Index time masking maintaining string length (cont...

payl_chdhry · ‎08-19-2020

Posting a new question similar to my query from post: https://community.splunk.com/t5/Getting-Data-In/Index-time-masking-maintaining-string-length/td-p/51...

I have same requirement but for different format of string. I am trying to customize the rex/sed (SEDCMD=s/(?=[^\|]+\w{4}]$)./#/g) for this format but have not been able to achieve it yet.

2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "00000123456 " 1 240

should give me:

2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "0000012XXXX " 1 240

thambisetty · ‎08-19-2020

you have shared only one sample event. I have added few more digits to change length and see my regex is working or not. and also it mask only 4 digits always.

[yoursourcetype]
SEDCMD=s/(\"\d{3,})(\d{4})/\1****/g

————————————
If this helps, give a like below.

to4kawa · ‎08-19-2020

s/(\"\d+)(\d{4})/\1####/

Index time masking maintaining string length (continue)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Join the Conversation