Splunk Search

How to get all sets of response time from user to agent in the entire log

rajaguru2790
Explorer

In the above log

User(Saj) to Agent(Rohi) Response for all the conversations in the log should be captured: In the above example three valid user to agent response is there.If there are multiple Agent's response in between it can be ignored.Only the user response should be captured and after that next agent immediate response should be captured parsing the entire log.

1st set: Difference from user to agent time needed in Secs:
User Response: 1/1/2019 2:42:55 AM
Agent Response: 1/1/2019 2:51:16 AM (Initial Response Found already using Regex)

2nd Set: Difference from user time to agent time is needed
User Response: 1/1/2019 2:54:38 AM
Agent Response: 1/1/2019 2:55:12 AM

3rd Set: Difference from user time to agent time is needed
User Response: 1/1/2019 2:56:39 AM
Agent Response: 1/1/2019 2:57:10 AM

Like this if "n" number of sets are there everything should be displayed and their
Interaction Measurement Number (Sequential Number starting at 1 to N that identifies the unique measurement in the session log extracted by sequentially parsing the Chat Session log)
Response Start Time - Time associated with User part of the User  Agent interaction number measurement from the Session log
Response End Time – Time associated with the Agent part of the User  Agent interaction number measurement from the Session log
Agent Interaction Response Time – Difference in End Time and Start Time of the interaction number measurement for the interaction number.

!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:42:55 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>Hi Team</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!1!_/MID_!!_UTCEPOCHTIME_!1546328575000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:42:56 AM!_/TIME_!
!_NAME_!System!_/NAME_!
!_TEXT_!<span class='defaultsysmsg' style='display:none'>The following associated data has been added:<ul><li>Customer Information</li></ul></span>!_SM+msg_DataAdded+Customer InformationSM_!<arcmd cmd='event-UPDATEASSOCIATEDDATA' />!_/TEXT_!!_NAMEID_!system@email.com!_/NAMEID_!!_MID_!3!_/MID_!!_UTCEPOCHTIME_!1546328576000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:42:59 AM!_/TIME_!
!_NAME_!Rohi!_/NAME_!
!_TEXT_!<span class='defaultsysmsg' style='display:none'>System Message: Rohi is online for chatting.</span>!_SM+msg_AgentOnline+RohiSM_!!_/TEXT_!!_NAMEID_!rohi@test.com!_/NAMEID_!!_MID_!4!_/MID_!!_UTCEPOCHTIME_!1546328579000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:43:09 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>Wish you a very happy ne year</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!5!_/MID_!!_UTCEPOCHTIME_!1546328589000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:43:12 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>new*</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!6!_/MID_!!_UTCEPOCHTIME_!1546328592000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:43:25 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>I need to close this ticket 10936307</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!7!_/MID_!!_UTCEPOCHTIME_!1546328605000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:43:32 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>please help me in closing the same</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!8!_/MID_!!_UTCEPOCHTIME_!1546328612000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:45:07 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>Anyone there ?</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!9!_/MID_!!_UTCEPOCHTIME_!1546328719000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:47:13 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>??</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!10!_/MID_!!_UTCEPOCHTIME_!1546328833000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:49:23 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>?? Hi Rohi You there?</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!11!_/MID_!!_UTCEPOCHTIME_!1546328963000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:51:16 AM!_/TIME_!
!_NAME_!Rohi!_/NAME_!
!_TEXT_!<translateitem>Hello Saj my name is Rohi. How can I help you today?</translateitem>!_/TEXT_!!_NAMEID_!rohi@test.com!_/NAMEID_!!_MID_!12!_/MID_!!_UTCEPOCHTIME_!1546329076000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:51:27 AM!_/TIME_!
!_NAME_!Rohi!_/NAME_!
!_TEXT_!<translateitem>Yes</translateitem>!_/TEXT_!!_NAMEID_!rohi@test.com!_/NAMEID_!!_MID_!13!_/MID_!!_UTCEPOCHTIME_!1546329087000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:53:47 AM!_/TIME_!
!_NAME_!Rohi!_/NAME_!
!_TEXT_!<translateitem>Hello Saj my name is Rohi. How can I help you today?</translateitem>!_/TEXT_!!_NAMEID_!rohi@test.com!_/NAMEID_!!_MID_!14!_/MID_!!_UTCEPOCHTIME_!1546329227000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:54:38 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>?? Hi Rohi You there?</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!11!_/MID_!!_UTCEPOCHTIME_!1546328963000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:55:12 AM!_/TIME_!
!_NAME_!Rohi!_/NAME_!
!_TEXT_!<translateitem>today you are geting this issue</translateitem>!_/TEXT_!!_NAMEID_!rohi@test.com!_/NAMEID_!!_MID_!12!_/MID_!!_UTCEPOCHTIME_!1546329076000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:56:39 AM!_/TIME_!
!_NAME_!Saj!_/NAME_!
!_TEXT_!<translateitem>?? Can you help me?</translateitem>!_/TEXT_!!_NAMEID_!sajg6@test.com!_/NAMEID_!!_MID_!11!_/MID_!!_UTCEPOCHTIME_!1546328963000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:57:10 AM!_/TIME_!
!_NAME_!Rohi!_/NAME_!
!_TEXT_!<translateitem>Sure</translateitem>!_/TEXT_!!_NAMEID_!rohi@test.com!_/NAMEID_!!_MID_!12!_/MID_!!_UTCEPOCHTIME_!1546329076000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:58:31 AM!_/TIME_!
!_NAME_!System!_/NAME_!
!_TEXT_!<span class='defaultsysmsg' style='display:none'>System Message: Saj G has closed the browser</span>!_SM+msg_hasClosed+Saj GSM_!!_/TEXT_!!_NAMEID_!system@email.com!_/NAMEID_!!_MID_!15!_/MID_!!_UTCEPOCHTIME_!1546329278000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
!_CI_!!_L_!en!_/LO_!!_TIME_!1/1/2019 2:59:17 AM!_/TIME_!
!_NAME_!System!_/NAME_!
!_TEXT_!<span class='defaultsysmsg' style='display:none'>System Message: rohi has closed and abandoned. To start a new chat click on &quot;Chat now&quot;.</span>!_SM+msg_UserAbandoned+rohiSM_!<arcmd cmd='arev_SESSIONCLOSED'>!_/TEXT_!!_NAMEID_!system@email.com!_/NAMEID_!!_MID_!16!_/MID_!!_UTCEPOCHTIME_!1546329312000!_/UTCEPOCHTIME_!!_/CINST_!
--------------------------------------------------------------------------------------
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...