Splunk Search

Looking for a phone # in logs using Splunk

cadeli
New Member

Newbie here, please help.

Trying to search/filter for all occurrences of phone #s in my logs. Regex would be [0-9]{10}. I don't have a key-value pair, my log looks similar to this: "This is an incoming call from 4151111111 on trunk 10.10.01.01 and was processed ok."

Later on, I will have to filter all occurrences of calls from ANY #, ONLY on the specified trunk.

Thanks! A.C.

0 Karma

Paolo_Prigione
Builder

I'd suggest building a field out of it in any case...

You can use the interactive field extractor to get that:

  1. pop a search for "this is an incoming call"
  2. right-click the little triangle on the left of a matching event
  3. select "extract fields"
  4. provide some examples of phone #s
  5. Test
  6. if satisfied save and provide a field name

The modified config files will reside in:

$SPLUNK_HOME/etc/users/<username>/<appname>/local/

As a faster alternative, locate the proper props.conf file where your sourcetype stanza is specified and append this line to that stanza:

EXTRACT-phone = (?i)incoming call from (?<phonenum>\d+) on trunk (?<trunk>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

then pop a search like

"this is an incoming call" | extract reload=true

to reload the configuration and see if Splunk got the new fields.

Lowell
Super Champion

cadeli, please update your original question (use the "edit" link) to include additional examples of what your event looks like and what phone numbers you are looking to extract. Be sure to include examples of different types of events that you would like to extract phone #s from (it sounds like you may have multiple formats, based on the fact that your question and your above comment show two different message formats.)

cadeli
New Member

I should change the name of the Question/Thread because in fact I am looking for a way to catch ALL phone numbers.

0 Karma

cadeli
New Member

Thank you, this is very helpful. I followed the steps. The extracted field looks like this:

Message="Port : 0X55555553B : This is an incoming call from 4151111111;phone-context=+1@10.10.01.01, To 8888888888;phone-context=+1."

It is a blob text, I have no key/value pairs in there to play with.

I am interested in "This is an incoming call" and the IP address but I have this blob text with specific FROM and TO phone numbers in between and I have to make the "Message" generic enough to catch all logs, for all phone #s.

Argh. Working on it, your answer helped!

0 Karma

dwaddle
SplunkTrust

Try something like this for your search:

incoming call | where match(_raw,"\d{10}")
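To see how the two suggestions above behave on the event formats shown in this thread, here is an added Python example (not code from the thread or from Splunk) that applies Paolo_Prigione's EXTRACT regex and a generalised variant to a few constructed sample events, then filters calls by trunk as the question asks. Splunk's `(?<name>...)` groups are written `(?P<name>...)` for Python's re module; the second pattern, the sample events, and the `term_search` approximation of an unquoted keyword search are assumptions made for the example.

```python
import re

# Constructed sample events, modelled on the two formats the question and the
# follow-up comment show (not copied from real logs).
SAMPLE_EVENTS = [
    'This is an incoming call from 4151111111 on trunk 10.10.01.01 and was processed ok.',
    'Message="Port : 0X55555553B : This is an incoming call from 4152222222'
    ';phone-context=+1@10.10.01.01, To 8888888888;phone-context=+1."',
    'This is an incoming call from 4153333333 on trunk 10.10.01.02 and was processed ok.',
    'Outgoing call to 4154444444 on trunk 10.10.01.01 completed.',
    'Operator incoming on the call queue, no number present.',
]

# The EXTRACT regex from the answer, translated to Python syntax:
# Splunk/PCRE (?<name>...) named groups become (?P<name>...) here.
ANSWER_PATTERN = re.compile(
    r'(?i)incoming call from (?P<phonenum>\d+) on trunk '
    r'(?P<trunk>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
)

# Assumed generalisation for the example: accept either "on trunk <ip>" or the
# ";phone-context=+1@<ip>" form seen in the follow-up comment, and require
# exactly 10 digits so port ids and shorter numbers are not picked up.
GENERAL_PATTERN = re.compile(
    r'(?i)this is an incoming call from (?P<phonenum>\d{10})'
    r'(?:;phone-context=\+\d+@| on trunk )'
    r'(?P<trunk>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
)


def extract_call(event, pattern=GENERAL_PATTERN):
    """Return {'phonenum': ..., 'trunk': ...} for a matching event, else None."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def calls_on_trunk(events, trunk, pattern=GENERAL_PATTERN):
    """Phone numbers of all incoming calls on the given trunk, in event order."""
    return [f['phonenum'] for ev in events
            if (f := extract_call(ev, pattern)) and f['trunk'] == trunk]


def term_search(events, *terms):
    """Rough stand-in for an unquoted Splunk search: every term must appear
    somewhere in the event (case-insensitive substring check, an approximation
    of Splunk's token matching)."""
    return [ev for ev in events if all(t.lower() in ev.lower() for t in terms)]


if __name__ == '__main__':
    for ev in SAMPLE_EVENTS:
        print(extract_call(ev))
    # Unquoted "incoming call" also hits the queue event with no number in it.
    print(len(term_search(SAMPLE_EVENTS, 'incoming', 'call')), 'events match the bare terms')
    print(calls_on_trunk(SAMPLE_EVENTS, '10.10.01.01'))
```

The original EXTRACT regex matches only the "on trunk" wording, so the second event (the Message="..." format) yields no field; the generalised pattern handles both forms, and anchoring on the full phrase "this is an incoming call from" is what keeps the queue event out, which is the over-matching the bare keyword search runs into.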

cadeli
New Member

Thank you. When I use it as above, I catch too many logs, including the ones that have just "incoming" or "call" in them. If I use "incoming call" I don't get anything. Still digging 🙂

0 Karma