Index time masking maintaining string length

payl_chdhry
Path Finder

Hi,

I want to do masking for logs at index time, but the replaced value ("X" here) should be the same character length as the original string. My requirement for masking is that, for the value within [], only the last 4 characters should be visible.

Example for below logs:

2020-08-18T13:17:43,990 [Engine 1] TRACE log data V01 [1|12345678]
2020-08-18T13:17:44,979 [Engine 2] TRACE log data V02 [2|A35453DFDF65]

The indexed logs should be:

2020-08-18T13:17:43,990 [Engine 1] TRACE log data V01 [1|XXXX5678]
2020-08-18T13:17:44,979 [Engine 2] TRACE log data V02 [2|XXXXXXXXDF65]

 

Currently I am using the SEDCMD command below, but that takes only a static length for X:
s/(TRACE\slog\s+data\s+V\d+\s+\[\d\|)(\w+)(\w{4})/\1XXXXXX\3/g

 

Is there a way to replace a string at index time with another string while maintaining the count of characters?

1 Solution

cpetterborg
SplunkTrust
SplunkTrust

Using the clever regex from @thambisetty (and slightly modified), here is a SEDCMD that I have tested which works and does what you want:

SEDCMD=s/(?=[^\|]+\w{4}]$)./#/g


thambisetty
SplunkTrust
SplunkTrust

Is the length of the string dynamic?


————————————
If this helps, give a like below.

payl_chdhry
Path Finder

@thambisetty Yes, the length would be dynamic. It should be anywhere between, say, 8 and maybe 20.


thambisetty
SplunkTrust
SplunkTrust

No worries 😉, I shared a tested regex.

Upvote if that solves your problem.


payl_chdhry
Path Finder

@cpetterborg Thank you for this. It worked 🙂

I had one more query in case you might be able to help. I have the same requirement but for a different format of string. I am trying to customize this rex/sed for this format as well but have not been able to achieve it yet.

 

2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "00000123456                 " 1 240

should give me:

2020-08-19T07:42:38,942 [Engine 9] TRACE MEHSegment WHERE "00" "0000012XXXX                 " 1 240


thambisetty
SplunkTrust
SplunkTrust

Can you post this as new question?


thambisetty
SplunkTrust
SplunkTrust

@payl_chdhry 
You could upvote my post also, because my post is the source of your answer. 😉


payl_chdhry
Path Finder

Sorry, I'm new to posting here. How do I upvote a post once I have marked another post as the answer?


payl_chdhry
Path Finder

Great. Let me try this. @cpetterborg


to4kawa
Ultra Champion

SEDCMD-mask = s/\|(\w+)(\w{4}\])$/|#\2/

Why can't we use this one, which has less of a load?


payl_chdhry
Path Finder

@to4kawa That would replace the whole matching string with a single #, like below:

My requirement is to replace each character (and not whole string) with X so the count of characters replaced before masking is equal to count of Xs.

2020-08-19T07:28:32,032 [Engine 8] TRACE SegmentLocks V13 added [1|XXXXXXXPP01]
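
The three substitutions discussed in this thread, compared side by side in Python as an added example (not code posted by any participant). It assumes Python's re module treats these patterns the same way as the regex engine behind SEDCMD; the SHORT and NO_PIPE events and the SCOPED pattern are constructed for illustration and do not come from the thread.

```python
import re

# Sample events copied from the log lines quoted in the thread.
EVENTS = [
    "2020-08-18T13:17:43,990 [Engine 1] TRACE log data V01 [1|12345678]",
    "2020-08-18T13:17:44,979 [Engine 2] TRACE log data V02 [2|A35453DFDF65]",
]
# Constructed edge cases (assumptions, not from the thread).
SHORT = "2020-08-18T13:17:45,001 [Engine 3] TRACE log data V03 [3|1234]"
NO_PIPE = "2020-08-18T13:17:46,002 [Engine 4] TRACE note [ABCDEFGH]"

# Original attempt: a fixed run of six X, whatever the value length.
STATIC = re.compile(r"(TRACE\slog\s+data\s+V\d+\s+\[\d\|)(\w+)(\w{4})")
# Single substitution: the whole hidden prefix collapses to one character.
COLLAPSE = re.compile(r"\|(\w+)(\w{4}\])$")
# Accepted answer: consume ONE character per match, and only where the
# lookahead finds (without crossing a '|') at least one more character,
# then four word characters and the closing ']' at the end of the event.
PER_CHAR = re.compile(r"(?=[^|]+\w{4}\]$).")
# Hypothetical narrower variant: only word characters in the final run
# before ']' can match, so the rest of the event is never touched.
SCOPED = re.compile(r"(?=\w{5,}\]$)\w")


def mask_static(event):
    return STATIC.sub(r"\1XXXXXX\3", event)


def mask_collapse(event):
    return COLLAPSE.sub(r"|#\2", event)


def mask_per_char(event, fill="X"):
    return PER_CHAR.sub(fill, event)


def mask_scoped(event, fill="X"):
    return SCOPED.sub(fill, event)


if __name__ == "__main__":
    for ev in EVENTS + [SHORT, NO_PIPE]:
        print("raw     ", ev)
        print("static  ", mask_static(ev))
        print("collapse", mask_collapse(ev))
        print("per-char", mask_per_char(ev))
        print("scoped  ", mask_scoped(ev))
```

On an event that ends in `]` but contains no `|`, the per-character pattern masks the event from its first character, and a value of four characters or fewer is left fully visible, so the SEDCMD is best tested against every event shape the sourcetype can produce.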
