Splunk Search

How do I get my search to return all associated sessionIDs based on user input with values that can be in 3 different formats?

servlette
Engager

Hi,

I have something like the following which gets logged:

sessionId=A,phone=4155550123
sessionId=B,phone=14155550123
sessionId=C,phone=+14155550123
sessionId=D,phone=4085550123

I'm trying to come up with a dashboard where I have a text field that takes a phone number as input.

If user enters the phone number value as one of the following:

4155550123 or 14155550123 or +14155550123, then I want to get all the session IDs associated.

In a nutshell, I have the same phone number logged in different formats and I still need to get all the session IDs associated with the given phone.

index=myIndex phone=$phoneNumber$ | table sessionId

If I replace $phoneNumber$ with 4155550123 or +14155550123 or 14155550123, then I would like to see A, B, and C in my search result.

0 Karma

woodcock
Esteemed Legend

I gave you an answer that works efficiently by operating on metadata. You can work with eval and other post-pipe commands (e.g. regex) but your search efficiency will suffer (which may or may not be important to you).

index=myIndex | regex phone="4155550123$"
0 Karma

woodcock
Esteemed Legend

If you have a search-time extraction (probably) then you will need to take a look at this Q&A and modify fields.conf so it works the way you expect:

https://answers.splunk.com/answers/267175/search-does-not-return-results-for-some-values-of.html

Once that is done, you should be able to do this:

index=myIndex phone="$phoneNumber$" OR phone="1$phoneNumber$" OR phone="+1$phoneNumber$" | table sessionId
0 Karma

servlette
Engager

index=myIndex | eval last10Digits=substr($phoneNumber$, len($phoneNumber$)-9, 10) | where like (phone, "%".last10Digits."%")

This worked for me... I need to run some tests to verify...

0 Karma

servlette
Engager

What I did is something like this:

index=myIndex | eval last10Digits=substr($phoneNumber$, len($phoneNumber$)-9, 10) | where like (phone, "%last10Digits")

And it did not work.

0 Karma

servlette
Engager

It may not work if $phoneNumber$ is +14155550123, as I would like to see A, B and C in my search result if $phoneNumber$ is either 4155550123 or +14155550123 or 14155550123.

0 Karma

servlette
Engager

Assuming that user enters the phone number as 4155550123, then it gets translated to:

index=myIndex phone=4155550123 OR phone=14155550123 OR phone=+14155550123

And the search result will have A, B and C.

If it is entered as +14155550123, then it will be:

index=myIndex phone=+14155550123 OR phone=1+14155550123 OR Phone=+1+14155550123.

I guess the search result will only have A (whereas the expectation is A, B and C).

This may work only if the user enters it as 4155550123 (with no country code), and it may not work if 14155550123 or +14155550123 is used for searching.

What I'm interested in is that, irrespective of whatever the input format is, I would like to have A, B and C in my search result.

0 Karma
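The failure mode described in the last post (a "+1" input getting a second prefix glued on) goes away if the dashboard input is normalised to its last 10 digits before the OR-search is built. The following is an added example written for this thread, not code from any of the posters; it models the search-time comparison in Python over constructed sample events in the same format as the original post, and the index name and sample values are assumptions.

```python
import re

# Constructed sample events, modelled on the log lines in the question (not real data).
SAMPLE_EVENTS = [
    "sessionId=A,phone=4155550123",
    "sessionId=B,phone=14155550123",
    "sessionId=C,phone=+14155550123",
    "sessionId=D,phone=4085550123",
]


def last10_digits(value):
    """Drop every non-digit (the '+' and the country code) and keep the last
    10 digits, so all three logged formats collapse to the same key."""
    digits = re.sub(r"\D", "", value)
    if len(digits) < 10:
        # A dashboard input with fewer than 10 digits cannot identify a line;
        # rejecting it avoids a wildcard-like match on a short suffix.
        raise ValueError("phone number needs at least 10 digits: %r" % value)
    return digits[-10:]


def build_spl(user_input, index="myIndex"):
    """Build the OR-search from woodcock's answer, but anchored on the
    normalised 10-digit number so '+14155550123' no longer becomes '1+1...'."""
    base = last10_digits(user_input)
    variants = [base, "1" + base, "+1" + base]
    clause = " OR ".join('phone="%s"' % v for v in variants)
    return "index=%s %s | table sessionId" % (index, clause)


def parse_event(line):
    """Split 'sessionId=A,phone=...' into (sessionId, phone)."""
    fields = dict(kv.split("=", 1) for kv in line.split(","))
    return fields["sessionId"], fields["phone"]


def matching_sessions(events, user_input):
    """Model the comparison: normalise both the input and the logged value and
    compare the 10-digit keys, so the input format no longer matters."""
    key = last10_digits(user_input)
    return [sid for sid, phone in map(parse_event, events)
            if last10_digits(phone) == key]
```

The same normalisation can be written in SPL with the eval functions replace() and substr(), e.g. `eval phone_last10=substr(replace(phone, "\D", ""), -10)` and the same expression over "$phoneNumber$", then `where phone_last10=input_last10`; as woodcock notes, that post-pipe filtering is slower than matching on indexed values.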