Splunk Search

Rex command: Help with regex to extract fields containing credit card numbers

skansi
Explorer

Hello,

I have a problem with splunk search. What I need to do is to do a search from the fields containing CC numbers. I have tried the example from the Splunk tutorial:

| rex field=ccnumber mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"

And I modified it as:

| rex field=kreditnakatica mode=sed "s/(\d{4}){3}/XXXXXXXXXXXX/g"

As to accommodate my field name and the CC format with no hyphens, but it does not work. Overall, I seem to have a problem understanding what kind of regex would Splunk accept, as e.g. it does not accept regexes such as \d{16}.

Thank you and cheers!

Tags (3)
1 Solution

skansi
Explorer

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

View solution in original post

skansi
Explorer

Hi, I needed to anonymize the data. It works with the xxxx-xxxx-xxxx-xxxx CC format, and the example from the tutorial works fine, but fot the xxxxxxxxxxxxx format I am not able to modify the example. My solution was to modify the log to have an xxxx-...-xxxx format input and then use the out-of-the-box Splunk tutorial example.

0 Karma

skansi
Explorer

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

somesoni2
Revered Legend

Thats great. Alternatively you could use | rex field=kreditnakatica mode=sed "s/(\d{12})/XXXXXXXXXXXX/g"

strive
Influencer

Are you trying to anonymize the credit card number? Do you need simple extraction or you need to anonymize the data?

Can you post your log event.

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...