Splunk Search

SIP Field Extraction, using the colon? transforms.conf?

stankylb
New Member

Good day all,
I am trying to create field extractions from my SIP messaging.
Automatically, Splunk will extract anything past an = sign.
How can I configure Splunk to create fields past a : ?
I would like to report on ANIs, DNISs, etc.
Thanks in advance.

04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) from source ip 192.168.255.7 source port 5060:
INVITE sip:64.211.96.74:5060 SIP/2.0
Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a
From: sip:[email protected];tag=gK049ef6d5
To: sip:[email protected];tag=100012488
Call-ID: [email protected]
CSeq: 26999 INVITE
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed
Contact: sip:[email protected]:5060
Supported: timer,replaces
Session-Expires: 1800;refresher=uac
Min-SE: 90
Content-Length: 180
Content-Disposition: session; handling=required
Content-Type: application/sdp
v=0
o=Sonus_UAC 19737 10570 IN IP4 64.210.85.70
s=SIP Media Capabilities
c=IN IP4 67.17.57.141
t=0 0
m=audio 18268 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=sendrecv
a=maxptime:20


martin_mueller
SplunkTrust

You can configure key-value extractions around colons as well using props.conf + transforms.conf; however, I fear those may get confused by the colons in the From: and To: values. Consider setting up regex-based extractions if that confusion does happen.

Here's a rough sketch of how colon-based key-value extractions might look for your sourcetype:

props.conf

[your_sourcetype]
...
TRANSFORMS-colons = colons

transforms.conf

[colons]
REGEX = (?<_KEY_1>\w+):\s+(?<_VAL_1>\S+)

See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/transformsconf for reference, search for "key".
Note: I've made the assumption that values are a string of non-space characters, due to laziness; your reality may be more complicated.

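The confusion the answer warns about can be checked offline before touching transforms.conf. The script below is an added illustration, not code from the thread or from Splunk: it runs the proposed `\w+:\s+\S+` pattern over a trimmed, constructed copy of the INVITE from the question (placeholder numbers and domain, since the post redacts the addresses), then runs a header-aware alternative that anchors at line start and allows hyphenated names, and finally pulls the ANI/DNIS user parts out of From:/To:. The helper names (`extract`, `ani_dnis`) are this example's own.

```python
import re

# Constructed sample, trimmed from the INVITE in the question; the
# numbers and domain are placeholders because the post redacts them.
SAMPLE = """04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) from source ip 192.168.255.7 source port 5060:
INVITE sip:64.211.96.74:5060 SIP/2.0
Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a
From: sip:5551234567@example.invalid;tag=gK049ef6d5
To: sip:5559876543@example.invalid;tag=100012488
Call-ID: abc123@example.invalid
CSeq: 26999 INVITE
Max-Forwards: 70
Content-Length: 180
Content-Type: application/sdp
"""

# The transform regex from the answer, written in Python's (?P<name>...)
# syntax (Splunk's PCRE accepts the (?<name>...) form used in the post).
NAIVE = re.compile(r"(?P<key>\w+):\s+(?P<val>\S+)")

# Header-aware alternative: a SIP header sits at the start of a line,
# its name may contain hyphens, and its value runs to the end of the line.
HEADER = re.compile(r"^(?P<key>[\w-]+):[ \t]+(?P<val>.+?)[ \t]*$", re.MULTILINE)

# User part of a SIP URI: what sits between "sip:" and "@".
URI_USER = re.compile(r"sip:([^@;>]+)@")


def extract(pattern, text):
    """Return {key: value} for every match, keeping the first value per key."""
    fields = {}
    for m in pattern.finditer(text):
        fields.setdefault(m.group("key"), m.group("val"))
    return fields


def ani_dnis(headers):
    """Calling (ANI) and called (DNIS) numbers from the From/To headers."""
    def user(value):
        m = URI_USER.search(value or "")
        return m.group(1) if m else None
    return user(headers.get("From")), user(headers.get("To"))


if __name__ == "__main__":
    naive, strict = extract(NAIVE, SAMPLE), extract(HEADER, SAMPLE)
    print("naive :", sorted(naive))   # 'Call-ID' shows up as 'ID', and '5060' -> 'INVITE'
    print("strict:", sorted(strict))
    print("ANI, DNIS:", ani_dnis(strict))
```

The naive pattern also fires inside the log prefix (key "Agent", key "5060"), so expect noise fields unless the regex is anchored to header lines as in HEADER.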