Splunk Search

Extract Area Code From Phone Numbers

IRHM73
Motivator

Hi,

I wonder whether someone may be able to help me please.

I have a list of telephone numbers of varying length, but all with an area code at the beginning e.g. 44 for the UK.

What I'm trying to do is put together a regex which looks to see if the first three characters match 350, if they do then extract those 3 digits into my new field, or if they match 44, then extract those 2 digits into the same field.

This is what I've put together so far:

| rex field=telno "350?(?<area_code>\d{3})|44?(?area_code>\d{2})"

I've clearly gone wrong, because Splunk is returning an "unrecognised character" error.

Could someone possibly look at this please and offer some guidance on where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma

DavidHourani
Super Champion

Hi @IRHM73,

What you're looking for is way easier than what you've built, something like this:

 | rex field=telno "(?<area_code>^350|^44)"

This will grab 350 if your number starts with that or 44 if it starts with that. Feel free to add the + sign if you need it. You can use www.regex101.com to validate your regexes; it makes everything much easier.

Cheers,
David

0 Karma
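
The behaviour discussed in the question and the accepted answer, as an added example that is not part of the original thread: it checks the patterns offline in JavaScript, whose named-group syntax matches the one used in the `rex` commands above. The function names and sample numbers are constructed for illustration, and using JavaScript's regex engine in place of Splunk's is an assumption.

```javascript
// Added example, not code from the thread. Assumption: JavaScript's regex
// engine stands in for Splunk's; the constructs used here are common to both.

// Pattern from the accepted answer, with the optional leading "+" it mentions.
const AREA_CODE = /^\+?(?<area_code>350|44)/;

// Returns the area code, or null when the number starts with neither prefix.
function extractAreaCode(telno) {
  const m = AREA_CODE.exec(String(telno).trim());
  return m ? m.groups.area_code : null;
}

// Returns true when a pattern string compiles, false on a syntax error.
function compiles(pattern) {
  try {
    new RegExp(pattern);
    return true;
  } catch (e) {
    return false;
  }
}

// The question's pattern: the second group reads "(?area_code>" with no "<",
// so the engine rejects it before any event is examined.
const ORIGINAL = "350?(?<area_code>\\d{3})|44?(?area_code>\\d{2})";

// First branch of the question's pattern on its own: "350?" consumes "35" and
// an optional "0", so the group captures the three digits AFTER the prefix,
// not the prefix itself.
function firstBranchCapture(telno) {
  const m = /350?(?<area_code>\d{3})/.exec(telno);
  return m ? m.groups.area_code : null;
}

// Constructed sample numbers, not data from the thread.
const SAMPLES = ["35020012345", "447700900123", "+447700900123", "12025550100"];

for (const telno of SAMPLES) {
  console.log(telno, "->", extractAreaCode(telno));
}
console.log("original pattern compiles:", compiles(ORIGINAL));
console.log("first branch captures:", firstBranchCapture(SAMPLES[0]));
```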


IRHM73
Motivator

Hi @DavidHourani . Thank you for your reply and solution. It works great.

Kind regards

Chris

0 Karma

harsmarvania57
SplunkTrust

Can you please provide some sample data (please mask any sensitive data)? I didn't get your question properly. Do you want to extract 350 and 44 into the same field, or do you want to extract the number after 350 and 44?

0 Karma

IRHM73
Motivator

Hi @harsmarvania57 . Thank you for taking the time to reply.

Your solution worked great.

Thank you and kind regards

Chris

0 Karma

harsmarvania57
SplunkTrust

Great, earlier I thought that you wanted the area code as the number after 350 and 44, and that's why I deleted my answer earlier.

0 Karma