Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookup issues

ipops
Path Finder
‎08-26-2016 03:28 AM

Having issues getting the NANP app to work (https://splunkbase.splunk.com/app/1515/)

I have the following search but it does not return any lookup fields

sourcetype=ivrdata | eval {message}=varValue | stats first(LogTimestamp) as Time values(Phone) as phone values(Platform) as Platform by IVR_SessionID | WHERE Platform="FWA" | table areacode city latitude longitude

This search returns a phone number in the 1234567890 format as the "phone" field. Any idea what I am doing wrong here?

Here are the relevant files

props.conf

[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

transforms.conf

[getareacode]
REGEX = phone_no="?(\d{3}\d{3})
FORMAT = areacode::$1

Sample of areacode_latitude_longitude.csv

areacode,city,region,country,latitude,longitude
201200,Jersey City,NJ,US,40.7280556,-74.0780556
201202,Hackensack,NJ,US,40.8858333,-74.0438889
201203,Hackensack,NJ,US,40.8858333,-74.0438889
201204,Jersey City,NJ,US,40.7280556,-74.0780556

Tags (1)
0 Karma
Reply

ipops
Path Finder
‎08-26-2016 08:20 AM

I have removed and reinstalled the NANP app.

It's expecting a phone number in xxx-xxx format

transforms.conf
[getareacode]
REGEX = phone_no="?(\d{3}[-|.]\d{3})
FORMAT = areacode::$1

props.conf
[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone_no OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

Using the following search but it's not returning any lookup data

sourcetype=ivrdata | WHERE IVR_Message="Phone" | rename IVR_Value AS phone_no | rex field=phone_no mode=sed "s/(\d{3})(\d{3})(\d{4})/\1-\2/g" | table phone_no city country latitude longitude region

any ideas where I am going wrong?

alt text

Preview file
33 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...