topic Re: How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats? in Splunk Search

How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

servlette — Mon, 13 Jun 2016 22:44:28 GMT

Hi,

I have something like the following which gets logged:

sessionId=A,phone=4155550123
sessionId=B,phone=14155550123
sessionId=C,phone=+14155550123
sessionId=D,phone=4085550123

I'm trying to come up with a dashboard where I have a text field that takes a phone number as input.

If user enters the phone number value as one of the following:

4155550123 or 14155550123 or +14155550123, then I want to get all the session ID's associated.

In a nutshell, I have the same phone number logged in different formats and I still need to get all the session ID's associated with the given phone.

index=myIndex phone=$phoneNumber$ | table sessionId

If I replace $phoneNumber$ with 4155550123 or +14155550123 or 14155550123, then I would like to A, B, and C in my search result.

Re: How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

woodcock — Mon, 13 Jun 2016 22:50:38 GMT

If you have a search-time extraction (probably) then you will need to take a look at this Q&A and modify fields.conf so it works they way you expect:

https://answers.splunk.com/answers/267175/search-does-not-return-results-for-some-values-of.html

Once that is done, you should be able to do this:

 index=myIndex phone="$phoneNumber$" OR phone="1$phoneNumber$" OR phone="+1$phoneNumber$" | table sessionId

Re: How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

servlette — Mon, 13 Jun 2016 23:02:23 GMT

Assuming that user enters the phone number as 4155550123, then it gets translated to:

index=myIndex phone=4155550123 OR phone=14155550123 OR phone=+14155550123

And the search result will have A, B and C.

If it is entered as +14155550123, then it will be:

index=myIndex phone=+14155550123 OR phone=1+14155550123 OR Phone=+1+14155550123.

I guess the search result will only have A (whereas the expectation is A, B and C).

This may work only if user enters it as 4155550123 (with no country code) and it may not work for 14155550123 or +14155550123 is used for searching.

What I'm interested in is that irrespective of whatever the input format is I would like to have A, B and C in my search result.

Re: How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

servlette — Mon, 13 Jun 2016 23:07:57 GMT

It may not work if $phoneNumber$ is +14155550123 as I would like to see A,B and C in my search result if $phoneNumber$ is either 4155550123 or +14155550123 or 14155550123.

Re: How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

servlette — Mon, 13 Jun 2016 23:35:39 GMT

What I did is something like this:

index=myIndex | eval last10Digits=substr($phoneNumber$, len($phoneNumber$)-9, 10) | where like (phone, "%last10Digits")

And it did not work.

Re: How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

servlette — Mon, 13 Jun 2016 23:58:56 GMT

index=myIndex | eval last10Digits=substr($phoneNumber$, len($phoneNumber$)-9, 10) | where like (phone, "%".last10Digits."%")

This worked for me... I need to run some tests to verify...

Re: How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

woodcock — Tue, 14 Jun 2016 15:41:50 GMT

I gave you an answer that works efficiently by operating on metadata. You can work with eval and other post-pipe commands (e.g. regex ) but your search efficiency will suffer (which may or may not be important to you).

index=myIndex | regex phone="4155550123$"