Trying to run a search in my environment to see what logs/events have credit cards in them. Any help? (PCI requirements)

Need a query to find credit card numbers in events. Please help. I have run queries but they don't seem to be right.

This one is for Master Card, but I need one for OVERALL credit card numbers. This one doesn't even work, btw.

index=<index> | rex field=_raw "^4[0-9]{12}(?:[0-9]{3})?$(?<credit_card>)" | stats count by credit_card 
0 Karma


Hi Jewatson17,

you can use this regex to match all possible credit cards:

| rex "(?<possible_credit_card_number>\d{12,19})"

According to the IIN ranges, card numbers have a possible length of 12 - 19 digits.

Hope this helps ...

cheers, MuS

0 Karma
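A bare `\d{12,19}` match also catches timestamps, order IDs and other long digit runs. The following is an added example, not part of the original thread: a Python post-filter for exported events that keeps only candidates passing the Luhn checksum and masks them in the report. The function names, the digit-boundary lookarounds and the sample events are assumptions made for illustration.

```python
import re

# Candidate pattern from the answer above, with added digit boundaries so a
# slice of a longer digit run is not reported (the boundaries are an addition).
CANDIDATE = re.compile(r"(?<!\d)\d{12,19}(?!\d)")


def luhn_ok(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(number: str) -> str:
    """Show only the first six and last four digits so the report holds no full PAN."""
    return number[:6] + "*" * (len(number) - 10) + number[-4:]


def find_pans(events):
    """Return (event_index, masked_number) for every Luhn-valid candidate."""
    hits = []
    for idx, raw in enumerate(events):
        for m in CANDIDATE.finditer(raw):
            if luhn_ok(m.group()):
                hits.append((idx, mask(m.group())))
    return hits


# Constructed sample events; the card numbers are published test numbers.
SAMPLE_EVENTS = [
    "2024-01-05 10:01:02 payment ok card=4111111111111111 amount=12.50",
    "2024-01-05 10:01:03 request ts=1700000000000 status=200",
    "2024-01-05 10:01:04 order_id=1234567890123456 shipped",
    "2024-01-05 10:01:05 amex 378282246310005 declined",
]

if __name__ == "__main__":
    for idx, masked in find_pans(SAMPLE_EVENTS):
        print(f"event {idx}: {masked}")
```

Luhn is a checksum, not proof of a real card: roughly one in ten random digit strings passes it, so remaining hits still need review.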