Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Transaction command with multiple fields
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Transaction command with multiple fields
I have this start event. I am using the "Phonecall" as the key in the transaction.
1. InteractionEvent on Phonecall-1244025-01a102b0xxxxxxxx, Dn: 1244025@8800, Status: Ringing, StatusChanged: true, Reason: Ringing,
2. Constructing inbound telephony interaction , cli = 1655491xxxx, dnis = 1290xxx, entereddigits = ...
I want to include the inbound caller's phone number (cli) in the table to show duration of call.
The "Phonecall" key is not included in the line of logs where the "cli" is identified.
| transaction Phonecall startswith="Status: Ringing"
endswith="Reason: Done" | table cli Phonecall reason status reason duration eventcount
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Do you know that the line with Phonecall defined always immediately precedes the line with cli? If so you may be able to use:
| streamstats window=2 current=t last(cli) AS lastcli
| transaction lastcli startswith="Status: Ringing" endswith="Reason: Done"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your response.
This is the layout of the log every time
Phonecall -xxx Reason: Ringing
cli= caller
The cli will always come after the ringing event.
Thank you for your time, it is really appreciated.
2017-11-21 08:08:44,254 DEBUG InteractionEvent on Phonecall-1244025-01a102b009cxxxxx, Dn: 1244xxx@RB8800, Status: Ringing, StatusChanged: true, Reason: Ringing, Extensions: {Attached Data Changed=}, TEventExtensions: , TEventReasons: null CallId: 1594
2017-11-21 08:08:44,254 DEBUG ***
2017-11-21 08:08:44,254 TRACE Constructing inbound telephony interaction , cli = 1555491xxxx, dnis = 129xxxx, entereddigits = ...
2017-11-21 08:08:44,254 TRACE Setting Telephony System Call ID to null for interaction
2017-11-21 08:08:44,254 TRACE Setting CLI to 1555491xxxx
2017-11-21 08:08:44,254 TRACE Setting DNIS to 129xxxx
2017-11-21 08:08:44,254 TRACE Setting UCID to 15xx
2017-11-21 08:08:44,254 TRACE Setting Telephony System Call ID to Phonecall-1244025-01a102b009cxxxxx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If there is no matching field (Phonecall is not available in logs with cli field) how can it identify to which Phonecall event it belongs to? There can be multiple Phone calls in the logs and there may be overlap in the events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the cli event happens 1st then a Phonecall ID is assigned.
2017-11-21 08:08:44,254 TRACE Constructing inbound telephony interaction , cli = 15554910544, dnis = 1290008, entereddigits = ...
2017-11-21 08:08:44,254 TRACE Setting Telephony System Call ID to null for interaction
2017-11-21 08:08:44,254 TRACE Setting CLI to 15554910544
2017-11-21 08:08:44,254 TRACE Setting DNIS to 1290008
2017-11-21 08:08:44,254 TRACE Setting UCID to 1594
2017-11-21 08:08:44,254 TRACE Setting Telephony System Call ID to Phonecall-1244025-01a102b009cc3b53
Level Up Your .conf25: Splunk Arcade Comes to Boston
Manual Instrumentation with Splunk Observability Cloud: How to Instrument Frontend ...
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
