How to correlate transactions across two fields

msarro · ‎04-28-2011

Hey everyone. I am working on parsing through data from call data records. In every record there is a "local call ID" field which is used to identify a particular call. If a caller calls someone else on the system, two records will be generated, one for the incoming call, and one for the outgoing call. In this case, the localcallid of one record will be equal to a second field, "relatedcallid" of the other record.

Here's a breakdown since its hard to explain:
Record 1

Caller: John Doe, Callee:Jane Doe, LocalCallID:12345, RelatedCallID:67890

Record 2

Callee: Jane Doe, Caller:John Doe, LocalCallID:67890, RelatedCallID:12345

What I'd like to do is something like this (goal is to get information for all parts of the call):

transaction maxspan=10s localcallid OR localcallid=relatedcallid

Can anyone point me towards the best way to do this? Like I said, I need to not only gather all items sharing the same localcallid, but also all items where the relatedcallid matches the localcallid of the initial record.

Ledion_Bitincka · ‎04-28-2011

The transaction command cannot do the correlation you're looking for - however here's a way to do it: create a field that unifies all the records. In the following simplistic example I am assuming that you can somehow differentiate between local and non-local caller ids, let's say local caller ids start with 12, then the following search will generate the transactions you're looking for

.... | eval cid=if(match(LocalCallID, "^12"), LocalCallID, RelatedCallID) | transaction maxspan=10s cid

How to correlate transactions across two fields

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...