Getting Data In

How can I mask email id's when indexing?

ansif
Motivator

Hi All,

I want to mask email id from Message tracking logs,but it mask the whole event.Could you pelase help me in masking only emailid's and no other data from the event.

transforms.conf

[emailaddr-anonymizer]
REGEX = ([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63})
FORMAT = ********@*********
DEST_KEY = _raw

props.conf

[<given_source_type>]

TRANSFORMS-anonymize = emailaddr-anonymizer

Sample log

gotsomething,somename@something.com,junk files for,somename@somedomain.com,this is a test log with some emails,myname@mydomain.net,

Expected output:

gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

Thanks

Tags (1)
0 Karma
1 Solution

gcusello
Esteemed Legend

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
Esteemed Legend

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

0 Karma

ansif
Motivator

Thanks Giuseppe, but the above thing is not working as expected output

Expected output is as follows:

 gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

But I am getting:

,********@*********,

And one more thing,the logs might have email id's without a comma like:

gotsomething,somename@something.com,junk files for,somename@somedomain.com,this is a test log with some emails,myname@mydomain.net,addedmail@domain.net

0 Karma

gcusello
Esteemed Legend

Hi ansif,
did yu seen https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ?
using a sed script in props.conf

[given_source_type]
SEDCMD-emails = s/,[^@]*@[^,]*,/,********@*********,/g

or using transforms.conf

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = $1,********@*********,$2
DEST_KEY = _raw

Bye.
Giuseppe

0 Karma

ansif
Motivator

Working fine with below:

 [MSExchange:2013:MessageTracking]
    SEDCMD-emails = s/,?([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63},?)/,********@*********,/g

@Giuseppe :: Please let me know how can I include domain name.

0 Karma

ansif
Motivator

It is resolved:

Tried below code:

[MSExchange:2013:MessageTracking]
SEDCMD-emails = s/,?([A-z0-9._%+-]+@,?)/,********@/g
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...