Index time masking maintaining string length (cont...

payl_chdhry · ‎08-19-2020

Posting a new question similar to my query from post: https://community.splunk.com/t5/Getting-Data-In/Index-time-masking-maintaining-string-length/td-p/51...

I have same requirement but for different format of string. I am trying to customize the rex/sed (SEDCMD=s/(?=[^\|]+\w{4}]$)./#/g) for this format but have not been able to achieve it yet.

2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "00000123456 " 1 240

should give me:

2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "0000012XXXX " 1 240

thambisetty · ‎08-19-2020

you have shared only one sample event. I have added few more digits to change length and see my regex is working or not. and also it mask only 4 digits always.

[yoursourcetype]
SEDCMD=s/(\"\d{3,})(\d{4})/\1****/g

————————————
If this helps, give a like below.

to4kawa · ‎08-19-2020

s/(\"\d+)(\d{4})/\1####/

Index time masking maintaining string length (continue)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

Join the Conversation