Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract Area Code From Phone Numbers

IRHM73
Motivator
‎05-16-2019 01:59 AM

Hi,

I wonder whether someone may be able to help me please.

I have a list of telephone numbers of varying length, but all with an area code at the beginning e.g. 44 for the UK.

What I'm trying to do is put together a regex which looks to see if the first three characters match 350, if they do then extract those 3 digits into my new field, or if they match 44, the extract those 2 digits into the same field.

This is what I've put together so far:

| rex field=telno "350?(?<area_code>\d{3})|44?(?area_code>\d{2})"

I've clearly gone wrong, because Splunk is returning a "unrecognised character" error.

Could someone possibly look at this please and offer some guidance on where I've gone wrong.

Many thanks and kind regards

Chris

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎05-16-2019 03:02 AM

Hi @IRHM73,

What you're looking for is way easier than what you've built, something like this : 

 | rex field=telno "(?<area_code>^350|^44)"

This will grab 350 if your number starts with that or 44 if it starts with that. Feel free to add the + sign if you need it. You can use www.regex101.com to validate your regexes it makes everything much easier.

Cheers,
David

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DavidHourani
Super Champion
‎05-16-2019 03:02 AM

Hi @IRHM73,

What you're looking for is way easier than what you've built, something like this : 

 | rex field=telno "(?<area_code>^350|^44)"

This will grab 350 if your number starts with that or 44 if it starts with that. Feel free to add the + sign if you need it. You can use www.regex101.com to validate your regexes it makes everything much easier.

Cheers,
David

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎05-16-2019 03:26 AM

Hi @DavidHourani . Thank you for your reply and solution. It works great.

Kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎05-16-2019 02:34 AM

Can you please provide some sample data (Please mask any sensitive data) ? I didn't get your question properly, do you want to extract 350 and 44 into same field or do you want to extract number after 350 and 44 ?

0 Karma
Reply
Solved! Jump to solution

IRHM73
Motivator
‎05-16-2019 03:25 AM

Hi @harsmarvania57 . Thank you for taking the time to reply.

Your solution worked great.

Thank you and kind regards

Chris

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎05-16-2019 03:41 AM

Great, earlier I thought that you want area code as number after 350 and 44 & that's why I deleted my answer earlier.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...