Here are a few more details...
The dashboard currently displays the following data:
In the lower red field, the data of the SEP connection is missing; the reason is that the IncomingProtocolCallRef IDs change.
The raw data show that the SEP connection exists, but with a different incoming ID ...
Here is the complete search
``` Correlates CUCM CDR legs by their protocol call references and labels each call for the team XXX-XXX (placeholder as posted). ```
``` Base search: cdrRecordType=1 events that carry a globalCallID_callId; the NOT terms drop events containing those literal strings (presumably CDR file header rows - confirm). ```
index="callmanager_cdr" sourcetype="cucm_cdr" globalCallID_callId=* cdrRecordType=1
(NOT "INTEGER,INTEGER*" AND NOT "*cdrRecordType*")
(callingPartyNumber="*" OR originalCalledPartyNumber ="*" OR finalCalledPartyNumber="*") destCause_text="*" type="*"
``` A field="*" term keeps only events where that field is present. Next: keep just the fields used further down. ```
| fields _time Splunk_Telgruppe_origCalled Splunk_Telgruppe_finalCalled IncomingProtocolCallRef OutgoingProtocolCallRef
callingPartyNumber originalCalledPartyNumber Standort_origCalled StandortBezeichnung_origCalled finalCalledPartyNumber
Standort_finalCalled StandortBezeichnung_finalCalled origDeviceName destDeviceName origCause_text destCause_text duration
``` Null-safe copy of the final-called team; presumably so that list() below, which skips null values, keeps one entry per leg - confirm. ```
| eval Splunk_Telgruppe_finalCalled2 =if(isNull(Splunk_Telgruppe_finalCalled),"N/A",Splunk_Telgruppe_finalCalled)
``` Newest events first; the 0 lifts the default row cap of sort. ```
| sort 0 - _time
``` time2 is a display string in day-month-year order. ```
| eval time2=strftime(_time,"%d-%m-%Y %H:%M:%S")
``` Build one row per call reference: zip the incoming and outgoing refs into one comma-joined value, split it on the comma, then expand so every ref gets its own row. ```
``` NOTE(review): legs are joined only when they share a ProtocolCallRef value. A leg that arrives with a different IncomingProtocolCallRef, as described for the SEP leg, lands in another group. Check whether globalCallID_callId, already required above, is a steadier correlation key - verify against the raw CDRs. ```
| eval identHelper = mvzip(IncomingProtocolCallRef,OutgoingProtocolCallRef)
| eval time= _time
| makemv delim="," identHelper
| mvexpand identHelper
``` Group all rows that share a call reference; every other field becomes a multivalue list in input order. ```
| stats count list(*) as * by identHelper
``` Keep references seen on more than one row where the team appears as original or final called group and the originating device name starts with SBC (search-command wildcard). ```
| search count > 1 (Splunk_Telgruppe_origCalled="XXX-XXX" OR Splunk_Telgruppe_finalCalled="XXX-XXX") origDeviceName="SBC*"
``` Restore _time from the first collected timestamp and take the second-to-last entry of the null-safe final-called list. ```
| eval _time = mvindex(time,0)
| eval Splunk_Telgruppe_finalCalled = mvindex(Splunk_Telgruppe_finalCalled2,count-2)
``` Flags: 1 when the team is the original called group, 2 when it is the final called group. ```
| eval is_origCalled = if(match(Splunk_Telgruppe_origCalled ,"XXX-XXX"),1,0)
| eval is_finalCalled = if(match(Splunk_Telgruppe_finalCalled ,"XXX-XXX"),2,0)
``` NOTE(review): match() takes a regular expression, not a search wildcard. "SBC*" means SB followed by zero or more C and is unanchored, so it matches any value containing SB; the same applies to "SEP*" and "CVP*". Anchored patterns such as "^SBC" are probably what is meant. origDeviceName and destDeviceName are multivalue after stats list(), so also confirm how match() evaluates them here. ```
| eval callType4 = if(match(origDeviceName,"SBC*") AND match(destDeviceName,"SEP*") AND NOT match(origDeviceName,"CVP*"),"40","0")
``` helper adds the two flags and callType4. NOTE(review): callType4 is assigned the quoted strings 40 and 0; confirm that the + yields a numeric sum. ```
| eval helper = is_origCalled+is_finalCalled+callType4
``` Labels: "Überlauf abgebend" = overflow handed off, "Überlauf aufnehmend" = overflow taken over, "eigenes Team" = own team, "Direktanruf" = direct call. NOTE(review): helper==40 has no branch, so case() returns null and the row is later labelled "ohne Gespräch". ```
| eval callType = case(helper==0,"-",helper==1,"Überlauf abgebend",helper==2,"Überlauf aufnehmend",helper==3,"eigenes Team",helper>40,"Direktanruf")
``` Appended result set: SBC-to-CVP legs for the team, excluding events whose OutgoingProtocolCallRef is one of the references that occur more than once (computed by the inner NOT subsearch). ```
``` NOTE(review): append and the nested subsearch are subject to subsearch result and runtime limits (limits.conf). If the inner list is truncated, the NOT excludes fewer references without any warning in the table - check the job inspector on long time ranges. ```
| append [search index="callmanager_cdr" sourcetype="cucm_cdr" globalCallID_callId=* cdrRecordType=1 (NOT "INTEGER,INTEGER*" AND NOT "*cdrRecordType*")
(callingPartyNumber="*" OR originalCalledPartyNumber ="*" OR finalCalledPartyNumber="*") (destDeviceName = CVP* AND origDeviceName = SBC*) destCause_text="*" type="*"
(Splunk_Telgruppe_origCalled="XXX-XXX" OR Splunk_Telgruppe_finalCalled="XXX-XXX")
NOT [search index="callmanager_cdr" sourcetype="cucm_cdr" globalCallID_callId=* cdrRecordType=1 (NOT "INTEGER,INTEGER*" AND NOT "*cdrRecordType*")
(callingPartyNumber="*" OR originalCalledPartyNumber ="*" OR finalCalledPartyNumber="*") destCause_text="*" type="*"
``` Same reference expansion as in the main search, reduced to references that occur more than once. The list holds incoming and outgoing refs alike, but after the rename it is compared against OutgoingProtocolCallRef only. ```
| fields _time IncomingProtocolCallRef OutgoingProtocolCallRef
| eval identHelper = mvzip(IncomingProtocolCallRef,OutgoingProtocolCallRef)
| eval time= _time
| makemv delim="," identHelper
| mvexpand identHelper
| stats count by identHelper
| where count > 1
| fields identHelper
| rename identHelper AS OutgoingProtocolCallRef
| format] ]
``` Rows without a callType, which includes every appended row, are labelled "ohne Gespräch" = without conversation. ```
| eval callType = if(isNull(callType),"ohne Gespräch", callType)
| table _time time2 callType identHelper IncomingProtocolCallRef OutgoingProtocolCallRef callingPartyNumber origDeviceName destDeviceName duration
| search callType="*"
``` NOTE(review): this sort has no 0, so the default row limit of sort applies here, unlike the sort 0 used earlier. ```
| sort - _time
thanks for your help...