Examples: Correlation MAPPING

Paul Dee edited this page May 31, 2020 · 24 revisions

Let's say you have SIP calls, with all SIP messages stored in the table hep_proto_1_call and your logs stored in hep_proto_100_logs.

For protocol HEP ID: 1, Profile: Call, you can make an additional correlation MAPPING. Click to EDIT (the blue wrench in the following picture):

Screenshot from 2019-05-20 13-59-14

And in the MAPPING, add your custom logic.

In this case, to correlate SIP call traffic with your logs stored in hep_proto_100_logs, we extract callid from the JSON body of hep_proto_1_call (below: "source_field": "data_header.callid") and look it up in HEP: 100 (logs), profile: default, in the destination field sid, within the original time range adjusted by from+=-300, to+=200.

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

The SQL query will look like:

select * from hep_proto_100_default where sid = 'CALLID';

RTCP JSON correlation

Here is an example of correlating to another protocol: RTCP JSON, HEP: 5 (below: "lookup_id": 5). The destination SID (below: "lookup_field": "sid") can be any header from your JSON body; here we choose callid, i.e. "source_field": "data_header.callid":

[  
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

And of course you can combine the mappings:

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  },
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

SIP-ISUP correlation

In the example below, input_function strips a leading 0 from each number and appends the stripped number to the array, keeping the original. post_aggregation_field: sid then aggregates the calls that share the same SID (OPC:DPC:CIC).

The resulting SQL query might look like:

select * from hep_proto_54_default where data_header->'calling_number' IN ('0123456', '123456', '123456') and create_date BETWEEN '2019-02-02-XXXX' AND '2019-02-02-YYYYY'

The second SQL query might look like:

select * from hep_proto_54_default where sid IN ('SID_FROM_LAST_QUERY' )

The following correlation mapping is necessary:

[
  {
    "source_field": "data_header.from_user",
    "lookup_id": 54,
    "lookup_match_field": "data_header.method",
    "lookup_match_value": [
      "INVITE"
    ],
    "input_function": "data.forEach(function(el) {if(el.charAt(0) === '0') data.push(el.substr(1));});return data",
    "lookup_match_first": true,
    "lookup_profile": "default",
    "lookup_field": "data_header->>calling_number",
    "post_aggregation_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]
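
The SIP-ISUP flow above as a runnable sketch (an added example, not Homer's own code): it applies the page's input_function to constructed rows and builds both queries with the number values bound as parameters, since from_user comes from network traffic. The helper names, the `$n` placeholders, the de-duplication and the reading of lookup_range as seconds are assumptions.

```javascript
// Added illustration, not Homer's code. Assumption: lookup_range is in seconds.
const mapping = { // the SIP-ISUP mapping from this page (only the fields used here)
  source_field: "data_header.from_user",
  lookup_id: 54, lookup_profile: "default",
  lookup_field: "data_header->>calling_number",
  input_function: "data.forEach(function(el) {if(el.charAt(0) === '0') data.push(el.substr(1));});return data",
  post_aggregation_field: "sid", lookup_range: [-300, 200],
};
const sampleRows = [{ data_header: { from_user: "0123456" } }, { data_header: {} }]; // constructed

// Resolve a dotted path such as "data_header.from_user" inside a row.
const pick = (row, path) => path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), row);

// input_function is code taken from the mapping: whoever can edit mappings
// decides what executes here, so mappings must be trusted configuration.
function expandValues(rows, m) {
  const data = rows.map((r) => pick(r, m.source_field)).filter((v) => typeof v === "string" && v !== "");
  return [...new Set(new Function("data", m.input_function)(data))];
}

// Table name built from the mapping, rejecting anything outside [A-Za-z0-9_].
function table(m) {
  if (!Number.isInteger(m.lookup_id) || !/^\w+$/.test(m.lookup_profile))
    throw new Error("bad lookup_id/lookup_profile");
  return `hep_proto_${m.lookup_id}_${m.lookup_profile}`;
}

// First query: lookup_field IN (expanded values) inside the shifted time window.
// Handles the column->>key form used by this mapping; values are bound as $n.
function firstQuery(values, m, fromSec, toSec) {
  const f = /^(\w+)->>(\w+)$/.exec(m.lookup_field);
  if (!f) throw new Error("bad lookup_field");
  const marks = values.map((_, i) => `$${i + 1}`).join(", ");
  const iso = (s) => new Date(s * 1000).toISOString();
  return {
    text: `select * from ${table(m)} where ${f[1]}->>'${f[2]}' IN (${marks}) ` +
      `and create_date BETWEEN $${values.length + 1} AND $${values.length + 2}`,
    params: [...values, iso(fromSec + m.lookup_range[0]), iso(toSec + m.lookup_range[1])],
  };
}

// Second query: fetch every row sharing the post_aggregation_field values.
function secondQuery(sids, m) {
  if (!/^\w+$/.test(m.post_aggregation_field)) throw new Error("bad post_aggregation_field");
  const marks = sids.map((_, i) => `$${i + 1}`).join(", ");
  return { text: `select * from ${table(m)} where ${m.post_aggregation_field} IN (${marks})`, params: sids };
}
```
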

Remote Mapping

Correlation requests can be emitted to entities through the HEP pub-sub API, and dispatched by type. The following example will emit a data request to any entity providing cdr capabilities using the source_field specified in the mapping configuration:

    {
      source_field: 'data_header.callid',
      lookup_id: 0,
      lookup_type: "pubsub",
      lookup_profile: 'cdr',
      lookup_field: '{"data":$source_field,"fromts":$fromts,"tots":$tots}',
      lookup_range: [-300, 200],
    }