Let me lay out a simple scenario:
At our fictional business “Hattie’s Hats”, Getrude believes that Esther is artificially inflating her outbound statistics by calling people and just hanging up instead of actually selling them hats.
Of course, this is test data, so from what I can see of it, a quick in-my-mind average says that this isn’t the case. But hey, let’s pretend for a while!
How would we go about determining if this is the case? I know offhand that it’ll involve lengths of calls, but I’m not yet sure exactly what that would look like.
So let’s do a little exploring!
Try #1 – neat, useful, but ultimately not what we want.
Maybe our first try at this problem is to see if we can plot something like average duration of outgoing calls.
To do that, head to General Report. Set up the various options and filters to something like so…
And that looks great! But it doesn’t really help us.
In any case, I’m not sure average duration works – what if Esther’s making *some* outbound short calls, but some outbound *long* calls as well? In that case relying on the average isn’t a very good metric.
We COULD just filter it to calls that are under, let’s say 45 seconds? Shall we try that?
Try #2 – neat and useful, but also not what we need.
Let’s do! It’s easy to add another bit to our criteria and only show calls under 45 seconds.
We’ll want to switch back to charting the distinct count of calls over name – duration doesn’t make any sense in there any more.
Ah, now a clearer picture is developing. Esther really does make a lot of short calls!
Oh, no, not really. Esther has a lot of short calls, but she also has a lot of calls overall, so it makes sense that she would have a lot of short ones.
I think what we need is a sharper dividing line.
What I think we want to do is see the count of short calls vs. the count of long calls.
So what this shouts out to me is that we should build a custom field that divides each call into “long” or “short”. Short calls would be duration under 45 seconds, long calls would be anything else.
Try #3 – or how I learned to use a custom on-the-fly field.
This will involve the Advanced field.
Our first step is to remove the duration<45 from the search field. If you leave it in, the resulting report won’t be very interesting because all calls will be short!
Next, let’s build a new field. This is more or less just Splunk’s regular processing language – SPL. You don’t need a leading or trailing pipe in the advanced field, but you can use pipes in the interior.
So, our advanced field should contain
eval split_duration=if(duration<45, "Short", "Normal")
What that says is to use Splunk’s regular old “eval” command to build a new field that is set to “Short” if the duration is under 45 seconds, and is set to “Normal” if it’s not. We’re going to call that field split_duration because we’re splitting the duration into two chunks. And because I’m writing this blog entry, I get to decide these sorts of things.
Important Protip #1
Read up in Splunk’s docs on eval about all the wonderful things that can be done.
Important Protip #2
You have to run this search once before you can use the field. While it may look like magic, it’s only slightly magical and the field won’t create itself out of thin air. Instead the magical invocation to make the field appear is to run the whole search once.
So we search!
Now we can use the field
Remember, you have to run the search once, but once you have, you can now use it just like any other field!
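As an added example (not from the original post or the app itself), here is the same split run as a stand-alone search in the regular Splunk search bar, taken one step further to a per-person share of short calls, which answers the "she has a lot of calls overall" objection from Try #2. The call rows are constructed sample data built with makeresults, and constructed_row and pct_short are hypothetical field names; only name, duration, split_duration and the 45-second threshold come from the text above.

```spl
| makeresults
| eval constructed_row="Esther,12;Esther,30;Esther,20;Esther,200;Esther,340;Esther,95;Esther,410;Esther,150;Getrude,8;Getrude,15;Getrude,22;Getrude,300"
| makemv delim=";" constructed_row
| mvexpand constructed_row
| rex field=constructed_row "^(?<name>[^,]+),(?<duration>\d+)$"
| eval duration=tonumber(duration)
| eval split_duration=if(duration<45, "Short", "Normal")
| chart count over name by split_duration
| eval pct_short=round(100 * Short / (Short + Normal), 1)
| sort - pct_short
```

Both people in the constructed rows have the same number of short calls but different totals, so the raw count and the percentage rank them differently.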
Hopefully this gets you a start.
Do keep in mind that almost 100% of sensible questions you can ask the Cisco CDR Reporting and Analytics app can be answered without resorting to these sorts of shenanigans. But “almost 100%” and “100%” are not quite the same things, and knowing that a thing like this is possible is useful material to keep around!