Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I partially mask or anonymize a field value at search time?

flee
Path Finder
‎05-17-2015 08:16 PM

Hello,

I have events with two extracted fields with values that I'd like to mask partially at search time. Here are the two sample field values:
AccountID=987654321
SSN=123-45-6789

When I entered the following search command, the result showed with AccountID=XXXXXXXX and SSN=XXXXXXXX; both values are completely masked with XXXXXXXX.

sourcetype=MyTest | table _time First_Name Last_Name AccountID SSN | eval AccountID = "XXXXXXXX" | eval SSN = "XXXXXXXX"

However, I'd like the result to show only the last 4 digits of the AccountID and SSN. For example, I'd like the result to show AccountID=XXXXX4321 and SSN=XXX-XX-6789. How would I construct a search to do that and also test for an empty/null value and put a static text "NONE" if the value is empty/null?

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-18-2015 11:28 PM

You can try this...

sourcetype=MyTest| eval SSN=if(isnull(SSN),"NONE",SSN) | rex field=SSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g"| table _time First_Name Last_Name AccountID SSN

View solution in original post

Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎05-18-2015 11:28 PM

You can try this...

sourcetype=MyTest| eval SSN=if(isnull(SSN),"NONE",SSN) | rex field=SSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g"| table _time First_Name Last_Name AccountID SSN
Reply
Solved! Jump to solution

flee
Path Finder
‎05-20-2015 10:52 PM

Thanks esix_splunk! It worked!

0 Karma
Reply
Solved! Jump to solution

Yasaswy
Contributor
‎05-18-2015 08:45 AM

Hi,
You can use rex and sed to do a match and replace. Check out rex syntax.
Eg:

sourcetype=MyTest|rex field=SSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g"| table _time First_Name Last_Name AccountID SSN

should mask SSN in the search results. If your AccountId follows a fixed pattern.. you can do the same.

0 Karma
Reply
Solved! Jump to solution

flee
Path Finder
‎05-18-2015 10:22 PM

Thanks Yasaswy! It worked! Any suggestion on how to test for an empty/null value and put a static text "NONE" if the value is empty/null?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...