Getting Data In

SEDCMD not working for credit masking

msmapper
Path Finder

When trying to use the SEDCMD in props.conf to mask credit card numbers that are URL encoded and which can possibly have commas or no dashes to separate the numbers. Below is what I currently have in my props.conf file. I have used a PCRE regex tester and the regex works well.

[index::main]
SEDCMD-ccmask= s/((\%20|\%2C)?(6\d{3}|5\d{3}|4\d{3})(\-|\%20|\%2C)?\d{4}(\-|\%20|\%2C)?\d{4}(\-| \%20|\%2C)?\d{4}(\%20|\%2C))|((\%20|\%2C)+3\d{3}(\-|\%20|\%2C)?\d{6}(\-|\%20|\%2C)?\d{4,5}(\%20|\%2C))/####CC-SCRUBBED###\1/g

any help with this would be greatly appreciated.

0 Karma
1 Solution

msmapper
Path Finder

I was able to figure out how to make it work. here is my final version for props.conf

[reporting_test]
SEDCMD-ccmask= s/(((\%20|\%2C)?(6\d{3}|5\d{3}|4\d{3})(\-|\%20|\%2C)?\d{4}(\-|\%20|\%2C)?\d{4}(\-|\%20|\%2C)?\d{4}(\%20|\%2C))|((\%20|\%2C)+3\d{3}(\-|\%20|\%2C)?\d{6}(\-|\%20|\%2C)?\d{4,5}(\%20|\%2C)))/####CC-SCRUBBED###/g

thanks
jen

View solution in original post

msmapper
Path Finder

I was able to figure out how to make it work. here is my final version for props.conf

[reporting_test]
SEDCMD-ccmask= s/(((\%20|\%2C)?(6\d{3}|5\d{3}|4\d{3})(\-|\%20|\%2C)?\d{4}(\-|\%20|\%2C)?\d{4}(\-|\%20|\%2C)?\d{4}(\%20|\%2C))|((\%20|\%2C)+3\d{3}(\-|\%20|\%2C)?\d{6}(\-|\%20|\%2C)?\d{4,5}(\%20|\%2C)))/####CC-SCRUBBED###/g

thanks
jen

msmapper
Path Finder

Turk,

here is an example, the fake cc number in the example is near the end but in our logs it can be anywhere after "notes="

Sep 10 20:47:26 server.chi <local4-notice> logger: 111.111.444.18 - - [10/Sep/2013:20:47:25 -0500] "GET /ajaxHandler?request=process&transId=5237260030018826951&bucketId=1&Id=R_5237260000000015722&Text=ALLOW&notes=frd.inv.ok%20to%20process.pc-no%2di-no%2CAvs%20Z%2Clinked%20order%3A500834127%2Cbil2shp2%20tch%20hm%20addr.bank%2099-400-9999%20rep%20stated%20no%20phn%20merchant%20vrfctn%20allowed%2Cnon%20susp%20order%20details%20so%20processing.celia%2Ftofc%0A%0A%0AXXXX-XXXX-XXXX-XXXX%20 HTTP/1.1" 200 75

Regards
Jen

0 Karma

rturk
Builder

Hi Msmapper - Can you provide a few example events (obviously changing the CC numbers 🙂

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...