Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

SIP Field Extraction, using the colon? transforms.conf?

stankylb
New Member
‎04-23-2014 02:03 PM

Good day all,
I am trying to create field extractions from my SIP messaging.
Automatically, splunk will extract anything past an = sign.
How can I configure splunk to create fields past a : ?
I would like to report on ANI's, DNIS's, etc.
Thanks in advance.

04/23 20:50:26: INFO: SIP Agent: SS_Stack::ReadUdpMsgs: received msg (909 bytes) from source ip 192.168.255.7 source port 5060:
INVITE sip:64.211.96.74:5060 SIP/2.0
Via: SIP/2.0/UDP 64.210.85.70:5060;branch=z9hG4bK04B95916ad5ac6f297a
From: sip:4029779166@64.210.85.70;tag=gK049ef6d5
To: sip:3034510115@64.211.96.74;tag=100012488 Call-ID: 100012489.1.824.conference.102@64.214.112.141 CSeq: 26999 INVITE Max-Forwards: 70 Allow: INVITE,ACK,CANCEL,BYE,REGISTER,INFO,SUBSCRIBE,NOTIFY,PRACK,UPDATE,OPTIONS,MESSAGE,PUBLISH Accept: application/sdp, application/isup, application/dtmf, application/dtmf-relay, multipart/mixed Contact: sip:4029779166@64.210.85.70:5060 Supported: timer,replaces Session-Expires: 1800;refresher=uac Min-SE: 90 Content-Length: 180 Content-Disposition: session; handling=required Content-Type: application/sdp
v=0
o=Sonus_UAC 19737 10570 IN IP4 64.210.85.70
s=SIP Media Capabilities
c=IN IP4 67.17.57.141
t=0 0
m=audio 18268 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=sendrecv
a=maxptime:20

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎04-23-2014 03:07 PM

You can configure key-value extractions around colons as well using props.conf+transforms.conf, however I fear those may get confused by the colons in the From: and To: values. Consider setting up regex-based extractions if that confusion does happen.

Here's a rough sketch of how colon-based key-value extractions might look for your sourcetype:

props.conf

[your_sourcetype]
...
TRANSFORMS-colons = colons

transforms.conf

[colons]
REGEX = (?<_KEY_1>\w+):\s+(?<_VAL_1>\S+)

See http://docs.splunk.com/Documentation/Splunk/6.0.3/Admin/transformsconf for reference, search for "key".
Note, I've made the assumption that values are a string of non-space characters due to laziness - your reality may be more complicated.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...