According to the link below, it looks possible to mask data in Splunk.
https://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Anonymizedata
I want to mask the email and credit card number for the logs.
Here are examples of each:
test@test.com
3234-1234-5678-5678
I need to configure props.conf and transforms.conf under $SPLUNK_HOME/etc/system/local/.
Specifically, in props.conf, it will be something like this:
[<sourcetype>]
TRANSFORMS-anonymize = emailaddr-anonymizer, creditcard-anonymizer
in transforms.conf, it will be:
[emailaddr-anonymizer]
REGEX = <regex>
FORMAT = ********@*********
DEST_KEY = _raw
[creditcard-anonymizer]
REGEX = <regex>
FORMAT = ****-****-****-****
DEST_KEY = _raw
As I am not good at REGEX in Splunk, can anybody tell me what exact regular expression I have to write in the REGEX field for email and credit card?
(Only need to match '@'and '.' in email field)
Try this
in transforms.conf,
[emailaddr-anonymizer]
REGEX = ([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,63})
FORMAT = ********@*********
DEST_KEY = _raw
[creditcard-anonymizer]
REGEX = ((\d{4}[-\s]*){3}\d{4})
FORMAT = ****-****-****-****
DEST_KEY = _raw
Hi somesoni2, I have an additional question regarding this question.
I found that the whole line of the log is masked. Below is the example.
# (Input text)
Card Number #1 : 1234-5678-9012-3456
# (Actual result)
****-****-****-****
(Expected)
Card Number #1 : ****-****-****-****
I also tried to replace the format with the one below but had no luck.
FORMAT = $1****-****-****-****$2
What should I do if I want to get the expected result above?
Just to answer my question, it seems that the following can do the trick.
REGEX = (.*)([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,63})(.*)
FORMAT = $1********@*********$3
# the repeated inner group is non-capturing so that $3 is the text after the card number
REGEX = (.*)((?:\d{4}[-\s]*){3}\d{4})(.*)
FORMAT = $1****-****-****-****$3
Hi somesoni2, the regex worked! Thanks a lot!
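An added example, not from this thread, that emulates in Python what a transforms.conf stanza with DEST_KEY = _raw does (on a match the whole _raw value becomes FORMAT with each $n filled from capture group n) and runs the three stages of regex discussed above over constructed log lines. The regexes are the thread's with [A-Za-z] in place of [A-z], no literal | inside the separator class, and a non-capturing inner group so that $3 is the trailing text rather than the last four-digit chunk; the example also shows that a greedy (.*) prefix lets the leading characters of an email address leak, which a lazy (.*?) prefix avoids.

```python
import re

# Emulates a transforms.conf stanza with DEST_KEY = _raw: when REGEX matches
# the event, the whole _raw value becomes FORMAT with $n replaced by capture
# group n; an event that does not match is passed through unchanged.
def apply_transform(raw, regex, fmt):
    m = re.search(regex, raw)
    if not m:
        return raw
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", fmt)

# Applies the stanzas in TRANSFORMS-anonymize order, one after the other.
def anonymize(raw, stanzas):
    for regex, fmt in stanzas:
        raw = apply_transform(raw, regex, fmt)
    return raw

EMAIL = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,63}"
# The repeated inner group is non-capturing so that $3 below is the trailing
# text and not the last "dddd-" chunk of the card number.
CARD = r"(?:\d{4}[-\s]*){3}\d{4}"

# 1. The first stanzas: FORMAT carries no $n, so the rest of the line is lost.
NAIVE = [(f"({EMAIL})", "********@*********"),
         (f"({CARD})", "****-****-****-****")]
# 2. The follow-up: $1/$3 re-emit the surrounding text, but a greedy (.*)
#    prefix pushes the match as far right as it can, so the start of the
#    email local part ("tes" in the sample) is left in clear.
GREEDY = [(f"(.*)({EMAIL})(.*)", "$1********@*********$3"),
          (f"(.*)({CARD})(.*)", "$1****-****-****-****$3")]
# 3. A lazy (.*?) prefix makes the sensitive group match at its earliest start.
LAZY = [(f"(.*?)({EMAIL})(.*)", "$1********@*********$3"),
        (f"(.*?)({CARD})(.*)", "$1****-****-****-****$3")]

# Constructed sample events (not taken from any real log).
SAMPLES = ["Card Number #1 : 1234-5678-9012-3456",
           "user test@test.com paid with 3234 1234 5678 5678",
           "no sensitive data here"]

if __name__ == "__main__":
    for name, stanzas in (("naive", NAIVE), ("greedy", GREEDY), ("lazy", LAZY)):
        for raw in SAMPLES:
            print(f"{name:6} | {anonymize(raw, stanzas)}")
```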
Somesoni2, I am trying to test this search inline. Can you help with a direct search, not in props.conf?
I would want to generate an alert based on the appearance of the CC numbers in logs. I was trying this:
index="myIndex"
| rex "(?<possible_cc_number>((\d{4}[-\s]){3}\d{4}))"
| search possible_cc_number=*
| table _time possible_cc_number _raw
So the events are showing the numbers; how do I use the regex and formatting in the same inline search?
Thanks.