Getting Data In

How can I mask email id's when indexing?

ansif
Motivator

Hi All,

I want to mask email id from Message tracking logs,but it mask the whole event.Could you pelase help me in masking only emailid's and no other data from the event.

transforms.conf

[emailaddr-anonymizer]
REGEX = ([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63})
FORMAT = ********@*********
DEST_KEY = _raw

props.conf

[<given_source_type>]

TRANSFORMS-anonymize = emailaddr-anonymizer

Sample log

gotsomething,[email protected],junk files for,[email protected],this is a test log with some emails,[email protected],

Expected output:

gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

Thanks

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ansif,
try to replace your transform.conf with the following

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = ,********@*********,
DEST_KEY = _raw

you can test it at https://regex101.com/r/z1JhxR/1
Bye.
Giuseppe

0 Karma

ansif
Motivator

Thanks Giuseppe, but the above thing is not working as expected output

Expected output is as follows:

 gotsomething,xxxxx@xxxxxxx,junk files for,xxxxxx@xxxxxxx,this is a test log with some emails,xxxxx@xxxxxxx,

But I am getting:

,********@*********,

And one more thing,the logs might have email id's without a comma like:

gotsomething,[email protected],junk files for,[email protected],this is a test log with some emails,[email protected],[email protected]

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi ansif,
did yu seen https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata ?
using a sed script in props.conf

[given_source_type]
SEDCMD-emails = s/,[^@]*@[^,]*,/,********@*********,/g

or using transforms.conf

[emailaddr-anonymizer]
REGEX = ,[^@]*@[^,]*,
FORMAT = $1,********@*********,$2
DEST_KEY = _raw

Bye.
Giuseppe

0 Karma

ansif
Motivator

Working fine with below:

 [MSExchange:2013:MessageTracking]
    SEDCMD-emails = s/,?([A-z0-9._%+-]+@[A-z0-9.-]+\.[A-z]{2,63},?)/,********@*********,/g

@Giuseppe :: Please let me know how can I include domain name.

0 Karma

ansif
Motivator

It is resolved:

Tried below code:

[MSExchange:2013:MessageTracking]
SEDCMD-emails = s/,?([A-z0-9._%+-]+@,?)/,********@/g
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Get Agentic with Splunk Lantern: Connect to Cisco Cloud Control, Transform ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

July Community Events: Master ITSI 5.0 & Automate Splunk

Struggling with alert fatigue or feeling like you're spending more time on infrastructure maintenance than ...

New Release of Federated Search: Bringing Splunk Analytics to More of Your Data

Organizations today are generating more data than ever and storing it across cloud object stores, data lakes, ...