Solved: How to change phone number format in splunk

ajees_basha · ‎06-03-2021

how can we change the phone number format. i used sed mod it is working fine but i want to store the formatted phone number in separate variable,

for ex: 123-123-1234 to 1231231234

Any help will be highly appreciated. Thanks in advance.

gcusello · ‎06-03-2021

HI @ajees_basha,

let me understand:

you have phone numbers in format 123-123-1234: three groups divided by "-";
you want to store the three groups in three fields (e.g. ph1, ph2 and ph3);
then you want to store the full number (without "-") in a field called e.g. "phone";

is it correct?

If this is your need, try something like this:

| makeresults count=1 
| eval orig_num="123-123-1234"
| rex field=orig_num "^(?<ph1>\w+)-(?<ph2>\w+)-(?<ph3>\w+)"
| rex field=orig_num mode=sed "s/-//g"

Ciao.

Giuseppe

View solution in original post

richgalloway · ‎06-03-2021

If you used sed successfully, then you have what you need. Just use eval to copy the field then use sed to format the copy and now you have the formatted number in a separate "variable".

---
If this reply helps you, Karma would be appreciated.

ITWhisperer · ‎06-03-2021

Do you want to do this at ingestion or at search time?

ajees_basha · ‎06-03-2021

@ITWhisperer at search time

kamlesh_vaghela · ‎06-03-2021

@ajees_basha

You can try by updating props.cof also.

[YOUR_SOURCE_TYPE]
EVAL-new_phone_number = replace(phone_number,"-","")

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

gcusello · ‎06-03-2021

HI @ajees_basha,

let me understand:

you have phone numbers in format 123-123-1234: three groups divided by "-";
you want to store the three groups in three fields (e.g. ph1, ph2 and ph3);
then you want to store the full number (without "-") in a field called e.g. "phone";

is it correct?

If this is your need, try something like this:

| makeresults count=1 
| eval orig_num="123-123-1234"
| rex field=orig_num "^(?<ph1>\w+)-(?<ph2>\w+)-(?<ph3>\w+)"
| rex field=orig_num mode=sed "s/-//g"

Ciao.

Giuseppe

ajees_basha · ‎06-03-2021

@gcusello yes i want to remove the hyphens(-) between phone number and store the formatted number(without hyphen) in a separate variable

gcusello · ‎06-03-2021

Hi @ajees_basha,

is mine or one of the other answers good for you?

Tell us if you need more help, otherwise, please, accept one answer for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated by all the Contributors 😉

ajees_basha · ‎06-03-2021

@gcusello Thank you. sorry to bother you..just one quick doubt is there a way we change the number from

1234567890 to 123-456-7890

gcusello · ‎06-03-2021

HI @ajees_basha,

in this case you have to do the opporite operation using the substr option in the eval command, something like this:

| makeresults count=1
| eval my_field="1234567890"
| eval phone=substr(my_field,1,3)."-".substr(my_field,4,3)."-".substr(my_field,7,4)
| table phone

Ciao.

Giuseppe

ajees_basha · ‎06-03-2021

@ITWhisperer @gcusello @kamlesh_vaghela @richgalloway @bowesmana any help will be highly appreciated

How to change phone number format in splunk

chart

eval

field extraction

join

stats

subsearch

timechart

transaction

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...