How do I partially mask or anonymize a field value at search time?

flee
Path Finder

Hello,

I have events with two extracted fields with values that I'd like to mask partially at search time. Here are the two sample field values:
AccountID=987654321
SSN=123-45-6789

When I entered the following search command, the results showed AccountID=XXXXXXXX and SSN=XXXXXXXX; both values were completely masked with XXXXXXXX.

sourcetype=MyTest | table _time First_Name Last_Name AccountID SSN | eval AccountID = "XXXXXXXX" | eval SSN = "XXXXXXXX"

However, I'd like the result to show only the last 4 digits of the AccountID and SSN. For example, I'd like the result to show AccountID=XXXXX4321 and SSN=XXX-XX-6789. How would I construct a search to do that and also test for an empty/null value and put a static text "NONE" if the value is empty/null?

Thank you.

0 Karma
1 Solution

esix_splunk
Splunk Employee

You can try this...

sourcetype=MyTest | eval SSN=if(isnull(SSN),"NONE",SSN) | rex field=SSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g" | table _time First_Name Last_Name AccountID SSN

View solution in original post
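A search that covers both fields from the question (last four digits of AccountID visible, SSN shown as XXX-XX-6789, and "NONE" for a missing or empty value), as an added example and not part of either answer above. It assumes the field names and value formats from the question; the AccountID mask uses a regex lookahead so any number of leading digits are replaced with X while the last four stay visible:

```spl
sourcetype=MyTest
| eval AccountID=if(isnull(AccountID) OR trim(AccountID)="", "NONE", AccountID)
| eval SSN=if(isnull(SSN) OR trim(SSN)="", "NONE", SSN)
| rex field=AccountID mode=sed "s/\d(?=\d{4}$)/X/g"
| rex field=SSN mode=sed "s/^\d{3}-\d{2}/XXX-XX/"
| table _time First_Name Last_Name AccountID SSN
```

With the sample values this yields AccountID=XXXXX4321 and SSN=XXX-XX-6789, and the "NONE" placeholder passes through both sed expressions untouched because neither pattern matches it. This only masks the values in the results of this particular search: anyone who can search the raw events still sees the full AccountID and SSN, so for data that must never be visible, mask it at index time (for example with a SEDCMD in props.conf) or restrict the role's access to the events instead.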


flee
Path Finder

Thanks esix_splunk! It worked!

0 Karma

Yasaswy
Contributor

Hi,
You can use rex and sed to do a match and replace. Check out the rex syntax.
E.g.:

sourcetype=MyTest | rex field=SSN mode=sed "s/\d{3}-\d{2}/XXX-XX/g" | table _time First_Name Last_Name AccountID SSN

should mask SSN in the search results. If your AccountID follows a fixed pattern, you can do the same.

0 Karma

flee
Path Finder

Thanks Yasaswy! It worked! Any suggestion on how to test for an empty/null value and put a static text "NONE" if the value is empty/null?

0 Karma