Splunk Search

Manipulating inputs prior search in app

carljohan
Path Finder

I have created an app which has a single input for MSISDN.

The user enters the MSISDN in local 10-digit format ex: 0123456789

The events in my logs are in international format ex: 999123456789

So I need to remove the leading 0 and add 999 to the input prior conducting the search.
I have no idea how to do this so all help is appreciated.

Tags (2)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

try something like this

index=yourindex sourcetype=yoursourcetype [|gentimes start=-1 | eval msisdn="10 digit msisdn input" | eval msisdn="999".ltrim(msisdn,"0") | fields msisdn] |table _time, msisdn, sms
0 Karma

somesoni2
SplunkTrust
SplunkTrust

When you use the query in dashboard (and I assume you'll have token defined for textbox, lets say token=msisdn), use like this, so that it'll use the single value passed in textbox)

index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="$msisdn$" | eval msisdn="999".ltrim(tostring(msisdn),"0") | fields msisdn] |table _time, msisdn, sms

0 Karma

carljohan
Path Finder

Yes I am using a textbox. The logs are in 999763206619 format and the input is in 0763206619 format.

The query you provided works when I try it in a search field but not in my custom app with the textfield input.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Also, can you try something like this?

index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="0763206619" | eval msisdn="999".ltrim(tostring(msisdn),"0") | fields msisdn] |table _time, msisdn, sms

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Are you using a textbox for users to enter the msisdn and that input you want to updated before using in the search OR the msisdn is there in the logs with 0763206619 format and you want to update it??

0 Karma

carljohan
Path Finder

Here is another find of mine:

This does not work: index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="0763206619" | eval msisdn="999".ltrim(msisdn,"0") | fields msisdn] |table _time, msisdn, sms

This does not work: index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="k763206619" | eval msisdn="999".ltrim(msisdn,"k") | fields msisdn] |table _time, msisdn, sms

This works: index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="k763206619" | eval msisdn="0".ltrim(msisdn,"k") | fields msisdn] |table _time, msisdn, sms

0 Karma

carljohan
Path Finder

I am not getting it to work. Can I share something which would display the outcome and help you understand why?

This is the search I am performing:

index=* sourcetype=sms [|gentimes start=-1 | eval msisdn="0763206619" | eval msisdn="999".ltrim(msisdn,"0") | fields msisdn] |table _time, msisdn, sms

0 Karma

aaronkorn
Splunk Employee
Splunk Employee

Give rex a shot: | rex mode=sed field=MSISDN "s/(^0)/999/g"

0 Karma

carljohan
Path Finder

Where in the following search query should I add the regex?

index=* event="*" msisdn="$customer_msisdn$" |table _time, msisdn, sms

0 Karma

carljohan
Path Finder

I have tried the following but it did not work:
msisdn="0123456789"| eval msisdn=substr(msisdn,2)|eval msisdn="999".msisdn|table _time, msisdn, sms

0 Karma

somesoni2
SplunkTrust
SplunkTrust

How are you using the input in your search? You can use 'ltrim' command with EVAL to trim the leading 0's and prefix '999'.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...