Solved: Rex command: Help with regex to extract fields con...

skansi · ‎08-11-2014

Hello,

I have a problem with splunk search. What I need to do is to do a search from the fields containing CC numbers. I have tried the example from the Splunk tutorial:

| rex field=ccnumber mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"

And I modified it as:

| rex field=kreditnakatica mode=sed "s/(\d{4}){3}/XXXXXXXXXXXX/g"

As to accommodate my field name and the CC format with no hyphens, but it does not work. Overall, I seem to have a problem understanding what kind of regex would Splunk accept, as e.g. it does not accept regexes such as \d{16}.

Thank you and cheers!

skansi · ‎08-12-2014

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

View solution in original post

skansi · ‎08-12-2014

Hi, I needed to anonymize the data. It works with the xxxx-xxxx-xxxx-xxxx CC format, and the example from the tutorial works fine, but fot the xxxxxxxxxxxxx format I am not able to modify the example. My solution was to modify the log to have an xxxx-...-xxxx format input and then use the out-of-the-box Splunk tutorial example.

skansi · ‎08-12-2014

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

somesoni2 · ‎08-12-2014

Thats great. Alternatively you could use | rex field=kreditnakatica mode=sed "s/(\d{12})/XXXXXXXXXXXX/g"

strive · ‎08-12-2014

Are you trying to anonymize the credit card number? Do you need simple extraction or you need to anonymize the data?

Can you post your log event.

Rex command: Help with regex to extract fields containing credit card numbers

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!