topic Looking for a phone # in logs using Splunk in Splunk Search

Looking for a phone # in logs using Splunk

cadeli — Sat, 05 Feb 2011 08:01:10 GMT

Newbie here, please help.

Trying to search/filter for all occurrences of phone #s in my logs. Regex would be [0-9] \ {10}. I don't have a key-value pair, my log looks similar to this: "This is an incoming call from 4151111111 on trunk 10.10.01.01 and was processed ok."

Later on, I will have to filter all occurences of calls from ANY #, ONLY on the specified trunk.

Thanks! A.C.

Re: Looking for a phone # in logs using Splunk

dwaddle — Sat, 05 Feb 2011 10:46:29 GMT

Try something like this for your search:

incoming call | where match(_raw,"\d{10}")

Re: Looking for a phone # in logs using Splunk

Paolo_Prigione — Sat, 05 Feb 2011 10:48:41 GMT

I'd suggest to build a field out of it in any case...

You can use the interactive field extractor to get that:

pop a search for "this is an incoming call"
right-click the little triangle on the left of a matching event
select "extract fields"
provide some examples of phone #s
Test
if satisfied save and provide a field name

The modified config files will reside in:

$SPLUNK_HOME/etc/users/<username>/<appname>/local/

As a faster alternative, locate the proper props.conf file where your sourcetype stanza is specified and append this line to such a stanza:

EXTRACT-phone = (?i)incoming call from (?<phonenum>\d+) on trunk (?<trunk>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

then pop a search like

"this is an incoming call" | extract reload=true

to reload the configuration and see if Splunk got the new fields.

Re: Looking for a phone # in logs using Splunk

cadeli — Sat, 05 Feb 2011 12:02:56 GMT

Thank you, this is very helpful. I followed the steps. The extracted field looks like this:

Message="Port : 0X55555553B : This is an incoming call from 4151111111;phone-context=+1@10.10.01.01, To 8888888888;phone-context=+1."

It is a blob text, I have no key/value pairs in there to play with.

I am interested in "This is an incomings call" and the IP address but I have this blob text with specific FROM and TO phone numbers in between and I have to make the "Message" generic enough to catch all logs, for all phone #s.

Argh. Working on it, your answer helped!

Re: Looking for a phone # in logs using Splunk

cadeli — Sat, 05 Feb 2011 12:07:00 GMT

Thank you. When I use it as above, I catch too many logs, including the ones that have just "incoming" or "call" in them. If I use "incoming call" I don't get anything. Still digging 🙂

Re: Looking for a phone # in logs using Splunk

cadeli — Sat, 05 Feb 2011 12:09:59 GMT

I should change the name of the Question/Thread because in fact I am looking for a way to catch ALL phone numbers.

Re: Looking for a phone # in logs using Splunk

Lowell — Tue, 08 Feb 2011 00:00:22 GMT

cadeli, please update your original question (use the "edit" link) to include additional examples of what your event looks like and what phone numbers you are looking to extract. Be sure to include examples of different types of events that you would like to extract phone #s from (it sounds like you may have multiple formats, based on the fact that your question and your above comment show two different message formats.)