SIP Field Extraction, using the colon? transforms.conf?

stankylb
New Member

Good day all,
I am trying to create field extractions from my SIP messaging.
Automatically, Splunk will extract anything past an = sign.
How can I configure Splunk to create fields past a : ?
I would like to report on ANIs, DNISs, etc.
Thanks in advance.

04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) from source ip 192.168.255.7 source port 5060:
INVITE sip:64.211.96.74:5060 SIP/2.0
Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a
From: sip:4029779166@64.210.85.70;tag=gK049ef6d5
To: sip:3034510115@64.211.96.74;tag=100012488
Call-ID: 100012489.1.824.conference.102@64.214.112.141
CSeq: 26999 INVITE
Max-Forwards: 70
Allow: INVITE,ACK,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH
Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed
Contact: sip:4029779166@64.210.85.70:5060
Supported: timer,replaces
Session-Expires: 1800;refresher=uac
Min-SE: 90
Content-Length: 180
Content-Disposition: session; handling=required
Content-Type: application/sdp
v=0
o=Sonus_UAC 19737 10570 IN IP4 64.210.85.70
s=SIP Media Capabilities
c=IN IP4 67.17.57.141
t=0 0
m=audio 18268 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=sendrecv
a=maxptime:20


martin_mueller
SplunkTrust

You can configure key-value extractions around colons as well using props.conf + transforms.conf; however, I fear those may get confused by the colons in the From: and To: values. Consider setting up regex-based extractions if that confusion does happen.

Here's a rough sketch of how colon-based key-value extractions might look for your sourcetype:

props.conf

[your_sourcetype]
...
TRANSFORMS-colons = colons

transforms.conf

[colons]
REGEX = (?<_KEY_1>\w+):\s+(?<_VAL_1>\S+)

See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/transformsconf for reference, search for "key".
Note: I've made the assumption that values are a string of non-space characters due to laziness; your reality may be more complicated.

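As an added illustration (not from this thread or from Splunk), the Python below runs the sketch regex from the answer over a constructed, trimmed copy of the posted INVITE to show the confusion martin_mueller warns about (timestamp fragments and "5060" become keys, "Call-ID" is cut to "ID", values stop at the first space), then applies a line-anchored variant that yields the ANI and DNIS from the From: and To: headers. The anchoring and the `[\w-]` key class carry over to Splunk's PCRE unchanged; the underscore substitution mimics Splunk's default CLEAN_KEYS by hand, and the trimmed message and header names are assumptions for the demo.

```python
import re

# Constructed sample: a trimmed copy of the INVITE posted in the question, one header per line
SAMPLE = (
    "04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) "
    "from source ip 192.168.255.7 source port 5060:\n"
    "INVITE sip:64.211.96.74:5060 SIP/2.0\n"
    "Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a\n"
    "From: sip:4029779166@64.210.85.70;tag=gK049ef6d5\n"
    "To: sip:3034510115@64.211.96.74;tag=100012488\n"
    "Call-ID: 100012489.1.824.conference.102@64.214.112.141\n"
    "CSeq: 26999 INVITE\n"
    "Content-Length: 180\n"
)

# The answer's sketch, unanchored, as Splunk's PCRE would apply it (_KEY_1/_VAL_1 renamed)
SKETCH = re.compile(r"(?P<key>\w+):\s+(?P<val>\S+)")

def sketch_kv(text):
    """Return every (key, value) pair the sketch regex yields, in order of appearance."""
    return [(m.group("key"), m.group("val")) for m in SKETCH.finditer(text)]

# Line-anchored variant: the header name must start the line and may contain hyphens;
# the value is the rest of the line, since SIP values contain spaces and colons.
HEADER = re.compile(r"^(?P<key>[A-Za-z][\w-]*):[ \t]*(?P<val>.*)$", re.MULTILINE)
SIP_USER = re.compile(r"sip:(?P<num>\d+)@")  # user part of a sip: URI

def sip_headers(text):
    """Map header name -> value for the first occurrence of each header.
    Non-word characters in names become '_' to mirror Splunk's default CLEAN_KEYS."""
    fields = {}
    for m in HEADER.finditer(text):
        key = re.sub(r"\W", "_", m.group("key"))
        fields.setdefault(key, m.group("val"))
    return fields

def ani_dnis(text):
    """ANI (calling number) from From:, DNIS (called number) from To:, or None if absent."""
    hdrs = sip_headers(text)
    ani = SIP_USER.search(hdrs.get("From", ""))
    dnis = SIP_USER.search(hdrs.get("To", ""))
    return (ani.group("num") if ani else None, dnis.group("num") if dnis else None)

if __name__ == "__main__":
    for key, val in sketch_kv(SAMPLE):
        print(f"sketch   {key!r:18} -> {val!r}")
    for key, val in sip_headers(SAMPLE).items():
        print(f"anchored {key!r:18} -> {val!r}")
    print("ANI/DNIS:", ani_dnis(SAMPLE))
```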