Did a little bit of searching, but didn't really find what I needed, but I also don't know if I'm even searching the best way/terms/keywords.
I'm hoping Splunk can parse a daily log file (.log) and look for the following lines:
05:49:15.416 ( 7528:11056) U-PE: 20000018 Hook: 1 (OffHook)
00:26:41.618 ( 7528: 7820) U-PE: 2000017A State: 12 (Established)
01:22:02.283 ( 7528:11056) U-PE: 20000156 Hook: 0 (OnHook)
The first part is just standard time in the %T.%f style formatting.
The second part is always 5 numbers (or 4 with a leading space), a colon, and 5 more numbers (or 4 with a leading space).
The U-PE: is the event, and the 8-character alphanumeric ID that comes after it is uniquely bound to a user.
What I hope Splunk can do is find every time there is a U-PE: OffHook event that does NOT have an Established U-PE: before the U-PE: OnHook event, and report the time between the OffHook and OnHook events.
As for the 8-character User ID, there are about two or three hundred, but they are all unique.
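The pairing logic described in the post, written out as an added Python example (not from the original post or from Splunk): it parses lines of the format shown, tracks each user's OffHook/Established/OnHook sequence, and reports only the OffHook-to-OnHook spans with no Established state in between. The log lines below are constructed to match the described format, not real data; the regex, field names and function names are my own assumptions. Once the rule is settled, the same field extraction and per-user pairing is what you would express in SPL with `rex` and a per-user `transaction` or `streamstats`.

```python
import re
from datetime import datetime
from typing import List, NamedTuple

# Constructed sample of one daily log file in the post's format (not real data).
SAMPLE_LOG = """\
01:22:00.000 ( 7528:11056) U-PE: 20000156 Hook: 1 (OffHook)
01:22:02.283 ( 7528:11056) U-PE: 20000156 Hook: 0 (OnHook)
05:49:15.416 ( 7528:11056) U-PE: 20000018 Hook: 1 (OffHook)
05:49:20.100 ( 7528: 7820) U-PE: 20000018 State: 12 (Established)
05:52:01.000 ( 7528:11056) U-PE: 20000018 Hook: 0 (OnHook)
06:10:00.000 ( 7528:11056) U-PE: 2000017A Hook: 1 (OffHook)
"""

# Assumed line layout: "%T.%f ( pid:tid) U-PE: <8-char user id> <Hook|State>: <n> (<label>)".
# pid/tid are 4 or 5 digits, left-padded with a space when 4 digits.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{1,6}) "
    r"\(\s*(?P<pid>\d{4,5}):\s*(?P<tid>\d{4,5})\) "
    r"U-PE: (?P<user>[0-9A-Za-z]{8}) "
    r"(?P<kind>Hook|State): (?P<code>\d+) \((?P<label>\w+)\)$"
)


class UnestablishedCall(NamedTuple):
    user: str
    offhook: str      # timestamp text as it appeared in the log
    onhook: str
    seconds: float    # OnHook time minus OffHook time


def parse_ts(text: str) -> datetime:
    # Time-of-day only; the file is per day, so differences within it are valid.
    return datetime.strptime(text, "%H:%M:%S.%f")


def find_unestablished_calls(log_text: str) -> List[UnestablishedCall]:
    """Return OffHook->OnHook spans per user that never saw an Established state."""
    # user id -> [offhook timestamp text, offhook datetime, established_seen]
    open_calls = {}
    results: List[UnestablishedCall] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; ignore
        user, label = m["user"], m["label"]
        if label == "OffHook":
            # A new OffHook restarts the state for that user.
            open_calls[user] = [m["ts"], parse_ts(m["ts"]), False]
        elif label == "Established":
            if user in open_calls:
                open_calls[user][2] = True
        elif label == "OnHook":
            call = open_calls.pop(user, None)
            if call is None:
                continue  # OnHook with no OffHook in this file (e.g. call began yesterday)
            off_text, off_time, established = call
            if not established:
                seconds = (parse_ts(m["ts"]) - off_time).total_seconds()
                results.append(UnestablishedCall(user, off_text, m["ts"], seconds))
    # Users still in open_calls went OffHook without an OnHook before the file ended;
    # they are not reported because there is no OnHook time to measure against.
    return results


if __name__ == "__main__":
    for call in find_unestablished_calls(SAMPLE_LOG):
        print(f"{call.user}: OffHook {call.offhook} -> OnHook {call.onhook} "
              f"without Established ({call.seconds:.3f}s)")
```

Running it on the sample reports only user 20000156 (2.283 s OffHook to OnHook, never Established); user 20000018 is skipped because an Established line sits between its OffHook and OnHook, and user 2000017A is skipped because its OffHook has no OnHook in the file.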