
Today, email and phone calls are the primary means of communication in a business environment. Each message or call can potentially bring the company revenue, and a single employee can write several hundred messages a day or make about a hundred calls. In this article we explain how, using Splunk, you can analyze the logs of Microsoft Exchange Server and Cisco Call Manager, and why this is useful.
Do you need to analyze communications data?
Definitely! Analysis of mail and telephony makes it possible to:
- monitor external and internal messages and calls, and analyze how employees and departments interact with counterparties;
- identify relationships between internal units and compare the nature of their activities;
- analyze employee performance: the structure and intensity of communications and the share of unanswered calls, which can help increase the company's sales and income;
- monitor messages sent to personal mailboxes in order to prevent information leakage;
- control the cost of calls per employee, per department and for the company as a whole;
- monitor work on a particular topic: call forwarding, speed of replies, and so on.
Implementation
In this article we will not describe how to load data into Splunk or how to parse the logs; if that interests you, you can write to us. Here we show the most interesting analytics visualizations and a couple of example queries for the Cisco and MS Exchange logs.
Analytics of mail correspondence across the entire organization
On this dashboard you can see analytics of correspondence with counterparties over time, how many people are involved on the counterparty's side and on the organization's side, and whether a key counterparty relationship depends on a single employee.
Analytics of mail correspondence for a department
On this dashboard you can find out whom the employees of a given department interact with and how they work: how often communication takes place, on which topics, and so on.
Department comparison


These figures show fragments of a dashboard where you can compare the intensity of calls and messages across departments, how hard it is to reach them by phone, per-employee counts, the distribution of messages among counterparties and other indicators.
Employee comparison


On this dashboard the user sees which employees have more incoming and outgoing calls and messages, how much their calls cost the organization, who communicates more with colleagues and who with counterparties, and who is harder to reach by phone.
Correspondence
This dashboard reflects information about work on a particular topic: you can see who is corresponding on it, how it is forwarded and how quickly replies come.
Some more interesting statistics
Statistics on who corresponds after working hours.

Characteristics of outgoing calls, to determine how many calls are made to mobile numbers within Russia or abroad.

Of course, the mail server and telephony logs alone are not enough to obtain the full range of analytics, so reference data (lookup tables) was added to the solution to enrich the events.
Queries
Let us look at a few of the queries that were used for the charts shown above.
MS Exchange
This query counts deduplicated messages sent by department "X" to each external recipient domain, dropping folder-synchronization noise, the organization's own domain (masked here as xxxxxx) and messages flagged by the enrichment fields as personal or automatic mail:
index="msexchange" tag=email subject!="Folder Content" recipient_domain!=*xxxxxx* NOT PersonalMail=1 NOT AutoMail=1 DepartmentSender="X"
| dedup message_id recipients
| chart count over DepartmentSender by recipient_domain usenull=false useother=f
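To make the filtering and deduplication behind that chart concrete, here is an added Python example (not code from the article) that applies the same steps to a handful of constructed message-tracking records. The internal domain, the list of webmail domains used to derive PersonalMail, the sample events and all function names are assumptions of this example; it also adds the per-department count of messages to personal mailboxes that the article names as a leak-monitoring use case.

```python
from collections import Counter

# Constructed sample records shaped like parsed Exchange message-tracking
# events; field names follow the query on the page, the values are invented.
INTERNAL_DOMAIN = "corp.example"   # assumption: the domain masked as *xxxxxx* in the query
PERSONAL_DOMAINS = {"gmail.com", "mail.ru", "yandex.ru"}  # assumption: how PersonalMail is derived

EVENTS = [
    {"message_id": "<m1@corp.example>", "DepartmentSender": "Sales", "subject": "Quote 17",
     "recipients": ["buyer@acme.test", "cc@acme.test"], "AutoMail": 0},
    {"message_id": "<m1@corp.example>", "DepartmentSender": "Sales", "subject": "Quote 17",
     "recipients": ["buyer@acme.test"], "AutoMail": 0},            # same message logged twice
    {"message_id": "<m2@corp.example>", "DepartmentSender": "Sales", "subject": "Folder Content",
     "recipients": ["buyer@acme.test"], "AutoMail": 0},            # folder-sync noise
    {"message_id": "<m3@corp.example>", "DepartmentSender": "Sales", "subject": "Re: meeting",
     "recipients": ["colleague@corp.example"], "AutoMail": 0},     # internal recipient
    {"message_id": "<m4@corp.example>", "DepartmentSender": "Sales", "subject": "price list",
     "recipients": ["me@gmail.com"], "AutoMail": 0},               # personal mailbox
    {"message_id": "<m5@corp.example>", "DepartmentSender": "Sales", "subject": "Out of office",
     "recipients": ["buyer@globex.test"], "AutoMail": 1},           # automatic reply
    {"message_id": "<m6@corp.example>", "DepartmentSender": "Support", "subject": "Ticket 9",
     "recipients": ["it@globex.test", "ops@globex.test"], "AutoMail": 0},
]


def recipient_domain(address):
    """Domain part of an address, lower-cased (the recipient_domain field)."""
    return address.rsplit("@", 1)[-1].lower()


def per_recipient_rows(events):
    """One row per (message, recipient), like Exchange's per-recipient tracking lines."""
    for e in events:
        for r in e["recipients"]:
            d = recipient_domain(r)
            yield {"message_id": e["message_id"], "DepartmentSender": e["DepartmentSender"],
                   "subject": e["subject"], "recipient": r, "recipient_domain": d,
                   "AutoMail": e["AutoMail"], "PersonalMail": int(d in PERSONAL_DOMAINS)}


def dedup(rows):
    """`dedup message_id recipients`: keep the first row for each (message_id, recipient)."""
    seen, out = set(), []
    for row in rows:
        key = (row["message_id"], row["recipient"])
        if key not in seen:
            seen.add(key)
            out.append(row)
    return out


def counterparty_chart(events, department):
    """Rebuild the chart: deduplicated messages from `department` per external counterparty domain."""
    rows = [r for r in dedup(per_recipient_rows(events))
            if r["DepartmentSender"] == department
            and r["subject"] != "Folder Content"            # subject!="Folder Content"
            and r["recipient_domain"] != INTERNAL_DOMAIN    # recipient_domain!=*xxxxxx*
            and not r["PersonalMail"]                       # NOT PersonalMail=1
            and not r["AutoMail"]]                          # NOT AutoMail=1
    return dict(Counter(r["recipient_domain"] for r in rows))


def personal_mail_by_department(events):
    """The leak-monitoring view from the article: messages to personal mailboxes per department."""
    rows = [r for r in dedup(per_recipient_rows(events))
            if r["PersonalMail"] and not r["AutoMail"]]
    return dict(Counter(r["DepartmentSender"] for r in rows))


if __name__ == "__main__":
    print(counterparty_chart(EVENTS, "Sales"))       # {'acme.test': 2}
    print(counterparty_chart(EVENTS, "Support"))     # {'globex.test': 2}
    print(personal_mail_by_department(EVENTS))       # {'Sales': 1}
```

Deduplicating on (message_id, recipient) before counting matters: Exchange writes several tracking events per message (submit, deliver, send), so counting raw events would inflate the counterparty figures and make the personal-mail count misleading.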

Cisco CDR
This query starts from the phone-to-department lookup, takes the extensions of department "X", and joins three aggregations from the CDR index onto them: the number of outgoing calls per extension (colorig), the number of incoming calls (coldest), and the share of incoming attempts that were not answered (a record with zero duration and an origCause_value other than 393216). The two call-outcome labels in the eval and the display names in the final rename were lost in translation; English placeholders are used here.
| inputlookup phone_department.csv
| where unit = "X"
| table ext
| join ext type=left
    [search index=cdr3 sourcetype=csv Department="X"
     | fields + _time, callingPartyNumber, OrigName
     | stats count AS colorig by callingPartyNumber, OrigName
     | rename callingPartyNumber AS ext, OrigName AS Name]
| join ext type=left
    [search index=cdr3 sourcetype=csv DepartmentDest="X"
     | fields + _time, originalCalledPartyNumber, DestName
     | stats count AS coldest by originalCalledPartyNumber, DestName
     | rename originalCalledPartyNumber AS ext, DestName AS Name]
| join ext type=left
    [search index=cdr3 DepartmentDest="X"
     | fields + _time, DepartmentDest, duration, origCause_value, originalCalledPartyNumber
     | eval type = if(duration=0 AND origCause_value!=393216, "unanswered", "answered")
     | top type by originalCalledPartyNumber
     | search type="unanswered"
     | table originalCalledPartyNumber, percent
     | rename originalCalledPartyNumber AS ext]
| fillnull value=0 colorig coldest
| table ext, Name, colorig, coldest, percent
| sort -colorig, -coldest
| rename ext AS "Extension", Name AS "Employee", colorig AS "Outgoing calls", coldest AS "Incoming calls", percent AS "Unanswered, %"
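The same table can be built outside Splunk, which is a convenient way to check what the joins and the `top` percentage actually compute. The following Python is an added example, not code from the article: the lookup contents, the CDR rows, the cause codes other than 393216 and the function names are constructed for this illustration, and the only rule taken from the page is that a zero-duration record whose origCause_value is not 393216 counts as an unanswered attempt.

```python
# Constructed stand-in for the phone_department.csv lookup (assumed columns: ext, unit, Name).
LOOKUP = {
    "1001": {"unit": "Sales",   "Name": "Ivanov"},
    "1002": {"unit": "Sales",   "Name": "Petrova"},
    "2001": {"unit": "Support", "Name": "Sidorov"},
}

# Constructed CDR rows using the CUCM field names from the query; values are invented.
# 393216 is the origCause_value the page's query excludes when counting failed attempts.
CALL_SPLIT = 393216
CDR = [
    {"callingPartyNumber": "1001",    "originalCalledPartyNumber": "5550100", "duration": 120, "origCause_value": 16},
    {"callingPartyNumber": "1001",    "originalCalledPartyNumber": "2001",    "duration": 30,  "origCause_value": 16},
    {"callingPartyNumber": "5550100", "originalCalledPartyNumber": "1001",    "duration": 0,   "origCause_value": 17},          # not reached
    {"callingPartyNumber": "5550100", "originalCalledPartyNumber": "1001",    "duration": 0,   "origCause_value": CALL_SPLIT},  # excluded by the eval
    {"callingPartyNumber": "2001",    "originalCalledPartyNumber": "1001",    "duration": 45,  "origCause_value": 16},
    {"callingPartyNumber": "1002",    "originalCalledPartyNumber": "5550100", "duration": 0,   "origCause_value": 19},
    {"callingPartyNumber": "5550100", "originalCalledPartyNumber": "1002",    "duration": 60,  "origCause_value": 16},
]


def is_unanswered(rec):
    """The eval from the query: duration 0 with a cause other than 393216 is a failed attempt."""
    return rec["duration"] == 0 and rec["origCause_value"] != CALL_SPLIT


def department_call_table(cdr, lookup, unit):
    """Build the per-extension table the query produces for department `unit`."""
    table = []
    for ext, info in lookup.items():          # | inputlookup ... | where unit="X" | table ext
        if info["unit"] != unit:
            continue
        outgoing = [r for r in cdr if r["callingPartyNumber"] == ext]         # colorig subsearch
        incoming = [r for r in cdr if r["originalCalledPartyNumber"] == ext]  # coldest subsearch
        failed = sum(1 for r in incoming if is_unanswered(r))
        # `top type by originalCalledPartyNumber` yields the share of an extension's incoming
        # attempts that were unanswered; the query leaves the cell empty when there were
        # none, here it is reported as 0.0.
        percent = round(100.0 * failed / len(incoming), 2) if incoming else 0.0
        table.append({"ext": ext, "Name": info["Name"], "colorig": len(outgoing),
                      "coldest": len(incoming), "percent": percent})
    table.sort(key=lambda row: (-row["colorig"], -row["coldest"]))         # | sort -colorig -coldest
    return table


if __name__ == "__main__":
    for row in department_call_table(CDR, LOOKUP, "Sales"):
        print(row)
    # {'ext': '1001', 'Name': 'Ivanov', 'colorig': 2, 'coldest': 3, 'percent': 33.33}
    # {'ext': '1002', 'Name': 'Petrova', 'colorig': 1, 'coldest': 1, 'percent': 0.0}
```

Note that the percentage is taken over all incoming attempts to the extension, including the 393216 records that the eval does not count as failures, which is exactly what `top` does in the query; if those records should be excluded from the denominator as well, they have to be filtered before the `top`.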

Conclusion
In this article we showed how Splunk can be used to analyze MS Exchange and Cisco CM data. The solution can be deepened and expanded depending on the customer's needs.
We are happy to answer all your questions and comments on this topic. If you are interested in something specific in this area, or in the field of machine data analysis in general, we are ready to adapt the existing solutions to your particular task. To do so, write about it in the comments or simply send us a request through the form on our website.
PS
On June 28, 2018, the "Splunk Getting Started" course will be taught in Moscow, where in 6 hours participants will receive a theoretical base and practical skills for working in Splunk. Learn more about the course and register at this link.