Skip to content

Examples: Correlation MAPPING

Jump to bottom Edit New page
Paul Dee edited this page May 31, 2020 · 24 revisions

Let's say you have SIP CALLS, and all SIP messages have been stored in the table hep_proto_1_call

For this protocol HEP ID: 1, Profile: Call, you can make an additional correlation MAPPING:

Screenshot from 2019-05-20 13-59-14

Click to EDIT (the blue wrench in the above picture) and in the MAPPING, add your custom logic.

E.g. you want to correlate SIP traffic to your LOGs which are stored in hep_proto_100_logs: we take callid from JSON body of hep_proto_1_call (below: "source_field": "data_header.callid",) and do the lookup to HEP: 100 (logs), profile: default in destination field: sid, in the time-range (original) from+=-300, to+=200.

The SQL query will look like : select * from hep_proto_100_default where sid = 'CALLID';

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

Here is an example of how to do correlation to another protocol: RTCP JSON, HEP: 5, destination SID can be any header from your JSON body.

[  
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

Screenshot from 2019-05-20 14-03-36

and of course you can combine the mappings:

[
  {
    "source_field": "data_header.callid",
    "lookup_id": 100,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  },
  {
    "source_field": "data_header.callid",
    "lookup_id": 5,
    "lookup_profile": "default",
    "lookup_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  }
]

SIP-ISUP correlation.

input_function will remove any leading 0 from the number and put array back. post_aggregation_field: sid will aggregate the calls with the same SID (OPC:DPC:CIC)

So the resulting SQL query might look like:

select * from hep_proto_54_default where data_header->'calling_number' IN ('0123456', 123456', '123456') and create_date BETWEEN '2019-02-02-XXXX' AND '2019-02-02-YYYYY'

and second

select * from hep_proto_54_default where sid IN ('SID_FROM_LAST_QUERY' )

This is achieved with the following correlation mapping:

  {
    "source_field": "data_header.from_user",
    "lookup_id": 54,
    "lookup_match_field": "data_header.method",
    "lookup_match_value": [
      "INVITE"
    ],
    "input_function": "data.forEach(function(el) {if(el.charAt(0) === '0') data.push(el.substr(1));});return data",
    "lookup_match_first": true,
    "lookup_profile": "default",
    "lookup_field": "data_header->>calling_number",
    "post_aggregation_field": "sid",
    "lookup_range": [
      -300,
      200
    ]
  },

Remote Mapping

Correlation requests can be emitted to entities through the HEP pub-sub API, and dispatched by type. The following example will emit a data request to any entity providing cdr capabilities using the source_field specified in the mapping configuration:

    {
      source_field: 'data_header.callid',
      lookup_id: 0,
      lookup_type: "pubsub",
      lookup_profile: 'cdr',
      lookup_field: '{"data":$source_field,"fromts":$fromts,"tots":$tots}',
      lookup_range: [-300, 200],
    }
Add a custom footer
Add a custom sidebar
Clone this wiki locally