Good day all,
I am trying to create field extractions from my SIP messaging.
Automatically, splunk will extract anything past an = sign.
How can I configure splunk to create fields past a : ?
I would like to report on ANI's, DNIS's, etc.
Thanks in advance.
04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) from source ip 192.168.255.7 source port 5060:
INVITE sip:64.211.96.74:5060 SIP/2.0
Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a
From: sip:4029779166@64.210.85.70;tag=gK049ef6d5
To: sip:3034510115@64.211.96.74;tag=100012488 Call-ID: 100012489.1.824.conference.102@64.214.112.141 CSeq: 26999 INVITE Max-Forwards: 70 Allow: INVITE,ACK,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed Contact: sip:4029779166@64.210.85.70:5060 Supported: timer,replaces Session-Expires: 1800;refresher=uac Min-SE: 90 Content-Length: 180 Content-Disposition: session; handling=required Content-Type: application/sdp
v=0
o=Sonus_UAC 19737 10570 IN IP4 64.210.85.70
s=SIP Media Capabilities
c=IN IP4 67.17.57.141
t=0 0
m=audio 18268 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=sendrecv
a=maxptime:20
You can configure key-value extractions around colons as well using props.conf+transforms.conf, however I fear those may get confused by the colons in the From:
and To:
values. Consider setting up regex-based extractions if that confusion does happen.
Here's a rough sketch of how colon-based key-value extractions might look for your sourcetype:
props.conf
[your_sourcetype]
...
TRANSFORMS-colons = colons
transforms.conf
[colons]
REGEX = (?<_KEY_1>\w+):\s+(?<_VAL_1>\S+)
See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/transformsconf for reference, search for "key".
Note, I've made the assumption that values are a string of non-space characters due to laziness - your reality may be more complicated.