Splunk Search

How to write rex with sed mode so that it shows/extracts all unique numbers with specific digits masked?

user290317
Explorer

Hi, novice splunker here.

How could I search or extract all the unique numbers while keeping certain digits masked?
E.g. Field with a 16 digits credit card number would look like 123456######0011.

I typed in this syntax:

source="log.xml" | dedup CC | rex field=CC mode=sed "s/(\\d{6})(\\d{6})(\\d{4})/\\1############\\3/g"

to no avail.

1 Solution

DalJeanis
Legend

Your code works just fine. Here's some randomly generated 16-digit numbers starting with 4 or 5.

| makeresults
| eval CC = "4272244909012766 4558001333691191 4558001234691191 4558005678691191 4251094150032295 4389981912828463 5967770933229475 5301338379674613 5985771287844680 5006543747713681"
| makemv CC
| mvexpand CC
| rex field=CC mode=sed "s/(\\d{6})(\\d{6})(\\d{4})/\\1############\\3/g"

Note that since you are masking some of the characters, you may get the same output CC numbers for different inputs. Records 2, 3 and 4 produce the same masked number....

427224############2766
455800############1191
455800############1191
455800############1191
425109############2295
438998############8463
596777############9475
530133############4613
598577############4680
500654############3681

Note - it works just fine in search without doubling the backslashes also.


woodcock
Esteemed Legend

Why is this a new question? This clutters the forum (when you ask the same question twice).


Funderburg78
Path Finder

What if the value being replaced was from DNS Query logs like:

(3)windows(12)live(2)com(7)

and sometimes

(4)live(7)windows(4)update(13)com(4)

The goal of course is to replace (\d+) with a "." anywhere it appears in the field. I can easily replace the leading and trailing (\d) using rex to strip them from the field so it looks like:

windows(12)live(2)com

or

live(7)windows(4)update(13)com
How can I then use mode=sed to convert it to windows.live.com and/or live.windows.update.com? Sometimes the domain name is 10+ word.word.word.word in length and it is variable.


Funderburg78
Path Finder

I figured it out for those curious:

| rex field=domain mode=sed "s/\(\d+\)/./g"

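Both substitutions from this thread (the card-number mask from DalJeanis's accepted answer and the DNS label-length conversion just above), rewritten in Python with the standard re module as an added example; this is not SPL from the posts, and the card numbers and query strings are constructed samples. It also shows why the caveat in the accepted answer matters: deduplicating before masking (what the original `dedup CC | rex` pipeline does) keeps every distinct card, while deduplicating after masking collapses records that share the same visible digits.

```python
import re

# Constructed sample values modelled on the thread's examples (not real card numbers).
CARDS = [
    "4272244909012766", "4558001333691191", "4558001234691191",
    "4558005678691191", "4251094150032295",
]
DNS_NAMES = ["(3)windows(12)live(2)com(7)", "(4)live(7)windows(4)update(13)com(4)"]

# Same regex and replacement as the thread's rex mode=sed expression:
# keep the first 6 and last 4 digits, replace the middle 6 with 12 '#'.
CC_PATTERN = re.compile(r"(\d{6})(\d{6})(\d{4})")


def mask_cc(value: str) -> str:
    return CC_PATTERN.sub(r"\1############\3", value)


def unique_masked(values):
    """Mirror '| dedup CC | rex ...': dedup on the raw value first, then mask.
    Returns masked values in first-seen order; one entry per distinct card."""
    seen, out = set(), []
    for v in values:
        if v not in seen:
            seen.add(v)
            out.append(mask_cc(v))
    return out


def distinct_after_masking(values):
    """Dedup after masking: cards that share the visible digits collapse into one
    (records 2, 3 and 4 in the thread all become 455800############1191)."""
    return sorted({mask_cc(v) for v in values})


# DNS query log labels: every "(N)" length prefix becomes a dot, as in 's/\(\d+\)/./g'.
# Instead of stripping the leading/trailing (N) with a separate rex first, this replaces
# them all and then trims the dots the edge markers leave behind; the result is the same.
LABEL_LEN = re.compile(r"\(\d+\)")


def dns_labels_to_dots(value: str) -> str:
    return LABEL_LEN.sub(".", value).strip(".")


if __name__ == "__main__":
    print(unique_masked(CARDS))            # 5 entries, three of them identical
    print(distinct_after_masking(CARDS))   # 3 distinct masked values
    print([dns_labels_to_dots(n) for n in DNS_NAMES])
```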

cpetterborg
SplunkTrust

The following works:

| makeresults | eval raw="1234567890123456" | rex field=raw mode=sed "s/(\d{6})(\d{6})(\d{4})/\\1#######\\3/g"

So it is likely that the only thing wrong is the double backslashes.
