Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lookup issues

ipops
Path Finder
‎08-26-2016 03:28 AM

Having issues getting the NANP app to work (https://splunkbase.splunk.com/app/1515/)

I have the following search but it does not return any lookup fields

sourcetype=ivrdata | eval {message}=varValue | stats first(LogTimestamp) as Time values(Phone) as phone values(Platform) as Platform by IVR_SessionID | WHERE Platform="FWA" | table areacode city latitude longitude

This search returns a phone number in the 1234567890 format as the "phone" field. Any idea what I am doing wrong here?

Here are the relevant files

props.conf

[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

transforms.conf

[getareacode]
REGEX = phone_no="?(\d{3}\d{3})
FORMAT = areacode::$1

Sample of areacode_latitude_longitude.csv

areacode,city,region,country,latitude,longitude
201200,Jersey City,NJ,US,40.7280556,-74.0780556
201202,Hackensack,NJ,US,40.8858333,-74.0438889
201203,Hackensack,NJ,US,40.8858333,-74.0438889
201204,Jersey City,NJ,US,40.7280556,-74.0780556

Tags (1)
0 Karma
Reply

ipops
Path Finder
‎08-26-2016 08:20 AM

I have removed and reinstalled the NANP app.

It's expecting a phone number in xxx-xxx format

transforms.conf
[getareacode]
REGEX = phone_no="?(\d{3}[-|.]\d{3})
FORMAT = areacode::$1

props.conf
[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone_no OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

Using the following search but it's not returning any lookup data

sourcetype=ivrdata | WHERE IVR_Message="Phone" | rename IVR_Value AS phone_no | rex field=phone_no mode=sed "s/(\d{3})(\d{3})(\d{4})/\1-\2/g" | table phone_no city country latitude longitude region

any ideas where I am going wrong?

alt text

Preview file
33 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...