Common EDR Format

EDR Common Format

All Event Data Records (EDRs) generated by n2svcd (and associated packages such as n2sip, n2scp) have the same basic syntax and record format.

Here is an example complete EDR file containing only one EDR:

#HEADER|FILENAME=/tmp/edr/n2svcd_candyfloss_20210322005441924721_131977.edr|TIME_START=1616374481|HOSTNAME=testscp-01
2021-03-22 00:54:41.919<SCP-DUMMY-1616374153-1893f994>SHUTDOWN|EXCEPTION=Overdue TCAP response for ERBCSM %5B2%5D.
#FOOTER|TIME_FINISH=1616374485|NUM_EDRS=1|NUM_BYTES=233

EDR Lines

Each EDR is a single “line” in the file, terminated by a LF.

There are three special fields at the start of each record, followed by none or more standard fields specific to the event type.

Here is an example EDR line:

2021-03-24 01:16:09.689<N2DSG-SCP2-1616548284-1bd93fac>DIAMETER-A|ACTION=continue|BAL_EXP=1|
BAL_VALUE=123|BEARER=voice|CHARGE_ID=n2|COST_EXP=10|COST_VALUE=456|CURRENCY=554|CUSTOM1=1|
DIAMETER_SID=test%3BN2DSG-SCP2%3B6943023212456991433|IDP_KEY=TERM:6421300400:368c023c|
LOCATION=6421200300|LOGICAL=6421001023|MSC=6421300400|NETWORK=home|RC_MSCC=2001|RC_ROOT=2001|
REQ_NUM=4|REQ_TYPE=3|SERVICE_KEY=31|VLR=6421200300

Note that extra line breaks have been inserted for readability. In practice, this is all one single line.

In this case the special fields are:

Special Fields

Event Log Timestamp

This is the time at which the originating application determined that this EDR should be generated.

This is in UTC (aka GMT), and is in YYYY-MM-DD HH:MM:SS.sss format.

The EDR is encoded, and sent through the shared message bus to the EdrApp, where it might also spend some time in-memory before being written to disk. So the actual write-to-disk time will naturally be slightly after this timestamp.

Conversely, this actual inbound message or event which caused this EDR will of course have happened slightly prior to this time. There will then be additional processing, including perhaps confirmation delay. Hence, when interpreting this timestamp, it is important to consider “at what point in the overall processing” was this EDR generated.

Key Field

This field is a key for a specific “call instance” within a specific application. It is constructed from three separate components, connected with a hyphen - character.

  1. The Application Name.
  2. The Application Start Epoch.
  3. The Instance IDX.

The Application Name is the n2svcd application name as configured in the n2svcd.xml service daemon configuration file. It consists of a name part (alphanumeric, space, underscore, hypen), with an optional (colon + integer) “repeat number”, depending on the configuration.

The application name must match the POSIX RegEx: /^[a-zA-Z0-9 _\-]+(:[0-9]+)?$/

An application will have the :[0-9]+ suffix when it has been “repeated” for performance reasons. I.e. multiple copies of that application are being run, each in a separate process.

The Application Start Epoch is the integer “epoch” time at which this application was last started. If an application dies and is restarted by the WatchdogApp then it will have a new epoch time, hence ensuring that the Instance IDX is still unique.

The Instance IDX is an automatically assigned hex value for each processing context managed by an application. An instance may be a voice call, or a REST request/response pair, or a start-to-finishe execution of a LUA script.

The instance IDX must match the POSIX RegEx: /^[0-9a-f]{8}$/

When an application starts up, it choosing a random starting point for the Instance IDX field, and then increments by one for each new call instance (rotating if it reaches ffffffff).

There is of course a small chance that one application will choose an Instance IDX which overlaps with the values chosen randomly by one of the other applications. Equally, there is a small chance that an application (after dying and being restarted) will choose an Instance IDX which overlaps with the values used by its previous incarnation.

However, the combined three-part field with Name, Start Epoch, and IDX is guaranteed to be completely unique.

Event Type

The event type is a string which indicates the nature of the event which is being recorded.

The event type must match the POSIX RegEx: /^[a-zA-Z][a-zA-Z0-9_\-]*$/

The event type then determines what additional standard fields may then follow.

Standard Fields

Each standard field is separated by a vertical pipe | character.

Each standard field consists of a field name, then an equals = character, then a field simple scalar value or list of simple scalar values.

The field name must match the POSIX RegEx: /^[a-zA-Z][a-zA-Z0-9_\-]*$/

Standard Field Values (Scalar)

A scalar field value is represented in ASCII, with some characters “escaped” using the % percent-encoding syntax which is standard for Uniform Resource Identifiers (URI) on the Internet.

Safe characters must match this POSIX RegEx: /A-Za-z0-9\-\._~:; \/@/

This is similar to RFC 3986, except that extra characters are considered “safe” in EDR lines, which are not strictly “safe” in RFC 3986. This is a pragmatic decision made for readability, since these characters are quite common in EDR records for some key applications. These additional fields are:

(:) COLON
(;) SEMICOLON
( ) SPACE
(/) SLASH
(@) AT SIGN

All non-safe characters will be replaced with % specifying the ASCII character code. For example, the equals character = in an EDR field value will be represented by %3D. The percent character % itself is represented by %25.

An “undefined” value is represented by the empty string. When reading an EDR file, there is no way to distinguish between an EDR field with zero-length (empty) string value and one with an undefined value.

Standard Field Values (List)

A standard field value may consiste of a “list” of values.

In this case, an unescaped comma character , separator is used. For example, a list of played announcement IDs with field name PID and two list entries 300 and 301 would be represented in the EDR file as:

PID=300,301

A list of scalars is the most complex format supported by the EDR. Nested sub-fields are not supported.

Every EDR file begins with a #HEADER line.

#HEADER|FILENAME=(full file path)|TIME_START=(epoch)|HOSTNAME=(hostname)

This consists of the string #HEADER, followed by three header fields. These are also separated by a vertical pipe | character, and have name and value parts separated by an equals = character.

The header field names are:

Every well-formed EDR file begins with a #FOOTER line.

#FOOTER|TIME_FINISH=1616374485|NUM_EDRS=1|NUM_BYTES=233

This consists of the string #FOOTER, followed by three header fields. These are also separated by a vertical pipe | character, and have name and value parts separated by an equals = character.

The footer field names are:

The NUM_EDRS includes only the EDR lines. The #HEADER and #FOOTER lines are not included in this count.

The NUM_BYTES includes the bytes for the #HEADER line, and all of the bytes for the EDR lines, including the one-byte for the LF (line feed) character written for the header and EDR lines. It does not include the bytes for the #FOOTER itself.