Would you kindly assist us in hiding the credit card number and expiration date for the following field some ab
n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0009 2321 Expiry Date of HDFC card 01/26 Any other relevant info Thanks and Regards, Murali. From
What have you tried so far and how did those attempts not meet expectations?
I'm appreciative of your response. I tried the one below, but the field contains more information than just the credit card number. I'm wondering how I can mask a field value that contains the credit card number and expiration date along with some other information in the field.
Field name: abcd
Field value: n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0002 4786 Expiry Date of HDFC card 02/28 Any other relevant info Thanks and Regards, santhosh. From
SEDCMD-accmasking = s/abcd=(.)(\d{4}-){3}(\d{4})/cc=xxxx-xxxx-xxxx-\2/
But to be honest, I am not very confident with this part of Splunk. Could you please help me?
The cited SEDCMD is looking for the literal text "abcd=", which doesn't exist in the sample event. Therefore, the card number will not be masked. It's also looking for groups of 4 digits separated by hyphens, which also is not in the sample event. SEDCMD looks at the raw event rather than a specific field.
Try this
SEDCMD-accmasking = s/card number \d{4} \d{4} \d{4} (\d{4})/card number xxxx xxxx xxxx \1/
Actually, the field abcd is already extracted, but that field contains all the values, including the credit card number and expiry date, for example like below:
abcd="n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0002 4786 Expiry Date of HDFC card 02/28 Any other relevant info Thanks and Regards, santhosh. From"
abcd="n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 2345 3333 0012 0405 Expiry Date of HDFC card 06/29 Any other relevant info QATAR FARE IS INR 122645 /-ONWARD"
abcd="n required YES Accommodation [Bucharest] 6 Nights – Novotel Bucharest HDFC Master card number 2323 2324 0010 0600 Expiry Date of HDFC card 06/34 Any other relevant info [cid:image001.png@01DA4ACD.FF6"
So the data is already extracted into one field called abcd, and I want to mask the credit card number except the last 4 digits, and also the expiry date.
What do you mean by "the field abcd is already extracted"?
Remember that most of the fields you work with in Splunk are so-called "search-time" extractions, which means that they are extracted dynamically when you are searching and displaying the data, while SEDCMD works at so-called "index-time", which means _before_ the data is written to Splunk's indexes. SEDCMD, as @richgalloway pointed out, does not know anything about the search-time extracted fields, so you can't rely on their values.
SEDCMD is a regex-based text substitution which works on the _raw data. There is no concept of field here whatsoever.
Thanks for the clarification, but the regex you provided still doesn't match the data. Did you try the one I gave?
Yes, I have tried this one, like below, but it is still not masking the data.
| rex field=abcd mode=sed "s/card number \d{4}\d{4}\d{4}(\d{4})/card number xxxx xxxx xxxx \1/"
That's not the same regex as the one I provided. Spaces are significant. Here's a variation with more explicit spaces.
SEDCMD-accmasking = s/card number \d{4}\s\d{4}\s\d{4}\s(\d{4})/card number xxxx xxxx xxxx \1/
This is another one that I tried, but it doesn't seem to be working. Will the masking apply to fields that have already been extracted during the search process?
SEDCMD applies at index time and only to new events.
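The following is an added example, not code from anyone in the thread: it applies the same regex as the SEDCMD above to constructed copies of the sample events (the card numbers and expiry dates are made up), extends it to also mask the expiry date the original question asked about, and shows why the asker's version without whitespace between the digit groups never matches. The props.conf stanza in the comments assumes a placeholder sourcetype name.

```python
import re

# Constructed sample events shaped like the thread's abcd values (fake card data).
SAMPLE_EVENTS = [
    "n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number "
    "1234 4567 0002 4786 Expiry Date of HDFC card 02/28 Any other relevant info Thanks and Regards, santhosh. From",
    "n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number "
    "2345 3333 0012 0405 Expiry Date of HDFC card 06/29 Any other relevant info QATAR FARE IS INR 122645 /-ONWARD",
]

# Equivalent index-time configuration (assumed placeholder sourcetype):
#   [your_sourcetype]
#   SEDCMD-accmasking = s/card number \d{4}\s\d{4}\s\d{4}\s(\d{4})/card number xxxx xxxx xxxx \1/
#   SEDCMD-expmasking = s/(Expiry Date of HDFC card )\d{2}\/\d{2}/\1xx\/xx/
CARD_RE = re.compile(r"card number \d{4}\s\d{4}\s\d{4}\s(\d{4})")
EXPIRY_RE = re.compile(r"(Expiry Date of HDFC card )\d{2}/\d{2}")

# The asker's pattern: no whitespace between the digit groups, so it cannot match
# "1234 4567 0002 4786" and leaves the event unchanged.
BROKEN_CARD_RE = re.compile(r"card number \d{4}\d{4}\d{4}(\d{4})")


def mask_raw(raw: str) -> str:
    """Mask the card number except its last 4 digits, then the expiry date."""
    masked = CARD_RE.sub(r"card number xxxx xxxx xxxx \1", raw)
    return EXPIRY_RE.sub(r"\1xx/xx", masked)


def mask_with_broken_pattern(raw: str) -> str:
    """Apply the whitespace-free pattern from the thread; returns raw unchanged."""
    return BROKEN_CARD_RE.sub(r"card number xxxx xxxx xxxx \1", raw)


def has_unmasked_card(raw: str) -> bool:
    """Post-masking check: does any 4x4-digit card-style number survive?"""
    return re.search(r"\b\d{4}\s\d{4}\s\d{4}\s\d{4}\b", raw) is not None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(mask_raw(event))
```

Because this runs at index time, data already indexed stays as it was; the check function is what you would run over a search of the existing events to find anything that still needs attention.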