I've found a working solution now.
In detail:
<index and fields>
| streamstats list(*) AS * by IncomingProtocolCallRef OutgoingProtocolCallRef callingPartyNumber
| search (Splunk_Telgruppe_origCalled="Group-01" OR Splunk_Telgruppe_finalCalled="Group-01")
| sort origDeviceName
| stats count list(*) AS * by callingPartyNumber origMediaTransportAddress_Port origMediaTransportAddress_IP
| search origDeviceName="SBC*"
| eval Splunk_Telgruppe_finalCalled = mvindex(mvdedup(Splunk_Telgruppe_finalCalled),0)
| eval CallTime = mvindex(mvdedup(CallTimeTotal),0)
| eval is_origCalled = if(match(Splunk_Telgruppe_origCalled ,"Group-01"),1,0)
| eval is_finalCalled = if(match(Splunk_Telgruppe_finalCalled ,"Group-01"),2,0)
| eval callType4 = if(match(origDeviceName,"SBC*") AND match(destDeviceName,"SEP*") AND NOT match(origDeviceName,"CVP*"),"40","0")
| eval callType5 = if(match(origDeviceName,"CVP*") AND NOT match(finalCalledPartyNumber,"3333*") AND NOT match(finalCalledPartyNumber,"4444*"),3,0)
| eval helper = is_origCalled+is_finalCalled+callType4+callType5
| eval CallType = case(helper==0,"-",helper==1,"dispense",helper==2,"take up",helper==3,"own team",helper==5,"employee direct call",helper==6,"employee direct call",helper>40,"team leader direct call")
| eval CallType = if(isNull(CallType),"without call", CallType)
| table CallTime CallTimeTotal CallType Splunk_Telgruppe_origCalled Splunk_Telgruppe_finalCalled callingPartyNumber originalCalledPartyNumber finalCalledPartyNumber origDeviceName destDeviceName origCause_text destCause_text duration
It works perfectly....
Thanks