Splunk Search

Rex command: Help with regex to extract fields containing credit card numbers

skansi
Explorer

Hello,

I have a problem with splunk search. What I need to do is to do a search from the fields containing CC numbers. I have tried the example from the Splunk tutorial:

| rex field=ccnumber mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"

And I modified it as:

| rex field=kreditnakatica mode=sed "s/(\d{4}){3}/XXXXXXXXXXXX/g"

As to accommodate my field name and the CC format with no hyphens, but it does not work. Overall, I seem to have a problem understanding what kind of regex would Splunk accept, as e.g. it does not accept regexes such as \d{16}.

Thank you and cheers!

Tags (3)
1 Solution

skansi
Explorer

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

View solution in original post

skansi
Explorer

Hi, I needed to anonymize the data. It works with the xxxx-xxxx-xxxx-xxxx CC format, and the example from the tutorial works fine, but fot the xxxxxxxxxxxxx format I am not able to modify the example. My solution was to modify the log to have an xxxx-...-xxxx format input and then use the out-of-the-box Splunk tutorial example.

0 Karma

skansi
Explorer

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

somesoni2
Revered Legend

Thats great. Alternatively you could use | rex field=kreditnakatica mode=sed "s/(\d{12})/XXXXXXXXXXXX/g"

strive
Influencer

Are you trying to anonymize the credit card number? Do you need simple extraction or you need to anonymize the data?

Can you post your log event.

0 Karma
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...