hi im trying to replace credit card number (16 digits) in a csv file with xxxx
when i input below text, full event will be masked i will only see xxxx in the search
test1,test2, 0123456789123456
when i input any credit card number which is less than 16 digits , i can see full event in the search
test3,test4,1234
please find the following configuration files
props.conf
[ccdata]
TRANSFORMS-anonymize = masking
transforms.conf
[masking]
REGEX = \d{16}
FORMAT = xxxx
DEST_KEY = _raw
Hi @gotenzw,
as @richgalloway, the behavior you described is correct: you transform a credit card number (16 digits) if you have a number with 16 digits in that field, if you have anything different, the transformation doesn't run but it's correct.
If you want to mask every number in the third field (also less than 16 digits), you have to use a different approach as described at https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata:
in props.conf use this command:
[<your_sourcetype>]
TRANSFORMS-anonymize = anonymizer
in transforms.conf:
[anonymizer]
REGEX = ^(\w+,\w+,)\d+
FORMAT = $1xxxxxxxxxxxxxxxx
DEST_KEY = _raw
Ciao.
Giuseppe
i need to use same approach which is 16 digits but i want to see other fields.
im expecting the event like below
event1,event2,xxxx
Hi @gotenzw,
with my approach, you should see the other fields and anonymize only the Credit Card Number, otherwise, as described in the above url (https://docs.splunk.com/Documentation/Splunk/9.0.0/Data/Anonymizedata), you can also try SEDCMD command in props.conf:
[<your_sourcetype>]
SEDCMD-Anonymize = s/^\w+,\w+,\d+/^\w+,\w+,xxxxxxxxxxxxxxxx/g
Ciao.
Giuseppe
i used the SEDCMD and it worked fine but i need to do it using transforms.conf
below is the props.conf which i used.
[ccdata]
SEDCMD-ccdatamask = s/\d{16}/xxxx/g
is it possible to do the same using trasnforms.conf ?
Hi @gotenzw,
yes, it's possible.
Your transforms.conf is correct, and the configuration you shared is correct but only for 16 digits numbers, if you have less numbers it doesn't work.
if you don't have other numerical fields you could try to use a little different regex to recognize your CC number:
[masking]
REGEX = \d+
FORMAT = xxxx
DEST_KEY = _raw
Ciao.
Giuseppe
What is the problem you are trying to solve? The way I read this description everything appears to be working as desired.
i need to see other fields like test1, test2, what is required is to mask only credit card number which is the 16 digit, but the issue here i can't see full event after masking as stated before only xxxx i can see in the search