https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300237#M164954 <P>I have this start event. I am using the "Phonecall" as the key in the transaction.<BR /> 1. InteractionEvent on Phonecall-1244025-01a102b0xxxxxxxx, Dn: 1244025@8800, Status: Ringing, StatusChanged: true, Reason: Ringing,<BR /> 2. Constructing inbound telephony interaction , cli = 1655491xxxx, dnis = 1290xxx, entereddigits = ...</P> <P>I want to include the inbound caller's phone number (cli) in the table to show duration of call.<BR /> The "Phonecall" key is not included in the line of logs where the "cli" is identified.</P> <P>| transaction Phonecall startswith="Status: Ringing"<BR /> endswith="Reason: Done" | table cli Phonecall reason status reason duration eventcount</P> Tue, 21 Nov 2017 18:10:30 GMT bcarnot 2017-11-21T18:10:30Z https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300237#M164954 <P>I have this start event. I am using the "Phonecall" as the key in the transaction.<BR /> 1. InteractionEvent on Phonecall-1244025-01a102b0xxxxxxxx, Dn: 1244025@8800, Status: Ringing, StatusChanged: true, Reason: Ringing,<BR /> 2. Constructing inbound telephony interaction , cli = 1655491xxxx, dnis = 1290xxx, entereddigits = ...</P> <P>I want to include the inbound caller's phone number (cli) in the table to show duration of call.<BR /> The "Phonecall" key is not included in the line of logs where the "cli" is identified.</P> <P>| transaction Phonecall startswith="Status: Ringing"<BR /> endswith="Reason: Done" | table cli Phonecall reason status reason duration eventcount</P> Tue, 21 Nov 2017 18:10:30 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300237#M164954 bcarnot 2017-11-21T18:10:30Z https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300238#M164955 <P>If there is no matching field (Phonecall is not available in logs with cli field) how can it identify to which Phonecall event it belongs to? There can be multiple Phone calls in the logs and there may be overlap in the events.</P> Tue, 21 Nov 2017 18:35:43 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300238#M164955 somesoni2 2017-11-21T18:35:43Z https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300239#M164956 <P>Do you know that the line with <CODE>Phonecall</CODE> defined always immediately precedes the line with <CODE>cli</CODE>? If so you may be able to use:</P> <PRE><CODE>| streamstats window=2 current=t last(cli) AS lastcli | transaction lastcli startswith="Status: Ringing" endswith="Reason: Done" </CODE></PRE> Tue, 21 Nov 2017 18:45:51 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300239#M164956 micahkemp 2017-11-21T18:45:51Z https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300240#M164957 <P>Thank you for your response.<BR /> This is the layout of the log every time <BR /> Phonecall -xxx Reason: Ringing<BR /> cli= caller</P> <P>The cli will always come after the ringing event.<BR /> Thank you for your time, it is really appreciated.</P> <P>2017-11-21 08:08:44,254 DEBUG InteractionEvent on Phonecall-1244025-01a102b009cxxxxx, Dn: 1244xxx@RB8800, Status: Ringing, StatusChanged: true, <STRONG>Reason: Ringing</STRONG>, Extensions: {Attached Data Changed=}, TEventExtensions: , TEventReasons: null CallId: 1594<BR /> 2017-11-21 08:08:44,254 DEBUG ***<BR /> 2017-11-21 08:08:44,254 TRACE Constructing inbound telephony interaction , <STRONG>cli = 1555491xxxx</STRONG>, dnis = 129xxxx, entereddigits = ...<BR /> 2017-11-21 08:08:44,254 TRACE Setting Telephony System Call ID to null for interaction<BR /> 2017-11-21 08:08:44,254 TRACE Setting CLI to 1555491xxxx<BR /> 2017-11-21 08:08:44,254 TRACE Setting DNIS to 129xxxx<BR /> 2017-11-21 08:08:44,254 TRACE Setting UCID to 15xx<BR /> 2017-11-21 08:08:44,254 TRACE Setting Telephony System Call ID to Phonecall-1244025-01a102b009cxxxxx</P> Tue, 21 Nov 2017 21:26:30 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300240#M164957 bcarnot 2017-11-21T21:26:30Z https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300241#M164958 <P>the cli event happens 1st then a Phonecall ID is assigned.</P> <P>2017-11-21 08:08:44,254 TRACE <STRONG>Constructing inbound telephony interaction , cli = 15554910544</STRONG>, dnis = 1290008, entereddigits = ...<BR /> 2017-11-21 08:08:44,254 TRACE Setting Telephony System Call ID to null for interaction<BR /> 2017-11-21 08:08:44,254 TRACE <STRONG>Setting CLI to 15554910544</STRONG><BR /> 2017-11-21 08:08:44,254 TRACE Setting DNIS to 1290008<BR /> 2017-11-21 08:08:44,254 TRACE Setting UCID to 1594<BR /> 2017-11-21 08:08:44,254 TRACE <STRONG>Setting Telephony System Call ID to Phonecall-1244025-01a102b009cc3b53</STRONG></P> Tue, 21 Nov 2017 21:58:43 GMT https://community.splunk.com/t5/Splunk-Search/Transaction-command-with-multiple-fields/m-p/300241#M164958 bcarnot 2017-11-21T21:58:43Z