AVAYA CDR analyses with ELK

Elastic Stack Logstash
1

Hi,

I've setup log stash to receive CDR from a avaya pabx.

Iv'e used the filter bellow:
filter {
if [type] == "cdr" {
csv {
separator => ","
columns => [
"call Start", "Connected Time", "Ring Time", "Caller", "Direction", "Called Number", "Dialed Number", "Account", "Is Internal", "Call ID", "Continuation", "Party1device", "Party1Name", "Party2Device", "Party2Name", "Hold Time", "Park Time", "AuthValid", "AuthCode", "User Charged", "Call Charge", "Currency", "Amount at last User Change", "Call Units", "Units at Last User change", "Cost per Units", "Mark up", "External Targeting Cause", "External targeter ID", "External Targeted Number"
]
}
}
}

Everything looks good, but i have some "issue".
For example, i would like to have a graph with call duration, but the graph don't looks correct.
do i have to convert the duration to a specific format ? integer or?

I have another issue, the ring_Time is a value in second, but using a mean don't show the average ring time.

As i'm not programmer, any help would be appreciate.

Thx

2

Numerical fields should be integers or floats rather than strings. You can use the mutate filter for that conversion:

filter {
  mutate {
    convert => {
      "Connected Time" => "integer"
      "Ring Time" => "integer"
    }
  }
}

Once that change has been made, subsequent messages will have the correct data type of those fields. However, the mapping for the current index can't be changed and in practice you won't see the change until a new index is created.

3

Will try this

If i hunderstanc correctly, by default CSV are string ? Right ?

Thnks for you quick answer

4

I'v just try but connected time was hh:mm:ss is now 0

5

If i hunderstanc correctly, by default CSV are string ? Right ?

Yes.

I'v just try but connected time was hh:mm:ss is now 0

Oh, I assumed that the columns actually contained numbers. An hh:mm:ss string needs to be converted to seconds to be useful in Kibana. I think you'll have to use the ruby filter to write a small snippet of Ruby to perform that conversion.

6

I think i get it with the code bellow:

ruby { code => "event['Connected_Time'] = event['Connected_Time'] ? event['Connected_Time'].split(':').inject(0){|a, m| a = a * 60 + m.to_i} : 0" }

i've set it to integer also after the ruby code.

but a query in kiban for "Connected_Time":0 should show me all missed call return nothing .

7

I tried that filter with a plain stdout output and it looks good. Have you tried isolating things by ignoring ES and Kibana and just making sure that things look good with the stdout output?

8

i'm sorry, you already lose me :smile:

in kibana value looks to be good i a use a Connected_Time:* ( firts line 0, second 181, tird: 45

2015-09-16T12:20:08.206+02:00 I E208 Karl T9017 Line 17.3 1528449 2015/09/16 ... 208 0 3210756008 0 0 0 5
2015-09-16T12:21:31.137+02:00 I E223 Jordan T9017 Line 17.1 1528374 2015/09/16 ... 223 181 3210756023 0 0 0 3
2015-09-16T14:18:47.641+02:00 I E218 Malika T9017 Line 17.1 1533429 2015/09/16 ... 223 45 3210756023

but a query to Connected_Time:0 return nothing.

What do you mean by can you exlain me a little more ?

9

i've modify the ruby code like this, so it created a new row "duration". not sure it's the right way to do it

And now i can filter on duration:0 :s

code => "event['Duration'] = event['Connected_Time'] ? event['Connected_Time'].split(':').inject(0){|a, m| a = a * 60 + m.to_i} : 0" }

10

Hi,

Every thinks lloks to work fine. Ithink that i had a issue with some fielsds, but copy it to another field with ruby looks to do the trick.

I have another question, i saw a geoip map.

Any idea if we can apply that kind of map to phone numbers to now which country is the most called or calee?