Splunk Search

How to correlate transactions across two fields

msarro
Builder

Hey everyone. I am working on parsing through data from call data records. In every record there is a "local call ID" field which is used to identify a particular call. If a caller calls someone else on the system, two records will be generated, one for the incoming call, and one for the outgoing call. In this case, the localcallid of one record will be equal to a second field, "relatedcallid" of the other record.

Here's a breakdown since it's hard to explain:
Record 1

Caller: John Doe, Callee:Jane Doe, LocalCallID:12345, RelatedCallID:67890

Record 2

Callee: Jane Doe, Caller:John Doe, LocalCallID:67890, RelatedCallID:12345

What I'd like to do is something like this (goal is to get information for all parts of the call):

transaction maxspan=10s localcallid OR localcallid=relatedcallid

Can anyone point me towards the best way to do this? Like I said, I need to not only gather all items sharing the same localcallid, but also all items where the relatedcallid matches the localcallid of the initial record.

Ledion_Bitincka
Splunk Employee

The transaction command cannot do the correlation you're looking for; however, here's a way to do it: create a field that unifies all the records. In the following simplistic example I am assuming that you can somehow differentiate between local and non-local caller IDs. Let's say local caller IDs start with 12; then the following search will generate the transactions you're looking for:

.... | eval cid=if(match(LocalCallID, "^12"), LocalCallID, RelatedCallID) | transaction maxspan=10s cid 
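To see what the unified-key trick does, and what a more general correlation looks like when no prefix distinguishes local IDs, here is an added Python example (not from the post or from Splunk). It reproduces the eval in `unified_cid` and then generalizes it: union-find chains every record whose LocalCallID equals another record's LocalCallID or RelatedCallID, so multi-leg calls (a forward to voicemail, say) land in one transaction, with a maxspan split like the transaction command's. The records, names and the hypothetical `_time` values are constructed.

```python
from collections import defaultdict

# Constructed sample CDRs (hypothetical field names modelled on the post).
RECORDS = [
    {"_time": 100, "Caller": "John Doe", "Callee": "Jane Doe", "LocalCallID": "12345", "RelatedCallID": "67890"},
    {"_time": 101, "Caller": "John Doe", "Callee": "Jane Doe", "LocalCallID": "67890", "RelatedCallID": "12345"},
    {"_time": 300, "Caller": "Ann Lee", "Callee": "Bob Ray", "LocalCallID": "12900", "RelatedCallID": "55555"},
    {"_time": 301, "Caller": "Ann Lee", "Callee": "Bob Ray", "LocalCallID": "55555", "RelatedCallID": "12900"},
    {"_time": 302, "Caller": "Bob Ray", "Callee": "Voicemail", "LocalCallID": "55555", "RelatedCallID": ""},
    {"_time": 400, "Caller": "Bob Ray", "Callee": "Voicemail", "LocalCallID": "55555", "RelatedCallID": ""},
]


def unified_cid(rec, local_prefix="12"):
    """Equivalent of the answer's eval: key on whichever leg's ID looks local."""
    local = rec["LocalCallID"]
    return local if local.startswith(local_prefix) else rec["RelatedCallID"]


def correlate(records, maxspan=10):
    """Group records whose LocalCallID/RelatedCallID chain together (union-find),
    then split each group like transaction maxspan: an event more than maxspan
    seconds after the first event of the current transaction starts a new one."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for r in records:
        find(r["LocalCallID"])
        if r["RelatedCallID"]:  # an empty RelatedCallID links to nothing
            parent[find(r["LocalCallID"])] = find(r["RelatedCallID"])

    groups = defaultdict(list)
    for r in sorted(records, key=lambda r: r["_time"]):
        groups[find(r["LocalCallID"])].append(r)

    transactions = []
    for recs in groups.values():
        current = [recs[0]]
        for r in recs[1:]:
            if r["_time"] - current[0]["_time"] > maxspan:
                transactions.append(current)
                current = [r]
            else:
                current.append(r)
        transactions.append(current)
    return sorted(transactions, key=lambda t: t[0]["_time"])
```

Note that `unified_cid` returns an empty key for the voicemail legs, which have no RelatedCallID and a non-local LocalCallID; the union-find version still attaches them to the right call through the shared LocalCallID.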