Hi,
I've been playing with the SEDCMD in my props.conf to anonymize CC data in a log.
Originally I tried this:
[host::nas.x.com]
SEDCMD-cc_anon = s/strRtCardNum:\s+\d{16}/strRtCardNum: ################/g
I changed that based on the splunk example given:
SEDCMD-accounts = s/ssn=\d{5}(\d{4})/ssn=xxxxx\1/g s/cc=(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/
So now it's this:
[host::nas.x.com]
SEDCMD-cc_anon = s/strRtCardNum=\s+\d{16}/strRtCardNum= ################/g
And it's still not working. This is getting frustrating. Has anyone gotten this to work right? What am I doing wrong?
[host::nas.x.com]
SEDCMD-cc_anon = s/ccNum:\s+\d{16}/ccNum: ################/ s/Shopper:\s+\d+/Shopper: #####/
providing the data comes from a host called nas.x.com
yeah, something like 
 s/\d{15,16}/xxxx/g
should work to replace all instances of 15 or 16 consecutive numbers
The "ccNum" string beforehand is just to ensure the digits being matched are always after the string ccNum
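As an added example (not code from the thread), here are the thread's two SEDCMD substitutions as Python regexes, widened to \d{15,16} and run over events modelled on the sample data posted below; the 15-digit event is constructed to cover the Amex-length case, and a final check confirms no 15- or 16-digit run survives the masking.

```python
import re

# Constructed sample events, modelled on the ones posted in the thread.
# The third line is a constructed 15-digit (Amex-length) number to exercise \d{15,16}.
SAMPLE_EVENTS = [
    "CheckoutServices.finishPaymentStartOrderReview: inside is mode check Shopper: 5555555",
    "CheckoutServices.finishPaymentStartOrderReview: ccNum: 9999999999999999 Shopper: 5555555",
    "CheckoutServices.finishPaymentStartOrderReview: ccNum: 999999999999999 Shopper: 5555555",
]

# Python equivalents of:
# SEDCMD-cc_anon = s/ccNum:\s+\d{15,16}/ccNum: ################/ s/Shopper:\s+\d+/Shopper: #####/
# Neither substitution carries a /g flag, so each replaces only the first match per event.
RULES = [
    (re.compile(r"ccNum:\s+\d{15,16}"), "ccNum: ################"),
    (re.compile(r"Shopper:\s+\d+"), "Shopper: #####"),
]

# Any surviving run of 15 or 16 consecutive digits means a card number got through.
LEAK = re.compile(r"\d{15,16}")


def anonymize(event: str) -> str:
    """Apply each rule once, in order, mirroring the SEDCMD line above."""
    for pattern, replacement in RULES:
        event = pattern.sub(replacement, event, count=1)
    return event


def leaked(event: str) -> bool:
    """True if a 15- or 16-digit run is still present after masking."""
    return LEAK.search(event) is not None


def anonymize_all(events):
    """Mask every event and report whether any card number survived."""
    masked = [anonymize(e) for e in events]
    return masked, any(leaked(m) for m in masked)


if __name__ == "__main__":
    masked, any_leak = anonymize_all(SAMPLE_EVENTS)
    for line in masked:
        print(line)
    print("card numbers leaked:", any_leak)
```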
ok, so can I take the string out altogether and simply match all 16 digit numbers in this log?
I've found using perl on the command line is the easiest way to troubleshoot SEDCMD
i.e. 
 perl -pe 's/ccNum:\s([0-9]{16})/ccNum: xxxx/g' 
It's a quick way to see if the SEDCMD works at all, and if the output is in the format you're trying to get
try modifying \d{16} to \d{15,16}
Awesome, that worked! Only problem is now I found some 15 digit American Express cards that also need to be blocked out but I think I can figure that out. Thank you gentlemen very much!
Thank you sir. I'm trying this now and will let you know what happens.
Well if the string "strRTCardNum" isn't in your event, then a regex looking for that string will obviously not match.
It's in a props.conf that is being sent to all indexers with the deployment server.
Here's some sample data.
CheckoutServices.finishPaymentStartOrderReview: inside is mode check Shopper: 5555555
CheckoutServices.finishPaymentStartOrderReview: ccNum: 9999999999999999 Shopper: 5555555
strRTCardNum was something the Splunk consultant put in before he left, though I'm not sure where he got it. It's never worked right.
Thanks guys!
Is this done on a Universal Forwarder or an indexer?
Can you provide a sample of an original event? (Just set the cc number to 99999999999999 or something.)
What's after the string strRtCardNum? Is it a : or a = ?
Is there really a space before the card number?
