Splunk Search

pls help with regular expression

DataOrg
Builder

I want to keep the pattern of specific words which start with OS0003/SSED-BUS-0015 as it is, and want to mask other numbers and emails with "XXXX".

OS00194 - master Id: 1-56579333 Cancelled amazoon package

OS00194 - master Id: 1-56579333 Cancelled amazo0n package

P58U0040: record : First amazon package.

OS00178 - master Id: 0297276774 is
SSED-BUS-0000

..SSED-BUS-0000: ASEEM7593 micrsoft error
SSED-BUS-0015
..Action not allowed because airteel with value 377593df332

0 Karma

mayurr98
Super Champion

hey premranjithj

If you want to mask anything after Id: with Id: XXXX, then use the query below:

| rex field=_raw mode=sed "s/Id:\s((\d+-\d+)|(\d+))/Id: XXXX/g"

If you want to mask : ASEEM7593 with : XXXX

| rex field=_raw mode=sed "s/:\s[A-Z]+\d+/: XXXX/g"

If you want to mask value 377593df332 with value XXXX

| rex field=_raw mode=sed "s/\w+$/XXXX/g"

If you want to mask P58U0040 with P58UXXXX

| rex field=_raw mode=sed "s/P58U\d{4}/P58UXXXX/g"

If you want to mask any email in the data, then use:

| rex field=_raw mode=sed "s/\w[\w\-\.]+@\w+\.com/XXXX/g"

If you want to mask any email except your own domain (suppose gmail):

| rex field=_raw mode=sed "s/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,63}(?<!@gmail\.com)(?=[^A-Za-z]|$)/XXXX/g"

Let me know if this helps you!

0 Karma

nikita_p
Contributor

Hi @premranjithj,
Can you tell me exactly what data you want to extract from your events?

0 Karma

DataOrg
Builder

@nikita_p, I want the data to be masked as below.
Example:
OS00194 - master Id: 1-XXXX Cancelled amazon package
OS00194 - master Id: 1-XXXX Cancelled amazon package
P58UXXXX: record : First amazon package.
OS00178 - master Id: XXXXXXX is
SSED-BUS-0000
..SSED-BUS-0000: XXXXX micrsoft error
SSED-BUS-0015
..Action not allowed because airtel with value XXXXXX

0 Karma
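The masking rules from mayurr98's answer are applied one `| rex mode=sed` at a time, so their order and anchoring matter: a global `\w+$` rule, for instance, would blank the last word of every event, not just the `value 377593df332` token. The Python below is an added example (not part of this thread or of Splunk) that chains the same substitutions over the question's sample events, with the end-of-line rule narrowed to tokens preceded by `value ` and the email rule extended with a domain allow-list instead of a negative lookbehind. The email line and the `refund.team@example.com` / `owner@gmail.com` addresses are constructed for the example; `mask_event`, `MASK_RULES` and `EMAIL_RE` are names chosen here. Running the rules over a handful of known events before deploying them is the check that catches over-masking.

```python
import re

# Constructed sample events: the first five are quoted from the question,
# the last line with e-mail addresses is made up for this example.
SAMPLE_EVENTS = [
    "OS00194 - master Id: 1-56579333 Cancelled amazoon package",
    "P58U0040: record : First amazon package.",
    "OS00178 - master Id: 0297276774 is",
    "..SSED-BUS-0000: ASEEM7593 micrsoft error",
    "..Action not allowed because airteel with value 377593df332",
    "OS00201 - contact refund.team@example.com or owner@gmail.com about it",
]

# Ordered substitutions adapted from the sed expressions in the answer.
# Each tuple mirrors one "| rex field=_raw mode=sed" stage in the pipeline.
MASK_RULES = [
    # "Id: 1-56579333" or "Id: 0297276774" -> "Id: XXXX"
    (re.compile(r"Id:\s(?:\d+-\d+|\d+)"), "Id: XXXX"),
    # ": ASEEM7593" -> ": XXXX" (uppercase letters followed by digits)
    (re.compile(r":\s[A-Z]+\d+"), ": XXXX"),
    # Only the trailing token after "value " is masked; a bare \w+$ would
    # also erase "package", "is", "error" at the end of the other events.
    (re.compile(r"(?<=value\s)\w+$"), "XXXX"),
    # "P58U0040" -> "P58UXXXX", keeping the P58U prefix as requested
    (re.compile(r"P58U\d{4}"), "P58UXXXX"),
]

# Same character classes as the answer's pattern, with [A-z] corrected to
# [A-Za-z]; group 1 captures the domain so it can be checked against a list.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,63})")


def mask_emails(line, allowed_domains=frozenset()):
    """Replace every e-mail address with XXXX unless its domain is allowed."""
    def repl(match):
        domain = match.group(1).lower()
        return match.group(0) if domain in allowed_domains else "XXXX"
    return EMAIL_RE.sub(repl, line)


def mask_event(line, allowed_domains=frozenset()):
    """Apply the masking rules in order, then the e-mail rule, to one event."""
    for pattern, replacement in MASK_RULES:
        line = pattern.sub(replacement, line)
    return mask_emails(line, allowed_domains)


def mask_events(lines, allowed_domains=frozenset()):
    """Mask a list of raw events, returning the masked copies."""
    return [mask_event(line, allowed_domains) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, mask_events(SAMPLE_EVENTS, {"gmail.com"})):
        print(f"{before}\n  -> {after}")
```

The same ordering applies in SPL: put the most specific rule first and anchor the broad ones, or the `Id: XXXX` placeholder from an earlier stage can itself be matched by a later stage.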