Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get query to extract phone numbers from an ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi all,
I'm trying to get a list of phone numbers for each event by sessionId. I can't quite figure it out. I think I need to use some sort of rex command. Here's what I have so far.
index=convo (input_type=VOICE OR input_type=SPEECH) botId=123456789 customerANI
| rex field=phone "\+1(?<phone_number>\d{10})"
| stats values(phone) as PhoneNumber by sessionId
Example event:
2022-09-26T06:18:41,105+0000 [INFO ] level=INFO [https-jssa-exec-10]-[tid=be75a0f9-9039-41ea-8104-afe25cfa7177 authId=123456789 sessionId=10987654321 test=false botId=123456789 cfBotId=123456789 offl_TKT=true proto=V2 platform=WEB input_type=SPEECH appId=web.intlgntsys.cui.sbgiva sku= pn= cid=123456789123456789 convo=service_routing_info_call]-[ServiceClient]-[55 ] ExecutingRequest requestState=executing action=contact_channels input={"appName":"voice_bot","language":"en","locale":"en-us","query":"talk with an agent","inputs":{"customerQuestion":"a wrong charge","DNIS":"+18008008000","Level":"|","Year":"2019","universalId":"123456789","Rating":"|","edition":"Blue|Yellow|Green","experience":"phone","sku":"0","intent":"BILLING","platform":"web","customerANI":"+15555555555"}}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the Event Example is the _raw data of the event then this should work:
| rex field=_raw "\"customerANI\"\:\"\+1(?<phone_number>\d{10})"
| stats values(phone_number) as PhoneNumber by sessionId
EDIT: for clarification, the query from my first answer obviously would still need the extraction:
| rex field=phone "\+1(?<phone_number>\d{10})"
| stats values(phone_number) as PhoneNumber by sessionId
_______________________________________
If this was helpful please consider awarding Karma. Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are sure that the field which includes the phone number ist called "phone" then the extraction should work. Since you want a list of phone numbers though, the second part of your query should use the extracted field:
| stats values(phone_number) as PhoneNumber by sessionId
_______________________________________
If this was helpful please consider awarding Karma. Thx!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The current query I have doesn't work. I just added phone_number for the sake of understanding in this thread.
In the event below, the phone number is listed as: 15555555555
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the Event Example is the _raw data of the event then this should work:
| rex field=_raw "\"customerANI\"\:\"\+1(?<phone_number>\d{10})"
| stats values(phone_number) as PhoneNumber by sessionId
EDIT: for clarification, the query from my first answer obviously would still need the extraction:
| rex field=phone "\+1(?<phone_number>\d{10})"
| stats values(phone_number) as PhoneNumber by sessionId
_______________________________________
If this was helpful please consider awarding Karma. Thx!
Tech Talk Recap | Mastering Threat Hunting
Observability for AI Applications: Troubleshooting Latency
Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?
