Having issues getting the NANP app to work (https://splunkbase.splunk.com/app/1515/)
I have the following search but it does not return any lookup fields
sourcetype=ivrdata | eval {message}=varValue | stats first(LogTimestamp) as Time values(Phone) as phone values(Platform) as Platform by IVR_SessionID | WHERE Platform="FWA" | table areacode city latitude longitude
This search returns a phone number in the 1234567890 format as the "phone" field. Any idea what I am doing wrong here?
Here are the relevant files
props.conf
[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode
transforms.conf
[getareacode]
REGEX = phone_no="?(\d{3}\d{3})
FORMAT = areacode::$1
Sample of areacode_latitude_longitude.csv
areacode,city,region,country,latitude,longitude
201200,Jersey City,NJ,US,40.7280556,-74.0780556
201202,Hackensack,NJ,US,40.8858333,-74.0438889
201203,Hackensack,NJ,US,40.8858333,-74.0438889
201204,Jersey City,NJ,US,40.7280556,-74.0780556
I have removed and reinstalled the NANP app.
It's expecting a phone number in xxx-xxx format
transforms.conf
[getareacode]
REGEX = phone_no="?(\d{3}[-|.]\d{3})
FORMAT = areacode::$1
props.conf
[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone_no OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode
Using the following search but it's not returning any lookup data
sourcetype=ivrdata | WHERE IVR_Message="Phone" | rename IVR_Value AS phone_no | rex field=phone_no mode=sed "s/(\d{3})(\d{3})(\d{4})/\1-\2/g" | table phone_no city country latitude longitude region
any ideas where I am going wrong?