Skip to content

Examples: Correlation MAPPING

Jump to bottom Edit New page
Alexandr Dubovikov edited this page May 20, 2019 · 24 revisions

For example you have SIP CALLS and all SIP messages has been stored in the table hep_proto_1_call

For this protocol HEP: 1 , Profile: Call, you can make an additonal correlation MAPPING:

Screenshot from 2019-05-20 13-59-14

Click EDIT and in the MAPPING you can add your custom logic.

I.e. you would like to correlate SIP traffic to your LOG: we take callid from JSON body of hep_proto_1_call and do lookup to HEP: 100 (logs), profile: default in destination field: sid, in the timerange (original) from+=-300, to+=200

the SQL query will look like : select * from hep_proto_100_default where sid = 'CALLID';

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

here is example how to do correlation to another protocol: RTCP JSON, HEP: 5, desination SID can be any header from your JSON body.

[  
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

Screenshot from 2019-05-20 14-03-36

and of coruse you can combine the mappings:

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  },
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]
Add a custom footer
Add a custom sidebar
Clone this wiki locally