Splunk Search

Need to mask the data twice in a single field

Path Finder

Can you please help me in masking the data.

Raw Data: -> "login": "44337754-004613081080P"

I want the number to be masked as the below pattern 
Example: 44337754-004613081080P
Expected result of masking
Example (masked): ****7754-*********080P

I tried with the following 
| rex mode=sed "s/(\"login\"\:\s+\")(\w+)(\d\d\d)-/\1\2xxx-/g"
But not getting the expected output

Labels (1)
Tags (1)
0 Karma


I think part of the problem is the regex is looking for 3 digits followed by a hyphen and there's only one instance of that in the sample data so only one substitution.

Try a different regex that matches the entire string (assuming all events follow the same pattern):

| rex mode=sed "s/(\"login\"\:\s+\")\w{5}(\d\d\d)-\d{9}(\w+)/\1xxxxx\2-xxxxxxxxx\3/"
If this reply helps you, Karma would be appreciated.


hi @Vignesh-107,

Try this:

| makeresults 
| eval _raw="\"login\": \"44337754-004613081080P\"" 
| rex mode=sed "s/(\"login\"\:\s+\")\d{4}(\d{4}-)\d{9}/\1****\2*********/g"


If this reply helps you, an upvote/like would be appreciated.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...