Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mask the last 4 digits of a number which is 8 digits longer

VipeRafajzat
Explorer
‎11-24-2020 04:53 AM

Hello!

I am struggling to mask the last 4 digits of my numbers.

 

| rex field=FIELD_XY mode=sed "s/[0-9#]{3}$/###/g"

 

With this code I am able to mask the last 4 digits of all kind of numbers in my table to ####. So the numbers looking like : 123456####.

What I cannot do is to apply this masking only those numbers which are 8 digits or more long.  Tried several options and played with regex, but it didn't mask it or over masking everything .

Thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:40 AM

Try this run-anywhere example query.

| makeresults | eval FIELD_XY="12345~12345678" | eval FIELD_XY=split(FIELD_XY,"~") | mvexpand FIELD_XY
```Above just creates test data```
| rex field=FIELD_XY mode=sed "s/(\d{4,})[0-9#]{4}$/\1####/g"

The regex looks for a group of a least 4 digits followed by 4 digits or octothorpes.  It then retains the group and replaces the remaining four characters with octothorpes.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2020 07:24 AM 
| makeresults | eval _raw="1234567890 12345678 1234567"
| rex mode=sed max_match=0 "s/([0-9]{4})([0-9]{4})($|[^0-9])/\1XXXX\3/g"
0 Karma
Reply
Solved! Jump to solution

VipeRafajzat
Explorer
‎11-24-2020 07:49 AM

Thank you!

 

It was almost perfect, except that it failed if the last digit was a #, then it was not masked with XXXX then.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:40 AM

Try this run-anywhere example query.

| makeresults | eval FIELD_XY="12345~12345678" | eval FIELD_XY=split(FIELD_XY,"~") | mvexpand FIELD_XY
```Above just creates test data```
| rex field=FIELD_XY mode=sed "s/(\d{4,})[0-9#]{4}$/\1####/g"

The regex looks for a group of a least 4 digits followed by 4 digits or octothorpes.  It then retains the group and replaces the remaining four characters with octothorpes.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

VipeRafajzat
Explorer
‎11-24-2020 07:48 AM

Thank you!

This was the solution what I was looking for 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...