- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Search Time Masking Using Calculated Field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Search Time Masking Using Calculated Field
Hi Splunkers,
Good day. I am trying to perform search time masking using a Calculated Field to replace _raw with the required result.
This goes fine for me for my particular data of concern. However, it goes complex somehow when that particular field in the same event has to be masked another way. Citing an example below to explain more clearly.
Masking - 16 digits
2021/01/21 - 01:15 AM <ACT>1234567890123456</ACT>
Result: 2021/01/21 - 01:15 AM <ACT>123456######3456</ACT>
However, if I see 15 digits for this field, masking should be 5 ##### rather than 6 for 16digits.
Masking - 15 digits
2021/01/25 - 01:15 AM <ACT>987654321012345</ACT>
Result: 2021/01/25 - 01:15 AM <ACT>987654#####2345</ACT>
Since the same field, _raw, is being worked on. I reckon this is not possible.
props.conf
[<sourcetype>]
EVAL-_raw = replace(_raw,"(\d{6})(\d{5,6})(\d{4})","\1######\3")
Please let me know of your thoughts/suggestions.
Thanks in adv.
Cheers!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, @arielpconsolaci,
You can use the EVAL command like below,
[<sourcetype>]
EVAL-_raw = replace(_raw, "(\d{6})\d{5,}(\d{4})", "\1######\2")
If this reply helps you, an upvote/like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @manjunathmeti .
I tried this. However, this does not work. Probably because it is the same field _raw.
I checked as well via btool and it only reads one of the eval calculations for the same sourcetype.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, that is true. I've updated my answer. You can try it if the number of # doesn't matter in the replaced text.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks again @manjunathmeti .
I am trying to observe that for 16 digits numbers be masked with 6#s between the first 6 digits and last 4 digits.
while for 15 digit numbers, masking should be just 5#s between the first 6 digits and last 4 digits.
Currently, with my current config, masking happens with 6#s. I am trying to get and observe 6#s and 5#s respective what is given (16 digit numbers and 15 digit numbers). From testing, this seems not possible. But let me know if otherwise.
Thanks for your time on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="2021/01/21 - 01:15 AM <ACT>1234567890123456</ACT>
2021/01/25 - 01:15 AM <ACT>987654321012345</ACT>"
| multikv noheader=t
| fields _raw
| rex mode=sed "s/(\d{6})(\d{5,6})(\d{4})/\1######\3/g"How about SEDCMD?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @to4kawa . That may work but what I am trying to achieve is that a plain search using the index and sourcetype at search time will return masked data accdg. to the rule set. Thus using a calculated field for _raw. Thanks still for the suggestion.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
