Splunk Search

How to correlate transactions across two fields

msarro
Builder

Hey everyone. I am working on parsing through data from call data records. In every record there is a "local call ID" field which is used to identify a particular call. If a caller calls someone else on the system, two records will be generated, one for the incoming call, and one for the outgoing call. In this case, the localcallid of one record will be equal to a second field, "relatedcallid" of the other record.

Here's a breakdown since it's hard to explain:
Record 1

Caller: John Doe, Callee: Jane Doe, LocalCallID: 12345, RelatedCallID: 67890

Record 2

Callee: Jane Doe, Caller: John Doe, LocalCallID: 67890, RelatedCallID: 12345

What I'd like to do is something like this (goal is to get information for all parts of the call):

transaction maxspan=10s localcallid OR localcallid=relatedcallid

Can anyone point me towards the best way to do this? Like I said, I need to not only gather all items sharing the same localcallid, but also all items where the relatedcallid matches the localcallid of the initial record.

Ledion_Bitincka
Splunk Employee

The transaction command cannot do the correlation you're looking for - however, here's a way to do it: create a field that unifies all the records. In the following simplistic example I am assuming that you can somehow differentiate between local and non-local caller ids; let's say local caller ids start with 12, then the following search will generate the transactions you're looking for.

.... | eval cid=if(match(LocalCallID, "^12"), LocalCallID, RelatedCallID) | transaction maxspan=10s cid
0 Karma
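The eval/transaction approach from the answer above, re-implemented in Python as an added example (not code from this thread or from Splunk) over constructed CDR records. It keeps the answer's assumption that local call IDs start with 12, and approximates the transaction command's maxspan grouping (a record more than maxspan seconds after the start of its open transaction begins a new one).

```python
from dataclasses import dataclass
import re


@dataclass
class Cdr:
    """One constructed call data record, mirroring the fields in the question."""
    time: float            # event time, epoch seconds
    caller: str
    callee: str
    local_call_id: str
    related_call_id: str


# Assumption taken from the answer: local call IDs start with "12".
LOCAL_ID = re.compile(r"^12")


def unify_call_id(rec: Cdr) -> str:
    """Python version of: eval cid=if(match(LocalCallID, "^12"), LocalCallID, RelatedCallID)"""
    return rec.local_call_id if LOCAL_ID.match(rec.local_call_id) else rec.related_call_id


def build_transactions(records, maxspan: float = 10.0):
    """Simplified version of: transaction maxspan=10s cid (earliest event first).

    Returns one dict per transaction with cid, _time, duration, eventcount and events.
    """
    txns = []
    open_txn = {}  # cid -> transaction still accepting events
    for rec in sorted(records, key=lambda r: r.time):
        cid = unify_call_id(rec)
        txn = open_txn.get(cid)
        if txn is None or rec.time - txn["_time"] > maxspan:
            txn = {"cid": cid, "_time": rec.time, "duration": 0.0, "eventcount": 0, "events": []}
            open_txn[cid] = txn
            txns.append(txn)
        txn["events"].append(rec)
        txn["duration"] = rec.time - txn["_time"]
        txn["eventcount"] = len(txn["events"])
    return txns


# Constructed sample: the two legs of John -> Jane, a late leg past maxspan, and an unrelated call.
SAMPLE = [
    Cdr(1000.0, "John Doe", "Jane Doe", "12345", "67890"),  # outgoing leg, local id
    Cdr(1001.5, "John Doe", "Jane Doe", "67890", "12345"),  # incoming leg, non-local id
    Cdr(1011.0, "John Doe", "Jane Doe", "12345", "67890"),  # 11s later: exceeds maxspan
    Cdr(1030.0, "Bob Roe", "Ann Loe", "12999", "55555"),
    Cdr(1030.2, "Bob Roe", "Ann Loe", "55555", "12999"),
]

if __name__ == "__main__":
    for t in build_transactions(SAMPLE):
        print(t["cid"], t["_time"], t["duration"], t["eventcount"])
```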