Hi,
I am writing the transforms to hide the bankID for the below event.
14:14:09,573 ERROR [J2DefaultEngine] [0.0.0.0] [111111] [abcfder1,,stg8sfv8_ACNSFQA1.,dbquote3,data1,data2,en_US]
Failed record info: {PerbankId/cardType=xyz-bcf, PerbankId/country=hma, PerbankId/isPrimary=true, PerbankId/bankId=123-345-789, , PerbankId/personIdExternal=123456789}.
But the transform I am trying is not working, as the bankId can't be replaced with the XXXXXX. Can someone please help with the transforms?
REGEX = (.*bankId=\d{3}\-\d{3}\-\d{4}).*
FORMAT = $1bankId=xxx-xxx-xxxx$2
DEST_KEY = _raw
First, your sample data does not match your RegEx because the last segment in the former is 3 digits but in the latter is 4 digits. I will assume that the RegEx is correct. This is most easily/clearly done with SEDCMD as follows:
SEDCMD-X_out_bankId = s/bankId=\d{3}-\d{3}-\d{4}/bankId=XXX-XXX-XXXX/
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Anonymizedata
Your REGEX only captures one item, but it has two replacements. You didn't close the first parenthesis or open and close the second one in the right place.
SOURCE_KEY = _raw
REGEX = (.+)bankId=\d{3}\-\d{3}\-\d{4}(.*)
FORMAT = $1bankId=xxx-xxx-xxxx$2
DEST_KEY = _raw
FYI, if you are going to mask any other data, then you probably want to do it at the same time.
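The two masking rules from the answers above, modelled in Python so they can be tried offline against the sample event. This is an added example, not code from any poster or from Splunk. The functions are a simplified model of SEDCMD and of a REGEX/FORMAT transform with DEST_KEY = _raw, Python's re stands in for Splunk's regex engine, and the 4-digit and two-line events are constructed.

```python
import re

# Record line from the question; the bankId's last segment has 3 digits.
PAGE_EVENT = ("Failed record info: {PerbankId/cardType=xyz-bcf, PerbankId/country=hma, "
              "PerbankId/isPrimary=true, PerbankId/bankId=123-345-789, , "
              "PerbankId/personIdExternal=123456789}.")
# Constructed variant with a 4-digit last segment, the shape both regexes expect.
CONSTRUCTED_EVENT = PAGE_EVENT.replace("123-345-789,", "123-345-7890,")
# Constructed two-line event: a header line followed by the record line.
MULTILINE_EVENT = "14:14:09,573 ERROR [J2DefaultEngine]\n" + CONSTRUCTED_EVENT

SED_PATTERN = r"bankId=\d{3}-\d{3}-\d{4}"                # from the SEDCMD answer
SED_REPLACEMENT = "bankId=XXX-XXX-XXXX"
TRANSFORM_REGEX = r"(.+)bankId=\d{3}\-\d{3}\-\d{4}(.*)"  # from the transforms answer
TRANSFORM_FORMAT = "$1bankId=xxx-xxx-xxxx$2"


def sed_mask(raw):
    """Model of s/pattern/replacement/ without the g flag: first match only,
    everything outside the match is left untouched."""
    return re.sub(SED_PATTERN, SED_REPLACEMENT, raw, count=1)


def transform_mask(raw):
    """Model of REGEX + FORMAT with DEST_KEY = _raw: on a match the whole event
    becomes FORMAT with $1/$2 expanded; with no match it is unchanged."""
    m = re.search(TRANSFORM_REGEX, raw)
    if m is None:
        return raw
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), TRANSFORM_FORMAT)


def check(raw, masked):
    """Return (bank id digits still visible?, text after bankId preserved?)."""
    leaked = re.search(r"bankId=\d", masked) is not None
    tail = raw[raw.index("PerbankId/personIdExternal"):]
    return leaked, masked.endswith(tail)


if __name__ == "__main__":
    events = {"page": PAGE_EVENT, "constructed": CONSTRUCTED_EVENT,
              "multiline": MULTILINE_EVENT}
    for name, event in events.items():
        for fn in (sed_mask, transform_mask):
            masked = fn(event)
            header_kept = masked.startswith(event.split("\n")[0][:12])
            print(name, fn.__name__, check(event, masked), "start kept:", header_kept)
```

In this model the 3-digit sample from the question passes through both rules unmasked, and on the two-line event the transform keeps only the line the groups captured while the sed-style substitution leaves the rest of the event in place.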
Thank you for the reply. When I tested your regex, the data after the bankId is being removed; I don't see PerbankId/personIdExternal=123456789}.