Transforms to mask a bank ID

kteng2024 · ‎08-31-2017

Hi,

I am writing the transforms to hide the bankID for the below event.

14:14:09,573 ERROR [J2DefaultEngine] [0.0.0.0] [111111] [abcfder1,,stg8sfv8_ACNSFQA1.,dbquote3,data1,data2,en_US]
Failed record info: {PerbankId/cardType=xyz-bcf, PerbankId/country=hma, PerbankId/isPrimary=true, PerbankId/bankId=123-345-789, , PerbankId/personIdExternal=123456789}.

but the transforms i am trying is not working as the bankID can't be replaced with the XXXXXX. can someone please help with the transforms

REGEX = (.*bankId=\d{3}\-\d{3}\-\d{4}).* 
FORMAT = $1bankId=xxx-xxx-xxxx$2
DEST_KEY = _raw

woodcock · ‎08-31-2017

First, your sample data does not match your RegEx because the last segment in the former is 3-digits but in the latter is 4-digits. I will assume that the RegEx is correct. This is most easily/clearly done with SEDCMD as follows:

SEDCMD-X_out_bankId = s/bankId=\d{3}-\d{3}-\d{4}/bankId=XXX-XXX-XXXX/

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Anonymizedata

DalJeanis · ‎08-31-2017

Your REGEX only captures one item, but it has two replacements. You didn't close the first parenthesis or open and close the second one in the right place.

 SOURCE_KEY = _raw
 REGEX = (.+)bankId=\d{3}\-\d{3}\-\d{4}(.*) 
 FORMAT = $1bankId=xxx-xxx-xxxx$2
 DEST_KEY = _raw

FYI, if you are going to mask any other data, then you probably want to do it at the same time.

kteng2024 · ‎08-31-2017

Thank you for the reply.. when i tested your regex , data after the bankID is being removed i don't see PerbankId/personIdExternal=123456789}.

Transforms to mask a bank ID

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...