Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How can I mask email id's when indexing?

ansif
Motivator
‎11-20-2017 12:49 AM

Hi All,

I want to mask email id from Message tracking logs,but it mask the whole event.Could you pelase help me in masking only emailid's and no other data from the event.

transforms.conf

[emailaddr-anonymizer]
REGEX = ([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63})
FORMAT = ********@*********
DEST_KEY = _raw

props.conf

[<given_source_type>]

TRANSFORMS-anonymize = emailaddr-anonymizer

Sample log

gotsomething,[email protected],junk files for,[email protected],this is a test log with some emails,[email protected],

Expected output:

gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

Thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 01:01 AM

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 01:01 AM

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

ansif
Motivator
‎11-20-2017 01:22 AM

Thanks Giuseppe, but the above thing is not working as expected output

Expected output is as follows:

 gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

But I am getting:

,********@*********,

And one more thing,the logs might have email id's without a comma like:

gotsomething,[email protected],junk files for,[email protected],this is a test log with some emails,[email protected],[email protected]

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-20-2017 01:36 AM

Hi ansif,
did yu seen https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ?
using a sed script in props.conf

[given_source_type]
SEDCMD-emails = s/,[^@]*@[^,]*,/,********@*********,/g

or using transforms.conf

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = $1,********@*********,$2
DEST_KEY = _raw

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

ansif
Motivator
‎11-20-2017 02:51 AM

Working fine with below:

 [MSExchange:2013:MessageTracking]
    SEDCMD-emails = s/,?([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63},?)/,********@*********,/g

@Giuseppe :: Please let me know how can I include domain name.

0 Karma
Reply
Solved! Jump to solution

ansif
Motivator
‎11-20-2017 03:42 AM

It is resolved:

Tried below code:

[MSExchange:2013:MessageTracking]
SEDCMD-emails = s/,?([A-z0-9._%+-]+@,?)/,********@/g
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...