
Examples: Correlation MAPPING

Paul Dee edited this page May 15, 2020 · 24 revisions

For example, suppose you have SIP calls and all SIP messages are stored in the table hep_proto_1_call.

For this protocol (HEP: 1, Profile: Call), you can define an additional correlation MAPPING:


Click EDIT and in the MAPPING you can add your custom logic.

For example, to correlate SIP traffic with your logs: we take callid from the JSON body of hep_proto_1_call and look it up in HEP: 100 (logs), profile: default, in the destination field sid, within the (original) time range adjusted by from+=-300, to+=200.

The SQL query will look like: select * from hep_proto_100_default where sid = 'CALLID';

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

Here is an example of correlating to another protocol: RTCP JSON, HEP: 5. The destination SID can be any header from your JSON body.

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]


And of course you can combine the mappings:

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  },
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

SIP-ISUP correlation.

input_function removes the leading 0 from each number and returns the array with the stripped variants appended. post_aggregation_field: sid aggregates the calls with the same SID (OPC:DPC:CIC).

So the SQL query will look like:

select * from hep_proto_54_default where data_header->'calling_number' IN ('0123456', '123456', '123456') and create_date BETWEEN '2019-02-02-XXXX' AND '2019-02-02-YYYYY'

and the second:

select * from hep_proto_54_default where sid IN ('SID_FROM_LAST_QUERY' )

The mapping for this correlation:

[
  {
    "source_field": "data_header.from_user",
    "lookup_id": 54,
    "lookup_match_field": "data_header.method",
    "lookup_match_value": [
      "INVITE"
    ],
    "input_function": "data.forEach(function(el) {if(el.charAt(0) === '0') data.push(el.substr(1));});return data",
    "lookup_match_first": true,
    "lookup_profile": "default",
    "lookup_field": "data_header->>calling_number",
    "post_aggregation_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]
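
How a mapping entry expands into the lookup queries shown on this page, as an added JavaScript sketch (not HOMER's own code). The helpers resolvePath and expandMapping, the sample record and the from/to values are assumptions; lookup_match_* and post_aggregation_field are not modelled. Values that originate in SIP traffic are passed as bound parameters, and the mapping fields that form identifiers are validated.

```javascript
'use strict';
// Added sketch, not HOMER code. resolvePath/expandMapping are hypothetical helpers.

// Walk a dotted path such as "data_header.from_user" through a record.
function resolvePath(record, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), record);
}

function expandMapping(mapping, record, from, to) {
  // lookup_id and lookup_profile form the table name, so accept only safe tokens.
  if (!Number.isInteger(mapping.lookup_id) || mapping.lookup_id < 0) throw new Error('bad lookup_id');
  if (!/^[a-z0-9_]+$/.test(mapping.lookup_profile)) throw new Error('bad lookup_profile');
  // lookup_field is a column ("sid") or column->>key ("data_header->>calling_number").
  const m = /^([a-z_][a-z0-9_]*)(?:->>([a-z_][a-z0-9_]*))?$/.exec(mapping.lookup_field);
  if (!m) throw new Error('bad lookup_field');
  const column = m[2] ? `${m[1]}->>'${m[2]}'` : m[1];

  const found = resolvePath(record, mapping.source_field);
  let values = (Array.isArray(found) ? found : found == null ? [] : [found]).map(String);
  if (mapping.input_function) {
    // The string is a function body over `data`. It runs as code here, so
    // treat edit rights on mappings as code-execution rights.
    values = new Function('data', mapping.input_function)(values);
  }
  if (!Array.isArray(values) || values.length === 0) throw new Error('no lookup values');

  // Values taken from SIP traffic are bound as parameters, never spliced into the SQL.
  const marks = values.map((_, i) => `$${i + 1}`).join(', ');
  const n = values.length;
  return {
    text: `SELECT * FROM hep_proto_${mapping.lookup_id}_${mapping.lookup_profile} ` +
          `WHERE ${column} IN (${marks}) AND create_date BETWEEN $${n + 1} AND $${n + 2}`,
    // lookup_range offsets widen the original window: from += range[0], to += range[1].
    params: [...values, from + mapping.lookup_range[0], to + mapping.lookup_range[1]],
  };
}

// Constructed sample: the SIP-ISUP mapping fields from this page and a made-up SIP record.
const isupMapping = {
  source_field: 'data_header.from_user',
  lookup_id: 54,
  lookup_profile: 'default',
  lookup_field: 'data_header->>calling_number',
  input_function: "data.forEach(function(el) {if(el.charAt(0) === '0') data.push(el.substr(1));});return data",
  lookup_range: [-300, 200],
};
const sample = { data_header: { from_user: '0123456', callid: 'abc@host' } };
console.log(expandMapping(isupMapping, sample, 1000, 2000));
```
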

Remote Mapping

Correlation requests can be emitted to entities through the HEP pub-sub API, and dispatched by type. The following example will emit a data request to any entity providing cdr capabilities using the source_field specified in the mapping configuration:

    {
      source_field: 'data_header.callid',
      lookup_id: 0,
      lookup_type: "pubsub",
      lookup_profile: 'cdr',
      lookup_field: '{"data":$source_field,"fromts":$fromts,"tots":$tots}',
      lookup_range: [-300, 200],
    }