Need to mask the data twice in a single field

Can you please help me mask the data?

Raw Data: -> "login": "44337754-004613081080P"

I want the number to be masked in the pattern below.
Example: 44337754-004613081080P
Expected result of masking
Example (masked): ****7754-*********080P

I tried the following:
| rex mode=sed "s/(\"login\"\:\s+\")(\w+)(\d\d\d)-/\1\2xxx-/g"
But I am not getting the expected output.

0 Karma


I think part of the problem is that the regex is looking for 3 digits followed by a hyphen, and there's only one instance of that in the sample data, so there is only one substitution.

Try a different regex that matches the entire string (assuming all events follow the same pattern):

| rex mode=sed "s/(\"login\"\:\s+\")\w{5}(\d\d\d)-\d{9}(\w+)/\1xxxxx\2-xxxxxxxxx\3/"
If this reply helps you, Karma would be appreciated.


Hi @Vignesh-107,

Try this:

| makeresults 
| eval _raw="\"login\": \"44337754-004613081080P\"" 
| rex mode=sed "s/(\"login\"\:\s+\")\d{4}(\d{4}-)\d{9}/\1****\2*********/g"


If this reply helps you, an upvote/like would be appreciated.

0 Karma
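
An added example, not part of the thread: the substitution from the reply above ported to Python's `re` (not Splunk itself) and run over constructed events, with an audit step that lists login values the expression leaves in clear text when an event deviates from the expected format. The helper names, the sample events and the assumed shape of a correctly masked value are illustrative.

```python
import re

# Same expression as the rex mode=sed in the reply above, ported to Python's re:
# mask the first 4 digits, keep the next 4 and the hyphen, mask the following 9.
MASK = re.compile(r'("login":\s+")\d{4}(\d{4}-)\d{9}')
# Any login value, used to audit what the substitution left behind.
LOGIN = re.compile(r'"login":\s*"([^"]*)"')
# Shape a correctly masked value must have (tail of \w+ is an assumption).
MASKED_OK = re.compile(r'\*{4}\d{4}-\*{9}\w+')


def mask_login(raw):
    """Apply the substitution to every matching login value in the event."""
    return MASK.sub(r'\1****\2*********', raw)


def unmasked_logins(raw):
    """Return login values that are still in clear text after masking."""
    return [value for value in LOGIN.findall(mask_login(raw))
            if not MASKED_OK.fullmatch(value)]


# Constructed sample events (not taken from real data).
EVENTS = [
    '"login": "44337754-004613081080P"',   # format from the question
    '"login":"44337754-004613081080P"',    # no space after the colon
    '"login": "4433775-004613081080P"',    # 7 digits before the hyphen
]

if __name__ == "__main__":
    for event in EVENTS:
        print(mask_login(event), "| still clear:", unmasked_logins(event))
```

Only the first event is masked; the other two pass through unchanged because the pattern requires whitespace after the colon and exactly eight digits before the hyphen, so the expression is worth checking against every login format present in the index.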