https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614585#M213588 <P>Hi all,</P> <P>I'm trying to get a list of phone numbers for each event by sessionId. I can't quite figure it out. I think I need to use some sort of rex command. Here's what I have so far.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=convo (input_type=VOICE OR input_type=SPEECH) botId=123456789 customerANI | rex field=phone "\+1(?&lt;phone_number&gt;\d{10})" | stats values(phone) as PhoneNumber by sessionId</LI-CODE> <P>&nbsp;</P> <P>Example event:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">2022-09-26T06:18:41,105+0000 [INFO ] level=INFO [https-jssa-exec-10]-[tid=be75a0f9-9039-41ea-8104-afe25cfa7177 authId=123456789 sessionId=10987654321 test=false botId=123456789 cfBotId=123456789 offl_TKT=true proto=V2 platform=WEB input_type=SPEECH appId=web.intlgntsys.cui.sbgiva sku= pn= cid=123456789123456789 convo=service_routing_info_call]-[ServiceClient]-[55 ] ExecutingRequest requestState=executing action=contact_channels input={"appName":"voice_bot","language":"en","locale":"en-us","query":"talk with an agent","inputs":{"customerQuestion":"a wrong charge","DNIS":"+18008008000","Level":"|","Year":"2019","universalId":"123456789","Rating":"|","edition":"Blue|Yellow|Green","experience":"phone","sku":"0","intent":"BILLING","platform":"web","customerANI":"+15555555555"}}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 26 Sep 2022 19:27:40 GMT KyleMcDougall 2022-09-26T19:27:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614585#M213588 <P>Hi all,</P> <P>I'm trying to get a list of phone numbers for each event by sessionId. I can't quite figure it out. I think I need to use some sort of rex command. Here's what I have so far.</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=convo (input_type=VOICE OR input_type=SPEECH) botId=123456789 customerANI | rex field=phone "\+1(?&lt;phone_number&gt;\d{10})" | stats values(phone) as PhoneNumber by sessionId</LI-CODE> <P>&nbsp;</P> <P>Example event:</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">2022-09-26T06:18:41,105+0000 [INFO ] level=INFO [https-jssa-exec-10]-[tid=be75a0f9-9039-41ea-8104-afe25cfa7177 authId=123456789 sessionId=10987654321 test=false botId=123456789 cfBotId=123456789 offl_TKT=true proto=V2 platform=WEB input_type=SPEECH appId=web.intlgntsys.cui.sbgiva sku= pn= cid=123456789123456789 convo=service_routing_info_call]-[ServiceClient]-[55 ] ExecutingRequest requestState=executing action=contact_channels input={"appName":"voice_bot","language":"en","locale":"en-us","query":"talk with an agent","inputs":{"customerQuestion":"a wrong charge","DNIS":"+18008008000","Level":"|","Year":"2019","universalId":"123456789","Rating":"|","edition":"Blue|Yellow|Green","experience":"phone","sku":"0","intent":"BILLING","platform":"web","customerANI":"+15555555555"}}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 26 Sep 2022 19:27:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614585#M213588 KyleMcDougall 2022-09-26T19:27:40Z https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614587#M213589 <P>If you are sure that the field which includes the phone number ist called "phone" then the extraction should work. Since you want a list of phone numbers though, the second part of your query should use the extracted field:</P><P><STRONG>| stats values(phone_number) as PhoneNumber by sessionId<BR /><BR /></STRONG></P><P>_______________________________________</P><P>If this was helpful please consider awarding Karma. Thx!</P><P><STRONG>&nbsp;</STRONG></P> Mon, 26 Sep 2022 16:05:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614587#M213589 FelixLeh 2022-09-26T16:05:49Z https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614589#M213590 <P>The current query I have doesn't work. I just added phone_number for the sake of understanding in this thread.</P><P>In the event below, the phone number is listed as: 15555555555</P> Mon, 26 Sep 2022 16:11:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614589#M213590 KyleMcDougall 2022-09-26T16:11:43Z https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614591#M213591 <P>If the Event Example is the _raw data of the event then this should work:</P><P><STRONG>| rex field=_raw "\"customerANI\"\:\"\+1(?&lt;phone_number&gt;\d{10})"<BR />| stats values(phone_number) as PhoneNumber by sessionId<BR /></STRONG></P><P>&nbsp;</P><P><STRONG>EDIT:&nbsp;</STRONG>for clarification,&nbsp;the query from my first answer obviously would still need the extraction:</P><P><STRONG>| rex field=phone "\+1(?&lt;phone_number&gt;\d{10})"<BR /></STRONG><STRONG>| stats values(phone_number) as PhoneNumber by sessionId</STRONG></P><P>_______________________________________</P><P>If this was helpful please consider awarding Karma. Thx!</P> Mon, 26 Sep 2022 16:53:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-get-query-to-extract-phone-numbers-from-an-event/m-p/614591#M213591 FelixLeh 2022-09-26T16:53:12Z