Need to mask the data twice in a single field

Vignesh-107 · ‎03-11-2021

Can you please help me in masking the data.

Raw Data: -> "login": "44337754-004613081080P"

I want the number to be masked as the below pattern
Example: 44337754-004613081080P
Expected result of masking
Example (masked): ****7754-*********080P

I tried with the following
| rex mode=sed "s/(\"login\"\:\s+\")(\w+)(\d\d\d)-/\1\2xxx-/g"
But not getting the expected output

richgalloway · ‎03-11-2021

I think part of the problem is the regex is looking for 3 digits followed by a hyphen and there's only one instance of that in the sample data so only one substitution.

Try a different regex that matches the entire string (assuming all events follow the same pattern):

| rex mode=sed "s/(\"login\"\:\s+\")\w{5}(\d\d\d)-\d{9}(\w+)/\1xxxxx\2-xxxxxxxxx\3/"

---
If this reply helps you, Karma would be appreciated.

manjunathmeti · ‎03-11-2021

hi @Vignesh-107,

Try this:

| makeresults 
| eval _raw="\"login\": \"44337754-004613081080P\"" 
| rex mode=sed "s/(\"login\"\:\s+\")\d{4}(\d{4}-)\d{9}/\1****\2*********/g"

If this reply helps you, an upvote/like would be appreciated.

Need to mask the data twice in a single field

rex

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms