I am able to use "SEDCMD" to mask the sensitive data during the index time, but is it possible to mask the sensitive data during the search time? Thanks.
Yes this is possible.
You can make an calculated field with the name of the field you want to change. The Eval expression should look like this:
replace(fieldname, "text-to-replace", "replacement")
When trying to mask data you can use the same command but with regex:
replace(fieldname, "field=[^;]+", "field=XXXX")
Remember to set sharing to the correct level.
Try using rex command with mode=sed option.
your base search
| rex mode=sed "s/(sensitive_data_regex)/replacement_string/g"
Again, this won't change the underlying data, just the raw data that's displayed in table/event visualization. Any fields extracted from _raw before your rex command (e.g. saved field extractions or auto-field extraction) could still have those sensitive data.
Thanks somesoni2, but I wanted to make it work from the configuration files.
You can try some stuff but that method has many loop holes. For example you can setup a calculated field to overwrite the _raw field with masked data. It will do the replacement of _raw values in cases where saved field extractions are called (searches running in Smart Mode OR Verbose mode), but it won't do anything if the search has in Fast Mode and user is just running the base search (not referenced _raw field explicitly).