Splunk Search

SIP Field Extraction, using the colon? transforms.conf?

stankylb
New Member

Good day all,
I am trying to create field extractions from my SIP messaging.
Automatically, Splunk will extract anything past an = sign.
How can I configure Splunk to create fields past a :?
I would like to report on ANIs, DNISs, etc.
Thanks in advance.

04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) from source ip 192.168.255.7 source port 5060:
INVITE sip:64.211.96.74:5060 SIP/2.0
Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a
From: sip:4029779166@64.210.85.70;tag=gK049ef6d5
To: sip:3034510115@64.211.96.74;tag=100012488
Call-ID: 100012489.1.824.conference.102@64.214.112.141
CSeq: 26999 INVITE
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed
Contact: sip:4029779166@64.210.85.70:5060
Supported: timer,replaces
Session-Expires: 1800;refresher=uac
Min-SE: 90
Content-Length: 180
Content-Disposition: session; handling=required
Content-Type: application/sdp
v=0
o=Sonus_UAC 19737 10570 IN IP4 64.210.85.70
s=SIP Media Capabilities
c=IN IP4 67.17.57.141
t=0 0
m=audio 18268 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=sendrecv
a=maxptime:20

0 Karma

martin_mueller
SplunkTrust

You can configure key-value extractions around colons as well using props.conf + transforms.conf; however, I fear those may get confused by the colons in the From: and To: values. Consider setting up regex-based extractions if that confusion does happen.

Here's a rough sketch of how colon-based key-value extractions might look for your sourcetype:

props.conf

[your_sourcetype]
...
# REPORT- applies the transform at search time, like the automatic key=value
# extraction; TRANSFORMS- would be an index-time transform instead.
REPORT-colons = colons

transforms.conf

[colons]
# Header names may contain hyphens (Call-ID, Content-Length), so allow '-' in the key.
# (?m)^ anchors each key to the start of a line, so colons in the agent's log prefix
# and inside header values are not taken as key separators.
REGEX = (?m)^(?<_KEY_1>[\w-]+):\s+(?<_VAL_1>\S+)

See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/transformsconf for reference; search for "key".
Note: I've made the assumption that values are a string of non-space characters due to laziness; your reality may be more complicated.

0 Karma
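As an added example (not part of the thread, and not Splunk code), the script below models both approaches from the answer in Python over the INVITE posted in the question: the colon key-value sketch as posted, a tightened version that allows hyphenated header names and anchors keys to line starts, and dedicated regex extractions for ANI and DNIS taken from the user parts of From: and To:. The sample event is constructed from the question's log (headers split one per line); the header-name and ANI/DNIS conventions are assumptions about this deployment's traffic.

```python
import re

# Constructed sample: the INVITE from the question, with the agent's log prefix
# line and the SIP headers split one per line (as they arrive on the wire).
SAMPLE_EVENT = """\
04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) from source ip 192.168.255.7 source port 5060:
INVITE sip:64.211.96.74:5060 SIP/2.0
Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a
From: sip:4029779166@64.210.85.70;tag=gK049ef6d5
To: sip:3034510115@64.211.96.74;tag=100012488
Call-ID: 100012489.1.824.conference.102@64.214.112.141
CSeq: 26999 INVITE
Max-Forwards: 70
Content-Length: 180
"""

# The answer's sketch as posted: unanchored, word-character keys only.
# (Splunk's PCRE accepts (?<name>...); Python spells it (?P<name>...).)
NAIVE_KV = re.compile(r"(?P<key>\w+):\s+(?P<val>\S+)")

# Tightened version: keys may contain hyphens (Call-ID, Content-Length) and
# must start a line, so colons in the log prefix and inside values are ignored.
# Equivalent transforms.conf REGEX: (?m)^(?<_KEY_1>[\w-]+):\s+(?<_VAL_1>\S+)
HEADER_KV = re.compile(r"^(?P<key>[\w-]+):\s+(?P<val>\S+)", re.MULTILINE)


def extract_kv(event, pattern):
    """Return {key: value} for every match of pattern, keeping the first value seen."""
    fields = {}
    for m in pattern.finditer(event):
        fields.setdefault(m.group("key"), m.group("val"))
    return fields


# Regex-based extractions for the two fields the question wants to report on.
# Assumption: ANI is the calling number (user part of From:) and DNIS the called
# number (user part of To:), both plain digit strings in sip:/sips: URIs.
ANI_RE = re.compile(r"^From:\s+sips?:(?P<ani>\d+)@", re.MULTILINE)
DNIS_RE = re.compile(r"^To:\s+sips?:(?P<dnis>\d+)@", re.MULTILINE)


def extract_ani_dnis(event):
    """Return {'ani': ..., 'dnis': ...} for whichever numbers are present."""
    out = {}
    for name, pattern in (("ani", ANI_RE), ("dnis", DNIS_RE)):
        m = pattern.search(event)
        if m:
            out[name] = m.group(name)
    return out


if __name__ == "__main__":
    print("naive   :", extract_kv(SAMPLE_EVENT, NAIVE_KV))
    print("anchored:", extract_kv(SAMPLE_EVENT, HEADER_KV))
    print("ani/dnis:", extract_ani_dnis(SAMPLE_EVENT))
```

Running it shows the confusion the answer warns about: the unanchored sketch turns the agent's log prefix into junk fields such as 26=INFO: and 5060=INVITE, and splits Content-Length into a field named Length, while the anchored pattern yields exactly the seven headers. Values are still cut at the first space (Via becomes SIP/2.0/UDP), which is the caveat about non-space values in the answer; the ANI/DNIS regexes sidestep that by targeting the two headers directly.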