Design a Query

  1. Choose a filter setting. You can use one or both:
    • data: final filtering phase, explicitly determines which records will appear in the report.
    • scope: initial filtering phase, expands the scope to all records within matching sessions.

The data filter is strict and isolates results to individual records that match all criteria.

{
  "data": {
    "event1":{
      "fields": ["event1_Field1","event1_Field2"]
    },
    "event2":{
      "fields": ["event2_Field1"]
    }
  }
}

The scope filter is broad. With only one match it provides all records associated with a user session, it needs a data filter to work.

{
  "timestamp": {
    "$gte": "2019-12-16T00:00:00Z",
    "$lte": "2019-12-21T00:00:00Z"
  },
  "data": {
     "CallEvent": {
        "fields": ["EventName", "EventVersion", "EventSku",
        "TimeStamp", "HostId", "CustomerId", "FlowId", "FlowName",
        "ActionId", "ActionName", "IsTriggerAction", "SessionId",
        "TransactionId","ApplicationRegion", "PassthroughVersion",
        "IsOutboundFromCust", "CallingNumber", "CalledNumber",
        "CalledNumberCountry", "CalledNumberState",
        "CalledNumberRegion", "CallOfferTime", "CallAnswerTime",
        "CallEndTime", "CallDuration", "CallAnswerIndicator",
        "CallVoicemailDetected", "CallDisconnectReason"]
     }
  },
  "filters": {
    "CallEvent": {
      "CallingNumber": {"$eq": "+18052091817"}
    }
  }
}

2.  Once a filter is set, identify the focus of your search. For example:

Use the timestamp attribute to filter for records (or verbs) that occur between 4:30pm and 7:30pm MDT on February 11th, 2019.

 

Note: All records are stored in 24-hour format UTC with seconds. Therefore 6:30pm becomes 18:30:00 in 24-hour format. And for timezone MDT (-0600), we add 6 hours to create 00:30:00

4:30pm MDT -> 16:30 MDT -> 22:30 UTC -> 2019-02-11T22:30:00Z

7:30pm MDT -> 19:30 MDT -> 01:30 UTC -> 2019-02-12T01:30:00Z

{
  "timestamp": {
    "$gte": "2019-02-11T22:30:00Z",
    "$lte": "2019-02-12T01:30:00Z"
  }
}

Now indicate at least 1 column for the report…

{
  "timestamp": {
    "$gte": "2019-02-11T22:30:00Z",
    "$lte": "2019-02-12T01:30:00Z"
  },
  "data": {
    "ApplicationExitEvent": {
      "fields": ["FlowId"]
    }
  }
}

3.  After running and reviewing the report, adjust your filters to get more or less data.

Analysis: The flow you’re interested in might take place over a long period of time, but the time period is narrow, so the provided records don’t have enough contextual information to analyze.

To do cooperative filtering and receive all related session records, switch to using the scope filter.

This yields many more results because there are two searches:

  • Find any record (verb) with CallingNumber “+17652285679”.
  • Next, find any record with a matching SessionId

 

Here is the updated query:

{
  "timestamp": {
    "$gte": "2019-11-25T00:00:00Z",
    "$lte": "2019-11-26T00:00:00Z"
  },
  "data": {
    "ApplicationExitEvent": {
      "fields": ["FlowId"]
    }
  },
  "scope": {
    "field": "Sessionid",
    "filters": {
      "CallEvent": {
        "CallingNumber": {"$eq": "+17652285679"}
      }
    }
  }
}

4.  Once you have the full flow of information, you can refine your search results to see API callouts associated with sessions related to the CallingNumber “+17652285679”.

That query would look like this:

{
  "timestamp": {
    "$gte": "2019-11-20T00:00:00",
    "$lte": "2019-11-20T23:00:00"
  },
  "data": {
     "MsgEvent": {
        "fields": ["EventName", "EventVersion", "TimeStamp",
        "SessionId", "SendingId", "SentId"]
     }
  },
  "filters": {
     "MsgEvent": {
        "TimeStamp": {
        "$gte": "2019-11-15T00:00:00Z",
        "$lte": "2019-11-23T00:00:00Z"
      }
     }
  }
}