Hi,
I have something like the following which gets logged:
sessionId=A,phone=4155550123
sessionId=B,phone=14155550123
sessionId=C,phone=+14155550123
sessionId=D,phone=4085550123
I'm trying to come up with a dashboard where I have a text field that takes a phone number as input.
If the user enters the phone number value as one of the following: 4155550123 or 14155550123 or +14155550123, then I want to get all the session IDs associated.
In a nutshell, I have the same phone number logged in different formats and I still need to get all the session IDs associated with the given phone.
index=myIndex phone=$phoneNumber$ | table sessionId
If I replace $phoneNumber$ with 4155550123 or +14155550123 or 14155550123, then I would like to see A, B, and C in my search result.
I gave you an answer that works efficiently by operating on metadata. You can work with eval and other post-pipe commands (e.g. regex) but your search efficiency will suffer (which may or may not be important to you).
index=myIndex | regex phone="4155550123$"
If you have a search-time extraction (probably) then you will need to take a look at this Q&A and modify fields.conf so it works the way you expect:
https://answers.splunk.com/answers/267175/search-does-not-return-results-for-some-values-of.html
Once that is done, you should be able to do this:
index=myIndex phone="$phoneNumber$" OR phone="1$phoneNumber$" OR phone="+1$phoneNumber$" | table sessionId
index=myIndex | eval last10Digits=substr($phoneNumber$, len($phoneNumber$)-9, 10) | where like (phone, "%".last10Digits."%")
This worked for me... I need to run some tests to verify...
What I did is something like this:
index=myIndex | eval last10Digits=substr($phoneNumber$, len($phoneNumber$)-9, 10) | where like (phone, "%last10Digits")
And it did not work.
It may not work if $phoneNumber$ is +14155550123, as I would like to see A, B and C in my search result if $phoneNumber$ is either 4155550123 or +14155550123 or 14155550123.
Assuming that the user enters the phone number as 4155550123, then it gets translated to:
index=myIndex phone=4155550123 OR phone=14155550123 OR phone=+14155550123
And the search result will have A, B and C.
If it is entered as +14155550123, then it will be:
index=myIndex phone=+14155550123 OR phone=1+14155550123 OR Phone=+1+14155550123.
I guess the search result will only have A (whereas the expectation is A, B and C).
This may work only if the user enters it as 4155550123 (with no country code), and it may not work if 14155550123 or +14155550123 is used for searching.
What I'm interested in is that irrespective of whatever the input format is I would like to have A, B and C in my search result.
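
Added example, not code from anyone in this thread: a Python sketch that reduces any of the three input formats to the 10-digit number before building the OR search from the reply above, then checks the result against the sample lines from the question. The function names, the US-style number assumption (optional 1 or +1 prefix) and the input check are assumptions of this example.

```python
import re

# Log lines copied from the question in this thread.
SAMPLE_LOG = """\
sessionId=A,phone=4155550123
sessionId=B,phone=14155550123
sessionId=C,phone=+14155550123
sessionId=D,phone=4085550123
"""

# Assumption: US-style numbers, i.e. 10 digits with an optional "1" or "+1".
_PHONE = re.compile(r"(?:\+?1)?(\d{10})")


def variants(raw):
    """Return the three logged spellings for any accepted input format."""
    match = _PHONE.fullmatch(raw.strip())
    if match is None:
        # The value ends up inside a search string, so anything that is not
        # strictly a phone number is rejected instead of being passed along.
        raise ValueError(f"not a phone number: {raw!r}")
    national = match.group(1)
    return [national, "1" + national, "+1" + national]


def build_search(raw, index="myIndex"):
    """Build the OR search from the reply above, from normalized input."""
    clause = " OR ".join(f'phone="{v}"' for v in variants(raw))
    return f"index={index} {clause} | table sessionId"


def matching_sessions(raw, log=SAMPLE_LOG):
    """Emulate that search on the sample lines (exact match per variant)."""
    wanted = set(variants(raw))
    hits = []
    for line in log.splitlines():
        fields = dict(pair.split("=", 1) for pair in line.split(","))
        if fields["phone"] in wanted:
            hits.append(fields["sessionId"])
    return hits


if __name__ == "__main__":
    for entered in ("4155550123", "14155550123", "+14155550123"):
        print(entered, "->", matching_sessions(entered))
        print("  ", build_search(entered))
```

Because the search still compares whole phone values, it keeps the efficiency of the OR form while no longer depending on how the number was typed.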