Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Mask the last 4 digits of a number which is 8 digits longer

VipeRafajzat
Explorer
‎11-24-2020 04:53 AM

Hello!

I am struggling to mask the last 4 digits of my numbers.

 

| rex field=FIELD_XY mode=sed "s/[0-9#]{3}$/###/g"

 

With this code I am able to mask the last 4 digits of all kind of numbers in my table to ####. So the numbers looking like : 123456####.

What I cannot do is to apply this masking only those numbers which are 8 digits or more long.  Tried several options and played with regex, but it didn't mask it or over masking everything .

Thank you!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:40 AM

Try this run-anywhere example query.

| makeresults | eval FIELD_XY="12345~12345678" | eval FIELD_XY=split(FIELD_XY,"~") | mvexpand FIELD_XY
```Above just creates test data```
| rex field=FIELD_XY mode=sed "s/(\d{4,})[0-9#]{4}$/\1####/g"

The regex looks for a group of a least 4 digits followed by 4 digits or octothorpes.  It then retains the group and replaces the remaining four characters with octothorpes.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-24-2020 07:24 AM 
| makeresults | eval _raw="1234567890 12345678 1234567"
| rex mode=sed max_match=0 "s/([0-9]{4})([0-9]{4})($|[^0-9])/\1XXXX\3/g"
0 Karma
Reply
Solved! Jump to solution

VipeRafajzat
Explorer
‎11-24-2020 07:49 AM

Thank you!

 

It was almost perfect, except that it failed if the last digit was a #, then it was not masked with XXXX then.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎11-24-2020 06:40 AM

Try this run-anywhere example query.

| makeresults | eval FIELD_XY="12345~12345678" | eval FIELD_XY=split(FIELD_XY,"~") | mvexpand FIELD_XY
```Above just creates test data```
| rex field=FIELD_XY mode=sed "s/(\d{4,})[0-9#]{4}$/\1####/g"

The regex looks for a group of a least 4 digits followed by 4 digits or octothorpes.  It then retains the group and replaces the remaining four characters with octothorpes.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

VipeRafajzat
Explorer
‎11-24-2020 07:48 AM

Thank you!

This was the solution what I was looking for 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...