Version 5.2.3 (January 9th, 2020)
- Fixed a typo in the concurrency searches if you did not have a split-by
field set. Improved test coverage to avoid regressions in this area in
- Updated python to include latest version of libphonenumbers
- Updated the “npa-nxx-lata-clli-ocn-location” lookup. This is the piece
that allows the app to take a north american number with just areacode
and exchange, and create fields with city, state, zip, CLLI, OCN,
CompanyType, latitude and longitude.
Version 5.2.2 (January 2nd, 2020)
Fixed some critical problems that were introduced with 5.2.1’s new field
extractions for gateway, device_type and type fields. Chief among these was
a problem where FXO ports on MGCP gateways were getting misunderstood by
5.2.1 as calls to internal devices rather than outgoing calls.
Fixed a bug in the Call Concurrency and Gateway Utilization page that only
affected tandem calls, where the concurrency numbers for those gateways
would be undercounted.
- Fixed an obscure bug where if you attempted to use one of the dateTime*
field as a search term, and you used it with a comparison operator like “>”,
on multi-leg calls, the filtering would not work.
- Fix made to our first-time-run and migration script to make it not error
out when run in python3 on splunk 8.
Version 5.2.1 (December 10th, 2019)
- Fixed a bug in the Call Concurrency and Gateway Utilization page where if you
narrowed the chart to just N gateways, the presence of any tandem legs in the
calls being analyzed would drag other (unselected) gateways into your chart.
- Added 3 extra hidden fields to the groups lookup, that are optional.
Admins can now customize the automatic lookup statements to use these fields
and alias them to more useful names reflecting the local use case
requirements, and then they will begin working as filtering, reporting and
grouping, and the ‘setup groups’ forms will automatically include appropriate
form elements to create/update/delete the values.
- Fixed a bug in the Canary UI where General Report and a few other pages would
sometimes get an extra “Loading…” indicator stuck open even when nothing
further was loading.
- Improved how the “type”, field is calculated from span integers to never
recognize conference bridge devices and conductors as ‘gateway’ devices.
Prior to this change, the default ^CFB and “CONF$$” regexes for device_type
“conference_bridge” were doing a lot of this work, so for many customers the
net improvement here may be minimal or zero. On the other hand for some this
will make a lot of “tandem” call legs become “incoming” or “outgoing” legs
more in line wiht expectation.
- As with the fixes to the “type” field (see above), the extraction of the
device_type and gateway fields has been improved.
- Fixed a bug where calls to/from, analog devices attached to MGCP gateways
would get the orig/dest gateway fields set to the MGCP gateway. This was
misleading at best.
- Fixed a bug where picking just incoming or internal calls, would erroneously
filter out matching calls involving conference bridge devices, (even where we
were previously extracting the ‘type’ field correctly).
- removed duplicate values from the internal_device_type field.
- Fixed a bug where the origSpan and destSpan fields were marked as categorical
instead of numeric, so you couldn’t build reports like max(origSpan).
- Fixed a bug causing the Canary UI on 8.0 to get a ‘switch back to the old
splunk UI’ (This was intended only for pre 8.0 versions, and the link when
clicked would just redirect you back to Canary UI).
- The Browse gateways page now uses improved SPL to populate the checkbox
pulldown for selecting which gateways you want to analyze.
(Note: this work was mistakenly reported in the 5.1.4 release notes although
it did not actually ship until this release).
Version 5.2 (November 5th, 2019)
- To implement the “upload lookup” functionality on Setup Groups and Setup
Devices in Splunk 8 and higher, a restmap.conf controller now exists to
replace the legacy web.conf controller, and the respective pages now POST
to this new controller when run in the Canary UI. There is also an
improvement to how the messaging works for both success and failure cases.
- Added a “download” tab to the “Define Sites” page so admins can download a
fresh copy of the current subnets to work on it, and then reupload it later.
- MLQK values of exactly 0 are now discarded automatically. These values
always seem to be false readings and previously they had to be filtered out
- Fixing a bug in the Call Detail page, where if many devices were involved,
- Fixed a misalignment of the Pager module in the Browse Devices pages.
the layout of the page would get pushed out and break.
- Fixed a bug that only affected the Canary UI where the page didn’t work
due to a typo where the page invokes app’s reusable ui pattern
- Fixed a bug that only affected the General Report and Browse Calls views
in the Canary UI where some fields would not get their special custom SPL
extractions/conversions inserted automatically behind the scenes.
- Changes to the Call Detail page to get the Field selection to work in both
the Canary UI and the old Splunk UI.
Version 5.1.5 (October 7th, 2019)
- Compatibility work for the transition from Sideview Utils to Canary.
- Layout fixes to the Browse Gateways page.
Version 5.1.4 (September 19th, 2019)
- Now when you use “Create Dashboard Panel”, the current choice of
visualization (chart vs table) as well as chartType and stackMode if
relevant, are passed along and saved into the final dashboard XML.
- Fixed a problem where CallManager misreports inbound calls to UCXNSubscriber
devices as though the device was a gateway and the leg a tandem leg.
- Added a new field called “bh_type” to the app whose value denotes whether
the origination time of the call is during “business_hours” or “off_hours”.
- Added fields to Browse Extensions that are unchecked by default that show
“business_hours” and “off_hours” call counts, as well as
“business_hours_duration” and “off_hours_duration”.
- Added proper logic to detect whether the Canary app is installed and if so
to switch to rendering the current page in the Canary UI instead of the
Advanced XML UI. Also text and links about Canary (currently in beta).
- Fixed a bug in General Report when doing a “max” “concurrency” report,
where if you weren’t using a splitby field, the legend would say “1” instead
- Fixed a bug where if you used the “Setup Clusters” page to generate your
clusters lookup, it would write the clusterLocale values as “”, which would
prevent the location lookup from running and thus you would not get any
location fields like area code, exchange, country, lat/long etc.
Version 5.1.3 (August 26th, 2019)
- Converted the encoding of a number of static file-based lookups from ascii
to UTF-8 to allow customers to more easily translate the english language
content there into a local language.
- Added a key to server.conf so that when admins update the sideview license
on any Clustered Search Head, that license change will be propagated to the
other SHC members.
- Improvements to the app_setup/migration script so that it better handles
unexpected cases where the clusters/devices/groups/cidr lookups on disk
are found to be empty. It will now detect this case and attempt to replace
the contents of the file with the corresponding *.default.csv file.
- Tightened the regex that matches the SEP prefix for hardphones to eliminate
false positives on other devices whose names happen to have those first few
letters. Now it looks further for 12 subsequent characters of hex.
- Fixed a subtle problem in the Call Concurrency and Gateway Utilization page.
CallManager sometimes marks call legs canonically as outgoing or incoming
even when the destDevice or origDevice listed is clearly a hardphone or conf
bridge. Since gateway extractions all fail for these devicenames, the page
when splitting “by gateway” would end up with “NULL” as a legend item.
These have now been filtered out.
- The gateways pulldown in the Gateway Utilization page will now return much
faster, and will contain the canonical list of gateways for the given time
range even if there are hundreds of gateways across 100K+ call legs.
- Search optimization is disabled now for any user or view using our
`get_locations` macro, as we have seen SPL optimization mangle the lookup
command for the external lookup.
- Fixed a bug in General Report where if “sourcetype” was a field you were
analyzing, the UI wouldn’t realize it should try to pull any CMR and CUBE
records into the analysis as well.
Version 5.1.2 (July 19th, 2019)
- Fixed a bug where when using max(concurrency) in the General Report view,
your “bins” setting would be ignored and a default bins ceiling of 400
would get used instead.
- Fixed a bug in Browse Extensions, and Browse Devices, where if you entered
values into a text field and then without changing anything else clicked
the submit button instead of hitting the enter key, the values you entered
would be ignored.
Version 5.1.1 (July 11th, 2019)
- Made a change so that if the Splunk instance is a Search Head Cluster and
someone tries to post a new license string into the Update License page,
it takes no action and gives them a helpful error.
- Snuck in a semi-secret feature whereby concurrency reports can be done in a
limited fashion within General Report and Browse Calls.
- Updated the “npa-nxx-lata-clli-ocn-location” lookup.
- Updated python to include latest version of libphonenumbers
Version 5.1 (June 10th, 2019)
- Major improvements to both functionality and usability of the Browse
- Devices lookup now can hold an additional column “productName”. When
present this creates fields origProductName and destProductName.
- Device Detail page now has an additional tab that displays additional
summary details like unicodeLoginUserId values and numbers associated with
the device, as well as any values that our SA_cisco_cdr_axl app may have
pulled from CallManager via AXL.
Version 5.0.10 (May 14th, 2019)
- Removed the CSR and SCSR field from the field gallery because we realized
that these fields don’t actually exist in the CMR itself yet.
- Added CS_total and SCS_total as new fields on the calls, which are the
total seconds of concealed speech and the total seconds of severely
concealed speech, across ALL CMR associated with the given call.
- Added CSR_overall and SCSR_overall fields, which are respectively the
CS_total/duration_total, and SCS_total/duration_total.
As such these represent reliable concealed speech ratio metrics for any
devices reporting CS and SCS.
- Fixing a bug in the transfers and legs fields, where if you used them
as a split-by field in reporting, they would get very significantly
overcounted, as represented by the range numbers in the legend for the
split by values.
- Call Detail view now displays the time of any CMR that are present, either
by listing the value of its dateTimeStamp field or failing that, presenting
the time that the record was indexed by Splunk.
- Fixed a bug where refreshing the browser manually on General Report pages
could reset your y-axis field unexpectedly.
- Fixed some formatting problems in field_gallery.csv which were causing
General Report to treat some fields incorrectly as categorical or numeric.
- Changed the Update License page so it no longer attempts to preload the
textfield with the existing license string – instead now the raw string is
displayed in the table below.
- Fixed a bug in Browse Extensions where “Show – Include numbers with zero
calls” would return two rows for some numbers in the results.
- Fixed a bug where the devices lookup (rarely used, somewhat secret feature)
which is technically allowed to have null values in most of its fields,
would get some null values filled with “PLACEHOLDER” on Splunk restart.
- Added migration to make the field names within the devices lookup
- added new fields that can be pulled from the optional devices lookup.
- Device Detail and Extension Detail pages now have links under key panels
that show calls, to investigate these same calls over in Browse Calls.
- Fixed a bug in the Browse Extensions page, where the “no group” and “no
subgroup” options wouldn’t work when checked, if any other checkboxes were
Version 5.0.9 (April 12th, 2019)
- Improved error messaging when underprivileged users attempt to update
the app’s license string, and when invalid licenses are submitted.
- Removed the embedded app TA_cisco_cdr, as this has now been released
separately on Splunkbase. (NOTE – versions posted on Splunkbase never
had the TA’s in them so this only reflects a change for users
downloading from the Sideview website.)
- Fixed a bug where orig_device_type, dest_device_type and device_type
fields would not populate correctly for non-mgcp gateway devices.
- Implemented a small improvement for the device_type field on individual
call legs. If both types are the same, the field now only holds the single
- Implemented a subtle fix to what the app calls its “union fields”, (group,
name, subgroup, ip_addr and device_type) so that in the aggregated call
results, these fields now only list the distinct values.
- Improved the Groups lookup’s handling of wildcarded numbers by having it
check and correct the sort order of the lookup, so now nested wildcards
work in the expected way without manual sorting.
- Added Cisco’s somewhat newer redirect reason codes >300 to the app’s lookup.
- Fixed an error in the Concurrent calls page that complained about an invalid
- Added new default device_type extractions for conference bridges
- Fixed a bug where some conference bridge devices would get misidentified as
- Changes to default.meta to make some of our content not get flagged as
“orphaned” in splunk’s “reassign knowledge objects” admin UI.
Version 5.0.8 (March 12th, 2019)
- Improved the “to” and “from” fields so that if one of the geographical
fields like city OR state is blank, it does not fall all the way back to
displaying only country (this can happen with wireless numbers where there
is no city associated)
- Raising the minimum version asserted by the app, from Splunk Enterprise 6.2
to Splunk Enterprise 6.4, as our new license endpoint was found to be only
compatible with 6.4 and up.
- Fixed a bug when adding a dashboard panel to a shared dashboard not owned
by the current user. Previously this would fail with a confusing 404 error.
- Fixed a bug when creating a new dashboard entirely, where the dashboard
panel creation would fail with “ERROR 400 Cannot create an object with
empty or all whitespace name”
- When saving a new report, sharing the report with others now works properly.
- When creating a new dashboard for new dashboard panels, the UI now prompts
you if your desired dashboard name contains invalid characters.
- For multileg calls, the “from” and “to” fields now have only the distinct
string values from the various legs, and no longer list duplicate values.
- Removing the interactive timeline from the top of the Browse Devices page
as it seems a change in more recent Splunk Enterprise versions has made
this not render properly. (if you want it back and fixed let us know)
- Fixed a bug on the Browse Devices page where the device name filter would
allow the device names from the non-matching device (on the other side of
each call) to creep into the device search results.
- Fixed a bug in the Gantt chart on Call Detail where it now renders even in
the rare case where callingPartyNumber or finalCalledPartyNumber are blank.
- Fixed a bug in Browse Extensions where using the “name” field would filter
to the right people but could also return other internal parties that had
been on any multi-leg calls with them during the time range.
- The “number” field in Browse Devices now supports multiple comma-separated
numbers, numbers with wildcards and hyphenated ranges of numbers (only up
to a max of 50) and various combinations thereof.
- Cosmetic CSS fixes to render popuplayers, checkbox pulldowns and buttons
properly in the Splunk 7.3 beta.
- Screened out some erroneous rest command warnings from the 911 calls page
and the sites setup page.
Version 5.0.7 (March 1st, 2019)
- Fixed a critical bug for Cloud users and users downloading from Splunkbase
that effectively barred all non-admin users from the product.
- Health checks page can now be run even when product lacks a valid license.
- Filtered out unnecessary “Successfully loaded lookup file” UI messages.
- Added a warning to users who attempt to enter raw numeric terms into the
‘search filters’ field, as this is not supported and will return 0 results.
Version 5.0.6 (February 27th, 2019)
- Fixed a common problem where license strings pasted into “Update License”
would fail if they had an extra leading or trailing space character.
- Improved the fix done in 5.0.5 around the “Sideview Utils not installed”
error case to no longer require a custom module.
Version 5.0.5 (February 19th, 2019)
- on Site Detail and Gateway Detail pages, some drilldowns and links were
linking to Browse Calls with the “get only the” pulldown set to only pull
the most recent 1000 call legs. This has been fixed so those links will set
that pulldown to “all” and so will now return expected results.
- Implemented a workaround for a bug introduced in Splunk Enterprise 7.2.4
itself that causes an error message to appear on the app homepage saying
“ServerSideInclude Module Error”
- Improved the Edit Clusters page so that if Splunk fails to run our
app_setup script (we are still not sure why this happens sometimes), users
can still use the “Edit Clusters” page to fix the clusters lookup manually.
Version 5.0.4 (February 4th, 2019)
- Fixed a bug where if you were using * as a wildcard in your groups lookup
entries the Extension Detail page for matching numbers would fail to list
the name, group, subgroup information.
- Migration check added, to look for old saved reports that have ui_edit_view
specified but no ui_context. Since these will be unable to reload themselves
in the specified view they are now migrated to load in the default splunk
- the Setup Groups page now gives users the ability to download a copy of the
groups lookup as a csv or to open it directly in Excel.
- Fixed a bug around the “save report” buttons – the resulting reports would
reload fine in the Sideview UI but the underlying savedsearch stanza had an
extra “search” prepended to the SPL that would make it always return 0
results when run from core splunk interfaces and from the scheduler.
Version 5.0.3 (January 25th, 2019)
- Fixed a regression introduced surprisingly long ago where if you saved a
report and then tried to reload it from the “Saved Reports” menu, it would
not appear with the form elements selected to the right values and so the
results would be incorrect.
- Fixed a bug where after you saved a report or dashboard from any of the
app’s interfaces, you would have to reload the page or navigate to a
different page before the new report/dashboard appeared in the Saved Report
or Saved Dashboards menu.
Version 5.0.2 (January 17th, 2019)
- Fixed a bug in the Devices page, where if you had all of the options selected
in the “sites” pulldown, then all of the sites in the table would switch to
- Fixed a bug on Internet Explorer only that was introduced in 5.0.1, that
prevented the product from working properly on that browser.
Version 5.0.1 (January 14th, 2019)
- Fixed a problem introduced in Splunk 7.X where the TimeRangePicker control’s
menu options lost their submenus and became instead a huge flat list.
- Screened out a class of uninformative “Successfully read lookup file”
messages from being displayed in the UI.
- Improved clarity of product messaging when license/support terms expire.
- Within General Report, the “over time” option now always gives you an option
to set the “bins”, ie to set the granularity of time on the x-axis.
- Cisco CDR app now requires at least Sideview Utils 3.4.6.
Version 5.0 (January 11th, 2019)
- The product has a new licensing mechanism. Instead of the license information
being embedded only in the source code served from our website, you can now
update the license by pasting your current valid license string into a page
in the product itself.
- Fixed a bug in the “number” field in Browse Calls and General Report where
you could quickly click into the field as the page was loading and the
“enter number()” text would get stuck in there as though it was valid input.
- Added Field Gallery docs for SCSR and CSR fields, and a sample report.
- Pulled new NANPA data into the “npa-nxx-lata-clli-ocn-location.csv” lookup.
- Fixed a bug that caused Browse Gateways to sometimes break a given gateway’s
stats into two different rows.
- updated python-phonenumbers library to latest version.
Version 4.4.3 (November 9th, 2018)
- Significant performance improvements in both browse and general report
views by simplifying and optimizing the underlying SPL.
- Fixed a problem in the Call Detail view caused by a regression in
Splunk 7.2 in its fields and table commands. Specifically this caused
confusing behavior in the Call Detail page where the field values in tables
could become misaligned and jumbled up from the field names
- Fixed a bug where filtering using numeric fields with comparison operators
like MLQK>0 or jitter>20 would erroneously filter out all rows with 2 or
more call legs. (Note that technically this a workaround for a bug we
only recently discovered in Splunk’s own search language.)
- Fixed a bug that caused callingPartyCountry and finalCalledPartyCountry to
often be blank.
- Fixed a problem where users who lacked the dispatch_rest_to_indexers
capability in Splunk would get a confusing warning on some pages.
(besides the erroneous warning no functionality was actually affected)
- Fixes to the hidden user_activity view (Note this view only works for users
that can search the _internal and _audit indexes, typically admins only)
- Improved the messages displayed when the app comes up and Sideview Utils
is not installed or was removed accidentally.
- Fixed a bug in the app_setup script that failed to account for the devices
lookup having a different header row that was canonical on older versions
of the app.
- Fixed a minor bug — when summing a numeric field on multileg calls where the
same value gets repeated the sum would fall slightly short.
- In General Report the “stack mode” pulldown now defaults to “stacked”.
Version 4.4.2 (October 10th, 2018)
- Fixed a bug in the new Create Report / Create Dashboard Panel functionality
where it would fail for non-admin users.
- Fixed a bug where the data input setup wizard would fail if the “admin” user
had been deleted (regardless of which user you were using the wizard as).
- Fixed a bug where non-US numbers would get not just *CountryCode and
*AreaCode fields but also the three digit *Exchange fields created
Version 4.4.1 (September 27th, 2018)
- Fixed a bug where the migration applied to the clusters lookup in 4.4
failed to properly migrate the names of the fields, leaving the lookup
inconsistent with props.conf
Version 4.4 (September 22nd, 2018)
- python script now handles the tasks around creating and migrating the
contents of key user-editable lookup files. (Formerly this was handled
by special config hidden on the home page that required an admin user to
load that page once after installs and after all upgrades.)
- Minimum version of Splunk Enterprise has changed from 6.0 to 6.2.
- Substantially reordered and redesigned the main form field layout in Browse
Calls and General Report.
- Updated python to include latest version of libphonenumbers
- Pulled new NANPA data into the “npa-nxx-lata-clli-ocn-location.csv” lookup.
- Sites lookup now *can* have subnet blocks that contain other listed subnets,
meaning you can now put in catchalls for larger regions while carving out
specific subnets within for other site names. Various mechanisms also now
exist to detect when the file has incorrect sort order, and to fix it from
within Setup Sites itself.
- In the Gateways – Summary tab, each gateway now has a failed call count and a
failed call percentage.
- In the Gateways – Calls over time tab, you can now change the charts
displayed for the gateways to be split by call success/failure instead of
just by call type.
- Added a new field “gateway” that represents the union of orig_gateway and
- Clicking “see calls” from General Report will now set the “see only the N
most recent call legs” pulldown to “all” to avoid common confusion there.
- Fixed several problems where all calls to/from non-US regions in the North
American numbering plan would not get their actual *Country, *AreaCode,
*Exchange, fields set correctly.
- Added proper support for parsing IDD prefixes by locale. Clusters.csv now
has an extra column “locale”. Existing CSV’s are migrated when the homepage
is loaded. If left blank there is a failsafe macro that sets it to “US”.
- Setup Clusters page now has a UI with which the users can edit the locale
for each cluster.
- Canadian states and territories are now reflected properly in the
callingPartyState and finalCalledPartyState fields.
- Fixed the field extractions for origUnityVMDevice and destUnityVMDevice
which were only holding the device name up to the first hyphen char.
- Added two new categorical fields, callingPartyNumberType and
finalCalledPartyNumberType. eg: “toll_free”, “fixed_line”, “mobile”,
“fixed_line_or_mobile”, “shared_cost” etc.
- Fixed a bug in Browse Gateways, where the click to Gateway Detail did not
pass on the currently selected timerange.
- Changed the Origination/Connect/Disconnect times listed on the Call Detail
page to include second granularity (was formerly just to the minute).
- Added ‘see search syntax’ links to the Extension Detail pages.
- Added a field called “seconds_until_disconnect” that just measures the total
time between the origination time and the disconnect time. This can be useful
for analyzing inbound ring time for call legs that are not answered.
- Browse Sites now lists the subnet_description fields and country if those
have been entered in the lookup.
- Added some cosmetic CSS fixes to work with Splunk Enterprise 7.2.
Version 4.3.2 (July 31st, 2018)
- Numbers entered into the groups lookup can now have asterisk characters and
they will be treated as wildcards when matching against party numbers.
- for US numbers, the callingPartyState and finalCalledPartyState fields now
are the full state names instead of the two letter abbreviations. There are
also new fields callingPartyStateAbbr and finalCalledPartyStateAbbr for the
users who need the abbreviated values.
- For US numbers there are new fields callingPartyCLLI, finalCalledPartyCLLI,
callingPartyCompanyName and finalCalledPartyCompanyName.
- Fixed the field pulldowns in General Report to properly disable fields that
we know to be categorical when a numerical statistic (eg avg) is selected.
- Fixed a recent regression where the “reset to default fields” links
dissappeared from the field pickers.
- removed the “all” option from the Sites pulldown on Site Detail as it didn’t
work properly and doesn’t make sense on a page designed to give detail on
only a single site.
- Fixed a cosmetic bug in the TimePicker’s Calendar widget, where the “next”
button rendered in the middle of the month name.
- Added a day_of_year field (integer-valued, from 1 to 366).
- App homepage now automatically runs a subset of the health checks that we
deem critical, so common setup failures can be found and fixed more quickly.
- Fixed a bug in General Report where the “bins” fields would often reset
themselves to “15”.
- Lots of new Health Checks have been added to detect common and/or critical
misconfigurations and error states. (See Setup > Health Checks for details)
- Fixed a bug in the “calls over time” tab within the Browse Gateways page
where not all gateways would actually get a timechart, if you had the
“scan only” pulldown set to less than “all”.
- Fixed a bug in the “calls over time” tab in Browse Gateways where the charts
were not including stats from any incoming calls.
- Health Checks page now groups the health checks that are considered
“Critical” in their own section at the top.
Version 4.3.1 (June 14th, 2018)
- Fixed a bug where some very long but nonetheless valid international numbers
were not getting location fields extracted.
- Fixed a bug where “0011” was not being used as a possible IDD prefix.
Note that this is only likely to affect users in Australia.
- Some changes in the Setup pages for clarity and also for look and feel and
consistency in Splunk 7.1
- Added some initial functionality so that customers who follow our steps to
ingest data from CUBE, will see those extra fields in Browse Calls.
- Added a health check to make sure no entries in the Groups lookup are
missing the number field.
Version 4.3 (May 7th, 2018)
- Browse Extensions now has options to include rows for extensions with zero
calls, as well as to include calls with zero duration in the counts.
- Browse Extensions now has a field to specify one or more huntGroups whose
activity you want to narrow down to. The value entered is passed to the
Extension Detail page as well and exists as an editable field there also.
Supports * as a wildcard, comma-separated and hyphenated range values.
- Simplification and optimization of the SPL search syntax used by the Browse
Extensions view. Removal of the “nameGroupSubgroup” field.
- Fixed a bug where Browse Extensions was double-counting duration of calls
where the given party was both the original and final called party number.
- Fixed a bug in the Devices page where selecting “no site extracted” would
not work correctly. As part of the underlying fix was in Sideview Utils,
the required Sideview Utils version is now 3.4.2.
- Groups lookup now has max_matches=1, meaning if a given extension is in the
lookup twice, only the first matching row will be used.
- Added huntPilotDN to the available fields in Browse Extensions, although it
is off by default.
- Added a health check to look for numbers entered more than once in the
- Added a simple report to the Field Gallery table, to show which pairs of
sites tend to have low MOS scores for calls carried internally.
- Added logic to Device, Gateway and Site Detail views, so that when the user
clicks the breadcrumb to return to the corresponding Browse view, the
previous selection states will be restored.
- Fixed a bug in the health check that checks leg_type definitions for
- Removed the MAX_DAYS_AGO=365 setting, so customers adding historical data
that is more than one year old don’t get it indexed with current clock time.
- Gave Site Detail page a simple link you can use to see all calls in/out of
the given site, over on the Browse Calls page.
- Screened out three field names from all field lists – the misspelled orig*
and “destdeviceName” fields that appears in CMR data, and the varVQMetrics
field which is not needed because we extract each metric separately.
- Changed the gateway checkbox pulldowns on the Gateway Utilization, and Busy
Hour Calculator pages, to only pull 50,000 events at most, in calculating the
list of gateways.
Version 4.2 (April 24th, 2018)
- For all calls that have more than one leg, the order of those calls in the
results on Browse Calls is now reversed. This is a change we have wanted
to make for a long time. Formerly the first call leg was listed last and
the last call first. We apologize for the confusion of our existing
customers who had gotten used to it the old way.
- Browse Gateways now has a checkbox pulldown to select any subset of gateways.
- Improved the Browse Gateways page, to have a second tab wherein it lists
one chart per selected gateway, of call counts over time split by type
- There is a new field called “leg_type”. You can assign values to call legs
simply by defining eventtypes whose names begin with “leg_type_”. This
enables a wide range from simple on-the-ground readability to advanced
reporting and analytics, particularly around complex multi-leg flows.
Docs and more product work are coming. Contact us for more details.
- Sites lookup now has additional fields of country and subnet_description.
and the “location” field is now renamed to “site_name”.
The app homepage runs a simple migration that will implement these changes
and add the new columns as necessary to existing lookup files.
- The fields we add to represent the “initial” and “terminating” party number
values, now are defined on each call leg instead of only on first and last.
- Fixed a bug where if you used the “advanced” field within General Report,
clicking “see calls” to switch to Browse Calls would fail with an error.
- Added a new field called initialType, that for each call represents the
“type” value of the call leg with the earliest origination time.
- Changed defaults on the 911 report, to include 9911 and to exclude calls
that failed with “Unallocated (unassigned) number”.
- Updated the call release cause codes and video codec types lookups to add
some entries only present in more recent CM versions.
- Fixed a bug in Browse Calls and General Report where if you were using
any location fields suffixed with Lat, Long or StateAbbr, and not using
any other location fields, the values be all null.
- Fixed the appearance of the app’s submit buttons when the app is loaded in
- Added a workaround for a bug in Splunk 7.1, where the class of
“foo NOT foo” searches that we use to power the field pickers stop working
- Fixed cosmetic bugs in Splunk 7.1 in the Pulldown, CheckboxPulldown and
- TimeRangePicker controls on extension_detail, site_detail, gateway_detail and
device_detail no longer default to All time.
- Required version of Sideview Utils is now 3.4.1 (was previously 3.3.15).
Version 4.1.10 (March 26th, 2018)
- Added a new default device_type extraction for Cisco ICD queues.
- Workaround for a bug in Splunk where the server returns “UNKNOWN_VERSION” as
the Splunk version. Prior to this release of the app, when his bug did occur
in Splunk it made the app’s version dependency check fail, and then redirect
every user to the homepage to tell them the Splunk version was too low.
- Fixed a bug where gateway devices were showing up on browse devices if you
had all device types selected (even though they’re not one of the options).
Version 4.1.9 (February 13th, 2018)
- Removed the runlocal=true from all lookups so bundle replication can push the
scripts and tables out to run at the indexers.
- Fixed a bug in Browse Extensions where the group and subgroup pulldowns
would never populate with any entries that had a null value for subgroup.
(Note this bug does not occur when the row has merely “emptystring” values.)
- Greatly improved performance of the Browse Sites page by switching to a
tstats search instead of a raw data search. Also removed the “scan only the
most recent 1000 calls”, as this became obsolete.
- Added export buttons to two of the panels in Call Detail view, to make it
easier for users to do deeper investigations and comparisons in Excel.
- Added “reset to default fields” and related links to the 2 Field Pickers in
the Call Detail views.
- Improved checklist.conf entries that check our dependencies against Splunk
version and Sideview Utils version – they no longer erroneously say
“not applicable” when they pass.
- There is a new mechanism implemented as a “check_single_value” key in
fields.conf that activates a health check. If any recent events have
multiple values for the given field the health check will fail.
- Cisco CDR now ships its own custom controller to allow admins to update the
apps own file-based lookups via uploaded csv files.
(Prior to this release, that functionality relied on the presence of the
Lookup Updater tool in Sideview Utils.)
- Replaced all our health checks with checklist.conf stanzas, added a custom
testrunner to pull those stanzas into our own health check page and run them
- Removed a number of old obsolete health checks, including the old custom
“headerextractionconfig” search command.
Version 4.1.8 (January 19th, 2018)
- Removed the long-deprecated “cisco_cdr” and “cisco_cmr” sourcetypes.
- Fixed a bug where if callingPartyNumber was null, the countryCode, areaCode
and all location fields of finalCalledPartyNumber would also fail to extract
and vice versa.
- Fixed a bug in Browse Extensions where extensions that matched multiple rows
in the Groups lookup would not appear in the results at all NOTE: in
general having extensions match multiple rows in the Groups lookup is not
fully supported and despite this fix, will still cause a number of problems
- Fixed a bug in Device Detail where calls with null values for any of the
three party fields would not be included in totals.
- Fixed a bug in Device Detail where drilldown clicks on the chart to view
individual calls, would not show any call legs where any of the party
numbers were blank.
- Fixed a bug in the Site Detail view, where changes to the Site pulldowns
would reset the selected timerange to whatever timerange the Browse Sites
page had originally had.
- Fixed a bug where every time the homepage loaded, it would re-insert a row
into the clusters lookup, telling the user to visit the Clusters page under
- Removed “call types” and the “scan only the 1000 most recent” calls from
- Removed “gateway” from the device type pulldown in Browse Devices.
- across all pages that have it, we reworded the “count only the 1000 most
recent matching records” pulldown’s labels to say “scan only the 1000 most
recent call legs” to more accurately describe how it works.
- Added a custom search command dnparse that may one day replace the scripted
lookup “parse_phone_numbers”. However in our testing the performance lags
behind the existing scripted-lookup so the app continues to use the latter.
- Added a check to Browse Calls, for if users put a “*” into the number field.
Prior to this change they’d actually get considerably worse performance as
a result. Now it will be the same as if they’d entered nothing.
- A small change to the code running lookup editors for Sites and Groups – if
a user edited an individual row previously, empty fields like subgroup would
be encoded as emptystring values. Now they are proper nulls.
- For customers who have already set up the TA_ciscoaxl app, there is now a
hidden view called setup_devices that allows them to use Cisco AXL to
populate a new “devices” lookup automatically and make its fields available
within the Browse and Report views.
Version 4.1.7 (December 6th, 2017)
- Fixed a bug in the Gateway Utilization page where the counts would be
doubled if tandem calls were selected. This bug was unfortunately
introduced by our changes in 4.1.4.
- Changed the behavior of the “site” field generated by the `get_sites` macro.
Now if the origination and destination sites are the same, the site field
has only the one value, ie “Oakland”. Previously the site field would have
a multivalue value, ie [“Oakland”,”Oakland”].
- Added a “split by site” option to the Call Concurrency page.
- Fixed a problem in “Setup > Sites”, where the “find more sites to add” tool
did not work properly.
- on the 911_calls page, the copy about enabling/disabling the alert has been
updated to match UI changes in Splunk 7.0.
Version 4.1.6 (November 3rd, 2017)
- Fixed a bug around the advanced Sites lookup customization introduced in
4.1.5, where if you used the new feature, call_detail, sites and
site_detail pages then wouldn’t extract the sites from the right IP fields.
- Introduced a hidden view called “user_activity” that local administrator
users can use to see which of their local users are using which apps and
dashboards, and what kinds of searches they’re running there.
- Fixed a bug introduced into the Gateway Utilization page in 4.1.4 where
if you only had one call type selected it would give an error and not run.
- Changed the Cluster pulldown on the Browse Calls page to a multiselect
checkbox pulldown control, so users can select more than one at a time.
- Fixed a bug where some conditional messaging on the Extension Detail no
longer worked. If you navigated to the page manually the messaging now
tells you that you need to enter an extension or DN before the page will
Version 4.1.5 (August 29th, 2017)
- Improved our concurrency calculation, which essentially wasn’t accounting
for a number of seconds at the end of each call equal to the difference
between the origination and connect times.
- Gave the “number” text fields support for hyphenated ranges of numbers like
1000-1020 for users who want to search for all calls involving a whole
range of extensions. (Note this required removing a minor feature added
in 4.1.4 whereby you could paste in DN’s with hyphens in them and it would
strip out the hyphens as a convenience.)
- Made a small change to our location lookup to remove the seldom-used
*AreaDescription fields, that was able to give us a 10x speed improvement
in search performance when any of the other location fields are needed.
- Added an advanced customization setting to allow admins to alter how the
sites lookup works. By default the origIpAddr and destIpAddr fields are
the ones used, but you can now change this to use other ipAddr fields like
Version 4.1.4 (July 31st, 2017)
- Fixed some incorrect charting results in the Call Concurrency and Gateway
Utilization tool if you were analyzing tandem calls and/or SIP trunk calls.
- Fixed a problem where the 911_calls alert that the app ships with, does
not extract or display the originating Site field.
- Added a README file at the root of the app to help catch users who do not
follow the install docs closely.
- Added a simple feature to remove hyphen characters on paste, if a user ever
pastes them into the “number” fields.
- Fixed a problem in the geolocation lookup that broke the value of the
- Improved the geolocation lookup to present city names in consistent title
case (previously cities were sometimes upper case, sometimes title case.)
- Added the ability for administrators to define in conf, what field list
should be set when end-users click “reset to default fields” in the Browse
Calls page’s Field Picker.
- Added a copy of the core props.conf and transforms.conf stanzas from our
Cisco IOS Voice Gateway app, so prospects looking to stitch together
disparage chains of Callmanager call legs via the voice gateway logs no
longer have to set up the separate voice gateway app.
Version 4.1.3 (July 11th, 2017)
- Updated the libphonenumbers code ( daviddrysdale/python-phonenumbers ) that
does most of the work around extracting location info from DN’s.
- Updated the “npa-nxx-lata-clli-ocn-location” lookup.
- the `custom_index` macro now defaults to index=”cisco_cdr” instead of
- Addressed an issue where the fields table on the homepage took a very long
time to load.
- Fixed a bug in the 911 calls page, where it wasn’t including the originating
- added a “see full search syntax” link to the 911 calls page, and formatted
the duration field as 00:00:00 instead of integer number of seconds.
Version 4.1.2 (May 26th, 2017)
- Improved behavior out of the box for the scripted lookup that is responsible
for creating the many geolocation fields like countryCode, areaCode.
offnet prefixes of “99” are now supported out of the box, and non-numeric
values no longer result in error messages written to the output fields.
- If users set up the Sites lookup such that all internal calling parties are
mapped to sites and thus to lat/long values, that plus the DN parsing code
can now reliably geolocate virtually all calling parties across all calls.
- Fixed bugs in how the filtering fields and pulldowns were working in Browse
- Fixed a bug with Splunk 6.6, where a diagnostic search run by the app’s Home
Page would fail with an error saying “headerextraction config [HTTP 401]
Client is not authenticated.”
- Fixed a regression in Splunk 6.6 where Splunk’s problematic default behavior
returned whereby it sends all “saved report” links to splunk’s generic
report view. Now this is fixed again, and all saved report links load the
given report in the appropriate view in the app.
Version 4.1.1 (April 12th, 2017)
- Fixed a problem with the internal_device_type and device_type fields where
for internal calls they would only pick up the values from the orig* side.
- Added new device_type value of “ccg” to pick up call-control-group devices
from device names in the form CCG_1211, CCG-1940
- Fixed a bug in the field picker within Browse Extensions. where if you did
not select “incoming” or “outgoing” or “internal” as fields, the
corresponding “duration” fields would not be calculated either.
- Fixed a bug in Browse Extensions where if a given number appeared sometimes
with one unicodeLoginUserID value, and sometimes with another (or none) that
there would be one row for each such combination, rather than just one row
for each number.
- Workaround for a rare bug in Splunk 6.2 (possibly in subsequent Splunk
versions but not in 6.5). The bug was that if you had any negative integer
values of the CMR “duration” field, and you had both a CMR field and the
duration field selected in your field picker, searches in Browse Calls
would fail with the cryptic error “invalid number”.
- the “Define Sites” and “Define Groups” pages now have significantly more
useful functionality within the “Find Sites to add” tab, and the “Find
Extensions to add” tabs, respectively.
Version 4.1 (February 21st, 2017)
- Added new view “Browse Extensions/DN’s” and its associated detail view.
This can be used for a variety of use cases around call volume reports
to and from internal parties and groups. Note that this replaces the older
and simpler “Browse Phone Numbers” page and “Phone Number Detail” which
have been removed.
- Made a change to the default 911_calls alert to workaround a problem where
the server would send an email every few *seconds* once a 911 call went
out, instead of only one email per call as expected.
- Fixing the Concurrent Calls report so that the dropped calls panel also has
a “view results” link, so as to make it easier to save as an alert.
- Performance improvements to the Concurrent Calls report.
- Removed all the old “example” savedsearches because they have all since been
replaced by better examples in the field gallery table.
Version 4.0.7 (January 25th 2017)
- Added a new page for 911 calls, under “Browse”. There is an associated
savedsearch that can be easily turned into a realtime alert.
- Added a safeguard so that if the deployment is from a version where the
CMR data also has a “duration” field, that this will be reflected as a
field called “cmr_duration”, rather than appearing as confusing second
and third values for “duration” in the Browse Calls table.
- Added some logic for the huntPilotDN field for the cases when the field is
undefined in the raw CDR. Specifically if calledPartyPatternUsage is “7”,
then the app now infers correctly that finalCalledPartyNumber represents
the huntPilotDN (as per cisco docs).
- Added lookup for patternUsage, creating new fields
calledPartyPatternUsageDescription and calledPartyPatternUsageName
- added lookup for mobileCallTypes to identify mobility features invoked,
creating the new field mobilityFeature
- Added lookup for routing reasons, creating the new fields
lastRedirectingRoutingReasonName, origRoutingReasonName, and
- Added all fields mentioned above to field gallery, plus more than 70
- Reworked the field gallery on the homepage to give it additional filtering
and search controls. You can now choose to see 1) fields present in raw CDR
vs those added by the app. 2) fields that are in your indexed data vs not.
There is also now a search field that you can use to match any entered
search string against field name and description text.
Version 4.0.6 (November 11th, 2016)
- Removed 2 unused calculated fields in props.conf that were triggering
CalcFieldProcessor WARNS in splunkd.log
- Performance optimizations on the scripted lookup that parses country code,
area code and exchange out of DN’s.
- Parametrization of the scripted lookup for DN’s to support customers who
have unusual dialing prefixes for outside lines.
- Many improvements to the “Define Groups” documentation.
- A bugfix to the system that checks whether the Sideview Utils app is
not installed at all. Now a better error message displays instead of a
simple but confusing alert.
- Fixed a bug where if you specified a Groups lookup with the number, name
and group fields but omitted the subgroup field, then every time the app’s
homepage was loaded, the lookup would get obliterated.
Version 4.0.5 (September 23rd, 2016)
- Reversed the order of the raw call legs table in Call Detail. Although
this makes it inconsistent with Browse Calls, we all seem to still
expect the first leg to be first and last leg to be last.
- Added a gantt-style visualization of the N call legs to Call Detail. This
visualization only appears for calls with more than one leg.
- Added new fields callingPartyLATA, callingPartyOCN, callingPartyCompanyType
and the corresponding fields for finalCalledParty.
- Restored some important messaging on the Create Data Inputs page, that
warns the user that when they submit the form to create the data input, the
files being indexed will be at the same time deleted from the filesystem.
- Added new field duration_elapsed. This field value will contain the number
of seconds between the connectTime of the earliest call leg to connect, to
the disconnectTime of the last call leg to disconnect. This field can be
used in General Report and Browse Calls, but not yet in Call Detail.
- Renamed total_duration field (introduced in 4.0.2) to duration_total so that
it will always appear alphabetically next to duration and duration_elapsed
- The “legs” field (introduced in 4.0.2) will now appear in field lists
throughout the product.
Version 4.0.4 (July 20th, 2016)
- Replaced the FlashChart modules used throughout the app with JSChart
modules. (Splunk’s FlashChart module has developed some bugs in certain
browsers and flash plugins whereas JSChart’s once-problematic axis labels
are now much improved.)
- Added a few missing fields to the field_gallery so they will appear not
only in the report gallery but also in reporting pulldowns and field
pickers. – fields are finalCalledPartyCity, finalCalledPartyState,
finalCalledPartyZip, originalCalledPartyGroup, originalCalledPartyName,
- Bug fixed in the data input wizard’s error detection. Previously if your
directory already had a data input but it also had no files therein, you
would get the warning about no files, not the more important warning about
the previously existing input.
- Added interactivity to the Call Concurrency page so that you can now click
the main call concurrency chart and see a second chart below showing you
the call concurrency within that much shorter time range.
- Fixed a bug in Gateway Detail where the first chart didn’t load.
- Fixed a bug where 2 seldom used fields from the CMR, directoryNum and
directoryNumPartition were erroneously listed in the app as directoryNumber
and directoryNumberPartition. This caused them to not work in field
pickers and reporting pulldowns.
- Fixed a bug that prevented any of the City, State and Zip fields from being
used in General Report.
Version 4.0.3 (April 26th 2016)
- Fixed a bug in the Data Input wizard where on windows it would fail to
detect pre-existing data inputs if the casing of the path you entered
didn’t match exactly.
- Fixed a bug in the Data Input Wizard where if you had more than 30 existing
data inputs on a standalone indexer, it might not detect that you were
about to create a data input on files that are already being indexed by an
existing data input.
- Sinkhole inputs created by the data input wizard will now set crcSalt to
- To help existing customers index data that has been orphaned on the
filesystem by initCrcLength catch-22’s, initCrcLength has been lowered
to 1500 for cdr and 1000 for cmr.
- Added max_days_ago=365 to sourcetype config to make it easier to index
- There is a new field called “number” that is the union of callingPartyNumber
originalCalledPartyNumber and finalCalledPartyNumber
- the “callId” field is now created automatically instead of extracted by the
UI explicitly using the app’s `get_call_id` macro. This is just to simplify
some underlying search syntax and has no other significant effect.
- Workaround for a bug in Splunk 6.4, whereby our preexisting patch to
workaround a *separate* bug in the Splunk Navigation bar, now has to be
wrapped in a require call. (see dashboard.js)
- Replaced the lookup config to generate originalCalledPartyName,
originalCalledPartyGroup and originalCalledPartySubgroup, which had been
removed with the thought that it was never interesting.
- added new field “name” that is the union of callingPartyName,
originalCalledPartyName, and finalCalledPartyName
> added new field “group” that is the union of callingPartyGroup,
originalCalledPartyGroup and finalCalledPartyGroup
- added new field “subgroup” that is the union of callingPartySubgroup,
originalCalledPartySubgroup and finalCalledPartySubgroup
- Fixed a bug in Browse calls where if you were not actually searching for
a particular IP address field, but you had that field in your field list,
and you didn’t have the location or sites field active, and you were on a
CUCM that stores ip’s as long integers, you’d see the unconverted integers
in your Browse results.
- Fixed a bug where if you were using the “advanced” field in Browse Calls,
the app would not realize it had to carry along those field names and run
any required SPL extractions for thoe fields in your expression.
- Added/Modified the ip_addr “field” to now be available in the app UI, and
hold the union of all the various IP address fields.
Version 4.0.2 (March 11th, 2016)
- Added new field to the UI called “initialCalledParty”, “initialCallingParty”,
“terminatingCalledParty” and “terminatingCallingParty”. For multi-leg calls
these represent the appropriate parties from the initial/final call legs.
- Added new field to the UI called “total_duration” that adds up the duration
values from all of a call’s individual call legs.
- Added a new field to the UI called “transfers” that represents the number
of call legs within the given call that show a termination cause of “call
split”. This field is available in both Browse Calls as an additional
column, and also in the Reporting UI.
- Added a new field to the UI called “legs” that simply represents how many
call legs the given call has.
- Added a field called “on_hook_party”. If the last call leg was
terminated by the caller going on-hook, this is “caller”. If the last leg
was terminated by the receiver, this is “recipient”. For calls that don’t
connect the field will be null.
- ~30% speed improvement for General Report to only get CMR data if
one or more CMR fields are actually involved in the report.
- modified the machinery that initially creates the Groups lookup, so that it
will not interfere with customer attempts to add new fields to the lookup.
- Added finalCalledPartySubgroup and callingPartySubgroup to the field_gallery.
- Changed the default Groups lookup to also have an optional “subgroup” field
as this field has proved useful to some customers. The field will also get
automatically added to any rows in existing customer lookups.
- Fixed a bug where the raw call legs table in Call Detail view would list
the time as the last column in the table instead of the first.
- Fixed a bug where the General report page would see groups fields like
callingPartyName/callingPartyGroup and think it had to run the very
expensive location extractions.
- Fixed a bug in Browse Calls where if you had the “count only” pulldown set
to “all records” for your session, when you clicked into Call Detail and
then clicked the breadcrumb to get back to Browse calls it would reset to
“count only the 1000 most recent matching records”.
- Fixed a small class of bugs that concerned when a single report was
filtering and/or reporting by one or more IP Address fields *and* one or
more site fields.
- Fixed a bug in the Browse Calls view where “Graph calls over time” wouldn’t
pass along your selected value for the Cluster pulldown.
- Optimized the DN-parsing lookup to not process originalCalledPartyNumber
since this was never being used and removing it speeds up a very
expensive lookup by about 50%.
Version 4.0.1 (February 18th, 2016)
- Browse Devices now has a sites pulldown that you can use to see only the
devices from one or more of your defined sites or locations.
- Setup Sites now has a tab to help you find devices, extensions, DN’s and
Ip Addresses that are not matching any of the sites you have defined so far.
- callingPartyGroup, callingPartyName, finalCalledPartyGroup and
finalCalledPartyName will now appear in all field menus without having
to wait for the daily scheduled search that finds new custom fields
- Modification to the data health checks so they complete in reasonable
time on hosts with *only* legacy sourcetype data.
- Fixed a regression in 4.0 where the app’s Create Data Input Wizard would
index the CMR records with the “cucm_cdr” sourcetype instead of “cucm_cmr”
- Resolved a performance problem on Call Detail view which in some cases
caused the page to hang.
- Fixed a problem where the links to the Splunk Admin UI would result in
‘page not found’ errors.
- Deleted 6 hidden gitignore/cvsignore/svnignore files from the libphonenumbers
directory so they don’t trigger splunkbase/cloud appcert/app-vetting checks.
- Fixed a bug where if you saved a report or created a dashboard panel from
the Call Concurrency and Gateway Utilization tool and then tried to re-run
that report later, it would fail to repopulate the pulldowns correctly.
(Note that reports saved prior to this fix would have to be recreated in
order to have the correct loading behavior in the UI.)
- Fixed a bug in Call Detail view where if you had a field displaying in the
upper right panel and that field had multiple values, it would show only
the value from the most recent call leg instead of listing all the values.
- removed “answered” and “missed” from the Browse Phone Numbers page as these
numbers as calculated were a little misleading for calls with more than
one call leg.
- Fixed a bug where in the Browse calls page you couldn’t search for
duration greater or less than a particular number of seconds.
- Some adjustments to the design of the save/create controls and the Edit
Fields button in the Browse Calls page.
- The Browse calls page now has a “graph calls over time” link that switches
you over to the General Report page, preserving your filtering arguments.
Version 4.0 (January 27th, 2016)
- The App’s name has been changed from “Splunk for Cisco CDR” to
“Cisco CDR Reporting and Analytics”.
- Changed the Data Input wizard and documentation to now create and recommend
batch aka sinkhole data inputs only. This removes the need to create
shell scripts to delete older CDR and CMR files.
- Splunk’s AppBar module has been patched within this app to resolve a
problem where the module stopped using Splunk’s “@go” URL system. This had
the effect of preventing all our app’s saved reports from loading in the
proper view (ie browse or general_report). With this change, all saved
reports will once again reload back in the view in which they were saved.
- Added first version of sourcetype configuration for AlternateSyslog.
Contact us for more details.
- Modified one of the data health checks so that it wont be triggered by
other non-cdr sourcetypes living in the app’s index.
- Added a new field “internal_device_type”, useful for doing reports around
device utilization where “gateway” isn’t a useful device-type to have.
- Added a new field “site” that combines origSite and destSite, useful for
various reports split by site that need to combine both sites from inbound
and outbound parties.
- Added many new sample reports for various fields.
- Reorganization of the homepage to help trial users get started and also
provide simpler more functional content for paid users.
- Some rounds of optimization to trim out unnecessary search language that
the reporting and Browse pages were inserting.
- On the Site Detail page, removed “User busy” and “unallocated number”
from the “unusual call termination reasons” timechart.
- On the Site Detail page, enabled drilldown on the “Unusual call termination
reasons” report that now takes the user directly to see the actual calls.
- On the Site Detail page, enabled drilldown on the Site to Site concurrency
timechart report that takes the user directly to see all calls in
progress at that moment.
Version 3.7.1 (November 23rd, 2015)
- Fixed a regression in the “number” field in Browse Calls whereby the
resulting search would be invalid.
- Corrected language in help text and health checks that referred to the file
extension on the downloaded app package as *.tar.gz rather than *.spl.
Version 3.7 (November 19th, 2015)
- In Browse Calls, the user can now edit and reorder the fields shown in the
tabular results. This supercedes the “include” pulldown which has been
removed in this release.
- in the Call Detail, the user can now edit and reorder the fields shown in
the “call legs” table.
- in Call Detail view “call legs” table now indicates next to a calling or
called party when that party terminated the leg by going on-hook.
- in Call Detail view, the “call legs” table is now above the “other calls
- When clicking the “see calls” link in General Report to peek at the calls
themselves in “Browse Calls”, if you are using a quality field or a
location field, the UI no longer warns you that the field is not active, it
instead automatically includes it in the results for you.
- Fixed a bug where if Splunk indexed a given call’s legs out of time order,
the start time assigned to the call by the app might actually be the time
for one of the subsequent call legs. This problem was always there to a
certain extent but is a lot more common in Splunk 6.3 due to an
undocumented SPL behavior change.
NOTE: this problem also causes a bug where the drilldown from Browse Calls
to Call Detail view results in Call Detail view loading empty.
- An optimization around the ‘call types’ pulldown – if all 4 types are
selected and there are no other searchterms it now skips running any
subsearch thus speeding up these cases significantly.
- Browse Calls page now lists multiple duration values for multi-leg calls.
- “sites_lookup” macro renamed to “get_sites” for consistency.
- Fixed a problem on Site Detail page where the “only 10000 events” pulldown
was being ignored.
- Some minor improvements for users who find themselves searching for raw cdr
events in the search page — added a Workflow action to get to Call Detail
and a better default selected field list.
- Changed how the various default device type extractions were configured so
that now they can be edited from the Splunk Admin UI without throwing an
erroneous error on submit.
- Relaxed a Health Check that was looking for issues around indexed headers,
such that it no longer searches other Splunk indexes as well.
- Added entries to the help table for the fields around sites and also around
the “to”, “from” and “quality” columns on the Browse Calls page.
Version 3.6 (October 6th, 2015)
- Reworked the base events macros to workaround sporadic bug in 6.2 on
windows where type and eventtype fields stop working properly in search.
- Fixed a problem on Call Detail page where calls involving extremely common
calling or receiving parties were triggering extremely expensive and slow
searches on the “other calls to/from” panels.
- Updated General Report to include the site and subnet fields (destSite,
origSite, destCidr and origCidr) in the reporting pulldowns.
- Updated Browse Calls to work properly and give appropriate warnings if the
user uses site and subnet fields in the “misc search terms” box.
- Updated Sideview Utils required version to pick up an improvement around
CheckboxPulldown having its options deselected by default. This resolves
a problem where the show location/quality pulldowns would reset themselves.
- Added 5 new lookups to create readable description fields for the 5
“onBehalfOf” fields in UCM CDR.
Version 3.5.4 (Aug 14th, 2015)
- Added the Sizing Calculator page.
- Devices listed on Call Detail pages are now linked to Device Detail.
- lookups are now explicitly scoped to run on the search head in distributed
Version 3.5.3 (May 26th, 2015)
- renamed the “report” view to “general_report” so that standard Splunk
dashboard/report interactions in 6.2 that are trying to go to the core
“report” view can work properly again.
- Added a Data Health Check to catch savedsearches.conf content saved with
“report” that should be manually changed to “general_report”
- Browse calls page now loads with neither “locations” nor “call quality”
selected in the “include” field. This results in much faster page loads
although users who liked the Locations on by default will now have to
turn them on manually.
Version 3.5.2 (May 21st, 2015)
- Restored a few fields inadvertently screened out of General Report’s y-axis
- Changed fields in CSV and JSON exported from Browse Calls, so that duration
is listed in seconds (instead of [D] HH:MM:SS), and to make timeformat
- Added key pages and resources for “Site Detail” and “Setup Sites” pages
which had been accidentally excluded from the trial download.
Version 3.5.1 (May 7th, 2015)
- Fixed behavior when multiple extensions were entered comma-separated in the
“number” fields. Now calls will be matched whose call legs contain any of
the given extensions, rather than all of them.
- Added a setup view for the user to define their sites and offices based on
ip addresses, specifically by subnets given in CIDR notation.
- Added “Browse Sites” view and a detail view that shows site-to-site
- Reversed order of orig_ and dest_gateway fields in Browse Calls.
- Added index-time transform so that the useless “INTEGER,INTEGER..” headers
are no longer indexed.
- In General Report, it is no longer possible to create nonsensical
combinations of options such as “distinct count of duration” or
“sum of orig_gateway”.
Version 3.5 (April 7th, 2015)
- Charting Pulldowns to select fields now load much faster in reports.
- When duration is displayed in Browse Calls and Call Detail views, it now
appears formatted as “00:17:30” rather than as a raw number of seconds.
- the ‘see search syntax’ links now use the default search view rather
than the app’s custom “charting” view.
- Call Detail view loads much faster because its searches are restricted
to the times the call legs occurred, plus an extra day on either side.
This makes the “other calls to/from” tables much faster to render.
- The “other calls to/from” searches on Call Detail view are further sped up
by no longer retrieving and collating CMR data.
- Fixed a rare bug whereby calls that had null values for the
“dateTimeDisconnect” field would not render properly in the Call Detail view.
- on Call Detail view, removed null non-CMR fields that were showing up in
the “Call quality information (CMR)” section.
- Changed to consistently follow Cisco’s definitions of numberPacketsLost.
As of this release numberOfPacketsSent – numberOfPacketsReceived will not
necessarily equal numberPacketsLost because the latter doesn’t include
late packets or duplicates.
Version 3.4.6 (February 16th, 2015)
- Fixed a regression in the Browse Calls page where if you filtered by an
extension or DN, you would only see call information from the subset of
call legs that contained that DN.
- added device_name and ip_addr fields that for each call leg, are the union
of the corresponding orig* and dest* fields.
- Improved logging in the data input setup wizard.
- Fixed a critical bug in the data input wizard where, for single-indexer
mode, if you happened to not create an index with the default name
“cisco_cdr”, the setup page would fail to load properly.
- Fixed a bug where Call Detail view would not render certain times properly
for calls that had more than one call leg.
- multiple calling and called parties listed in Call Detail view are listed
in the order in which they appeared, (no longer sorted numerically).
- Fixed a bug in Gateway Detail view where the drilldowns from a given Call
Release description over to Browse Calls always returned zero results.
Version 3.4.5 (February 4th, 2015)
- Fixed a bug where users without administrative privileges would get a
strange error message at the top of the app homepage. “Client is not
authorized to perform the requested action”.
- Fixed a bug where very large groups files would get truncated to
10,000 rows when an admin user hit the homepage.
Version 3.4.4 (January 29th, 2015)
- Fixed a bug in the data health check detection, whereby the check for the
custom_index macro was not restricted to just the local search head.
- Packaged a “TA_cisco_cdr” app within the main app. This app is now the
recommended app to push out to indexing and forwarding tiers.
- App is now aware of the user’s geographical locale when rendering times and
dates. eg if you have “en-GB” in the locale portion of your URL, you will
get dates rendered as “dd/mm/yyyy” instead of “mm/dd/yyyy”.
- Fixed a bug introduced in 3.4.1 to the Concurrent Calls and Gateway
Utilization tool, where the granularity accidentally was lowered to Splunk’s
default granularity for timecharts.
- Edited the Data Input Setup flow so that it now also gives full setup
instructions for distributed deployments.
Version 3.4.3 (December 18th, 2014)
- Fixed a bug in the data input setup wizard where the custom_index macro
would get set to “index=”main” erroneously.
- Improved handling in the data input setup wizard if the end-user enters
the path with some slashes or backslashes that are not appropriate for
their platform, or if they leave a trailing slash on the directory.
Version 3.4.2 (December 15th, 2014)
- Fixed a bug where if you used them as filtering search terms, the
device_type, and *_device_type fields would not work reliably.
Version 3.4.1 (December 12th, 2014)
- Corrected a small but longstanding known error in the Concurrent Calls and
Gateway Utilization tool. where the concurrency displayed towards the
right side of the chart would be a small delta higher than the actual
- Added “device_type” as a field in the app, and also as a field in the
Concurrent Calls and Gateway Utilization tool.
- The interactive chart of calls over time shown on the Phone Number Detail
page is now split by type (ie outgoing / incoming / internal)
- Improved out of the box extractions for device types like uccx unity-vm.
- Added device_type as a field in the Browse Devices page.
Version 3.4 (November 24th, 2014)
- Built a new Data Input Wizard to both simplify the setup experience and
keep users away from the confusingly different admin sections in 6.2 vs
6.1 vs 6.0 vs 5.0 Splunk versions.
Version 3.3.2 (November 10th, 2014)
- Fixed a bug that affected both Browse Devices and Device Detail, where in
deployments with no unicodeLoginUserId values, key tables would be blank.
- Fixed a bug where in the Browse Calls page the from/to fields were sometimes
empty. This only affected version 3.3.1.
Version 3.3.1 (November 5th, 2014)
- Fixed the dependency error detection so that once again helpful errors are
displayed for instance if the Sideview Utils app is not installed.
- Fixed a bug introduced in 3.3 where in the Browse Calls page if you set the
“count only the” Pulldown to “all records”, it would only retrieve 10.
- Back by popular demand, Browse Calls now has a “cluster” pulldown again.
- Improved a number of cases where location fields weren’t being added.
- Fixed a bug in Browse Calls, where if terms in “other search terms”
applied to different call legs, those calls would not be returned.
- Fixed a bug introduced by Splunk 6.2 where the textfield in the app’s
Charting view was only a single line and could not be enlarged.
Version 3.3 (September 24th, 2014)
- In the “number” field in Browse Calls or General Report, you are no longer
limited to a single number or wildcarded prefix. You can now enter space-
or comma-separated numbers or extensions.
- Replaced the 2 release code description fields displayed in Browse Calls
with our single overall release code field.
- Optimizations to increase reporting speed if call types are selected.
- Call type element on Browse Calls is now a checkbox pulldown.
- Call Detail view now includes at the bottom the complete set of call quality
field values from the CMRs.
- Browse Calls now allows you to optionally see and search on location data
like city,state,country as well as call quality data.
- Cleaned up geolocated city names to be consistently title-cased.
- When clicking “see calls” from reports that use either location or call
quality fields, the relevant extra fields will be enabled in Browse Calls.
- When clicking from Browse Calls into Call Detail and then using the
breadcrumb link to return, now the user’s filtering selections are retained.
- If when a report loads, there are no matching calls at all, the fields and
charting pulldowns disappear and you get a message saying that no calls were
matched. Formerly the pulldowns would load in an unusable state.
Version 3.2.1 (July 31st, 2014)
- Interaction and usability improvements to the Device Detail page.
- Improved fields displayed by default on Call Detail page.
Version 3.2 (July 29th, 2014)
- Improved sample reports that ship for the call quality fields.
- Added first version of Browse Devices and Device Detail drilldown.
- Fixed a bug in the charting view where if a user saved a report here it
would not run correctly later when run from manager or from the app menu.
- country code, area code, exchange and geographical location now appear as
core fields in the reporting interface.
- Homepage fields and sample reports table rewritten to workaround rendering
problems seen on some customer installs.
- Ongoing improvements and additions to sample reports listed on home page.
Version 3.1.5 (April 2nd, 2014)
- Patched a problem in the underlying Splunk search language whereby certain
fields like ‘duration’ would sometimes disappear from the fields pulldowns
on Splunk 6.
- fixed our field seconds_until_answered so it can never come out negative.
- Found and fixed some mistakes in some of our sample reports.
- Added new fields cause and cause_description that will be whichever
of origCause and destCause is nonzero. Thus cause_description is the
overall termination error for the call, regardless of which side ended it.
- Added a “duration_in_minutes” field.
Version 3.1.4 (March 31st, 2014)
- Added a new setup page that talks about the need to create a script
that periodically deletes files older than 3 days from the monitored
- Added a check to the Data Health Checks page that looks for significant
- Fixed a regression in the Browse Phone Numbers page where numbers entered
into the “number” field would not filter the results.
Version 3.1.3 (March 20 2014)
- Fixed a bug whereby phones making outbound calls through sip
trunks would get misinterpreted as gateways.
- Fixed a recent bug where CMR fields had stopped appearing in
the list of fields in the Report Builder.
Version 3.1.2 (March 19 2014)
- Added call-type and gateway pulldowns to the Busy Hour Calculator
- Added a “per gateway” mode to the Busy Hour Calculator
- Renamed Gateway Utilization page to “Call Concurrency and Gateway
- Added a type pulldown to Gateway Utilization report thus allowing
the report to be run on any combination of incoming/outgoing/internal
or tandem calls.
- Added a multiselect pulldown to Gateway Utilization report allowing the
report to be run over specific gateways when relevant.
Version 3.1.1 (February 17 2014)
- Added a simple Busy Hour Calculator page where you specify a timerange
and it gives you the BHT in Erlangs.
- Improved design and behavior around the “See calls” link in reports.
- Fixed app icon display problems in Splunk 6
Version 3.1 (February 11, 2014)
- Added a concurrency reporting interface, that you can use to analyze
concurrent inbound calls and outbound calls split by gateway.
- Fixed a bug in the system that generates AutoHeader field extraction rules
where FIELDS and DELIMS keys would be outputted in lowercase.
- Fixed a bug in the homepage report gallery where complex reports whose
search language involved quote characters would not run properly.
- Added a new calculated field called “seconds_until_answered”. This field is
defined only for calls where call_answerable=1 and call_answered=1
- Added 2 new calculated fields hour_of_day and day_of_week.
- Fixed a bug where the selected cluster wasn’t passed if you drilled down
on a table row in the Report page.
- Added international country code, areacode, and exchange fields to the
Example Report table on the homepage.
- Added a “call type” pulldown to the browse and report pages that allows
you to easily restrict to just incoming/outgoing and internal calls.
- Added a “See calls” link to the report page that allows you to go from
filtering and reporting and drilling down in the Report page, to quickly
browsing and investigating the underlying space of calls.
Version 3.0 (November 8th 2013)
- Added a new view “Browse Phone Numbers”, by which you can browse phone
numbers of inbound callers as well as internal Extensions and DN’s.
- Added a new wizard and new sourcetype configurations to not only allow
out of the box indexing with Splunk forwarding and distributed search,
but to set indexing properties through a wizard UI.
- Added lots of error detection to streamline user experience around
- Added new fields to differentiate hardphones vs jabberphones vs softphones.
- Added new fields to differentiate video calls from audio calls.
- Added new field “type” to denote call type – incoming, outgoing, internal
- Added first version of scripted lookup to parse country code, area code
and geographic locales, along with US lookups to zipcodes and lat/long
Version 2.4.2 (July 26 2013)
- Fixed a bug in ‘browse gateways’ where the page was not incorporating any
terms the user might have typed into “misc search terms”
Version 2.4.1 (July 8 2013)
- Improved gateway field extractions to extract dest_gateway and orig_gateway
fields for non-MGCP gateways. Added new fields called dest_mgcp_gateway
and orig_mgcp_gateway that are only populated when appropriate.
- Added a new ‘gateway type’ Pulldown to the Browse Gateways page.
Version 2.4 (April 10 2013)
- changed required Splunk version to 5.0
- Updated report builder to use splunk’s new fieldsummary command, as this
very significantly improves performance in the reporting interface.
- Added new gallery table discussing each field in the CDR and CMR data
along with docs and example reports for each.
- reworked all varVQMetrics and gateway field extractions to happen
automatically so as to simplify the underlying search language.
Version 2.3.1 (March 26 2013)
- fixed a bug in the reporting interface where you could not search for
fields values in CDR or CMR and then report on fields from the other.
Version 2.3 (March 8 2013)
- added “get_gateway_fields” macro
- added Browse Gateways page
- added Gateway Detail page
- added MLQK and other advanced quality metrics as field options in reports.
- made MLQK and other advanced quality metrics available in call_detail view.
Version 2.2.2 (December 4 2012)
- Switched to Table module so as to allow hiding the clusterId/callManagerId/
CallID fields on all detail tables.
- Fixed a bug where the UI would sometimes ignore Extensions entered in forms.
- Added duration to the default field list on detail tables.
- Added ability to tab between table and chart and both in report view.
- Greatly improved the time to render the fields pulldowns in report view.
Version 2.2.1 (November 1 2012)
- Improved the initial install experience to transparently create the groups
and clusters lookup when they are initially absent.
Version 2.2 (October 30 2012)
- Completely reworked the setup flow and the installation process.
- Updated the app to workaround issues in Splunk 5.0 around saved search names
in “@go” URLs. This app now requires at least Sideview Utils 2.2.4.
See release notes for Sideview Utils 2.2.4.
Version 2.1.1 (September 28 2012)
- fixed a bug in the report view where if you used one of the IpAddr fields
as your x-axis but didn’t use one as your split-by, you’d get an error.
- improved the report view so that changing charting properties doesn’t rerun
your entire report.
- Fixed ‘Call Detail’ and ‘Phone Number Detail’ views so that if users happen
to go to them directly from the menu, there is a message prompting them to
enter a CallID or Extension as appropriate.
- added print button to the browse sessions view.
- improved print output (only if you’re on Sideview Utils 2.0.10 and up).
- removed ‘globalCallID_CallID’ from the field list because more often than
not the reports around it are confusing, and the default ‘CallID’ field is
a better field to use anyway.
- fixed a bug in the automatic error-detection that was detecting
misconfigured field extractions. (The logic was right, but the link it
gave you to export the csv was slightly wrong.)
- added ‘see search syntax’ links to the browse view.
- Updated some Pulldown params that were using older legacy param names.
- Added new export, print, info functionality to browse and report views.
- added better ‘save search’ functionality to browse and report views.
- added ‘create dashboard’ and ‘create alert’ functionality to report view.
- User interface improvements to the chart view.
- Reorganized saved report and saved dashboard menus.
- Removed the ‘contact us’ form.
- Improved drilldown behavior in the Report Builder.
- fixed a bug where the originalCalledPartyNumber(s) did not display correctly
on the call_detail page.
- fixed a bug where the other calls to/from the recipients would not always
- Added a ‘sort by’ field to the report interface. It shows up only when
you’re running a non-timechart report with no split-by.
- Fixed a bug in the charting view where the chart would always be visible.
- Changed the MLQK example links from the homepage to go to the charting
view to be less confusing.
- added the save/play/pause/finalize controls to the charting view.
Version 2.0 (May 02, 2012)
- fixed a bug in some views where if you used the form fields to filter by
Extension, the filter would not be applied properly.
- Fixed a bug where from the ‘browse’ view you had a menu option to save the
current report, but it didn’t work properly.
- General improvements to pivoting and redirecting cleanup of the code now
that we have Sideview Utils 2.0 underneath.
- Fixed a bug in the ip address conversion where IP’s whose last quad was less
than 10 didn’t get converted properly.
- interaction improvements to all views.
Version 1.2.2 (Feb 17, 2012)
- Had to fix a mistake in how the setup screens redirected you through the flow.
Version 1.2.1 (Feb 15, 2012)
- The installation docs have been completely rewritten, *very* significantly
expanded, and mostly moved to our website. See for yourself at
https://sideviewapps.com/apps/splunk-for-cisco-cdr/docs/ While the in-app
documentation has also been completely updated, it largely directs the
user to the website documentation.
Version 1.2 (Feb 02, 2012)
- significant changes and rewrites to fix bugs and issues with Splunk 4.3.
- significant changes and rewrites based on more search language performance
testing at high data volumes.
- lots of improvements and minor bugfixes to the custom reporting view.
- new simpler more usable homepage
- customers can now specify a custom index during app setup.
- fixed various bugs in the call_detail view, in cases where there was more
than one finalCalledPartyNumber
- fixed a bug where you couldn’t actually run any reports if clusterId or
callManagerId was specified as a field.
- added a cluster lookup, related wizard page to regenerate it from indexed
data, and filtering pulldowns in Browse and Report views
- Fixed a bug where the automatic redirect to the qos threshold page wouldn’t
- Added a JobStatus module to both Browse and Report views, so customers can
now pause and cancel searches inline.
- Added save controls to the Browse page, so it effectively becomes a “simple
call report”, operating on just the CDR data.
Version 1.1 (Jan 27, 2012)
- major rewrite of browse and report views, including major changes to search
language used in macros. These changes were to workaround serious performance
problems seen in larger data sets. – added a ‘call legs’ section to the
call_detail view. – fixed a bug where the app would not warn the user
correctly when the Sideview Utils app was not installed – fixed a bug around
IP address conversions. – numerous other small fixes and improvements.
Version 1.0.9 (Nov 30, 2011)
- Added functionality around a lookup that adds group names and user names into
the records. Incorporated guided setup around this feature into the existing
setup wizard. Note that this can also be used to generate reports about *all*
Extensions regardless of activity. I only added a hint about this to the app
itself, but once you get the hang of it it’s quite straightforward.
Version 1.0.8 (Oct 25, 2011)
- CallManager CDR and CMR data has several fields which are IP Address values,
however it encodes these values as integers. The app now has functionality to
automatically convert the integers back into IP Addresses. Specifically, when
you use any of the ip address fields in reports, as either the ‘split-by’
field or as the x-axis field, it will correctly display the values as IP
addresses. Also on the call_detail view, when those fields are displayed in
the rightmost panel they will appear as IP addresses now.
Version 1.0.7 (Oct 20, 2011)
- added a new lookup for video codec types,
- fixed a bug in “browse” and “report” views where the search filter would not
filter overall calls, but individual CDR and CMR rows. The filtered results
will make a lot more sense now to end-users.
- added a new field called ‘call_connected’, which is True or False or null.
The value is derived by looking at the overall call release cause codes.
(null represents records where no call was attempted)
- made a new field called callID that is the callID plus the callManagerId,
separated by a “.”
- the report view’s main reporting pulldown now defaults to ‘distinct calls’
instead of dumping the user at ‘distinct count of authorizationLevel’ and
hoping they figure it out.
- The flow around the contact form has been slightly improved.
- added back-button and forward-button support to the “browse” view.
- re-running guided setup will no longer force you to contact sideview a second time.
- Upped required version of Sideview Utils to pick up other bugfixes.
Version 1.0.6 (Sep 28, 2011)
- The app now includes a view for Quality of Service reporting, and the app
has a setup screen offering configurable thresholds for QoS by
numberOfPacketsLost, jitter and latency. Also the functionality whereby the
appname and app version was sent to sideviewapps.com has been completely
removed in this version. Instead during the initial app setup screens you
are asked to send us your name and a brief note.
Version 1.0.5 (Sep 19, 2011)
- Fixed a problem where the reports could be misleading when you imported data
from more than one CallManager
- Added initial version of a scripted lookup that will enable new
Quality-of-service reporting features. (docs and user interface will come
soon. Email me if you want to try it out now)
- Rewrote and reworked the guided setup copy.
Version 1.0.4 (Sep 02, 2011)
- fixed a bug on call_detail where as soon as you drilled down to any other
call you’d only see results from a single second. The call_detail view is
much more usable and interesting now.
- Added ‘see search syntax’ links in various places so customers can see
how the real searches work.
- Made those links take you to a new custom view that is a little more
comfortable than splunk’s normal ‘advanced charting view’.
- added lookups for call release cause codes, as well as redirect reason codes.
Now those descriptions are automatically created as fields for each call.
- Fixed a bug where changing some TimeRangePickers would not do anything.
- Improved the error detection to not flag configurations where trivial
off-hook calls generate CDR’s.