Splunk Search

Rex command: Help with regex to extract fields containing credit card numbers

Explorer

Hello,

I have a problem with splunk search. What I need to do is to do a search from the fields containing CC numbers. I have tried the example from the Splunk tutorial:

| rex field=ccnumber mode=sed "s/(\d{4}-){3}/XXXX-XXXX-XXXX-/g"

And I modified it as:

| rex field=kreditnakatica mode=sed "s/(\d{4}){3}/XXXXXXXXXXXX/g"

As to accommodate my field name and the CC format with no hyphens, but it does not work. Overall, I seem to have a problem understanding what kind of regex would Splunk accept, as e.g. it does not accept regexes such as \d{16}.

Thank you and cheers!

Tags (3)
1 Solution

Explorer

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

View solution in original post

Explorer

Hi, I needed to anonymize the data. It works with the xxxx-xxxx-xxxx-xxxx CC format, and the example from the tutorial works fine, but fot the xxxxxxxxxxxxx format I am not able to modify the example. My solution was to modify the log to have an xxxx-...-xxxx format input and then use the out-of-the-box Splunk tutorial example.

0 Karma

Explorer

Hi, I managed to solve the problem by circumventing it--just used Python to produce the xxxx-xxxx-xxxx-xxxx CC numbers and then applied the upper code.

View solution in original post

SplunkTrust
SplunkTrust

Thats great. Alternatively you could use | rex field=kreditnakatica mode=sed "s/(\d{12})/XXXXXXXXXXXX/g"

Influencer

Are you trying to anonymize the credit card number? Do you need simple extraction or you need to anonymize the data?

Can you post your log event.

0 Karma