Splunk Search

Need to mask the data twice in a single field

Path Finder

Can you please help me in masking the data.

Raw Data: -> "login": "44337754-004613081080P"

I want the number to be masked as the below pattern 
Example: 44337754-004613081080P
Expected result of masking
Example (masked): ****7754-*********080P

I tried with the following 
| rex mode=sed "s/(\"login\"\:\s+\")(\w+)(\d\d\d)-/\1\2xxx-/g"
But not getting the expected output

Labels (1)
Tags (1)
0 Karma


I think part of the problem is the regex is looking for 3 digits followed by a hyphen and there's only one instance of that in the sample data so only one substitution.

Try a different regex that matches the entire string (assuming all events follow the same pattern):

| rex mode=sed "s/(\"login\"\:\s+\")\w{5}(\d\d\d)-\d{9}(\w+)/\1xxxxx\2-xxxxxxxxx\3/"
If this reply helps you, Karma would be appreciated.


hi @Vignesh-107,

Try this:

| makeresults 
| eval _raw="\"login\": \"44337754-004613081080P\"" 
| rex mode=sed "s/(\"login\"\:\s+\")\d{4}(\d{4}-)\d{9}/\1****\2*********/g"


If this reply helps you, an upvote/like would be appreciated.

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...