Remove cc data from splunk

npandith · ‎12-17-2011

We have couple of credit card data in splunk and we need to remove those from the splunk. I am using the below query to search for cc data and remove it from splunk.

sourcetype="logs" (ccNumber=0* OR ccNumber=1* OR ccNumber=2* OR ccNumber=3* OR ccNumber=4* OR ccNumber=5* OR ccNumber=6* OR ccNumber=7* OR ccNumber=8* OR ccNumber=9*) | delete

Even running this query i am seeing credit card data in splunk. I am just a beginner on regex and i couldnt use it. I would appreciate if you can help me in query for removing these data.

NOTE- Few ccNumber fields are already hashed out.

npandith · ‎12-17-2011

The above query has asterisk after ccNumber=[0-9]

Remove cc data from splunk

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!