Hi. I’m Nick at Sideview and this is the Getting Started Tutorial for Sideview’s Splunk app, “Cisco CDR Reporting and Analytics”.
Let’s jump right in and assume you know something about the app already. You may have even downloaded the free 90-day trial and spent 15 or so minutes setting it up and installing it and everything.
At a high level, there are two main sides to the app: the “Browse” side, and the “Report” side.
Under Browse the main page is “Browse calls” and under “Report” the main page is called “General Report”.
Bear in mind that under both sides you can definitely create things that look like “reports”, and things that look like “dashboards”, so the difference is maybe more subtle than it sounds. This video is going to stick to that distinction between Browse and Report and talk about these two pages since they’re really the core of this app.
So let’s leave the homepage for now and go right to “Browse > Calls”.
You’ll see a lot of form fields up at the top, but let’s ignore these for now. By default, this is just showing us the most recent calls that have been terminated. The table is showing a few columns by default. Let’s add a couple more columns and maybe take away these gateway columns. To do that, we click the “Edit Fields” button over on the right.
CallManager has a huge number of fields in the CDR and the CMR, and the app adds even more, bringing the total number up to about 200. This is one of the things that makes CallManager CDR so much fun.
You can scroll the left panel up and down here, and you can see I’m not kidding. There’s quite a lot.
You can hunt in here for the fields you want, but I’m going to use a trick and actually type in the first few letters of the fields I’m looking for.
By the way, there’s a big table on the homepage of all the fields. You may have noticed that, and if you’re browsing for a field in a particular area but don’t remember the exact name, you can find it there.
I know I’m looking for the MOS score, which here is called MLQK in CallManager CDR. And also, I’m going to get the quality field, which is a field the app adds that rolls up jitter, packet loss, and latency. I’m also going to grab the “to” field which is a roll-up of all the location information we can grab, either by parsing the DN to get things like area code or by looking up the IP address in our site’s lookup. And I’m also going to grab one more thing, callingPartyAreaCode.
You can see if I just type in “callingParty”, even for that one prefix there are quite a lot of different fields.
You can also remove fields from the right-hand side by clicking on them. I’m going to click these gateway fields and make them go away.
Last but not least, you can actually reorder the fields. I’m going to drag the callingPartyAreaCode field up to put it just under callingPartyNumber.
OK. Click the green “Save” button to apply our changes.
OK. Ignore the fact for now that MLQK seems to be blank for some of my calls. It’s not blank for all of them. This is actually an idiosyncrasy of our test data.
So now let’s look at the text boxes and pulldowns up top. Let’s enter an extension into the “number/ext.” text field. I’m actually going to enter a wildcarded number here. Let’s also enter a second wildcarded number. You can enter any number of numbers or extensions here, comma-separated, wildcarded or not.
And I’m going to change the “call types” pulldown to show just incoming calls.
I’m going to put “MLQK>0” here. This will narrow this down to calls that have some quality information, and that have a MOS score greater than zero.
Just a note. When you’re using the product and you have a point like this where you’ve entered a few filtering arguments, you may actually get zero calls shown. Or at any rate, fewer calls than you think should be shown. If that ever happens, note that this pulldown here is by default set to “count only the 1000 most recent matching records”. To make a long story short, sometimes combinations of filtering here require you to jump this up to “all records.” Notice also that this header here is saying “at least 135 calls”, which is sort of strange. That’s coupled together. If I were to set this to “all records,” it would get us a definitive number.
Try not to worry too much about getting definitive numbers here, because it makes this interface very slow, and that’s not really what this interface is for. That’s more what the general report interface is for, you know, getting definitive, hard, pretty charts.
OK, let’s click one of these calls just by clicking the row. You can see they highlight when I mouse over them. So let’s take this one, with the transfer.
This takes me to the Call Detail page. Note that the Call Detail page itself has two field pickers that you can play with if you want to see different fields. This field picker here controls these 8 fields. Very quickly, I’ll just throw some completely random fields in here.
You can see if you have more than 10 pages then. This can be useful. You can tweak this if you’re doing a particular kind of call investigation or if you’re interested in a particular subset of fields on a particular day or week.
Likewise, this other field picker controls the columns that are displayed for these raw call legs.
Note that a lot of these things are links. You may have noticed earlier that under Browse, there are a lot of other things you can browse: devices, phone numbers, gateways, sites. For each one of these, there is a corresponding Detail view. So you can sort of imagine that if I click this it’s going to take us to Device Detail, as I’m mousing over these Originating Device, Destination Device links. Likewise, over here on these DN’s, this is going to take us to Phone Number detail.
Anyway, there’s other information on Call Detail. Other calls to and from the calling parties, other calls to and from the called parties. You can click these and thus sort of walk the network of calls if you’re doing extended troubleshooting.
And last but not least, at the bottom, all call quality information that we have is dumped out into this table here.
Note that in these “Detail” pages there’s always a breadcrumb in the top left. You can of course jump back to “Browse Calls” using the main navigation bar, and that’s how we got to it in the first place, but if you use that breadcrumb link to get back, it’s going to actually preserve those filtering arguments we were just using and that’s a very good thing.
So let’s click the “Browse” link in the breadcrumb now.
Note that all our pulldowns are set the way we had them.
OK. That was a quick tour of the “Browse” side. Let’s check out the reporting side. To get to the reporting side, you actually should almost never just click “General Report” here in the nav. The easiest way to get there is to click this hidden little blue link called “graph calls over time.”
This is going to essentially kick us sideways over from Browse Calls and into Report. But it’s going to preserve all these arguments that we were using. It’ll preserve our time range, whatever we were doing, it doesn’t matter.
What we’re looking at here is basically, it has given us a column chart of call counts over time for those same calls that we were just looking at.
Now there are even more form fields up top, but notice that the top half of those fields are the same fields we were just looking at in Browse Calls. And note that all the filtering values came across with us.
Now look below at the second half of the form elements. This is sort of talking in the English language about what we’re charting. It says to “chart the distinct count of calls over time”, split by, and then it says “none”.
We can change these to anything we want! And that’s sort of the beauty and the terror of the General Report interface because what do I want to change them to? I don’t know. It takes a while to get sort of comfortable in here.
Let’s first change it to something easy. Let’s change it from “chart the distinct count of calls over time” to “sum duration over time.”
You can see here in this first pulldown I have sum, average, max, min, and 95th percentile. Let’s change it to sum. The app is somewhat smart, so it knows that I couldn’t sum the thing that was selected before, so it changed me over to duration. You can see it has actually grayed out the fields that it knows cannot be “summed,” and it has left only the things that are numeric.
Duration is actually the thing I wanted to do. Note there’s another field called “duration_in_minutes,” but the main duration field is in seconds.
Let’s change the “split by” pulldown from saying “none” to saying “callingPartyCity”.
These pulldowns contain a huge number of fields by the way, so much like I used a shortcut in the field pickers, note that I can open the pulldown and then just type the first few characters and it’ll jump to the right value.
Let’s also change the “Stack mode” pulldown just above the chart, to say “Stacked”. That’s stacked, that’s unstacked.
So this is showing us the same total call minutes report over time, split by the city that the call is coming in from.
Now let’s talk about saving and creating reports and dashboards. You may have noticed these Save and Create buttons. There’s a pair of them over in the Browse side and a pair of them here.
Let’s click the big green “Create” button and we’ll do “Create Dashboard Panel”. We have to give 3 things a name – the “Search”, the “Dashboard,” and also the “Dashboard Panel.”
And that’s the minimum. I’ll leave these at their defaults, to share with all other users. You can change these and tweak this to share the dashboard with only certain subsets of users, but that’s an advanced topic.
I can also add this panel to an existing dashboard and not create a new dashboard.
You can run it as a scheduled search, and I’d have a few more things to do, but I’m not going to do that.
So now we have created a dashboard! Tada!
You can see that there’s a bit of an idiosyncrasy, a bug, a problem, a mistake where it turns off our stack mode. So you have to know this little trick. You have to click this little paintbrush icon and come in here and re-click “stack mode.” A couple other things are like that, so you just sort of have to learn the Splunk dashboard editor system here, as well as our report builder. You can add a second, or third dashboard panel, etc. You can drag it around. There’s nowhere else to put it now because there’s only one panel here, but you get the idea. So I’m going to go back and, we did it.
OK. Let’s play with this report a little more. Now that we’ve saved it and shared it and done something cool with it. As you can see, we can mouse over the cities in the chart legend. Let’s actually click one. I’m going to click “Toronto.” We can click one of these bars here, and it would zoom into that particular time and to the Toronto calls, or I can click the legend item and it’s just going to narrow down to the Toronto part.
When you click anything in this interface, it’s going to do what it did here. It’s going to keep you on the reporting page. It’s going to figure out what combination of arguments it needs to add to what combination of fields, and then it’s going to dump you back in to figure out how to adjust the filtering to zoom in on those calls, and then give you that call volume report for those calls. This is a little confusing the first time you do it, but after a while, you realize it’s helping you keep on doing this. You can keep on carving up this data and slicing things and drilling down.
Last but not least, we’re going to flip this back from Report back over to the “Browse” side. Remember we got from Browse over to report by clicking a link here that said, “graph calls over time.” Now that we’re on the reporting side, that same position has another link that says, “see calls”. This in turn is your little escape hatch to switch sideways back over to browse calls, and it’s going to preserve all those arguments you picked up in the top half. So while we were here, we picked up this callingPartyCity="Toronto" term. So I click “See calls.”
This is what I was saying before – you’re really free to flip back and forth, doing kind of ad hoc call investigations or simple call reports in Browse, and doing high-level utilization reports or sanity checks over on the reporting side. You can flip back and forth between these two modes very easily and in fact, that’s really a very powerful way to use the app.
So if you see something that doesn’t make sense, and you’re not sure if it’s really in the data or if it’s something you don’t understand about the fields, click it! Drill in, and figure out what it is. This is a tool you really drive forward.
That’s it for getting started. There’s lots of stuff we did NOT get to, like how to set up call reports for inbound/outbound calls for different departments, for office locations, etc.; how to troubleshoot and report on complex call flow issues and transfer issues; how to get the app to recognize your office locations and report on those; how to run reports and alerts on 911 calls; charting and analyzing call concurrency, gateway utilization and circuit usage; site to site concurrency for internal calls, busy hour calculations, erlangs, intraday usage patterns, international calls, it just goes on and on.
This is a very “long tail” product, and we fill the gaps by being able to do really almost any report you can imagine, that another call accounting package might not have thought of ahead of time.
I hope you’ve enjoyed this, and please watch our other videos! Have a nice day.