Hey,
I am trying to figure out whether it is possible to have Splunk build a result for my particular needs:
I have 2 different log types. In the first one I find an ANI=1234@; with that specific phone number I can find in the second log a new call-ref-id in a form like "call ref=[f13409]".
What I want is to input the phone number into the search, have Splunk search for it and give an output with combined information from both logs. So it has to find the matching call ref at nearly the same timestamp and then show me all information from both logs.
Might this be possible?
I hope I have made it clear enough.
I imagine you could achieve what you want if you have your field extractions set up so that there is a common name for the fields containing the telephone number. So let's say you've called this field "telephone_number" and that the call-ref field is called "call_ref". In that case something like this should work:
telephone_number=<yoursearch> | stats list(call_ref) by telephone_number
This gives you a list of all values of call_ref linked to a specific telephone number.
I have built a field extraction called "metrics_ani" which extracts the number.
But in my second log, this phone number is used without its leading 0 (German dial-out).
Furthermore, it is not used in the same surroundings as in my first log.
First log (metrics_ani)
[ANI: sip:number@..
metrics_ani extracts the number here correctly.
Is it now possible to transform that number pattern to delete the leading 0 and pass it to stats list(call_ref) by metrics_ani=
There are a number of ways to do this, but the easiest thing would be to create a field extraction that omits the leading 0. If you search for metrics_ani=
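The stats approach from the first answer combined with the leading-0 normalisation, as an added example that is not from the original thread. It builds three constructed sample events with makeresults so it runs on any Splunk instance without data; the sourcetype names sip_log and pbx_log, the second log's "dial-out number=" wording and the field name dialout_number, the rex patterns and the timestamps are all assumptions (the thread only shows "[ANI: sip:number@" and "call ref=[...]"). On real data, replace the makeresults lines with a search such as sourcetype=sip_log OR sourcetype=pbx_log and drop the rex for metrics_ani, since that extraction already exists.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=1700000000 + case(n==1, 0, n==2, 3, n==3, 120)
| eval sourcetype=case(n==1, "sip_log", n==2, "pbx_log", n==3, "pbx_log")
| eval _raw=case(n==1, "[ANI: sip:01234567@pbx.example.net] INVITE from trunk 2",
                 n==2, "dial-out number=1234567 call ref=[f13409] trunk=2",
                 n==3, "dial-out number=1234567 call ref=[a1b2c3] trunk=2")
| rex field=_raw "\[ANI:\s*sip:(?<metrics_ani>\d+)@"
| rex field=_raw "dial-out number=(?<dialout_number>\d+)"
| rex field=_raw "call ref=\[(?<call_ref>[0-9a-f]+)\]"
| eval ani_norm=replace(coalesce(metrics_ani, dialout_number), "^0", "")
| where ani_norm=replace("01234567", "^0", "")
| bin _time span=1m
| stats values(sourcetype) AS sources list(call_ref) AS call_refs values(_raw) AS events by _time ani_norm
| where mvcount(sources) > 1
| table _time ani_norm sources call_refs events
```

The eval line is the "common field name" the first answer asked for: coalesce picks whichever number field the event carries, and replace strips one leading 0 so the SIP-side 01234567 and the dial-out-side 1234567 become the same key; the same replace is applied to the typed-in number, so the user may enter it with or without the 0. Because a number dials out repeatedly, a plain stats by ani_norm would merge every call ever made from it, so bin _time groups the events into one-minute buckets and the final where keeps only buckets that contain both log types. With the constructed data this leaves one row (the SIP event plus call ref f13409), while the call two minutes later with ref a1b2c3 is dropped because no SIP event accompanies it. The weakness of fixed buckets is that two events a second apart can straddle a bucket boundary; the transaction command with maxpause avoids that. If the normalisation should be permanent, the same expression can be defined once per sourcetype as a calculated field (EVAL-ani_norm in props.conf) instead of being repeated in every search.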
You could use transaction for this as well.
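The transaction variant, as an added example that is not from the thread, written against the live indexes rather than constructed data. It assumes sourcetypes sip_log and pbx_log, the existing metrics_ani extraction on the first log, and a field dialout_number already extracted from the second log (its format is not shown in the thread, so that field name is an assumption); the call ref pattern is the one quoted in the question.

```spl
(sourcetype=sip_log OR sourcetype=pbx_log) earliest=-24h
| rex field=_raw "call ref=\[(?<call_ref>[0-9a-f]+)\]"
| eval ani_norm=replace(coalesce(metrics_ani, dialout_number), "^0", "")
| where ani_norm=replace("01234567", "^0", "")
| transaction ani_norm maxpause=10s
| where mvcount(sourcetype) > 1
| table _time duration eventcount ani_norm call_ref sourcetype _raw
```

transaction groups consecutive events that share ani_norm and closes the group as soon as two of them are more than maxpause apart, which is the "nearly the same timestamp" requirement expressed directly; tune 10s to the real delay between the SIP log and the dial-out log. Every field of the grouped events is merged into one multivalued row, so _raw, call_ref and sourcetype of both logs appear side by side, and the where on mvcount(sourcetype) discards groups that contain only one of the two logs. Two caveats: if the same number places two calls within maxpause they land in one group with two call refs, and transaction is considerably more expensive than stats on large indexes, so keep the time range and the number filter as tight as possible.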