Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mask the last 4 digits of a number which is 8 digits longer

VipeRafajzat
Explorer
‎11-24-2020 04:53 AM

Hello!

I am struggling to mask the last 4 digits of my numbers.

 

| rex field=FIELD_XY mode=sed "s/[0-9#]{3}$/###/g"

 

With this code I am able to mask the last 4 digits of all kind of numbers in my table to ####. So the numbers looking like : 123456####.

What I cannot do is to apply this masking only those numbers which are 8 digits or more long.  Tried several options and played with regex, but it didn't mask it or over masking everything .

Thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:40 AM

Try this run-anywhere example query.

| makeresults | eval FIELD_XY="12345~12345678" | eval FIELD_XY=split(FIELD_XY,"~") | mvexpand FIELD_XY
```Above just creates test data```
| rex field=FIELD_XY mode=sed "s/(\d{4,})[0-9#]{4}$/\1####/g"

The regex looks for a group of a least 4 digits followed by 4 digits or octothorpes.  It then retains the group and replaces the remaining four characters with octothorpes.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2020 07:24 AM 
| makeresults | eval _raw="1234567890 12345678 1234567"
| rex mode=sed max_match=0 "s/([0-9]{4})([0-9]{4})($|[^0-9])/\1XXXX\3/g"
0 Karma
Reply
Solved! Jump to solution

VipeRafajzat
Explorer
‎11-24-2020 07:49 AM

Thank you!

 

It was almost perfect, except that it failed if the last digit was a #, then it was not masked with XXXX then.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:40 AM

Try this run-anywhere example query.

| makeresults | eval FIELD_XY="12345~12345678" | eval FIELD_XY=split(FIELD_XY,"~") | mvexpand FIELD_XY
```Above just creates test data```
| rex field=FIELD_XY mode=sed "s/(\d{4,})[0-9#]{4}$/\1####/g"

The regex looks for a group of a least 4 digits followed by 4 digits or octothorpes.  It then retains the group and replaces the remaining four characters with octothorpes.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

VipeRafajzat
Explorer
‎11-24-2020 07:48 AM

Thank you!

This was the solution what I was looking for 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...