Splunk Search

How to correlate transactions across two fields

msarro
Builder

Hey everyone. I am working on parsing through data from call data records. In every record there is a "local call ID" field which is used to identify a particular call. If a caller calls someone else on the system, two records will be generated, one for the incoming call, and one for the outgoing call. In this case, the localcallid of one record will be equal to a second field, "relatedcallid" of the other record.

Here's a breakdown, since it's hard to explain:
Record 1

Caller: John Doe, Callee: Jane Doe, LocalCallID: 12345, RelatedCallID: 67890

Record 2

Callee: Jane Doe, Caller: John Doe, LocalCallID: 67890, RelatedCallID: 12345

What I'd like to do is something like this (goal is to get information for all parts of the call):

transaction maxspan=10s localcallid OR localcallid=relatedcallid

Can anyone point me towards the best way to do this? Like I said, I need to not only gather all items sharing the same localcallid, but also all items where the relatedcallid matches the localcallid of the initial record.

Ledion_Bitincka
Splunk Employee

The transaction command cannot do the correlation you're looking for; however, here's a way to do it: create a field that unifies all the records. In the following simplistic example I am assuming that you can somehow differentiate between local and non-local caller ids. Let's say local caller ids start with 12; then the following search will generate the transactions you're looking for:

.... | eval cid=if(match(LocalCallID, "^12"), LocalCallID, RelatedCallID) | transaction maxspan=10s cid 
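The unifying-key approach from the answer above, as an added example that is not code from the original thread: a small Python model of the same idea. `prefix_cid` reproduces the answer's `eval cid=if(match(LocalCallID, "^12"), LocalCallID, RelatedCallID)`, and `transactions` approximates `transaction maxspan=10s cid`. Going beyond the thread, `union_cid_map` shows what a practitioner needs when the two legs cannot be told apart by a prefix, or when a transfer adds a third leg that references only the middle leg: a disjoint-set union over LocalCallID/RelatedCallID gives every leg of the call the same key, where the prefix heuristic leaves the third leg in its own transaction. The last two rows also show that a maxspan shorter than the gap between the two legs splits one call into two transactions. The CDR rows and the field values are constructed for this example.

```python
"""Correlate the two legs of a call by unifying LocalCallID/RelatedCallID into
one key and then grouping the way `transaction maxspan=10s cid` would.

Added example, not code from the original thread. The CDR rows are
constructed; field names follow the thread (Caller, Callee, LocalCallID,
RelatedCallID) and _time is seconds from an arbitrary start.
"""
from collections import defaultdict

# Constructed sample: two ordinary two-leg calls, one transferred call whose
# third leg only references the middle leg, and one call whose legs are 15 s apart.
CDRS = [
    {"_time": 0,  "Caller": "John Doe",  "Callee": "Jane Doe",  "LocalCallID": "12345", "RelatedCallID": "67890"},
    {"_time": 1,  "Caller": "John Doe",  "Callee": "Jane Doe",  "LocalCallID": "67890", "RelatedCallID": "12345"},
    {"_time": 2,  "Caller": "Ann Lee",   "Callee": "Bob Ray",   "LocalCallID": "12999", "RelatedCallID": "55555"},
    {"_time": 3,  "Caller": "Ann Lee",   "Callee": "Bob Ray",   "LocalCallID": "55555", "RelatedCallID": "12999"},
    {"_time": 4,  "Caller": "Ann Lee",   "Callee": "Help Desk", "LocalCallID": "12777", "RelatedCallID": "77777"},
    {"_time": 5,  "Caller": "Ann Lee",   "Callee": "Help Desk", "LocalCallID": "77777", "RelatedCallID": "12777"},
    {"_time": 6,  "Caller": "Help Desk", "Callee": "Bob Ray",   "LocalCallID": "88888", "RelatedCallID": "77777"},
    {"_time": 20, "Caller": "Jane Doe",  "Callee": "Ann Lee",   "LocalCallID": "12000", "RelatedCallID": "44444"},
    {"_time": 35, "Caller": "Jane Doe",  "Callee": "Ann Lee",   "LocalCallID": "44444", "RelatedCallID": "12000"},
]


def prefix_cid(rec, local_prefix="12"):
    """Python equivalent of the answer's SPL:
    eval cid=if(match(LocalCallID, "^12"), LocalCallID, RelatedCallID)
    Works only when local IDs can be recognised by a pattern."""
    local = rec["LocalCallID"]
    return local if local.startswith(local_prefix) else rec["RelatedCallID"]


class UnionFind:
    """Disjoint-set over call IDs: every ID reachable through a chain of
    LocalCallID <-> RelatedCallID references ends up under one root."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if rb < ra:  # smallest ID becomes the root, so the cid is deterministic
            ra, rb = rb, ra
        self.parent[rb] = ra


def union_cid_map(records):
    """Map every LocalCallID to the root of its connected component.
    Needs no knowledge of which side is local and follows multi-leg chains."""
    uf = UnionFind()
    for r in records:
        uf.union(r["LocalCallID"], r["RelatedCallID"])
    return {r["LocalCallID"]: uf.find(r["LocalCallID"]) for r in records}


def transactions(records, key_fn, maxspan):
    """Approximate `transaction maxspan=<maxspan>s <key>`: bucket events by key
    in time order and open a new transaction whenever an event lands more than
    maxspan seconds after the first event of the open one.
    Returns [(cid, (LocalCallID, ...)), ...] in order of first appearance."""
    buckets = defaultdict(list)
    for r in sorted(records, key=lambda x: x["_time"]):
        buckets[key_fn(r)].append(r)
    result = []
    for cid, recs in buckets.items():
        open_txn = [recs[0]]
        for r in recs[1:]:
            if r["_time"] - open_txn[0]["_time"] > maxspan:
                result.append((cid, tuple(x["LocalCallID"] for x in open_txn)))
                open_txn = [r]
            else:
                open_txn.append(r)
        result.append((cid, tuple(x["LocalCallID"] for x in open_txn)))
    return result


if __name__ == "__main__":
    print("prefix heuristic, maxspan=10:")
    for txn in transactions(CDRS, prefix_cid, 10):
        print("  ", txn)
    cid_map = union_cid_map(CDRS)
    print("union-find key, maxspan=10:")
    for txn in transactions(CDRS, lambda r: cid_map[r["LocalCallID"]], 10):
        print("  ", txn)
```

With the prefix heuristic the transferred call's third leg (88888) gets cid 77777 and lands in a transaction of its own; the union-find key puts all three legs under 12777. In either case the 12000/44444 call is split in two at maxspan=10 and joined at maxspan=30, so maxspan has to cover the gap between a call's legs, not the length of a single leg.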