https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297674#M96012 <P>I´ve found a working solution now....</P> <P>in detail:</P> <PRE><CODE>&lt;index and fields&gt; | streamstats list(*) AS * by IncomingProtocolCallRef OutgoingProtocolCallRef callingPartyNumber | search (Splunk_Telgruppe_origCalled="Group-01" OR Splunk_Telgruppe_finalCalled="Group-01") | sort origDeviceName | stats count list(*) AS * by callingPartyNumber origMediaTransportAddress_Port origMediaTransportAddress_IP | search origDeviceName="SBC*" | eval Splunk_Telgruppe_finalCalled = mvindex(mvdedup(Splunk_Telgruppe_finalCalled),0) | eval CallTime = mvindex(mvdedup(CallTimeTotal),0) | eval is_origCalled = if(match(Splunk_Telgruppe_origCalled ,"Group-01"),1,0) | eval is_finalCalled = if(match(Splunk_Telgruppe_finalCalled ,"Group-01"),2,0) | eval callType4 = if(match(origDeviceName,"SBC*") AND match(destDeviceName,"SEP*") AND NOT match(origDeviceName,"CVP*"),"40","0") | eval callType5 = if(match(origDeviceName,"CVP*") AND NOT match(finalCalledPartyNumber,"3333*") AND NOT match(finalCalledPartyNumber,"4444*"),3,0) | eval helper = is_origCalled+is_finalCalled+callType4+callType5 | eval CallType = case(helper==0,"-",helper==1,"dispense",helper==2,"take up",helper==3,"own team",helper==5,"employee direct call",helper==6,"employee direct call",helper&gt;40,"team leader direct call") | eval callType = if(isNull(callType),"without call", callType) | table CallTime CallTimeTotal CallType Splunk_Telgruppe_origCalled Splunk_Telgruppe_finalCalled callingPartyNumber originalCalledPartyNumber finalCalledPartyNumber origDeviceName destDeviceName origCause_text destCause_text duration </CODE></PRE> <P>It works perfectly.... </P> <P>Thanks</P> Tue, 30 May 2017 11:26:53 GMT denis_roehr 2017-05-30T11:26:53Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297670#M96008 <P>Hello Everybody,</P> <P>I have a big Problem with customers phone data (cdr´s)...</P> <P>One phone-call has multiple events:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2941i5CA584C0EA3C62E0/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>I like to merge all events together values() with an additional field with the name "callType". (for example interal, team, ....) </P> <P>For example : " | stats values(origDeviceName) values(destDeviceName) values(...) by callType</P> <P>I´ve tried to use stats / transaction / eventstats .... but without success... </P> <P>Has anybody an idea? </P> Wed, 17 May 2017 08:10:07 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297670#M96008 denis_roehr 2017-05-17T08:10:07Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297671#M96009 <P>Assuming your protocol references are unique...</P> <PRE><CODE>your search that returns the transactions and gets a calltype on at least one of the transactions | eval DeviceNames=mvappend(origDeviceName,destDeviceName) | eval ProtocolRefs=mvappend(IncomingProtocolCallRef, OutgoingProtocolCallRef) | table _time DeviceNames ProtocolRefs callType | transaction ProtocolRefs </CODE></PRE> Wed, 17 May 2017 14:51:18 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297671#M96009 DalJeanis 2017-05-17T14:51:18Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297672#M96010 <P>Hi Dal,</P> <P>Thanks for your quick reply... But I could not get the right results with the functions.</P> <P>I will share more details... </P> <P>Denis</P> Thu, 18 May 2017 08:39:14 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297672#M96010 denis_roehr 2017-05-18T08:39:14Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297673#M96011 <P>Here are a few more detailed details...</P> <P>The dashboard currently displays the following data:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2939i1C0A5074848EAAFE/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>In the lower red field the data of the SEP connection are missing and the reason are changing IncomingProtocolCallRef IDs.</P> <P>The raw data show that the SEP connection exists, but with a different incoming ID ...</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/2940i142AD1217EC6BBF4/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Here is the complete search </P> <PRE><CODE>index="callmanager_cdr" sourcetype="cucm_cdr" globalCallID_callId=* cdrRecordType=1 (NOT "INTEGER,INTEGER*" AND NOT "*cdrRecordType*") (callingPartyNumber="*" OR originalCalledPartyNumber ="*" OR finalCalledPartyNumber="*") destCause_text="*" type="*" | fields _time Splunk_Telgruppe_origCalled Splunk_Telgruppe_finalCalled IncomingProtocolCallRef OutgoingProtocolCallRef callingPartyNumber originalCalledPartyNumber Standort_origCalled StandortBezeichnung_origCalled finalCalledPartyNumber Standort_finalCalled StandortBezeichnung_finalCalled origDeviceName destDeviceName origCause_text destCause_text duration | eval Splunk_Telgruppe_finalCalled2 =if(isNull(Splunk_Telgruppe_finalCalled),"N/A",Splunk_Telgruppe_finalCalled) | sort 0 - _time | eval time2=strftime(_time,"%d-%m-%Y %H:%M:%S") | eval identHelper = mvzip(IncomingProtocolCallRef,OutgoingProtocolCallRef) | eval time= _time | makemv delim="," identHelper | mvexpand identHelper | stats count list(*) as * by identHelper | search count &gt; 1 (Splunk_Telgruppe_origCalled="XXX-XXX" OR Splunk_Telgruppe_finalCalled="XXX-XXX") origDeviceName="SBC*" | eval _time = mvindex(time,0) | eval Splunk_Telgruppe_finalCalled = mvindex(Splunk_Telgruppe_finalCalled2,count-2) | eval is_origCalled = if(match(Splunk_Telgruppe_origCalled ,"XXX-XXX"),1,0) | eval is_finalCalled = if(match(Splunk_Telgruppe_finalCalled ,"XXX-XXX"),2,0) | eval callType4 = if(match(origDeviceName,"SBC*") AND match(destDeviceName,"SEP*") AND NOT match(origDeviceName,"CVP*"),"40","0") | eval helper = is_origCalled+is_finalCalled+callType4 | eval callType = case(helper==0,"-",helper==1,"Überlauf abgebend",helper==2,"Überlauf aufnehmend",helper==3,"eigenes Team",helper&gt;40,"Direktanruf") | append [search index="callmanager_cdr" sourcetype="cucm_cdr" globalCallID_callId=* cdrRecordType=1 (NOT "INTEGER,INTEGER*" AND NOT "*cdrRecordType*") (callingPartyNumber="*" OR originalCalledPartyNumber ="*" OR finalCalledPartyNumber="*") (destDeviceName = CVP* AND origDeviceName = SBC*) destCause_text="*" type="*" (Splunk_Telgruppe_origCalled="XXX-XXX" OR Splunk_Telgruppe_finalCalled="XXX-XXX") NOT [search index="callmanager_cdr" sourcetype="cucm_cdr" globalCallID_callId=* cdrRecordType=1 (NOT "INTEGER,INTEGER*" AND NOT "*cdrRecordType*") (callingPartyNumber="*" OR originalCalledPartyNumber ="*" OR finalCalledPartyNumber="*") destCause_text="*" type="*" | fields _time IncomingProtocolCallRef OutgoingProtocolCallRef | eval identHelper = mvzip(IncomingProtocolCallRef,OutgoingProtocolCallRef) | eval time= _time | makemv delim="," identHelper | mvexpand identHelper | stats count by identHelper | where count &gt; 1 | fields identHelper | rename identHelper AS OutgoingProtocolCallRef | format] ] | eval callType = if(isNull(callType),"ohne Gespräch", callType) | table _time time2 callType identHelper IncomingProtocolCallRef OutgoingProtocolCallRef callingPartyNumber origDeviceName destDeviceName duration | search callType="*" | sort - _time </CODE></PRE> <P>thanks for your help...</P> Thu, 18 May 2017 14:40:40 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297673#M96011 denis_roehr 2017-05-18T14:40:40Z https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297674#M96012 <P>I´ve found a working solution now....</P> <P>in detail:</P> <PRE><CODE>&lt;index and fields&gt; | streamstats list(*) AS * by IncomingProtocolCallRef OutgoingProtocolCallRef callingPartyNumber | search (Splunk_Telgruppe_origCalled="Group-01" OR Splunk_Telgruppe_finalCalled="Group-01") | sort origDeviceName | stats count list(*) AS * by callingPartyNumber origMediaTransportAddress_Port origMediaTransportAddress_IP | search origDeviceName="SBC*" | eval Splunk_Telgruppe_finalCalled = mvindex(mvdedup(Splunk_Telgruppe_finalCalled),0) | eval CallTime = mvindex(mvdedup(CallTimeTotal),0) | eval is_origCalled = if(match(Splunk_Telgruppe_origCalled ,"Group-01"),1,0) | eval is_finalCalled = if(match(Splunk_Telgruppe_finalCalled ,"Group-01"),2,0) | eval callType4 = if(match(origDeviceName,"SBC*") AND match(destDeviceName,"SEP*") AND NOT match(origDeviceName,"CVP*"),"40","0") | eval callType5 = if(match(origDeviceName,"CVP*") AND NOT match(finalCalledPartyNumber,"3333*") AND NOT match(finalCalledPartyNumber,"4444*"),3,0) | eval helper = is_origCalled+is_finalCalled+callType4+callType5 | eval CallType = case(helper==0,"-",helper==1,"dispense",helper==2,"take up",helper==3,"own team",helper==5,"employee direct call",helper==6,"employee direct call",helper&gt;40,"team leader direct call") | eval callType = if(isNull(callType),"without call", callType) | table CallTime CallTimeTotal CallType Splunk_Telgruppe_origCalled Splunk_Telgruppe_finalCalled callingPartyNumber originalCalledPartyNumber finalCalledPartyNumber origDeviceName destDeviceName origCause_text destCause_text duration </CODE></PRE> <P>It works perfectly.... </P> <P>Thanks</P> Tue, 30 May 2017 11:26:53 GMT https://community.splunk.com/t5/Getting-Data-In/Problem-with-CDR-Phone-Data/m-p/297674#M96012 denis_roehr 2017-05-30T11:26:53Z