Hi, as Ayn said in his response to your earlier question, you'd have to create a rather long regex of all possible country codes, since you do not know if it's one, two or three digits (sometimes even four or five) long. For the sake of simplicity you might not want to get into the sub-country codes like Pitcairn (located under New Zealand) or Zanzibar (which is located under Tanzania).
If you do want that level of precision, where there is possible ambiguity, you would probably want to specify the country codes in the order from most specific to least specific, in order to not classify Jamaica (1876) as part of the US/Canada (1).
So assuming you have a field in your events called tel, that contains values like 001001201111212, 00100118002322, 0010018765545499 etc., you'd extract the country code like this:
... | rex field=tel "001001(?<cc>(1876|1869|1|20|211|212|213|216|218|220))" | ...
which would give you 20, 1, and 1876 as values for cc, respectively.
Then you'd probably want to create a lookup for the country codes as well:
cc,country
1,North America
1876,Jamaica
1869,StKitts_Nevis
1868,Trinidad_Tobago
1809,Dominica
1829,Dominica
1849,Dominica
20,Egypt
211,South Sudan
212,Morocco
213,Algeria
...
etc.
It should be in the format of a csv file, and you could configure the lookup to run automatically through props.conf settings, or on-demand with the lookup search command.
See http://en.wikipedia.org/wiki/List_of_country_calling_codes for a full list of country codes.
For more info on lookups, see:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsfromexternaldatasources#Set_up_a_fields_lookup_based_on_a_static_file
Hope this helps,
K
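Added example (not part of the original answer): a Python re-implementation of the rex extraction above that generates the alternation from the lookup table, ordering codes longest-first so the most specific code wins, and shows how an unordered alternation misfiles Jamaica under code 1. The lookup subset, the 001001 prefix and the sample tel values are constructed for this illustration.

```python
import re

# Constructed subset of the cc/country CSV lookup described in the answer.
CC_LOOKUP = {
    "1": "North America",
    "1876": "Jamaica",
    "1869": "StKitts_Nevis",
    "20": "Egypt",
    "211": "South Sudan",
    "212": "Morocco",
    "213": "Algeria",
}

# International dialling prefix seen in the answer's sample values (assumed fixed here).
PREFIX = "001001"


def build_cc_regex(codes, longest_first=True):
    """Build the rex-style pattern. With longest_first the alternation tries
    the most specific code (1876) before its prefix (1); otherwise it is
    plain string order, which puts '1' first and lets it shadow 1876."""
    if longest_first:
        ordered = sorted(codes, key=len, reverse=True)
    else:
        ordered = sorted(codes)
    alternation = "|".join(re.escape(c) for c in ordered)
    return re.compile("^" + re.escape(PREFIX) + "(?P<cc>" + alternation + ")")


def extract_cc(tel, pattern):
    """Return (cc, country) for one tel value, or (None, None) if nothing matches."""
    m = pattern.match(tel)
    if not m:
        return None, None
    cc = m.group("cc")
    return cc, CC_LOOKUP.get(cc, "unknown")


# Constructed tel values: prefix + country code + subscriber digits.
SAMPLE_TELS = ["001001201111212", "00100118002322", "0010011876554549", "0010012125551234"]


def run(longest_first=True):
    """Extract the cc for every sample value with the chosen alternation order."""
    pattern = build_cc_regex(CC_LOOKUP, longest_first)
    return [extract_cc(t, pattern)[0] for t in SAMPLE_TELS]


if __name__ == "__main__":
    print("longest first:", run(True))   # ['20', '1', '1876', '212']
    print("string order: ", run(False))  # ['20', '1', '1', '212']  Jamaica misfiled
```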