I can't speak to other Solarwinds tools but Kiwi syslog cannot do this with the built in actions and filters only. However, you could do this in Kiwi with some scripting added to the mix to do this in real time. Otherwise writing them all to a log then parsing the log with the tool of your choice on a schedule(daily, hourly) could be done. That just depends on your reporting and alerting needs.
We do something similar for backup tape drive status that needs information from 2 separate device logs to match the detail.
Event comes in with 'U-PE', this is matched with a filter, then there is an action that runs a script.
The script would do several things.
First would be to parse the message into fields and look for the OnHook event in the message. Two split actions would be needed, one using ':' as the delimiter, then a ' ' to split the item with the user ID. If it is an onhook event you could manage state for those two ways. Write it to a data dictionary(in memory array) or write to a file.
My preference is a file since they are maintained in the event of the Kiwi service restarting or a server reboot. Each UserID would get a separate file(for example "20000156-onhook.txt").
When an 'Established' event occurs, the script will catch that and another file would be written("20000156-established.txt").
When the 'OffHook' event occurs, the script will catch that then read the directory for the OnHook and Established files, gets the file creation times and does the calculations. If the 'Established' file doesn't existing it generates some additional action(s) like email, writes to a log, etc. Then the files are deleted.
Variations of this could be to have a rule that matches each event state(OnHook, Established, OffHook) and has a script that does each portion of the steps above. It's more rules but more simple scripts. You could also add the timestamp to the filename. This would make getting the file creation time unnecessary and only need to read the filename.