- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Looking for a phone # in logs using Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking for a phone # in logs using Splunk
Newbie here, please help.
Trying to search/filter for all occurrences of phone #s in my logs. Regex would be [0-9] \ {10}. I don't have a key-value pair, my log looks similar to this: "This is an incoming call from 4151111111 on trunk 10.10.01.01 and was processed ok."
Later on, I will have to filter all occurences of calls from ANY #, ONLY on the specified trunk.
Thanks! A.C.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd suggest to build a field out of it in any case...
You can use the interactive field extractor to get that:
- pop a search for "this is an incoming call"
- right-click the little triangle on the left of a matching event
- select "extract fields"
- provide some examples of phone #s
- Test
- if satisfied save and provide a field name
The modified config files will reside in:
$SPLUNK_HOME/etc/users/<username>/<appname>/local/
As a faster alternative, locate the proper props.conf file where your sourcetype stanza is specified and append this line to such a stanza:
EXTRACT-phone = (?i)incoming call from (?<phonenum>\d+) on trunk (?<trunk>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
then pop a search like
"this is an incoming call" | extract reload=true
to reload the configuration and see if Splunk got the new fields.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
cadeli, please update your original question (use the "edit" link) to include additional examples of what your event looks like and what phone numbers you are looking to extract. Be sure to include examples of different types of events that you would like to extract phone #s from (it sounds like you may have multiple formats, based on the fact that your question and your above comment show two different message formats.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I should change the name of the Question/Thread because in fact I am looking for a way to catch ALL phone numbers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this is very helpful. I followed the steps. The extracted field looks like this:
Message="Port : 0X55555553B : This is an incoming call from 4151111111;phone-context=+1@10.10.01.01, To 8888888888;phone-context=+1."
It is a blob text, I have no key/value pairs in there to play with.
I am interested in "This is an incomings call" and the IP address but I have this blob text with specific FROM and TO phone numbers in between and I have to make the "Message" generic enough to catch all logs, for all phone #s.
Argh. Working on it, your answer helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try something like this for your search:
incoming call | where match(_raw,"\d{10}")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. When I use it as above, I catch too many logs, including the ones that have just "incoming" or "call" in them. If I use "incoming call" I don't get anything. Still digging 🙂
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
