Hi,
I have to analyse a call-centre log. Here’s a brief description of the scenario. There’s a telephone line called ‘svc606’. This line is routed to five people using round robin. However, these people can also be called directly without using ‘svc606’. Every time ‘svc606’ is called, a log entry is made. About two seconds later a second entry is made for the one of the five group members who received the call.
Here’s a simplified example of the log:
1. 10:00:00.000 LineName=’svc606’ caller=… duration=…
2. 10:00:02.010 LineName=’MrX’ caller=… duration=…
3. 10:05:20.000 LineName=’MrX’ caller=… duration=…
4. 10:10:00.000 LineName=’svc606’ caller=… duration=…
5. 10:10:01.090 LineName=’MrX’ caller=… duration=…
6. 10:12:00.999 LineName=’svc606’ caller=… duration=…
7. 10:12:01.999 LineName=’MrX’ caller=… duration=…
My search result must contain events 2, 5 and 7 because these have a correlated event 2 seconds earlier. It mustn’t find event 3, because this is an independent call.
I came up with this solution:
index=tk | eval time=strftime(_time,"%Y%m_%H%M%S") | search index=tk [search index=tk LineName=svc606 | eval time=strftime(relative_time(_time, "+2s"),"%Y%m_%H%M%S") | fields time ]
Basically, this is a subsearch for ‘svc606’. I then create a time field, add a two second offset and cut off the microseconds. The same without the offset is done for the outer search. This works for the example event 2, but not for 5 and 7 due to the slight time offset. (Only 1 second after formatting instead of two.)
I’d like to search for a time range instead of a static value, like
_time > (svc606_time + 1.9s) AND _time < (svc606_time + 2.1s)
But how?
Regards
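An added example, not from the original post, that parses a constructed copy of the log above in Python and compares the post's whole-second matching with a proper time-window match. The caller and duration values are placeholders, and the log is embedded inline so the script runs offline.

```python
from datetime import datetime, timedelta

# Constructed sample log mirroring the post's simplified example; the caller
# and duration values are placeholders, not data from the original post.
LOG = """\
10:00:00.000 LineName='svc606' caller=A duration=30
10:00:02.010 LineName='MrX' caller=A duration=28
10:05:20.000 LineName='MrX' caller=B duration=60
10:10:00.000 LineName='svc606' caller=C duration=10
10:10:01.090 LineName='MrX' caller=C duration=8
10:12:00.999 LineName='svc606' caller=D duration=15
10:12:01.999 LineName='MrX' caller=D duration=12
"""

def parse(log):
    """Turn each log line into (event number, timestamp, LineName)."""
    events = []
    for n, line in enumerate(log.splitlines(), start=1):
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append((n, datetime.strptime(ts, "%H:%M:%S.%f"),
                       fields["LineName"].strip("'")))
    return events

def correlate_truncated(events, hub="svc606", offset=2):
    """The post's approach: hub time + offset, compared on whole seconds."""
    targets = {t.replace(microsecond=0) + timedelta(seconds=offset)
               for _, t, line in events if line == hub}
    return [n for n, t, line in events
            if line != hub and t.replace(microsecond=0) in targets]

def correlate_window(events, hub="svc606", lo=1.9, hi=2.1):
    """Window match: a non-hub call counts if it lands lo..hi seconds
    after some hub call, using the exact (sub-second) timestamps."""
    hub_times = [t for _, t, line in events if line == hub]
    hits = []
    for n, t, line in events:
        if line == hub:
            continue
        if any(lo <= (t - ht).total_seconds() <= hi for ht in hub_times):
            hits.append(n)
    return hits

if __name__ == "__main__":
    ev = parse(LOG)
    print("whole-second match:", correlate_truncated(ev))
    print("window 1.9-2.1 s:  ", correlate_window(ev))
    print("window 0.5-3.0 s:  ", correlate_window(ev, lo=0.5, hi=3.0))
```

In the sample data events 5 and 7 follow their svc606 entry by only about one second, so the 1.9 to 2.1 second window proposed in the post still returns only event 2, exactly like the whole-second match. A wider window such as 0.5 to 3 seconds returns events 2, 5 and 7 while still excluding the independent event 3.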