- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Substring lookup to enhance DB query results?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am VERY new to Splunk. I have built some basic dashboards using DB queries, because the data is not (yet) being put directly into the Splunk database. With that said, I would like to enhance my current dashboard with some additional data defined in a CSV file. To be more specific my dashboard contains phone numbers. My CSV file contains the location data of North American Numbering Plan area codes and prefixes (NPA-NXX). I would like to lookup the location of the caller, based on the NPA-NXX, and include that in my dashboard.
Given my limited knowledge/skill set with Splunk, I have a few questions:
1) Is this even possible in Splunk?
2) Does Splunk support data/format manipulation within the search string, such as using RegEx, or can you define a substring to look for?
3) Are there any existing tutorials around these areas that could help guide me to a solution?
Any help would be greatly appreciated!!
EXAMPLE (dots added for spacing purposes)
[Query Results]
Phone Number .......... Call Count
+12345678901........... 12
[CSV Entry]
NPA-NXX .................. Location
234-567 .................... Anytown, USA
Desired Output
Phone Number .............. Location .................................. Call Count
+12345678901............... Anytown, USA ......................... 12
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Is this even possible in Splunk?
Yes...BUT just like an excel look up...you need to have 1 common field value...NOT just a field name...in your case if we extact 234-567 from your query we can match it with your csv look up like a common 'key' field join in SQL/EXCEL
2) Does Splunk support data/format manipulation within the search string, such as using RegEx, or can you define a substring to look for?OHH yes 🙂
3) Are there any existing tutorials around these areas that could help guide me to a solution?
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/ConfigureCSVlookups
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/DefineanautomaticlookupinSplunkWeb
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) Is this even possible in Splunk?
Yes...BUT just like an excel look up...you need to have 1 common field value...NOT just a field name...in your case if we extact 234-567 from your query we can match it with your csv look up like a common 'key' field join in SQL/EXCEL
2) Does Splunk support data/format manipulation within the search string, such as using RegEx, or can you define a substring to look for?OHH yes 🙂
3) Are there any existing tutorials around these areas that could help guide me to a solution?
http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/ConfigureCSVlookups
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Knowledge/DefineanautomaticlookupinSplunkWeb
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Inputlookup
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this for prefix:
|eval prfxubstr("Phone Number",3,5)"-"+substr("Phone Number",6,8
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981,
Thank you for the sample code. I had to manipulate it a little, but it was close enough to get me where I needed to be.
The assistance is much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sukisen1981,
Thank you for the quick response!!
I'll work on figuring out how to "extract" the area code and prefix (234-567) from the query results for this purpose. I appreciate the links! I'm so new, I'm not even sure what I'm searching for sometimes. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @sarge338, welcome to the Splunk community! When you're responding to answers on Answer posts please use the comment feature rather than posting a new "answer". As well, if @sukisen1981 is able to find the solution for you please accept their answer so you can award karma points and close the question! 🙂 You can also upvote to award points.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
