconds between the connectTime of the earliest call leg to connect, to
the disconnectTime of the last call leg to disconnect. This field can be
used in General Report and Browse Calls, but not yet in Call Detail.
> Renamed total_duration field (introduced in 4.0.2) to duration_total so that
it will always appear alphabetically next to duration and duration_elapsed
> The “legs” field (introduced in 4.0.2) will now appear in field lists
throughout the product.
Version 4.0.4 (July 20th, 2016)
> Replaced the FlashChart modules used throughout the app with JSChart
modules. (Splunk’s FlashChart module has developed some bugs in certain
browsers and flash plugins whereas JSChart’s once-problematic axis labels
are now much improved.)
> Added a few missing fields to the field_gallery so they will appear not
only in the report gallery but also in reporting pulldowns and field
pickers. – fields are finalCalledPartyCity, finalCalledPartyState,
finalCalledPartyZip, originalCalledPartyGroup, originalCalledPartyName,
> Bug fixed in the data input wizard’s error detection. Previously if your
directory already had a data input but it also had no files therein, you
would get the warning about no files, not the more important warning about
the previously existing input.
> Added interactivity to the Call Concurrency page so that you can now click
the main call concurrency chart and see a second chart below showing you
the call concurrency within that much shorter time range.
> Fixed a bug in Gateway Detail where the first chart didn’t load.
> Fixed a bug where 2 seldom used fields from the CMR, directoryNum and
directoryNumPartition were erroneously listed in the app as directoryNumber
and directoryNumberPartition. This caused them to not work in field
pickers and reporting pulldowns.
> Fixed a bug that prevented any of the City, State and Zip fields from being
used in General Report.
Version 4.0.3 (April 26th 2016)
> Fixed a bug in the Data Input wizard where on windows it would fail to
detect pre-existing data inputs if the casing of the path you entered
didn’t match exactly.
> Fixed a bug in the Data Input Wizard where if you had more than 30 existing
data inputs on a standalone indexer, it might not detect that you were
about to create a data input on files that are already being indexed by an
existing data input.
> Sinkhole inputs created by the data input wizard will now set crcSalt to
“<SOURCE>” to avoid all bugs and catch-22’s around initCrcLength being
too low or too high.
> To help existing customers index data that has been orphaned on the
filesystem by initCrcLength catch-22’s, initCrcLength has been lowered
to 1500 for cdr and 1000 for cmr.
> Added max_days_ago=365 to sourcetype config to make it easier to index
> There is a new field called “number” that is the union of callingPartyNumber
originalCalledPartyNumber and finalCalledPartyNumber
> the “callId” field is now created automatically instead of extracted by the
UI explicitly using the app’s `get_call_id` macro. This is just to simplify
some underlying search syntax and has no other significant effect.
> Workaround for a bug in Splunk 6.4, whereby our preexisting patch to
workaround a *separate* bug in the Splunk Navigation bar, now has to be
wrapped in a require call. (see dashboard.js)
> Replaced the lookup config to generate originalCalledPartyName,
originalCalledPartyGroup and originalCalledPartySubgroup, which had been
removed with the thought that it was never interesting.
> added new field “name” that is the union of callingPartyName,
originalCalledPartyName, and finalCalledPartyName
> added new field “group” that is the union of callingPartyGroup,
originalCalledPartyGroup and finalCalledPartyGroup
> added new field “subgroup” that is the union of callingPartySubgroup,
originalCalledPartySubgroup and finalCalledPartySubgroup
> Fixed a bug in Browse calls where if you were not actually searching for
a particular IP address field, but you had that field in your field list,
and you didn’t have the location or sites field active, and you were on a
CUCM that stores ip’s as long integers, you’d see the unconverted integers
in your Browse results.
> Fixed a bug where if you were using the “advanced” field in Browse Calls,
the app would not realize it had to carry along those field names and run
any required SPL extractions for those fields in your expression.
> Added/Modified the ip_addr “field” to now be available in the app UI, and
hold the union of all the various IP address fields.
Version 4.0.2 (March 11th, 2016)
> Added new field to the UI called “initialCalledParty”, “initialCallingParty”,
“terminatingCalledParty” and “terminatingCallingParty”. For multi-leg calls
these represent the appropriate parties from the initial/final call legs.
> Added new field to the UI called “total_duration” that adds up the duration
values from all the individual call legs.
> Added a new field to the UI called “transfers” that represents the number
of call legs within the given call that show a termination cause of “call
split”. This field is available in both Browse Calls as an additional
column, and also in the Reporting UI.
> Added a new field to the UI called “legs” that simply represents how many
call legs the given call has.
> Added a field called “on_hook_party”. If the last call leg
terminated by the caller going on-hook, this is “caller”. If the leg
was terminated by the receiver, this is “recipient”
> Optimization for General Report to only get CMR data if one or more CMR
fields are actually involved in the report.
> Added finalCalledPartySubgroup and callingPartySubgroup to the field_gallery.
Also added these fields to the default groups lookup fields.
> modified the machinery that initially creates the groups lookup, so that it
will not interfere with customer attempts to add new fields to the lookup.
> Changed the default groups lookup to also have an optional “subgroup” field
as this field has proved useful to some customers.
> Fixed a bug where the raw call legs table in Call Detail view would list
the time as the last column in the table instead of the first.
> Fixed a bug where the General report page would see groups fields like
callingPartyName/callingPartyGroup and think it had to run the very
expensive location extractions.
> Fixed a bug in Browse Calls where if you had the “count only” pulldown set
to “all records” for your session, when you clicked into Call Detail and
then clicked the breadcrumb to get back to Browse calls it would reset to
“count only the 1000 most recent matching records”.
> Fixed a small class of bugs that concerned when a single report was
filtering and/or reporting by one or more IP Address fields and one or more
> Fixed a bug in the Browse Calls view where “Graph calls over time” wouldn’t
pass along your selected value for the Cluster pulldown.
> Optimized the DN-parsing lookup to not process originalCalledPartyNumber
since this wasn’t being used by anyone and removing it speeds up a very
expensive lookup by about 50%.
Version 4.0.1 (February 18th, 2016)
> Browse Devices now has a sites pulldown that you can use to see only the
devices from one or more of your defined sites or locations.
> Setup Sites now has a tab to help you find devices, extensions, DN’s and
Ip Addresses that are not matching any of the sites you have defined so far.
> callingPartyGroup, callingPartyName, finalCalledPartyGroup and
finalCalledPartyName will now appear in all field menus without having
to wait for the daily scheduled search that finds new custom fields
> Modification to the data health checks so they complete quickly on hosts
with *only* legacy sourcetype data.
> Fixed a regression in 4.0 where the app’s Create Data Input Wizard would
index the CMR records with the “cucm_cdr” sourcetype instead of “cucm_cmr”
> Resolved a performance problem on Call Detail view which in some cases
caused the page to hang.
> Fixed a problem where the links to the admin section would result in
‘page not found’ errors.
> Deleted 6 hidden gitignore/cvsignore/svnignore files from the libphonenumbers
directory so they don’t trigger splunkbase/cloud appcert/app-vetting checks.
> Fixed a bug where if you saved a report or created a dashboard panel from
the Call Concurrency and Gateway Utilization tool and then tried to re-run
that report later, it would fail to repopulate the pulldowns correctly.
Note that reports saved prior to this fix will have to be recreated in
order to have the correct loading behavior in the UI.
> Fixed a bug in Call Detail view where if you had a field displaying in the
upper right panel and that field had multiple values, it would show only
the value from the most recent call leg instead of listing all the values.
> removed “answered” and “missed” from the Browse Phone Numbers page as these
numbers as calculated were frequently inaccurate for calls with more than
one call leg.
> Fixed a bug where in the Browse calls page you couldn’t search for
duration greater or less than a particular number of seconds.
> Some adjustments to the design of the save/create controls and the Edit
Fields button in the Browse Calls page.
> The Browse calls page now has a “graph calls over time” link that switches
you over to the General Report page, preserving your filtering arguments.
Version 4.0 (January 27th, 2016)
> The App’s name has been changed from “Splunk for Cisco CDR” to
“Cisco CDR Reporting and Analytics”
> Changed the Data Input wizard and documentation to now create and recommend
batch aka sinkhole data inputs only. This removes the need to create
shell scripts to delete older CDR and CMR files.
> Splunk’s AppBar module has been patched within this app to resolve a
problem where the module stopped using Splunk’s “@go” URL system. This had
the effect of preventing all our app’s saved reports from loading in the
proper view (ie browse or general_report). With this change, all saved
reports will once again reload back in the view in which they were saved.
> Added first version of sourcetype configuration for Alternate Syslog.
Contact us for more details.
> Modified one of the data health checks so that it wont be triggered by
other non-cdr sourcetypes living in the app’s index.
> Added a new field “internal_device_type”, useful for doing reports around
device utilization where “gateway” isn’t a useful type to have.
> Added a new field “site” that combines origSite and destSite, useful for
various reports split by site.that need to combine both inbound and
> Added many new sample reports for various fields.
> Reorganization of the homepage to help trial users get started and also
provide simpler more functional content for paid users.
> Some rounds of optimization to trim out unnecessary search language that
the reporting and Browse pages were inserting.
> On the Site Detail page, removed “User busy” and “unallocated number”
from the “unusual call termination reasons” timechart.
> On the Site Detail page, enabled drilldown on the “Unusual call termination
reasons” report that now takes the user directly to see the actual calls.
> On the Site Detail page, enabled drilldown on the Site to Site concurrency
timechart report that takes the user directly to see all calls in
progress at that moment.
Version 3.7 (November 19th, 2015)
> In Browse Calls, the user can now edit and reorder the fields shown in the
tabular results. This supercedes the “include” pulldown which has been
removed in this release.
> in the Call Detail, the user can now edit and reorder the fields shown in
the “call legs” table.
> in Call Detail view “call legs” table now indicates next to a calling or
called party when that party terminated the leg by going on-hook.
> in Call Detail view, the “call legs” table is now above the “other calls
> When clicking the “see calls” link in General Report to peek at the calls
themselves in “Browse Calls”, if you are using a quality field or a
location field, the UI no longer warns you that the field is not active, it
instead automatically includes it in the results for you.
> Fixed a bug where if Splunk indexed a given call’s legs out of time order,
the start time assigned to the call by the app might actually be the time
for one of the subsequent call legs. This problem was always there to a
certain extent but is a lot more common in Splunk 6.3 due to an
undocumented SPL behavior change.
NOTE: this problem also causes a bug where the drilldown from Browse Calls
to Call Detail view results in Call Detail view loading empty.
> An optimization around the ‘call types’ pulldown – if all 4 types are
selected and there are no other searchterms it now skips running any
subsearch thus speeding up these cases significantly.
> Browse Calls page now lists multiple duration values for multi-leg calls.
> “sites_lookup” macro renamed to “get_sites” for consistency.
> Fixed a problem on Site Detail page where the “only 10000 events” pulldown
was being ignored.
> Some minor improvements for users who find themselves searching for raw cdr
events in the search page – added a Workflow action to get to Call Detail
and a better default selected field list.
> Changed how the various default device type extractions were configured so
that now they can be edited from the Splunk Admin UI without throwing an
erroneous error on submit.
> Relaxed a Health Check that was looking for issues around indexed headers,
such that it no longer searches other Splunk indexes as well.
> Added entries to the help table for the fields around sites and also around
the “to”, “from” and “quality” columns on the Browse Calls page.
Version 3.6 (October 6th, 2015)
> Updated General Report to include the new site and subnet fields (destSite,
origSite, destCidr and origCidr) in the reporting pulldowns. (See “Setup > Define
Sites” if you aren’t using the Sites feature yet.)
> Updated Browse Calls to fully support the use of the site and subnet
fields in the “misc search terms” box. (See “Setup > Define Sites” if you
aren’t using the Sites feature yet.)
> Reworked the base cdr/cmr macros to workaround sporadic bugs in Splunk
6.2 on windows where the type and eventtype fields stop working properly in
searches, with the symptom being that you get “no results found” at various
times when there should be results.
> Fixed a problem on Call Detail page where calls involving very common
calling or receiving parties were triggering extremely expensive and slow
searches on the “other calls to/from” panels. In extreme cases these searches
could cause Splunk to run out of memory.
> Added 5 new lookups to create readable description fields for the 5
“*OnBehalfOf” fields in CallManager CDR.
> Updated the Sideview Utils required version to resolve a problem where the
show location/quality pulldowns would reset themselves, as well as to pull in
another fix for some problems users have running Splunk 5.X.
Version 3.5.4 (Aug 14th, 2015)
> Added the Sizing Calculator page.
> Devices listed on Call Detail pages are now linked to Device Detail.
> lookups are now explicitly scoped to run on the search head in distributed
Version 3.5.3 (May 26th, 2015)
> renamed the “report” view to “general_report” so that standard Splunk
dashboard/report interactions in 6.2 that are trying to go to the core
“report” view can work properly again.
> Added a Data Health Check to catch savedsearches.conf content saved with
“report” that should be manually changed to “general_report”
> Browse calls page now loads with neither “locations” nor “call quality”
selected in the “include” field. This results in much faster page loads
although users who liked the Locations on by default will now have to
turn them on manually.
Version 3.5.2 (May 21st, 2015)
> Restored a few fields inadvertently screened out of General Report’s y-axis
> Changed fields in CSV and JSON exported from Browse Calls, so that duration
is listed in seconds (instead of [D] HH:MM:SS), and to make timeformat
> Added key pages and resources for “Site Detail” and “Setup Sites” pages
which had been accidentally excluded from the trial download.
Version 3.5.1 (May 7th, 2015)
> Fixed behavior when multiple extensions were entered comma-separated in the
“number” fields. Now calls will be matched whose call legs contain any of
the given extensions, rather than all of them.
> Added a setup view for the user to define their sites and offices based on
ip addresses, specifically by subnets given in CIDR notation.
> Added “Browse Sites” view and a detail view that shows site-to-site
> Reversed order of orig_ and dest_gateway fields in Browse Calls.
> Added index-time transform so that the useless “INTEGER,INTEGER..” headers
are no longer indexed.
> In General Report, it is no longer possible to create nonsensical
combinations of options such as “distinct count of duration” or
“sum of orig_gateway”.
Version 3.5 (April 7th, 2015)
> Charting Pulldowns to select fields now load much faster in reports.
> When duration is displayed in Browse Calls and Call Detail views, it now
appears formatted as “00:17:30” rather than as a raw number of seconds.
> the ‘see raw search syntax’ links now use the default search view rather
than the app’s custom “charting” view.
> Call Detail view loads much faster because its searches are restricted
to the times the call legs occurred, plus an extra day on either side.
This makes the “other calls to/from” tables much faster to render.
> The “other calls to/from” searches on Call Detail view are further sped up
by no longer retrieving and collating CMR data.
> Fixed a rare bug whereby calls that had null values for the
“dateTimeDisconnect” field would not render properly in the Call Detail view.
> on Call Detail view, removed null non-CMR fields that were showing up in
the “Call quality information (CMR)” section.
> Changed to consistently follow Cisco’s definitions of numberPacketsLost.
As of this release numberOfPacketsSent – numberOfPacketsReceived will not
necessarily equal numberPacketsLost because the latter doesn’t include
late packets or duplicates.
Version 3.4.6 (February 16th, 2015)
> Fixed a regression in the Browse Calls page where if you filtered by an
extension or DN, you would only see call information from the subset of
call legs that contained that DN.
> added device_name and ip_addr fields that for each call leg, are the union
of the corresponding orig* and dest* fields.
> Improved logging in the data input setup wizard.
> Fixed a critical bug in the data input wizard where, for single-indexer
mode, if you happened to not create an index with the default name
“cisco_cdr”, the setup page would fail to load properly.
> Fixed a bug where Call Detail view would not render certain times properly
for calls that had more than one call leg.
> multiple calling and called parties listed in Call Detail view are listed
in the order in which they appeared, (no longer sorted numerically).
> Fixed a bug in Gateway Detail view where the drilldowns from a given Call
Release description over to Browse Calls always returned zero results.
Version 3.4.5 (February 4th, 2015)
> Fixed a bug where users without administrative privileges would get a
strange error message at the top of the app homepage. “Client is not
authorized to perform the requested action”.
> Fixed a bug where very large groups files would get truncated to
10,000 rows when an admin user hit the homepage.
Version 3.4.4 (January 29th, 2015)
> Fixed a bug in the data health check detection, whereby the check for the
custom_index macro was not restricted to just the local search head.
> Packaged a “TA_cisco_cdr” app within the main app. This app is now the
recommended app to push out to indexing and forwarding tiers.
> App is now aware of the user’s geographical locale when rendering times and
dates. eg if you have “en-GB” in the locale portion of your URL, you will
get dates rendered as “dd/mm/yyyy” instead of “mm/dd/yyyy”.
> Fixed a bug introduced in 3.4.1 to the Concurrent Calls and Gateway
Utilization tool, where the granularity accidentally was lowered to Splunk’s
default granularity for timecharts.
> Edited the Data Input Setup flow so that it now also gives full setup
instructions for distributed deployments.
Version 3.4.3 (December 18th, 2014)
> Fixed a bug in the data input setup wizard where the custom_index macro
would get set to “index=”main” erroneously.
> Improved handling in the data input setup wizard if the end-user enters
the path with some slashes or backslashes that are not appropriate for
their platform, or if they leave a trailing slash on the directory.
Version 3.4.2 (December 15th, 2014)
> Fixed a bug where if you used them as filtering search terms, the
device_type, and *_device_type fields would not work reliably.
Version 3.4.1 (December 12th, 2014)
> Corrected a small but longstanding known error in the Concurrent Calls and
Gateway Utilization tool. where the concurrency displayed towards the
right side of the chart would be a small delta higher than the actual
> Added “device_type” as a field in the app, and also as a field in the
Concurrent Calls and Gateway Utilization tool.
> The interactive chart of calls over time shown on the Phone Number Detail
page is now split by type (ie outgoing / incoming / internal)
> Improved out of the box extractions for device types like uccx unity-vm.
> Added device_type as a field in the Browse Devices page.
Version 3.4 (November 24th, 2014)
> Added a Data Input Wizard to encapsulate all of the complexity and tedium
of creating the index, setting the macro, and creating the data inputs, and doing
it right on Splunk 5.0 vs 6.0, 6.1, and 6.2.
Version 3.3.2 (November 10th, 2014)
> Fixed a bug that affected both Browse Devices and Device Detail, where in
deployments with no unicodeLoginUserId values, key tables would be blank.
> Fixed a bug where in the Browse Calls page the from/to fields were sometimes
empty. This only affected version 3.3.1.
Version 3.3.1 (November 5th, 2014)
> Fixed the dependency error detection so that once again helpful errors are
displayed for instance if the Sideview Utils app is not installed.
> Fixed a bug introduced in 3.3 where in the Browse Calls page if you set the
“count only the” Pulldown to “all records”, it would only retrieve 10.
> Back by popular demand, Browse Calls now has a “cluster” pulldown again.
> Improved a number of cases where location fields weren’t being added.
> Fixed a bug in Browse Calls, where if terms in “other search terms”
applied to different call legs, those calls would not be returned.
> Fixed a bug introduced by Splunk 6.2 where the textfield in the app’s
Charting view was only a single line and could not be enlarged.
Version 3.3 (September 24th, 2014)
> In the “number” field in Browse Calls or General Report, you are no longer
limited to a single number or wildcarded prefix. You can now enter space-
or comma-separated numbers or extensions.
> Replaced the 2 release code description fields displayed in Browse Calls
with our single overall release code field.
> Optimizations to increase reporting speed if call types are selected.
> Call type element on Browse Calls is now a checkbox pulldown.
> Call Detail view now includes at the bottom the complete set of call quality
field values from the CMRs.
> Browse Calls now allows you to optionally see and search on location data
like city,state,country as well as call quality data.
> Cleaned up geolocated city names to be consistently title-cased.
> When clicking “see calls” from reports that use either location or call
quality fields, the relevant extra fields will be enabled in Browse Calls.
> When clicking from Browse Calls into Call Detail and then using the
breadcrumb link to return, now the user’s filtering selections are retained.
> If when a report loads, there are no matching calls at all, the fields and
charting pulldowns disappear and you get a message saying that no calls were
matched. Formerly the pulldowns would load in an unusable state.
Version 3.2.1 (July 31st, 2014)
> Interaction and usability improvements to the Device Detail page.
> Improved fields displayed by default on Call Detail page.
Version 3.2 (July 29th, 2014)
> Improved sample reports that ship for the call quality fields.
> Added first version of Browse Devices and Device Detail drilldown.
> Fixed a bug in the charting view where if a user saved a report here it
would not run correctly later when run from manager or from the app menu.
> country code, area code, exchange and geographical location now appear as
core fields in the reporting interface.
> Homepage fields and sample reports table rewritten to workaround rendering
problems seen on some customer installs.
> Ongoing improvements and additions to sample reports listed on home page.
Version 3.1.5 (April 2nd, 2014)
> Patched a problem in the underlying Splunk search language whereby certain
fields like ‘duration’ would sometimes disappear from the fields pulldowns
on Splunk 6.
> fixed our field seconds_until_answered so it can never come out negative.
> Found and fixed some mistakes in some of our sample reports.
> Added new fields cause and cause_description that will be whichever
of origCause and destCause is nonzero. Thus cause_description is the
overall termination error for the call, regardless of which side ended it.
> Added a “duration_in_minutes” field.
Version 3.1.4 (March 31st, 2014)
> Added a new setup page that talks about the need to create a script
that periodically deletes files older than 3 days from the monitored
> Added a check to the Data Health Checks page that looks for significant
> Fixed a regression in the Browse Phone Numbers page where numbers entered
into the “number” field would not filter the results.
Version 3.1.3 (March 20 2014)
> Fixed a bug whereby phones making outbound calls through sip
trunks would get misinterpreted as gateways.
> Fixed a recent bug where CMR fields had stopped appearing in
the list of fields in the Report Builder.
Version 3.1.2 (March 19 2014)
> Added call-type and gateway pulldowns to the Busy Hour Calculator
> Added a “per gateway” mode to the Busy Hour Calculator
> Renamed Gateway Utilization page to “Call Concurrency and Gateway
> Added a type pulldown to Gateway Utilization report thus allowing
the report to be run on any combination of incoming/outgoing/internal
or tandem calls.
> Added a multiselect pulldown to Gateway Utilization report allowing the
report to be run over specific gateways when relevant.
Version 3.1.1 (February 17 2014)
> Added a simple Busy Hour Calculator page where you specify a timerange
and it gives you the BHT in Erlangs.
> Improved design and behavior around the “See calls” link in reports.
> Fixed app icon display problems in Splunk 6
Version 3.1 (February 11th, 2014)
> Added a concurrency reporting interface, that you can use to analyze
concurrent inbound calls and outbound calls split by gateway.
> Fixed a bug in the system that generates AutoHeader field extraction rules
where FIELDS and DELIMS keys would be outputted in lowercase.
> Fixed a bug in the homepage report gallery where complex reports whose
search language involved quote characters would not run properly.
> Added a new calculated field called “seconds_until_answered”. This field is
defined only for calls where call_answerable=1 and call_answered=1
> Added 2 new calculated fields hour_of_day and day_of_week.
> Fixed a bug where the selected cluster wasn’t passed if you drilled down
on a table row in the Report page.
> Added international country code, areacode, and exchange fields to the
Example Report table on the homepage.
> Added a “call type” pulldown to the browse and report pages that allows
you to easily restrict to just incoming/outgoing and internal calls.
> Added a “See calls” link to the report page that allows you to go from
filtering and reporting and drilling down in the Report page, to quickly
browsing and investigating the underlying space of calls.
Version 3.0 (November 8th 2013)
> Added a new view “Browse Phone Numbers”, by which you can browse phone
numbers of inbound callers as well as internal extensions and DN’s.
> Added a new wizard and new sourcetype configurations to not only allow
out of the box indexing with Splunk forwarding and distributed search,
but to set indexing properties through a wizard UI.
> Added lots of error detection to streamline user experience around
> Added new fields to differentiate hardphones vs jabberphones vs softphones.
> Added new fields to differentiate video calls from audio calls.
> Added new field “type” to denote call type – incoming, outgoing, internal
> Added first version of scripted lookup to parse country code, area code
and geographic locales, along with US lookups to zipcodes and lat/long
Version 2.4.2 (July 26 2013)
> Fixed a bug in ‘browse gateways’ where the page was not incorporating any
terms the user might have typed into “misc search terms”
Version 2.4.1 (July 8 2013)
> Improved gateway field extractions to extract dest_gateway and orig_gateway
fields for non-MGCP gateways. Added new fields called dest_mgcp_gateway
and orig_mgcp_gateway that are only populated when appropriate.
> Added a new ‘gateway type’ Pulldown to the Browse Gateways page.
Version 2.4 (April 10 2013)
> changed required Splunk version to 5.0
> Updated report builder to use splunk’s new fieldsummary command, as this
very significantly improves performance in the reporting interface.
> Added new gallery table discussing each field in the CDR and CMR data
along with docs and example reports for each.
> reworked all varVQMetrics and gateway field extractions to happen
automatically so as to simplify the underlying search language.
Version 2.3.1 (March 26 2013)
> fixed a bug in the reporting interface where you could not search for
fields values in CDR or CMR and then report on fields from the other.
Version 2.3 (March 8 2013)
> added “get_gateway_fields” macro
> added Browse Gateways page
> added Gateway Detail page
> added MLQK and other advanced quality metrics as field options in reports.
> made MLQK and other advanced quality metrics available in call_detail view.
Version 2.2.2 (December 4 2012)
> Switched to Table module so as to allow hiding the clusterId/callManagerId/
callId fields on all detail tables.
> Fixed a bug where the UI would sometimes ignore extensions entered in forms.
> Added duration to the default field list on detail tables.
> Added ability to tab between table and chart and both in report view.
> Greatly improved the time to render the fields pulldowns in report view.
Version 2.2.1 (November 1 2012)
> Improved the initial install experience to transparently create the groups
and clusters lookup when they are initially absent.
Version 2.2 (October 30 2012)
> Completely reworked the setup flow and the installation process.
> Updated the app to workaround issues in Splunk 5.0 around saved search names
in “@go” URLs. This app now requires at least Sideview Utils 2.2.4.
See release notes for Sideview Utils 2.2.4.
Version 2.1.1 (September 28 2012)
> fixed a bug in the report view where if you used one of the IpAddr fields
as your x-axis but didn’t use one as your split-by, you’d get an error.
> improved the report view so that changing charting properties doesn’t rerun
your entire report.
> Fixed ‘Call Detail’ and ‘Phone Number Detail’ views so that if users happen
to go to them directly from the menu, there is a message prompting them to
enter a callId or extension as appropriate.
> added print button to the browse sessions view.
> improved print output (only if you’re on Sideview Utils 2.0.10 and up).
> removed ‘globalCallId_callId’ from the field list because more often than
not the reports around it are confusing, and the default ‘callId’ field is
a better field to use anyway.
> fixed a bug in the automatic error-detection that was detecting
misconfigured field extractions. (The logic was right, but the link it
gave you to export the csv was slightly wrong.)
> added ‘see raw search syntax’ links to the browse view.
> Updated some Pulldown params that were using older legacy param names.
> Added new export, print, info functionality to browse and report views.
> added better ‘save search’ functionality to browse and report views.
> added ‘create dashboard’ and ‘create alert’ functionality to report view.
> User interface improvements to the chart view.
> Reorganized saved report and saved dashboard menus.
> Removed the ‘contact us’ form.
> Improved drilldown behavior in the Report Builder.
> fixed a bug where the originalCalledPartyNumber(s) did not display correctly
on the call_detail page.
> fixed a bug where the other calls to/from the recipients would not always
> Added a ‘sort by’ field to the report interface. It shows up only when
you’re running a non-timechart report with no split-by.
> Fixed a bug in the charting view where the chart would always be visible.
> Changed the MLQK example links from the homepage to go to the charting
view to be less confusing.
> added the save/play/pause/finalize controls to the charting view.
Version 2.0 (May 02, 2012)
> fixed a bug in some views where if you used the form fields to filter by
extension, the filter would not be applied properly.
> Fixed a bug where from the ‘browse’ view you had a menu option to save the
current report, but it didn’t work properly.
> General improvements to pivoting and redirecting cleanup of the code now
that we have Sideview Utils 2.0 underneath.
> Fixed a bug in the ip address conversion where IP’s whose last quad was less
than 10 didn’t get converted properly.
> interaction improvements to all views.
Version 1.2.2 (Feb 17, 2012)
> Had to fix a mistake in how the setup screens redirected you through the flow.
Version 1.2.1 (Feb 15, 2012)
> The installation docs have been completely rewritten, *very* significantly
expanded, and mostly moved to our website. See for yourself at
http://sideviewapps.com/apps/splunk-for-cisco-cdr/docs/ While the in-app
documentation has also been completely updated, it largely directs the
user to the website documentation.
Version 1.2 (Feb 02, 2012)
> significant changes and rewrites to fix bugs and issues with Splunk 4.3.
> significant changes and rewrites based on more search language performance
testing at high data volumes.
> lots of improvements and minor bugfixes to the custom reporting view.
> new simpler more usable homepage
> customers can now specify a custom index during app setup.
> fixed various bugs in the call_detail view, in cases where there was more
than one finalCalledPartyNumber
> fixed a bug where you couldn’t actually run any reports if clusterId or
callManagerId was specified as a field.
> added a cluster lookup, related wizard page to regenerate it from indexed
data, and filtering pulldowns in Browse and Report views
> Fixed a bug where the automatic redirect to the qos threshold page wouldn’t
> Added a JobStatus module to both Browse and Report views, so customers can
now pause and cancel searches inline.
> Added save controls to the Browse page, so it effectively becomes a “simple
call report”, operating on just the CDR data.
Version 1.1 (Jan 27, 2012)
> major rewrite of browse and report views, including major changes to search
language used in macros. These changes were to workaround serious performance
problems seen in larger data sets. – added a ‘call legs’ section to the
call_detail view. – fixed a bug where the app would not warn the user
correctly when the Sideview Utils app was not installed – fixed a bug around
IP address conversions. – numerous other small fixes and improvements.
Version 1.0.9 (Nov 30, 2011)
> Added functionality around a lookup that adds group names and user names into
the records. Incorporated guided setup around this feature into the existing
setup wizard. Note that this can also be used to generate reports about *all*
extensions regardless of activity. I only added a hint about this to the app
itself, but once you get the hang of it it’s quite straightforward.
Version 1.0.8 (Oct 25, 2011)
> CallManager CDR and CMR data has several fields which are IP Address values,
however it encodes these values as integers. The app now has functionality to
automatically convert the integers back into IP Addresses. Specifically, when
you use any of the ip address fields in reports, as either the ‘split-by’
field or as the x-axis field, it will correctly display the values as IP
addresses. Also on the call_detail view, when those fields are displayed in
the rightmost panel they will appear as IP addresses now.
Version 1.0.7 (Oct 20, 2011)
> added a new lookup for video codec types,
> fixed a bug in “browse” and “report” views where the search filter would not
filter overall calls, but individual CDR and CMR rows. The filtered results
will make a lot more sense now to end-users.
> added a new field called ‘call_connected’, which is True or False or null.
The value is derived by looking at the overall call release cause codes.
(null represents records where no call was attempted)
> made a new field called callID that is the callID plus the callManagerId,
separated by a “.”
> the report view’s main reporting pulldown now defaults to ‘distinct calls’
instead of dumping the user at ‘distinct count of authorizationLevel’ and
hoping they figure it out.
> The flow around the contact form has been slightly improved.
> added back-button and forward-button support to the “browse” view.
> re-running guided setup will no longer force you to contact sideview a second time.
> Upped required version of Sideview Utils to pick up other bugfixes.
Version 1.0.6 (Sep 28, 2011)
> The app now includes a view for Quality of Service reporting, and the app
has a setup screen offering configurable thresholds for QoS by
numberOfPacketsLost, jitter and latency. Also the functionality whereby the
appname and app version was sent to sideviewapps.com has been completely
removed in this version. Instead during the initial app setup screens you
are asked to send us your name and a brief note.
Version 1.0.5 (Sep 19, 2011)
> Fixed a problem where the reports could be misleading when you imported data
from more than one CallManager
> Added initial version of a scripted lookup that will enable new
Quality-of-service reporting features. (docs and user interface will come
soon. Email me if you want to try it out now)
> Rewrote and reworked the guided setup copy.
Version 1.0.4 (Sep 02, 2011)
> fixed a bug on call_detail where as soon as you drilled down to any other
call you’d only see results from a single second. The call_detail view is
much more usable and interesting now.
> Added ‘see raw search syntax’ links in various places so customers can see
how the real searches work.
> Made those links take you to a new custom view that is a little more
comfortable than splunk’s normal ‘advanced charting view’.
> added lookups for call release cause codes, as well as redirect reason codes.
Now those descriptions are automatically created as fields for each call.
> Fixed a bug where changing some TimeRangePickers would not do anything.
> Improved the error detection to not flag configurations where trivial
off-hook calls generate CDR’s.