Splunk Search

Need to mask the data twice in a single field

Path Finder

Can you please help me in masking the data.

Raw Data: -> "login": "44337754-004613081080P"

I want the number to be masked as the below pattern 
Example: 44337754-004613081080P
Expected result of masking
Example (masked): ****7754-*********080P

I tried with the following 
| rex mode=sed "s/(\"login\"\:\s+\")(\w+)(\d\d\d)-/\1\2xxx-/g"
But not getting the expected output

Labels (1)
Tags (1)
0 Karma


I think part of the problem is the regex is looking for 3 digits followed by a hyphen and there's only one instance of that in the sample data so only one substitution.

Try a different regex that matches the entire string (assuming all events follow the same pattern):

| rex mode=sed "s/(\"login\"\:\s+\")\w{5}(\d\d\d)-\d{9}(\w+)/\1xxxxx\2-xxxxxxxxx\3/"
If this reply helps you, Karma would be appreciated.


hi @Vignesh-107,

Try this:

| makeresults 
| eval _raw="\"login\": \"44337754-004613081080P\"" 
| rex mode=sed "s/(\"login\"\:\s+\")\d{4}(\d{4}-)\d{9}/\1****\2*********/g"


If this reply helps you, an upvote/like would be appreciated.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...